fix(ci): mythos-auto plumbing — slug ordering, unzip install

[avrabe]

Summary

Three plumbing fixes for mythos-auto.yml, all surfaced by PR #163's first end-to-end run. None of these affect Mythos discover semantics — they all live in the workflow scaffolding around the action.

What broke on PR #163

14:32:12 Error: Unable to locate executable file: unzip. Please verify either the file path exists...
14:32:12 /var/lib/runners/runner5/_work/_temp/.../d9f8a6f8.sh: line 3: bun: command not found
14:32:12 ##[error]Process completed with exit code 127.
14:32:14 ##[error]No files were found with the provided path: mythos-out/.json. No artifacts will be uploaded.

Three discrete bugs cascaded:

#	Bug	Effect
1	unzip missing on rust-cpu runners	oven-sh/setup-bun fails → claude-code-action's bun-based entrypoints exit 127
2	Slug step had no if: always() and ran AFTER discover	When discover failed, slug was skipped; steps.slug.outputs.slug empty
3	Empty slug interpolated silently into mythos-out/.json path	upload-artifact failed; no per-file result; aggregate ran on missing data

Fixes

Fix	What it does
Move slug step BEFORE discover	Slug is now always set regardless of discover outcome. No if: always() needed — slug + discover share the same precondition.
New Install unzip (required by setup-bun) step	Best-effort apt install, continue-on-error: true. Mirrors the action's own subprocess-isolation install pattern. Non-Debian runners log a warning and proceed.
Read SLUG from env in save-step, fail loudly on empty	Pulls slug out of ${{ }} interpolation into env var SLUG. Explicit [ -z "$SLUG" ] check writes a ::error:: log instead of silently producing mythos-out/.json.
Guard upload-artifact with steps.slug.outputs.slug != ''	Even if save-step somehow runs with empty slug, upload-artifact won't try to use it as a name.

The placeholder-FINDING fallback that surfaced these issues (writes "discover step failed before emitting structured output" when RESULT_JSON is empty) is intentional and stays — it's what makes the gate block on workflow failures rather than silently passing.

Test plan

• CI green
• Mythos auto-runner fires end-to-end on this PR (touches .github/workflows/mythos-auto.yml — not a Tier-5 file, so the auto-runner's detect job will set any=false and the scan job will skip cleanly). To exercise the matrix path end-to-end we need the next Tier-5 PR.
• Watch for: any new "::error::" logs from the SLUG-empty guard

Sequencing

This is PR #164 in the post-v0.8.1 cycle:

• feat(ci): LS-N verification gate (spar-pattern port) #161 LS-N gate ✅
• feat(ci): Mythos delta-pass auto-runner (single-actor, OAuth-token) #162 mythos-auto.yml (this workflow) ✅
• test(merger): add LS-A-19 regression for exact resource-import lookup #163 LS-A-19 regression — first end-to-end mythos-auto run ✅ (admin-merged, surfaced these issues)
• fix(ci): mythos-auto plumbing — slug ordering, unzip install #164 (this PR) plumbing fixes

🤖 Generated with Claude Code

[github-actions]

LS-N verification gate

⚠️ 16/19 verified — 3 missing regression tests

	count
Passed (≥1 test, all green)	16
Failed (≥1 test failure)	0
Missing (no ls_*_NN_* test found)	3

_{Approved loss-scenarios.yaml entries are expected to have a
regression test named ls_<letter>_<num>_* (e.g. LS-A-11 →
ls_a_11_*). The gate runs each prefix via cargo test --lib --no-fail-fast and aggregates pass/fail/missing.}

Failed LS entries

(none)

Missing regression tests

• LS-CP-4
• LS-A-8
• LS-A-9

_{Updated automatically by tools/post_verification_comment.py.
Source of truth: safety/stpa/loss-scenarios.yaml.}