From 2225fcc5421633217cdac9f5ceba7b0d9a406c94 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 11:23:22 +0000 Subject: [PATCH 1/8] Initial plan From 40dc28fb32ca4b78cdf80e244aa73da14f5c59af Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 11:44:27 +0000 Subject: [PATCH 2/8] Initial plan Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ai-moderator.lock.yml | 12 ------------ .github/workflows/auto-triage-issues.lock.yml | 12 ------------ .github/workflows/contribution-check.lock.yml | 13 ------------- .../daily-agent-of-the-day-blog-writer.lock.yml | 13 ------------- .github/workflows/daily-doc-updater.lock.yml | 12 ------------ .github/workflows/daily-issues-report.lock.yml | 12 ------------ .github/workflows/daily-team-status.lock.yml | 12 ------------ .../dataflow-pr-discussion-dataset.lock.yml | 12 ------------ .github/workflows/discussion-task-miner.lock.yml | 12 ------------ .github/workflows/grumpy-reviewer.lock.yml | 12 ------------ .../workflows/impeccable-skills-reviewer.lock.yml | 12 ------------ .github/workflows/issue-arborist.lock.yml | 12 ------------ .github/workflows/issue-monster.lock.yml | 12 ------------ .github/workflows/issue-triage-agent.lock.yml | 12 ------------ .../workflows/mattpocock-skills-reviewer.lock.yml | 12 ------------ .github/workflows/org-health-report.lock.yml | 12 ------------ .github/workflows/plan.lock.yml | 13 ------------- .github/workflows/pr-code-quality-reviewer.lock.yml | 12 ------------ .github/workflows/pr-nitpick-reviewer.lock.yml | 12 ------------ .github/workflows/pr-sous-chef.lock.yml | 12 ------------ .github/workflows/pr-triage-agent.lock.yml | 12 ------------ .github/workflows/q.lock.yml | 12 ------------ .github/workflows/refiner.lock.yml | 12 ------------ .github/workflows/scout.lock.yml | 13 ------------- .github/workflows/security-review.lock.yml | 12 ------------ .github/workflows/skillet.lock.yml | 12 ------------ .github/workflows/smoke-agent-all-merged.lock.yml | 13 ------------- .github/workflows/smoke-agent-all-none.lock.yml | 13 ------------- .../workflows/smoke-agent-public-approved.lock.yml | 13 ------------- .github/workflows/smoke-agent-public-none.lock.yml | 13 ------------- .../workflows/smoke-agent-scoped-approved.lock.yml | 13 ------------- .../workflows/smoke-copilot-aoai-apikey.lock.yml | 12 ------------ .github/workflows/smoke-copilot-aoai-entra.lock.yml | 12 ------------ .github/workflows/smoke-copilot.lock.yml | 12 ------------ .github/workflows/stale-repo-identifier.lock.yml | 12 ------------ .github/workflows/weekly-blog-post-writer.lock.yml | 13 ------------- .github/workflows/weekly-issue-summary.lock.yml | 12 ------------ .../weekly-safe-outputs-spec-review.lock.yml | 12 ------------ .github/workflows/workflow-generator.lock.yml | 12 ------------ 39 files changed, 478 deletions(-) diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index e307a47c28e..cfb3495c5ad 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -592,17 +591,6 @@ jobs: run: npm install --ignore-scripts -g @openai/codex@0.142.5 - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 87b1d660010..0651e7cacda 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -554,17 +553,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 9319a294263..cbd538d2ecc 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # # Container images used: @@ -602,18 +601,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - GH_AW_GITHUB_REPOS: 'all' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index db11201fd10..eddc44eed3c 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # - docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 @@ -582,18 +581,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - GH_AW_GITHUB_REPOS: '["github/gh-aw"]' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 9d8f04d1288..4fb5e6767ea 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -578,17 +577,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 73c6d95b3f9..9afcf238b0c 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -54,7 +54,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -775,17 +774,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Python) run: cd "${GITHUB_WORKSPACE}" && python3 -m pip install --disable-pip-version-check github-copilot-sdk==1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 7d2c2f0450f..9fc023b8c51 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -43,7 +43,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -494,17 +493,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index 602c843b3e2..a97f95d66f9 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # - safedep/pmg@46cc70db535107183c9e752bb55d1d5c5f1a9290 # v1 @@ -822,17 +821,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index c6e0b2e148d..5c7d1eb4165 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -536,17 +535,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index da8d48ca1ff..6b791c7d092 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -50,7 +50,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -577,17 +576,6 @@ jobs: run: npm install --ignore-scripts -g @openai/codex@0.142.5 - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/impeccable-skills-reviewer.lock.yml b/.github/workflows/impeccable-skills-reviewer.lock.yml index bb0c6268bf1..3d31d175f7d 100644 --- a/.github/workflows/impeccable-skills-reviewer.lock.yml +++ b/.github/workflows/impeccable-skills-reviewer.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -537,17 +536,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 413f056701e..e422675da1e 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -50,7 +50,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -605,17 +604,6 @@ jobs: run: npm install --ignore-scripts -g @openai/codex@0.142.5 - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index f2d8ef0c35f..ecf39b3a30c 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -48,7 +48,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -908,17 +907,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 9a50ec78c34..354e767734d 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -46,7 +46,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -494,17 +493,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index 2fc4b05aa3c..ed7cd7b2ee3 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -48,7 +48,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -685,17 +684,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 5ed0b938d9b..66b00730c70 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -566,17 +565,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index bffcde8600e..dc45c1bedf7 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -45,7 +45,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -615,18 +614,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - GH_AW_GITHUB_REPOS: 'all' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-code-quality-reviewer.lock.yml b/.github/workflows/pr-code-quality-reviewer.lock.yml index 27646d07458..477f155fbc1 100644 --- a/.github/workflows/pr-code-quality-reviewer.lock.yml +++ b/.github/workflows/pr-code-quality-reviewer.lock.yml @@ -48,7 +48,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -571,17 +570,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 8076c8f2332..0d15cd3898e 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -577,17 +576,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 4edea1d91d6..91c0a97bc46 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -783,17 +782,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 6f47d926c52..14e96346007 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -543,17 +542,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 615e9890107..87b4c7352aa 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -46,7 +46,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -646,17 +645,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 693dcf01d82..51a195fb34b 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -553,17 +552,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 47cd01af410..ee38950f9c7 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -53,7 +53,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -637,18 +636,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - GH_AW_GITHUB_REPOS: 'all' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 4b0c8b2b2e0..ed0ca3f2e38 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -49,7 +49,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -605,17 +604,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/skillet.lock.yml b/.github/workflows/skillet.lock.yml index 57d45afb029..b3ba0d8202e 100644 --- a/.github/workflows/skillet.lock.yml +++ b/.github/workflows/skillet.lock.yml @@ -49,7 +49,6 @@ # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -588,17 +587,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index eb2737518ad..0660d3483f7 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -46,7 +46,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -571,18 +570,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'merged' - GH_AW_GITHUB_REPOS: 'all' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index e3c01af0690..c19bd80f530 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -46,7 +46,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -571,18 +570,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - GH_AW_GITHUB_REPOS: 'all' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 1f3c8d280bf..08b69c573f0 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -48,7 +48,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -574,18 +573,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - GH_AW_GITHUB_REPOS: 'public' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 0d0dbff429e..7ae226ccf77 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -46,7 +46,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -571,18 +570,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'none' - GH_AW_GITHUB_REPOS: 'public' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index f31750ecd4c..9a3f6f1663a 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -573,18 +572,6 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - GH_AW_GITHUB_REPOS: '["github/gh-aw","github/*"]' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml index 3d0dc5709d7..21fcd80bdc4 100644 --- a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml @@ -54,7 +54,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -740,17 +739,6 @@ jobs: env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1' timeout-minutes: 10 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-copilot-aoai-entra.lock.yml b/.github/workflows/smoke-copilot-aoai-entra.lock.yml index 4926e897bf1..15114322a04 100644 --- a/.github/workflows/smoke-copilot-aoai-entra.