docs/reference/github-attachment-upload.md
Use this reference when a PR or issue body needs screenshots or other short-lived evidence images without committing them, creating a release asset, or using an external image host.
`https://github.com/user-attachments/assets/<uuid>` URL.

`/tmp` or an untracked evidence directory such as `.omo/evidence/...`.

The flow depends on an authenticated GitHub web session, not only a `gh` API token. GitHub's same-site cookie/session requirements mean the requests must carry the browser session cookies for github.com, the expected same-site/referrer context, and the CSRF tokens issued for the current PR or issue page. Treat every cookie and token as a secret.
`POST https://github.com/upload/policies/assets` with:

```json
{
  "repository_id": "REPOSITORY_ID",
  "name": "terminal.png",
  "size": 12345,
  "content_type": "image/png",
  "authenticity_token": "FILE_ATTACHMENT_CSRF_TOKEN"
}
```
`PUT https://github.com/upload/assets/:id` with the returned `asset_upload_authenticity_token`.

`https://github.com/user-attachments/assets/<uuid>` URL in the PR body.

Do not print cookies, authenticity tokens, S3 fields, authorization headers, or raw browser storage. A helper may print only the final user-attachments URL and non-secret file metadata such as filename, byte size, and content type. If a temporary script is needed, write it under `/tmp`, inspect it for accidental logging, and delete it after updating the PR body.
For PR body editing, write the body to `/tmp/pr-body.md`, inspect it, then pass it to `gh pr edit --body-file /tmp/pr-body.md`. The body should include the final attachment URLs and local evidence paths, but never the upload transaction details.
```markdown
## Visual Evidence
- ANSI terminal rendering: https://github.com/user-attachments/assets/<uuid>
- Long-line wrapping: https://github.com/user-attachments/assets/<uuid>
- Local evidence: `.omo/evidence/20260623-web-terminal-rendering/`
```
If the authenticated browser session is unavailable, leave the PR ready with local evidence paths and state the blocker. Do not fall back to releases or external hosting.
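
One way to make the "inspect it" step for `/tmp/pr-body.md` repeatable, as an added example that is not part of the original reference or of any project tooling. The function name `check_pr_body` and the pattern list are assumptions based on the secret classes named above; the list is illustrative, not exhaustive.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a PR body file before
# `gh pr edit --body-file`. Patterns below are assumptions, not project policy.

# Markers of upload-transaction material that must never reach the PR body:
# CSRF token fields, cookie/authorization headers, S3 form fields,
# GitHub session cookie names, and the upload endpoints themselves.
SECRET_RE='authenticity_token|cookie:|authorization:|x-amz-|_gh_sess=|user_session=|github\.com/upload/'

# A finished attachment URL ends in a UUID, not the <uuid> placeholder.
ASSET_RE='https://github\.com/user-attachments/assets/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'

check_pr_body() {
  body=$1
  [ -r "$body" ] || { echo "cannot read $body" >&2; return 2; }
  rc=0

  # Report line numbers only, so the check itself never echoes a secret.
  hits=$(grep -Ein -- "$SECRET_RE" "$body" | cut -d: -f1 | tr '\n' ' ')
  if [ -n "$hits" ]; then
    echo "upload transaction details on line(s): $hits" >&2
    rc=1
  fi

  # Every user-attachments reference must be a complete UUID URL.
  # Zero references is allowed (the blocked-session case keeps local paths only).
  bad=$(grep -Eo 'https://github\.com/user-attachments/assets/[^[:space:])]*' "$body" \
        | grep -Evxc -- "$ASSET_RE" || true)
  if [ "$bad" -gt 0 ]; then
    echo "$bad attachment URL(s) are placeholders or malformed" >&2
    rc=1
  fi

  return "$rc"
}
```

Run `check_pr_body /tmp/pr-body.md && gh pr edit --body-file /tmp/pr-body.md` so the edit happens only when the check passes.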