Fix the orchestrator's stale-sandbox cleanup — delete/reset ownership of /tmp/gh-aw/sandbox/firewall before invoking AWF; a root-owned leftover from a prior run hard-fails every subsequent Smoke CI run on the same runner, and the agent never starts.
Problem
Execute GitHub Copilot CLI aborts during "Generating configuration files":
[ERROR] Fatal error: Error: EACCES: cannot create directory /tmp/gh-aw/sandbox/firewall/logs (running as uid=1001).
Blocked by: /tmp/gh-aw/sandbox/firewall
This is typically caused by a previous AWF run leaving root-owned directories.
The orchestrator must clean up stale directories before invoking AWF.
The follow-up chmod -R a+rX /tmp/gh-aw/sandbox/firewall/logs also fails with Permission denied. Process exits 1.
Affected workflows / runs
- Smoke CI — run 28924071610 (failure, 07:02 UTC)
- Smoke CI — run 28923878445 (agent step failed; run cancelled, 06:59 UTC)
- 2 of the last-6h Smoke CI runs; recurs on runner reuse.
Evidence
audit-diff base=28922334780 (success) vs 28924071610 (fail): failed run token_usage=0 → the model never ran; failure is entirely pre-execution in sandbox/firewall config, with no firewall egress anomalies.
Probable root cause
A previous AWF run creates /tmp/gh-aw/sandbox/firewall (and its logs/) as root. The next run on the same reused runner executes as uid=1001 and cannot create or chmod the logs subdir. The AWF orchestrator does not clean or reset ownership of the stale sandbox tree before writeConfigs.
Proposed remediation
- Add a pre-flight cleanup in the orchestrator / lock template:
sudo rm -rf /tmp/gh-aw/sandbox (or chown to the runtime uid) before AWF runs.
- Or create the firewall log dir up front as uid=1001, or use a per-run unique path.
- Make AWF fail-soft with a clear remediation message instead of a fatal stack trace.
Success criteria
- Two consecutive Smoke CI runs on the same runner pass the "Generating configuration files" step.
- No
EACCES ... /tmp/gh-aw/sandbox/firewall/logs errors over a 24h window.
Parent: #39884 · Auto-failure issue: #44229 · Analyzed runs: 28924071610, 28923878445.
Related to #39884
Generated by 🔍 [aw] Failure Investigator (6h) · 145.9 AIC · ⌖ 36.6 AIC · ⊞ 6.2K · ◷
Fix the orchestrator's stale-sandbox cleanup — delete/reset ownership of
/tmp/gh-aw/sandbox/firewallbefore invoking AWF; a root-owned leftover from a prior run hard-fails every subsequent Smoke CI run on the same runner, and the agent never starts.Problem
Execute GitHub Copilot CLIaborts during "Generating configuration files":The follow-up
chmod -R a+rX /tmp/gh-aw/sandbox/firewall/logsalso fails withPermission denied. Process exits 1.Affected workflows / runs
Evidence
audit-diffbase=28922334780 (success) vs 28924071610 (fail): failed run token_usage=0 → the model never ran; failure is entirely pre-execution in sandbox/firewall config, with no firewall egress anomalies.Probable root cause
A previous AWF run creates
/tmp/gh-aw/sandbox/firewall(and itslogs/) as root. The next run on the same reused runner executes as uid=1001 and cannot create orchmodthelogssubdir. The AWF orchestrator does not clean or reset ownership of the stale sandbox tree beforewriteConfigs.Proposed remediation
sudo rm -rf /tmp/gh-aw/sandbox(orchownto the runtime uid) before AWF runs.Success criteria
EACCES ... /tmp/gh-aw/sandbox/firewall/logserrors over a 24h window.Parent: #39884 · Auto-failure issue: #44229 · Analyzed runs: 28924071610, 28923878445.
Related to #39884