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-entra.lock.yml @@ -53,7 +53,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -741,17 +740,6 @@ jobs: env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1' timeout-minutes: 10 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index ecb826ff4cb..bc2b0ddd920 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -52,7 +52,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -756,17 +755,6 @@ jobs: env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1' timeout-minutes: 10 - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 54bf40a2010..77ecfc0a24f 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -55,7 +55,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -641,17 +640,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index d48546e25ea..cb23fe4e768 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -656,18 +655,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - GH_AW_GITHUB_REPOS: '["github/gh-aw"]' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index f56a3c971b4..77c4ceea083 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -51,7 +51,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -549,17 +548,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index f51ccf66904..a8a031e8868 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -512,17 +511,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 601ece38a3b..44e222de3c6 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -47,7 +47,6 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 -# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -546,17 +545,6 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - - name: Determine automatic lockdown mode for GitHub MCP Server - id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) - env: - GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} - GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} - GH_AW_GITHUB_MIN_INTEGRITY: 'approved' - with: - script: | - const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); - await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: From 24765ccb6067cac776580b3809114522b0281e22 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 12:03:56 +0000 Subject: [PATCH 3/8] fix: reclaim root-owned sandbox firewall dirs before and after AWF runs - Add `sudo chown` in the post-run "Print firewall logs" step so AWF leaves the sandbox firewall dir owned by the runner user (uid=1001). This ensures the next run's `rm -rf /tmp/gh-aw` succeeds without needing sudo at all, breaking the EACCES cycle on reused runners. - Add pre-flight cleanup + pre-creation of `/tmp/gh-aw/sandbox/firewall` dirs in `create_gh_aw_tmp_dir.sh` as defense-in-depth: if the post-run chown didn't execute (e.g. previous run was killed), sudo rm reclaims the stale root-owned directory before AWF starts; then mkdir creates the firewall dirs as the runner user so AWF never needs to create them. - Update tests and WASM golden files for new chown step output. - Fix stale test assertion for smoke-call-workflow aw_context forwarding (smoke-workflow-call.md no longer declares aw_context as a workflow_call input; recompile corrected the lock file; test updated to match). - Recompile all 258 workflow lock files to pick up the chown step. Closes #44242 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ab-testing-advisor.lock.yml | 5 +++- .github/workflows/ace-editor.lock.yml | 5 +++- .../agent-performance-analyzer.lock.yml | 5 +++- .../workflows/agent-persona-explorer.lock.yml | 5 +++- .../workflows/agentic-token-audit.lock.yml | 5 +++- .../agentic-token-optimizer.lock.yml | 5 +++- .../agentic-token-trend-audit.lock.yml | 5 +++- .github/workflows/ai-moderator.lock.yml | 5 +++- .../workflows/api-consumption-report.lock.yml | 5 +++- .github/workflows/approach-validator.lock.yml | 5 +++- .github/workflows/archie.lock.yml | 5 +++- .../workflows/architecture-guardian.lock.yml | 5 +++- .github/workflows/artifacts-summary.lock.yml | 5 +++- .github/workflows/audit-workflows.lock.yml | 5 +++- .github/workflows/auto-triage-issues.lock.yml | 5 +++- .github/workflows/avenger.lock.yml | 5 +++- .../aw-failure-investigator.lock.yml | 5 +++- .github/workflows/blog-auditor.lock.yml | 5 +++- .github/workflows/bot-detection.lock.yml | 5 +++- .github/workflows/brave.lock.yml | 5 +++- .../breaking-change-checker.lock.yml | 5 +++- .github/workflows/changeset.lock.yml | 5 +++- .../workflows/chaos-pr-bundle-fuzzer.lock.yml | 5 +++- .github/workflows/ci-coach.lock.yml | 5 +++- .github/workflows/ci-doctor.lock.yml | 5 +++- .../claude-code-user-docs-review.lock.yml | 5 +++- .../cli-consistency-checker.lock.yml | 5 +++- .../workflows/cli-version-checker.lock.yml | 5 +++- .github/workflows/cloclo.lock.yml | 5 +++- .../workflows/code-scanning-fixer.lock.yml | 5 +++- .github/workflows/code-simplifier.lock.yml | 5 +++- .../codex-github-remote-mcp-test.lock.yml | 5 +++- .../commit-changes-analyzer.lock.yml | 5 +++- .../constraint-solving-potd.lock.yml | 5 +++- .github/workflows/contribution-check.lock.yml | 5 +++- .../workflows/copilot-agent-analysis.lock.yml | 5 +++- .../copilot-centralization-drilldown.lock.yml | 5 +++- .../copilot-centralization-optimizer.lock.yml | 5 +++- .../copilot-cli-deep-research.lock.yml | 5 +++- .github/workflows/copilot-opt.lock.yml | 5 +++- .../copilot-pr-merged-report.lock.yml | 5 +++- .../copilot-pr-nlp-analysis.lock.yml | 5 +++- .../copilot-pr-prompt-analysis.lock.yml | 5 +++- .../copilot-session-insights.lock.yml | 5 +++- .github/workflows/craft.lock.yml | 5 +++- ...aily-agent-of-the-day-blog-writer.lock.yml | 5 +++- .../daily-agentrx-trace-optimizer.lock.yml | 5 +++- .../daily-ambient-context-optimizer.lock.yml | 5 +++- .../daily-architecture-diagram.lock.yml | 5 +++- .../daily-assign-issue-to-user.lock.yml | 5 +++- ...strostylelite-markdown-spellcheck.lock.yml | 5 +++- ...daily-aw-cross-repo-compile-check.lock.yml | 5 +++- ...daily-awf-spec-compiler-surfacing.lock.yml | 5 +++- .../workflows/daily-byok-ollama-test.lock.yml | 5 +++- .../daily-cache-strategy-analyzer.lock.yml | 5 +++- .../daily-caveman-optimizer.lock.yml | 5 +++- .github/workflows/daily-choice-test.lock.yml | 5 +++- .../workflows/daily-cli-performance.lock.yml | 5 +++- .../workflows/daily-cli-tools-tester.lock.yml | 5 +++- .github/workflows/daily-code-metrics.lock.yml | 5 +++- .../daily-community-attribution.lock.yml | 5 +++- .../workflows/daily-compiler-quality.lock.yml | 5 +++- ...ly-compiler-threat-spec-optimizer.lock.yml | 5 +++- .../daily-credit-limit-test.lock.yml | 5 +++- .github/workflows/daily-doc-healer.lock.yml | 5 +++- .github/workflows/daily-doc-updater.lock.yml | 5 +++- .../daily-experiment-report.lock.yml | 5 +++- .github/workflows/daily-fact.lock.yml | 5 +++- .github/workflows/daily-file-diet.lock.yml | 5 +++- .../workflows/daily-firewall-report.lock.yml | 5 +++- .../daily-formal-spec-verifier.lock.yml | 5 +++- .../workflows/daily-function-namer.lock.yml | 5 +++- .../workflows/daily-geo-optimizer.lock.yml | 5 +++- .github/workflows/daily-hippo-learn.lock.yml | 5 +++- .../workflows/daily-issues-report.lock.yml | 5 +++- .../daily-malicious-code-scan.lock.yml | 5 +++- .../daily-max-ai-credits-test.lock.yml | 5 +++- .../daily-mcp-concurrency-analysis.lock.yml | 5 +++- .../workflows/daily-model-inventory.lock.yml | 5 +++- .../workflows/daily-model-resolution.lock.yml | 5 +++- .../daily-multi-device-docs-tester.lock.yml | 5 +++- .github/workflows/daily-news.lock.yml | 5 +++- .../daily-observability-report.lock.yml | 5 +++- .../daily-performance-summary.lock.yml | 5 +++- .github/workflows/daily-regulatory.lock.yml | 5 +++- .../daily-reliability-review.lock.yml | 5 +++- .../daily-rendering-scripts-verifier.lock.yml | 5 +++- .../workflows/daily-repo-chronicle.lock.yml | 5 +++- .../daily-safe-output-integrator.lock.yml | 5 +++- .../daily-safe-output-optimizer.lock.yml | 5 +++- .../daily-safe-outputs-conformance.lock.yml | 5 +++- .../daily-safeoutputs-git-simulator.lock.yml | 5 +++- .../workflows/daily-secrets-analysis.lock.yml | 5 +++- .../daily-security-observability.lock.yml | 5 +++- .../daily-security-red-team.lock.yml | 5 +++- .github/workflows/daily-semgrep-scan.lock.yml | 5 +++- .../workflows/daily-sentrux-report.lock.yml | 5 +++- .../workflows/daily-skill-optimizer.lock.yml | 5 +++- .../daily-spdd-spec-planner.lock.yml | 5 +++- .../daily-syntax-error-quality.lock.yml | 5 +++- .../daily-team-evolution-insights.lock.yml | 5 +++- .github/workflows/daily-team-status.lock.yml | 5 +++- .../daily-testify-uber-super-expert.lock.yml | 5 +++- .../daily-token-consumption-report.lock.yml | 5 +++- ...dows-terminal-integration-builder.lock.yml | 5 +++- .../workflows/daily-workflow-updater.lock.yml | 5 +++- .../workflows/daily-yamllint-fixer.lock.yml | 5 +++- .../dataflow-pr-discussion-dataset.lock.yml | 5 +++- .github/workflows/dead-code-remover.lock.yml | 5 +++- .github/workflows/deep-report.lock.yml | 5 +++- .github/workflows/delight.lock.yml | 5 +++- .github/workflows/dependabot-burner.lock.yml | 5 +++- .../workflows/dependabot-go-checker.lock.yml | 5 +++- .github/workflows/dependabot-repair.lock.yml | 5 +++- .../deployment-incident-monitor.lock.yml | 5 +++- .../workflows/design-decision-gate.lock.yml | 5 +++- .../workflows/designer-drift-audit.lock.yml | 5 +++- .../detection-analysis-report.lock.yml | 5 +++- .github/workflows/dev-hawk.lock.yml | 5 +++- .github/workflows/dev.lock.yml | 5 +++- .../developer-docs-consolidator.lock.yml | 5 +++- .github/workflows/dictation-prompt.lock.yml | 5 +++- .../workflows/discussion-task-miner.lock.yml | 5 +++- .github/workflows/docs-noob-tester.lock.yml | 5 +++- .github/workflows/draft-pr-cleanup.lock.yml | 5 +++- .../duplicate-code-detector.lock.yml | 5 +++- .github/workflows/eslint-miner.lock.yml | 5 +++- .github/workflows/eslint-monster.lock.yml | 5 +++- .github/workflows/eslint-refiner.lock.yml | 5 +++- .../example-failure-category-filter.lock.yml | 5 +++- .../example-permissions-warning.lock.yml | 5 +++- .../example-workflow-analyzer.lock.yml | 5 +++- .github/workflows/firewall-escape.lock.yml | 5 +++- .github/workflows/firewall.lock.yml | 5 +++- .../workflows/functional-pragmatist.lock.yml | 5 +++- .../github-mcp-structural-analysis.lock.yml | 5 +++- .../github-mcp-tools-report.lock.yml | 5 +++- .../github-remote-mcp-auth-test.lock.yml | 5 +++- .../workflows/glossary-maintainer.lock.yml | 5 +++- .github/workflows/go-fan.lock.yml | 5 +++- .github/workflows/go-logger.lock.yml | 5 +++- .../workflows/go-pattern-detector.lock.yml | 5 +++- .github/workflows/gpclean.lock.yml | 5 +++- .github/workflows/grumpy-reviewer.lock.yml | 5 +++- .github/workflows/hippo-embed.lock.yml | 5 +++- .github/workflows/hourly-ci-cleaner.lock.yml | 5 +++- .../impeccable-skills-reviewer.lock.yml | 5 +++- .../workflows/instructions-janitor.lock.yml | 5 +++- .github/workflows/issue-arborist.lock.yml | 5 +++- .github/workflows/issue-monster.lock.yml | 5 +++- .github/workflows/issue-triage-agent.lock.yml | 5 +++- .github/workflows/jsweep.lock.yml | 5 +++- .../workflows/layout-spec-maintainer.lock.yml | 5 +++- .github/workflows/lint-monster.lock.yml | 5 +++- .github/workflows/linter-miner.lock.yml | 5 +++- .github/workflows/lockfile-stats.lock.yml | 5 +++- .../mattpocock-skills-reviewer.lock.yml | 5 +++- .github/workflows/mcp-inspector.lock.yml | 5 +++- .github/workflows/mergefest.lock.yml | 5 +++- .github/workflows/metrics-collector.lock.yml | 5 +++- .github/workflows/necromancer.lock.yml | 5 +++- .../workflows/notion-issue-summary.lock.yml | 5 +++- .../objective-impact-report.lock.yml | 5 +++- .github/workflows/org-health-report.lock.yml | 5 +++- .github/workflows/outcome-collector.lock.yml | 5 +++- .github/workflows/pdf-summary.lock.yml | 5 +++- .github/workflows/plan.lock.yml | 5 +++- .github/workflows/poem-bot.lock.yml | 5 +++- .github/workflows/portfolio-analyst.lock.yml | 5 +++- .../pr-code-quality-reviewer.lock.yml | 5 +++- .../workflows/pr-description-caveman.lock.yml | 5 +++- .../workflows/pr-nitpick-reviewer.lock.yml | 5 +++- .github/workflows/pr-sous-chef.lock.yml | 5 +++- .github/workflows/pr-triage-agent.lock.yml | 5 +++- .../prompt-clustering-analysis.lock.yml | 5 +++- .github/workflows/python-data-charts.lock.yml | 5 +++- .github/workflows/q.lock.yml | 5 +++- .../workflows/refactoring-cadence.lock.yml | 5 +++- .github/workflows/refiner.lock.yml | 5 +++- .github/workflows/release.lock.yml | 5 +++- .../workflows/repo-audit-analyzer.lock.yml | 5 +++- .github/workflows/repo-tree-map.lock.yml | 5 +++- .../repository-quality-improver.lock.yml | 5 +++- .github/workflows/research.lock.yml | 5 +++- .github/workflows/ruflo-backed-task.lock.yml | 5 +++- .github/workflows/safe-output-health.lock.yml | 5 +++- .../schema-consistency-checker.lock.yml | 5 +++- .../schema-feature-coverage.lock.yml | 5 +++- .github/workflows/scout.lock.yml | 5 +++- .../workflows/security-compliance.lock.yml | 5 +++- .github/workflows/security-review.lock.yml | 5 +++- .../semantic-function-refactor.lock.yml | 5 +++- .github/workflows/sergo.lock.yml | 5 +++- .github/workflows/skillet.lock.yml | 5 +++- .../workflows/slide-deck-maintainer.lock.yml | 5 +++- .../workflows/smoke-agent-all-merged.lock.yml | 5 +++- .../workflows/smoke-agent-all-none.lock.yml | 5 +++- .../smoke-agent-public-approved.lock.yml | 5 +++- .../smoke-agent-public-none.lock.yml | 5 +++- .../smoke-agent-scoped-approved.lock.yml | 5 +++- .github/workflows/smoke-antigravity.lock.yml | 5 +++- .../workflows/smoke-call-workflow.lock.yml | 5 +++- .github/workflows/smoke-ci.lock.yml | 5 +++- .../smoke-claude-on-copilot.lock.yml | 5 +++- .github/workflows/smoke-claude.lock.yml | 5 +++- .github/workflows/smoke-codex.lock.yml | 5 +++- .../smoke-copilot-aoai-apikey.lock.yml | 5 +++- .../smoke-copilot-aoai-entra.lock.yml | 5 +++- .github/workflows/smoke-copilot-arm.lock.yml | 5 +++- .github/workflows/smoke-copilot-sdk.lock.yml | 5 +++- .../smoke-copilot-sub-agents.lock.yml | 5 +++- .github/workflows/smoke-copilot.lock.yml | 5 +++- .../smoke-create-cross-repo-pr.lock.yml | 5 +++- .github/workflows/smoke-crush.lock.yml | 5 +++- .github/workflows/smoke-gemini.lock.yml | 5 +++- .github/workflows/smoke-multi-pr.lock.yml | 5 +++- .github/workflows/smoke-opencode.lock.yml | 5 +++- .../workflows/smoke-otel-backends.lock.yml | 5 +++- .github/workflows/smoke-pi.lock.yml | 5 +++- .github/workflows/smoke-project.lock.yml | 5 +++- .../workflows/smoke-service-ports.lock.yml | 5 +++- .github/workflows/smoke-temporary-id.lock.yml | 5 +++- .github/workflows/smoke-test-tools.lock.yml | 5 +++- .../smoke-update-cross-repo-pr.lock.yml | 5 +++- .../smoke-workflow-call-with-inputs.lock.yml | 5 +++- .../workflows/smoke-workflow-call.lock.yml | 5 +++- .github/workflows/spec-enforcer.lock.yml | 5 +++- .github/workflows/spec-extractor.lock.yml | 5 +++- .github/workflows/spec-librarian.lock.yml | 5 +++- .github/workflows/stale-pr-cleanup.lock.yml | 5 +++- .../workflows/stale-repo-identifier.lock.yml | 5 +++- .../workflows/static-analysis-report.lock.yml | 5 +++- .../workflows/step-name-alignment.lock.yml | 5 +++- .github/workflows/sub-issue-closer.lock.yml | 5 +++- .github/workflows/super-linter.lock.yml | 5 +++- .../workflows/technical-doc-writer.lock.yml | 5 +++- .github/workflows/terminal-stylist.lock.yml | 5 +++- .../test-create-pr-error-handling.lock.yml | 5 +++- .github/workflows/test-dispatcher.lock.yml | 5 +++- .../test-project-url-default.lock.yml | 5 +++- .../workflows/test-quality-sentinel.lock.yml | 5 +++- .github/workflows/test-workflow.lock.yml | 5 +++- .github/workflows/tidy.lock.yml | 5 +++- .github/workflows/typist.lock.yml | 5 +++- .../workflows/ubuntu-image-analyzer.lock.yml | 5 +++- .../uk-ai-operational-resilience.lock.yml | 5 +++- .github/workflows/unbloat-docs.lock.yml | 5 +++- .github/workflows/update-astro.lock.yml | 5 +++- .github/workflows/video-analyzer.lock.yml | 5 +++- .../visual-regression-checker.lock.yml | 5 +++- .../weekly-blog-post-writer.lock.yml | 5 +++- .../weekly-editors-health-check.lock.yml | 5 +++- .../workflows/weekly-issue-summary.lock.yml | 5 +++- .../weekly-safe-outputs-spec-review.lock.yml | 5 +++- .github/workflows/workflow-generator.lock.yml | 5 +++- .../workflow-health-manager.lock.yml | 5 +++- .../workflows/workflow-normalizer.lock.yml | 5 +++- .../workflow-skill-extractor.lock.yml | 5 +++- actions/setup/sh/create_gh_aw_tmp_dir.sh | 23 +++++++++++++++++++ pkg/workflow/compiled_lock_files_test.go | 6 +++-- pkg/workflow/engine_firewall_support.go | 18 +++++++++++---- pkg/workflow/engine_firewall_support_test.go | 15 ++++++++++++ .../TestWasmGolden_AllEngines/claude.golden | 5 +++- .../TestWasmGolden_AllEngines/codex.golden | 5 +++- .../TestWasmGolden_AllEngines/copilot.golden | 5 +++- .../TestWasmGolden_AllEngines/gemini.golden | 5 +++- .../TestWasmGolden_AllEngines/pi.golden | 5 +++- .../basic-copilot.golden | 5 +++- .../playwright-cli-mode.golden | 5 +++- .../smoke-copilot.golden | 5 +++- .../with-imports.golden | 5 +++- 271 files changed, 1124 insertions(+), 273 deletions(-) diff --git a/.github/workflows/ab-testing-advisor.lock.yml b/.github/workflows/ab-testing-advisor.lock.yml index b9b31fd786e..0a9d0e3ec23 100644 --- a/.github/workflows/ab-testing-advisor.lock.yml +++ b/.github/workflows/ab-testing-advisor.lock.yml @@ -958,7 +958,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 90411b35a85..8a696325409 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -918,7 +918,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index ce3712f290a..90ce908bd02 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1164,7 +1164,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 853bf95b036..b62d97593c4 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1081,7 +1081,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/agentic-token-audit.lock.yml b/.github/workflows/agentic-token-audit.lock.yml index 5dfce95053e..b163d55b24f 