From 5c272841199d43c8185376072ad0f98ec72260a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= <speed47_github@speed47.net>
Date: Sat, 18 Apr 2026 14:05:15 +0000
Subject: [PATCH] chore: workflow: save logs

---
 .github/workflows/vuln-scan.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/vuln-scan.yml b/.github/workflows/vuln-scan.yml
index a41b5c1..c95a790 100644
--- a/.github/workflows/vuln-scan.yml
+++ b/.github/workflows/vuln-scan.yml
@@ -78,11 +78,20 @@ jobs:
           SCAN_DATE: ${{ github.run_started_at }}
         with:
           model: claude-opus-4-7
+          claude_args: |
+            --model claude-sonnet-4-6 --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
           prompt: |
             Read the full task instructions from .github/workflows/daily_vuln_scan_prompt.md and execute them end-to-end. That file fully specifies: sources to poll, how to read and update state/seen.json, the 25-hour window, which rss_YYYY-MM-DD_*.md files to write, and the run guardrails. Use $SCAN_DATE (env var) as "now" for time-window decisions.
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          allowed_tools: "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
-          timeout_minutes: 15
+
+      - name: Upload Claude execution log
+        if: always()         # keep the log even if the scan step failed
+        uses: actions/upload-artifact@v4
+        with:
+          name: claude-execution-log-${{ github.run_id }}
+          path: ${{ steps.scan.outputs.execution_file }}
+          retention-days: 30
+          if-no-files-found: warn
 
       # ---- Persist outputs -------------------------------------------------
       - name: Prune state (keep only entries from the last 30 days)