feat: upload-attachment safe output #79
Description
Summary
Add an upload-attachment safe output that allows agents to upload file attachments to Azure DevOps work items (reports, logs, generated documentation, etc.).
ADO API
Two-step process:
POST /_apis/wit/attachments?api-version=7.1— Upload the file, get attachment URLPATCH /_apis/wit/workitems/{id}?api-version=7.1— Link attachment to work item via JSON Patch:
[{
"op": "add",
"path": "/relations/-",
"value": {
"rel": "AttachedFile",
"url": "{attachmentUrl}",
"attributes": { "comment": "Uploaded by agent" }
}
}]Agent Parameters
work-item-id(required) — Work item to attach the file tofile-path(required) — Path to the file in the agent's workspace to uploadcomment(optional) — Description of the attachment
Front Matter Configuration (safe-outputs.upload-attachment)
max-file-size— Maximum file size in bytes (default: 5 MB)allowed-extensions— Restrict file types (e.g.,[".md", ".json", ".txt", ".csv", ".png", ".pdf"])comment-prefix— Prefix for attachment comments
Use Cases
- Analysis agents attaching generated reports
- Security agents attaching scan results
- Documentation agents attaching generated diagrams
- Testing agents attaching test result summaries or coverage reports
Security Considerations
- File size limits prevent abuse
- Extension allow-list prevents uploading executables or dangerous file types
- File path validation (no
.., no absolute paths, must be within workspace) - Content scanning for
##vso[command injection (similar to memory tool) - Standard text sanitization on comment
- Binary files are not text-sanitized but are size-limited
Priority
Tier 3 — Niche but useful for reporting workflows. Medium complexity (binary upload + linking).