100644 --- a/.github/workflows/agentic-token-audit.lock.yml +++ b/.github/workflows/agentic-token-audit.lock.yml @@ -1091,7 +1091,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/agentic-token-optimizer.lock.yml b/.github/workflows/agentic-token-optimizer.lock.yml index b352ed36c14..70071509aaf 100644 --- a/.github/workflows/agentic-token-optimizer.lock.yml +++ b/.github/workflows/agentic-token-optimizer.lock.yml @@ -977,7 +977,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/agentic-token-trend-audit.lock.yml b/.github/workflows/agentic-token-trend-audit.lock.yml index 273674a790a..2828588d9db 100644 --- a/.github/workflows/agentic-token-trend-audit.lock.yml +++ b/.github/workflows/agentic-token-trend-audit.lock.yml @@ -1065,7 +1065,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index cfb3495c5ad..fd7d28f9644 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -1073,7 +1073,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index 515a9667918..44087804917 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -1415,7 +1415,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/approach-validator.lock.yml b/.github/workflows/approach-validator.lock.yml index e83a3f107a2..f430654923b 100644 --- a/.github/workflows/approach-validator.lock.yml +++ b/.github/workflows/approach-validator.lock.yml @@ -1142,7 +1142,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 25982af82e0..cf91f5fb916 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -1041,7 +1041,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/architecture-guardian.lock.yml b/.github/workflows/architecture-guardian.lock.yml index 64536778159..27a122cb41f 100644 --- a/.github/workflows/architecture-guardian.lock.yml +++ b/.github/workflows/architecture-guardian.lock.yml @@ -1041,7 +1041,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index e5de3ec4b6b..439845117c0 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -954,7 +954,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 96261aa333a..157a2f7e489 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1235,7 +1235,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 0651e7cacda..30ed002f00b 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -984,7 +984,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/avenger.lock.yml b/.github/workflows/avenger.lock.yml index d00d1f70701..a57827d4978 100644 --- a/.github/workflows/avenger.lock.yml +++ b/.github/workflows/avenger.lock.yml @@ -1066,7 +1066,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index c213112d778..d66d365e1fd 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml @@ -1235,7 +1235,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 1653edf6620..20dbf75f2c6 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1111,7 +1111,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 4865dac24df..f4883b8ba01 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -1035,7 +1035,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 060818d7155..9f17753104f 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1030,7 +1030,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index ae1ea3e163a..591ae6e4543 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -1038,7 +1038,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index be449427b18..fe402f37a59 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1078,7 +1078,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml index 86b51d8b3d1..f7194a70068 100644 --- a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml +++ b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml @@ -961,7 +961,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index ebbd319ac14..bf89b1b16ef 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1071,7 +1071,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 2dcebef0caa..91f2e96f161 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1235,7 +1235,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 32e03bcbc88..32fa6c6a1e2 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -1063,7 +1063,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 9fe032be5ab..66a36ef5036 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -968,7 +968,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 84886ebe748..d03be1ebac1 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1056,7 +1056,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 848fa3e44d5..20d130c98bd 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1340,7 +1340,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 2b91070a896..b5dfd0603a4 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1024,7 +1024,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index ca95612d606..e1f5cc4fbfd 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -994,7 +994,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index df2db690d6b..5b694e1017b 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -920,7 +920,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index c33b6633bec..11127c94902 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -925,7 +925,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index f987a657f53..2fbdbae37da 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -953,7 +953,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index cbd538d2ecc..22be4de3007 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -1094,7 +1094,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index bf70ea3bc11..6a92862d5d4 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1121,7 +1121,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-centralization-drilldown.lock.yml b/.github/workflows/copilot-centralization-drilldown.lock.yml index 76900948a34..23619e18ead 100644 --- a/.github/workflows/copilot-centralization-drilldown.lock.yml +++ b/.github/workflows/copilot-centralization-drilldown.lock.yml @@ -948,7 +948,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-centralization-optimizer.lock.yml b/.github/workflows/copilot-centralization-optimizer.lock.yml index 49202265b75..d4d5068f5e4 100644 --- a/.github/workflows/copilot-centralization-optimizer.lock.yml +++ b/.github/workflows/copilot-centralization-optimizer.lock.yml @@ -979,7 +979,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index caf97a9175f..0e8982d56b0 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -991,7 +991,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-opt.lock.yml b/.github/workflows/copilot-opt.lock.yml index 90f47e9ba5e..4c65703f0ab 100644 --- a/.github/workflows/copilot-opt.lock.yml +++ b/.github/workflows/copilot-opt.lock.yml @@ -1048,7 +1048,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 058bf624e5b..cc15ec47227 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -911,7 +911,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 42d0705af9c..ae7d5c37b35 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1069,7 +1069,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index a51e99cc0b5..57ac38fa1cb 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -1018,7 +1018,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 62a99f25912..c9b25494b25 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1133,7 +1133,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index e981cc51c13..4acd1736435 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1037,7 +1037,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index eddc44eed3c..2175e9868e1 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -1143,7 +1143,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index 5197698490d..cb2cbdcdfa0 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml +++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml @@ -1176,7 +1176,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-ambient-context-optimizer.lock.yml b/.github/workflows/daily-ambient-context-optimizer.lock.yml index 83476eedd13..5e95658a245 100644 --- a/.github/workflows/daily-ambient-context-optimizer.lock.yml +++ b/.github/workflows/daily-ambient-context-optimizer.lock.yml @@ -1069,7 +1069,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 750fcabd608..9b570ea233c 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -1101,7 +1101,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 0458e2e888a..2c32bf184da 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -966,7 +966,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml index 6ecf1a4ecb4..3c7a2628fba 100644 --- a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml +++ b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml @@ -1070,7 +1070,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml index 3d788423a43..180815469c7 100644 --- a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml +++ b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml @@ -1055,7 +1055,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml index 377b33d7a20..b9e0bce466b 100644 --- a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml +++ b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml @@ -953,7 +953,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index 49e36a69944..80e3e2a2557 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -982,7 +982,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 7a0fdac1a88..8002b4a066e 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml @@ -1192,7 +1192,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-caveman-optimizer.lock.yml b/.github/workflows/daily-caveman-optimizer.lock.yml index ee38116df0b..7d0373ecaf3 100644 --- a/.github/workflows/daily-caveman-optimizer.lock.yml +++ b/.github/workflows/daily-caveman-optimizer.lock.yml @@ -1095,7 +1095,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 5b7dc90e6aa..96253a238ff 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -1012,7 +1012,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 9c3abb0fb88..485e4fef6f5 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1233,7 +1233,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 5b302193e84..76598119074 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -1075,7 +1075,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 4aa0c1323ea..85c92a2f3ab 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1155,7 +1155,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 257dd5af477..0087e32b666 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -1122,7 +1122,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 68d1e2827f3..7b8130ea0f1 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1096,7 +1096,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml index c2544fa3214..d1540303df3 100644 --- a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml +++ b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml @@ -1037,7 +1037,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-credit-limit-test.lock.yml b/.github/workflows/daily-credit-limit-test.lock.yml index d7859fa4fcf..44a5324003d 100644 --- a/.github/workflows/daily-credit-limit-test.lock.yml +++ b/.github/workflows/daily-credit-limit-test.lock.yml @@ -929,7 +929,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index fcc0b7cd145..ff77b6cd46f 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -1199,7 +1199,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 4fb5e6767ea..dd43b75eec9 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1002,7 +1002,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-experiment-report.lock.yml b/.github/workflows/daily-experiment-report.lock.yml index b657579bee9..568880c12da 100644 --- a/.github/workflows/daily-experiment-report.lock.yml +++ b/.github/workflows/daily-experiment-report.lock.yml @@ -1072,7 +1072,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index a7527079b8f..94a08be5b44 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -1205,7 +1205,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 4fec39c8853..86576db62b0 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -1039,7 +1039,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 797f1183c91..d5aa2d503d2 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1031,7 +1031,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-formal-spec-verifier.lock.yml b/.github/workflows/daily-formal-spec-verifier.lock.yml index cc309da6d3e..8c52181af52 100644 --- a/.github/workflows/daily-formal-spec-verifier.lock.yml +++ b/.github/workflows/daily-formal-spec-verifier.lock.yml @@ -1049,7 +1049,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 7d45a7f9c18..1609d58f3fa 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -1023,7 +1023,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-geo-optimizer.lock.yml b/.github/workflows/daily-geo-optimizer.lock.yml index ff781dfdf56..4d2f570538f 100644 --- a/.github/workflows/daily-geo-optimizer.lock.yml +++ b/.github/workflows/daily-geo-optimizer.lock.yml @@ -1029,7 +1029,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-hippo-learn.lock.yml b/.github/workflows/daily-hippo-learn.lock.yml index f8a0536f19f..06146359100 100644 --- a/.github/workflows/daily-hippo-learn.lock.yml +++ b/.github/workflows/daily-hippo-learn.lock.yml @@ -1116,7 +1116,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 9afcf238b0c..a00e5d16208 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1241,7 +1241,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 9ef7335bf5d..f478133e4a0 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -997,7 +997,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-max-ai-credits-test.lock.yml b/.github/workflows/daily-max-ai-credits-test.lock.yml index 1d822371e7a..27e21b47b21 100644 --- a/.github/workflows/daily-max-ai-credits-test.lock.yml +++ b/.github/workflows/daily-max-ai-credits-test.lock.yml @@ -870,7 +870,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 66451752e84..57238651e39 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1102,7 +1102,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-model-inventory.lock.yml b/.github/workflows/daily-model-inventory.lock.yml index c6a18d32af5..7aaa162acf0 100644 --- a/.github/workflows/daily-model-inventory.lock.yml +++ b/.github/workflows/daily-model-inventory.lock.yml @@ -1003,7 +1003,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-model-resolution.lock.yml b/.github/workflows/daily-model-resolution.lock.yml index 2613b06c7eb..ee38255e9b7 100644 --- a/.github/workflows/daily-model-resolution.lock.yml +++ b/.github/workflows/daily-model-resolution.lock.yml @@ -1049,7 +1049,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 73b9bdc425e..0dcbd394d78 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1012,7 +1012,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index a15aeebfce1..856c315e994 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1183,7 +1183,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index a46247d11e4..dddd473e16b 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1086,7 +1086,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index a48a48f72a7..67376e85e2e 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1546,7 +1546,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index fb49e4ae082..62b90dd8cdc 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1470,7 +1470,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-reliability-review.lock.yml b/.github/workflows/daily-reliability-review.lock.yml index ccb648eb9f3..54e30a74ca3 100644 --- a/.github/workflows/daily-reliability-review.lock.yml +++ b/.github/workflows/daily-reliability-review.lock.yml @@ -1096,7 +1096,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index b263e1e1ef4..18b3de560ed 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1230,7 +1230,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 2cb1323e974..cec1980bb13 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1026,7 +1026,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index ccfe69c74aa..d01a5a4cb5d 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -1002,7 +1002,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 4844f8dd3e3..cb553ce9001 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1241,7 +1241,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index a9d4b047b76..711afc65697 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -1050,7 +1050,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml index 0ccde52c6ed..7d7ac47d02c 100644 --- a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml +++ b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml @@ -1104,7 +1104,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 398f42acabe..486ce5cacf9 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -957,7 +957,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index 7617de17a1f..229a669a1d4 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml @@ -1152,7 +1152,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 77057b8948e..b7e60c904ea 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -1127,7 +1127,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 964a9c244f0..33d5011a5f2 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -1030,7 +1030,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-sentrux-report.lock.yml b/.github/workflows/daily-sentrux-report.lock.yml index f9adfd976b2..f9cf25b5466 100644 --- a/.github/workflows/daily-sentrux-report.lock.yml +++ b/.github/workflows/daily-sentrux-report.lock.yml @@ -990,7 +990,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-skill-optimizer.lock.yml b/.github/workflows/daily-skill-optimizer.lock.yml index 62cc8d6bc17..c28f931fd1b 100644 --- a/.github/workflows/daily-skill-optimizer.lock.yml +++ b/.github/workflows/daily-skill-optimizer.lock.yml @@ -973,7 +973,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-spdd-spec-planner.lock.yml b/.github/workflows/daily-spdd-spec-planner.lock.yml index 0db6b748890..321bdc37039 100644 --- a/.github/workflows/daily-spdd-spec-planner.lock.yml +++ b/.github/workflows/daily-spdd-spec-planner.lock.yml @@ -1025,7 +1025,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index f1815da2b40..893c157dad3 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -975,7 +975,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index f7c80f71f9c..76f63ea08ce 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -1016,7 +1016,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 9fc023b8c51..a1415d85240 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -940,7 +940,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 5ea70de4b40..652e19f420f 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1073,7 +1073,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-token-consumption-report.lock.yml b/.github/workflows/daily-token-consumption-report.lock.yml index b7133eaa2c9..41300034015 100644 --- a/.github/workflows/daily-token-consumption-report.lock.yml +++ b/.github/workflows/daily-token-consumption-report.lock.yml @@ -1168,7 +1168,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml index 9944622b7e2..1b5f05254af 100644 --- a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml +++ b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml @@ -933,7 +933,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 35c1d615b64..d56d9c0bad9 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -968,7 +968,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/daily-yamllint-fixer.lock.yml b/.github/workflows/daily-yamllint-fixer.lock.yml index 29d0487e93a..9c6bb445b31 100644 --- a/.github/workflows/daily-yamllint-fixer.lock.yml +++ b/.github/workflows/daily-yamllint-fixer.lock.yml @@ -1047,7 +1047,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index a97f95d66f9..329f8ca3c1e 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -1289,7 +1289,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 43618b77a61..1ffdd332229 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1022,7 +1022,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index ed868f73e2f..4ac65c37095 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1475,7 +1475,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index ad512ebd2fc..475826fd4f5 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1056,7 +1056,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 652490c29a5..663da0b5606 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -1112,7 +1112,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 11a4476419d..89135821423 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -1020,7 +1020,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dependabot-repair.lock.yml b/.github/workflows/dependabot-repair.lock.yml index 3182bcc67ee..ba0309a8fb7 100644 --- a/.github/workflows/dependabot-repair.lock.yml +++ b/.github/workflows/dependabot-repair.lock.yml @@ -1061,7 +1061,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/deployment-incident-monitor.lock.yml b/.github/workflows/deployment-incident-monitor.lock.yml index 7bff68c05fd..f1ba157171d 100644 --- a/.github/workflows/deployment-incident-monitor.lock.yml +++ b/.github/workflows/deployment-incident-monitor.lock.yml @@ -979,7 +979,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml index 06f78ac9aed..760ea09b5b4 100644 --- a/.github/workflows/design-decision-gate.lock.yml +++ b/.github/workflows/design-decision-gate.lock.yml @@ -1160,7 +1160,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/designer-drift-audit.lock.yml b/.github/workflows/designer-drift-audit.lock.yml index 67ca1e23de1..8915cacddba 100644 --- a/.github/workflows/designer-drift-audit.lock.yml +++ b/.github/workflows/designer-drift-audit.lock.yml @@ -939,7 +939,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/detection-analysis-report.lock.yml b/.github/workflows/detection-analysis-report.lock.yml index 1c549fea431..58db75892f9 100644 --- a/.github/workflows/detection-analysis-report.lock.yml +++ b/.github/workflows/detection-analysis-report.lock.yml @@ -1172,7 +1172,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 049c5e8526f..55b8da8ec06 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1087,7 +1087,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index c69227a401e..3ee80523221 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1052,7 +1052,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 58f83fc6039..6d1e9e87b64 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1180,7 +1180,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index eb7d2777663..ed042b14d50 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -970,7 +970,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 5c7d1eb4165..1c9e2daab1a 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1034,7 +1034,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 119fdb96cf2..414c3fe0105 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -1006,7 +1006,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 46eaea101fc..f994b197c53 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -1001,7 +1001,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 9c4ae2e989e..e222cca4846 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -1058,7 +1058,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/eslint-miner.lock.yml b/.github/workflows/eslint-miner.lock.yml index 4ebe4b7587b..d00a68754db 100644 --- a/.github/workflows/eslint-miner.lock.yml +++ b/.github/workflows/eslint-miner.lock.yml @@ -978,7 +978,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/eslint-monster.lock.yml b/.github/workflows/eslint-monster.lock.yml index d8a9f636119..b4ddaa41897 100644 --- a/.github/workflows/eslint-monster.lock.yml +++ b/.github/workflows/eslint-monster.lock.yml @@ -1063,7 +1063,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/eslint-refiner.lock.yml b/.github/workflows/eslint-refiner.lock.yml index 8bfa6e9117b..425a94cf056 100644 --- a/.github/workflows/eslint-refiner.lock.yml +++ b/.github/workflows/eslint-refiner.lock.yml @@ -1092,7 +1092,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/example-failure-category-filter.lock.yml b/.github/workflows/example-failure-category-filter.lock.yml index b7b5c682e3a..0da1d480823 100644 --- a/.github/workflows/example-failure-category-filter.lock.yml +++ b/.github/workflows/example-failure-category-filter.lock.yml @@ -920,7 +920,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index f274ac7b490..4db5596df50 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -885,7 +885,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index e34cca0595a..ac8a3de6822 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1099,7 +1099,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index e17d51b0a1e..05ca5316d96 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -1027,7 +1027,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index afa13696180..90390548ef3 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -888,7 +888,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index fe4305550e9..b880854a9d4 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -968,7 +968,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 29892a3fd22..f4d79ebb882 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1085,7 +1085,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 1802903c714..aca0b78da0d 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1086,7 +1086,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 799c5c8e369..b8b28a6436a 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -965,7 +965,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index bf135793a71..635119fcbca 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1085,7 +1085,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 6c7838420c9..e34af1fea5e 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1127,7 +1127,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index cc291ace470..dac7e6dfb8f 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1108,7 +1108,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index d7eeee0411a..5431b621c1e 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1043,7 +1043,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 03d9c6595d0..02b3fc189c3 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -1035,7 +1035,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 6b791c7d092..51009d6615d 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1088,7 +1088,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/hippo-embed.lock.yml b/.github/workflows/hippo-embed.lock.yml index 52a332e4737..69c70a0b8cf 100644 --- a/.github/workflows/hippo-embed.lock.yml +++ b/.github/workflows/hippo-embed.lock.yml @@ -1014,7 +1014,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 787b6435878..cc8d1457f3f 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1073,7 +1073,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/impeccable-skills-reviewer.lock.yml b/.github/workflows/impeccable-skills-reviewer.lock.yml index 3d31d175f7d..f61ffc07c51 100644 --- a/.github/workflows/impeccable-skills-reviewer.lock.yml +++ b/.github/workflows/impeccable-skills-reviewer.lock.yml @@ -1049,7 +1049,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 77296fd20fd..6d95049a40f 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1084,7 +1084,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index e422675da1e..aac86371823 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1132,7 +1132,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index ecf39b3a30c..c5d61902702 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1338,7 +1338,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 354e767734d..8316ea0eef0 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -939,7 +939,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index d51301aff59..cb42ce69950 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -1013,7 +1013,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 1237ebec841..c0aefee92fa 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -1015,7 +1015,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/lint-monster.lock.yml b/.github/workflows/lint-monster.lock.yml index 5f0606f7409..98abd9f3070 100644 --- a/.github/workflows/lint-monster.lock.yml +++ b/.github/workflows/lint-monster.lock.yml @@ -1058,7 +1058,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/linter-miner.lock.yml b/.github/workflows/linter-miner.lock.yml index bd6ae385657..da10f3e959b 100644 --- a/.github/workflows/linter-miner.lock.yml +++ b/.github/workflows/linter-miner.lock.yml @@ -1041,7 +1041,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 7a51cb46d8b..80da825f6b8 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -1037,7 +1037,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index ed7cd7b2ee3..c8b2f01406f 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -1197,7 +1197,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 3d5f54114ca..ffa48f776e4 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1528,7 +1528,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 5e23b5f99f6..231b4511a91 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -1055,7 +1055,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index ffd4650d0ea..c72c7a645f1 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -1082,7 +1082,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/necromancer.lock.yml b/.github/workflows/necromancer.lock.yml index f4ca99b7671..65b07bd4555 100644 --- a/.github/workflows/necromancer.lock.yml +++ b/.github/workflows/necromancer.lock.yml @@ -1073,7 +1073,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 6fe8c706bfa..48503f746c5 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -965,7 +965,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/objective-impact-report.lock.yml b/.github/workflows/objective-impact-report.lock.yml index e51975d7ef8..8922c7e0088 100644 --- a/.github/workflows/objective-impact-report.lock.yml +++ b/.github/workflows/objective-impact-report.lock.yml @@ -994,7 +994,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 66b00730c70..49c6bade8fd 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1029,7 +1029,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/outcome-collector.lock.yml b/.github/workflows/outcome-collector.lock.yml index a6815c1aee5..34da5ad7a83 100644 --- a/.github/workflows/outcome-collector.lock.yml +++ b/.github/workflows/outcome-collector.lock.yml @@ -999,7 +999,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index ae4ec4cfc96..067d843c4eb 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1102,7 +1102,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index dc45c1bedf7..cf12005ce48 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1095,7 +1095,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index ba219194e19..9e163e48a54 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1307,7 +1307,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 6c7bbdf50cc..03d0352f848 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1169,7 +1169,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/pr-code-quality-reviewer.lock.yml b/.github/workflows/pr-code-quality-reviewer.lock.yml index 477f155fbc1..f698eee883a 100644 --- a/.github/workflows/pr-code-quality-reviewer.lock.yml +++ b/.github/workflows/pr-code-quality-reviewer.lock.yml @@ -1060,7 +1060,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/pr-description-caveman.lock.yml b/.github/workflows/pr-description-caveman.lock.yml index 77294237cd3..1d85b6ee95a 100644 --- a/.github/workflows/pr-description-caveman.lock.yml +++ b/.github/workflows/pr-description-caveman.lock.yml @@ -993,7 +993,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 0d15cd3898e..0d8c72630e2 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1086,7 +1086,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 91c0a97bc46..d67336d5596 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -1324,7 +1324,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 14e96346007..f6a34c540d9 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1099,7 +1099,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 8c515518318..de59804f7fc 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1206,7 +1206,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index bc58fd72755..7f60992c767 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1108,7 +1108,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 87b4c7352aa..db6af4501d6 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1195,7 +1195,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/refactoring-cadence.lock.yml b/.github/workflows/refactoring-cadence.lock.yml index 717da5f9f82..42344fecd26 100644 --- a/.github/workflows/refactoring-cadence.lock.yml +++ b/.github/workflows/refactoring-cadence.lock.yml @@ -993,7 +993,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 51a195fb34b..f9cea9c8e20 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1094,7 +1094,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 72298168c63..6c45150d4ea 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1003,7 +1003,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 01cadf93b70..31a7bb2c2eb 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -981,7 +981,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 9a339964b4d..e697efb004d 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -949,7 +949,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index ba9f072c7b8..29d0002aca8 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -991,7 +991,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index ae21bff016a..4e291124155 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -980,7 +980,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/ruflo-backed-task.lock.yml b/.github/workflows/ruflo-backed-task.lock.yml index 463a9cc82b7..2a8e6f5beb3 100644 --- a/.github/workflows/ruflo-backed-task.lock.yml +++ b/.github/workflows/ruflo-backed-task.lock.yml @@ -1174,7 +1174,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 4d1052f30b2..c852f755659 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1154,7 +1154,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 4a8717144e6..4785a1fdf79 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -964,7 +964,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index d9418f99aee..1414aa8765f 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -1021,7 +1021,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index ee38950f9c7..a4a8edb7f45 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1242,7 +1242,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 501c459d387..385c7c4bfd9 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -1000,7 +1000,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index ed0ca3f2e38..98e4ebb00ed 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1134,7 +1134,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index c24e7d67818..c8e965d2abe 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1100,7 +1100,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 3018a02b5f0..081903f4df1 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1133,7 +1133,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/skillet.lock.yml b/.github/workflows/skillet.lock.yml index b3ba0d8202e..47f4489e156 100644 --- a/.github/workflows/skillet.lock.yml +++ b/.github/workflows/skillet.lock.yml @@ -1065,7 +1065,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index d5f60c410d2..11f6d1ce73e 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1082,7 +1082,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 0660d3483f7..47319bdcf0a 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -1057,7 +1057,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index c19bd80f530..6345108b9a4 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -1057,7 +1057,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 08b69c573f0..3e1ec1403f6 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -1088,7 +1088,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 7ae226ccf77..2295c78c72e 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -1057,7 +1057,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 9a3f6f1663a..51856e1039b 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -1064,7 +1064,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-antigravity.lock.yml b/.github/workflows/smoke-antigravity.lock.yml index 8949b2beb00..34931c9eae5 100644 --- a/.github/workflows/smoke-antigravity.lock.yml +++ b/.github/workflows/smoke-antigravity.lock.yml @@ -1114,7 +1114,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index ce29cfb5e20..eba95a524a1 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -1043,7 +1043,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-ci.lock.yml b/.github/workflows/smoke-ci.lock.yml index fbe89a7c3be..fa4030ee503 100644 --- a/.github/workflows/smoke-ci.lock.yml +++ b/.github/workflows/smoke-ci.lock.yml @@ -1231,7 +1231,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-claude-on-copilot.lock.yml b/.github/workflows/smoke-claude-on-copilot.lock.yml index 356a088b48f..27817ba6ff0 100644 --- a/.github/workflows/smoke-claude-on-copilot.lock.yml +++ b/.github/workflows/smoke-claude-on-copilot.lock.yml @@ -1032,7 +1032,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 46dbc3c2a1d..a85fdec1b25 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1872,7 +1872,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index b4c51ce9c68..ce5a8b4527e 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1401,7 +1401,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml index 21fcd80bdc4..1db8323a529 100644 --- a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml @@ -2059,7 +2059,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-copilot-aoai-entra.lock.yml b/.github/workflows/smoke-copilot-aoai-entra.lock.yml index 15114322a04..c557ab791cd 100644 --- a/.github/workflows/smoke-copilot-aoai-entra.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-entra.lock.yml @@ -2062,7 +2062,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 82338bafd37..6570d586a2a 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1899,7 +1899,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-copilot-sdk.lock.yml b/.github/workflows/smoke-copilot-sdk.lock.yml index b1da9f19ee6..b3be288bd95 100644 --- a/.github/workflows/smoke-copilot-sdk.lock.yml +++ b/.github/workflows/smoke-copilot-sdk.lock.yml @@ -1013,7 +1013,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-copilot-sub-agents.lock.yml b/.github/workflows/smoke-copilot-sub-agents.lock.yml index 8ec3c737f03..df2ee723756 100644 --- a/.github/workflows/smoke-copilot-sub-agents.lock.yml +++ b/.github/workflows/smoke-copilot-sub-agents.lock.yml @@ -930,7 +930,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index bc2b0ddd920..c76a2e1d36c 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -2072,7 +2072,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 51e7f318d94..3122776303a 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -1123,7 +1123,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-crush.lock.yml b/.github/workflows/smoke-crush.lock.yml index 93f73defa45..da2ffb8e931 100644 --- a/.github/workflows/smoke-crush.lock.yml +++ b/.github/workflows/smoke-crush.lock.yml @@ -1028,7 +1028,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 0a81dee6001..d1490e47a62 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1118,7 +1118,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index ae824465d12..65c0dd0e530 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1074,7 +1074,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index ac028970d45..446562fc121 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1032,7 +1032,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 2e013b28739..71d4e2afd85 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml +++ b/.github/workflows/smoke-otel-backends.lock.yml @@ -1184,7 +1184,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml index 5bbe9ddbf8d..47dfd38e8d8 100644 --- a/.github/workflows/smoke-pi.lock.yml +++ b/.github/workflows/smoke-pi.lock.yml @@ -1071,7 +1071,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 64b75558d62..483fc165457 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1251,7 +1251,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-service-ports.lock.yml b/.github/workflows/smoke-service-ports.lock.yml index 0a69103ef4b..fe1c7fa2c2e 100644 --- a/.github/workflows/smoke-service-ports.lock.yml +++ b/.github/workflows/smoke-service-ports.lock.yml @@ -1003,7 +1003,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 7f4b6139ec7..e43d3bb8935 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1102,7 +1102,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 2f24809a94a..8cce0ae735f 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1033,7 +1033,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 11f10c694bf..63a726f6c3e 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1135,7 +1135,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index df6a53edfbb..ecbf3a14f3e 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -1058,7 +1058,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index a9e543f5f52..3819c7b3793 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -1045,7 +1045,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/spec-enforcer.lock.yml b/.github/workflows/spec-enforcer.lock.yml index 7eb0e0a9800..9cb81bc5ee0 100644 --- a/.github/workflows/spec-enforcer.lock.yml +++ b/.github/workflows/spec-enforcer.lock.yml @@ -978,7 +978,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/spec-extractor.lock.yml b/.github/workflows/spec-extractor.lock.yml index 149518e3142..b5f2626d1d5 100644 --- a/.github/workflows/spec-extractor.lock.yml +++ b/.github/workflows/spec-extractor.lock.yml @@ -1073,7 +1073,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/spec-librarian.lock.yml b/.github/workflows/spec-librarian.lock.yml index cd9cfbb61b9..b29879c2e06 100644 --- a/.github/workflows/spec-librarian.lock.yml +++ b/.github/workflows/spec-librarian.lock.yml @@ -1054,7 +1054,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/stale-pr-cleanup.lock.yml b/.github/workflows/stale-pr-cleanup.lock.yml index 80b6c04fa62..7b95206f9e7 100644 --- a/.github/workflows/stale-pr-cleanup.lock.yml +++ b/.github/workflows/stale-pr-cleanup.lock.yml @@ -996,7 +996,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 77ecfc0a24f..0a96854e3a9 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1166,7 +1166,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index d2fe8546aec..83ab9992920 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1186,7 +1186,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 4b79754924a..0a03e9ea4d6 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1072,7 +1072,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 17f0ca26158..d84e24b9961 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -996,7 +996,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index 83dcf13a089..cf81a571039 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -1001,7 +1001,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 81c997252b7..08cf47efa13 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1073,7 +1073,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 0053ac6dabc..f1299d89e46 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -990,7 +990,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index de41afc3cf4..682e9e421b3 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1046,7 +1046,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 052f1aea19f..2c0b2af910b 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -950,7 +950,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index ea7bc073916..9c95c81255c 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -995,7 +995,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/test-quality-sentinel.lock.yml b/.github/workflows/test-quality-sentinel.lock.yml index 8bf86075ece..e9c2a188a97 100644 --- a/.github/workflows/test-quality-sentinel.lock.yml +++ b/.github/workflows/test-quality-sentinel.lock.yml @@ -1099,7 +1099,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index 2f62068bb77..d730f36610c 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -881,7 +881,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 525bd249c60..fc6af792f5e 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1096,7 +1096,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 66ddfbce79a..286d3d90e49 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -1111,7 +1111,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 6e3c9d9529b..911ac9d647e 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -1010,7 +1010,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/uk-ai-operational-resilience.lock.yml b/.github/workflows/uk-ai-operational-resilience.lock.yml index 7c543a03c99..4372e6683df 100644 --- a/.github/workflows/uk-ai-operational-resilience.lock.yml +++ b/.github/workflows/uk-ai-operational-resilience.lock.yml @@ -1028,7 +1028,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 45c16f2659d..f21910957d0 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1069,7 +1069,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index a582474e291..30673184a1b 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -985,7 +985,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 0f911b00f67..fdddddc9a34 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -971,7 +971,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/visual-regression-checker.lock.yml b/.github/workflows/visual-regression-checker.lock.yml index 110e8bba6d3..7dfc95abb69 100644 --- a/.github/workflows/visual-regression-checker.lock.yml +++ b/.github/workflows/visual-regression-checker.lock.yml @@ -1041,7 +1041,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index cb23fe4e768..e6902fc09b6 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -1165,7 +1165,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 1740655cfd3..e6e774ba44d 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1027,7 +1027,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 77c4ceea083..83ba9d78cae 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -1001,7 +1001,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index a8a031e8868..11ecd04b4cc 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -965,7 +965,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 44e222de3c6..8a7a08a6247 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1035,7 +1035,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 063416da509..c8ad380aa81 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1067,7 +1067,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 817050842cc..730e361941d 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1045,7 +1045,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 5a1f7d5ec8c..850c6359560 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1014,7 +1014,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/actions/setup/sh/create_gh_aw_tmp_dir.sh b/actions/setup/sh/create_gh_aw_tmp_dir.sh index bd7c0a92aeb..fe889660084 100755 --- a/actions/setup/sh/create_gh_aw_tmp_dir.sh +++ b/actions/setup/sh/create_gh_aw_tmp_dir.sh @@ -1,5 +1,28 @@ #!/usr/bin/env bash set +o histexpand + +# Reclaim stale root-owned /tmp/gh-aw/sandbox/firewall before creating it fresh. +# A previous AWF run can leave this directory owned by root (Docker containers run as root, +# e.g. Squid runs as UID 13 inside a container, writing files to the host-mounted volume). +# setup.sh removes the entire /tmp/gh-aw tree using sudo, but if that cleanup partially +# failed (e.g. sudo was unavailable), the stale directory persists here. +# This targeted cleanup is defense-in-depth: it removes the specific directory that AWF's +# writeConfigs step will try to populate, so AWF can always create it fresh as the runner user. +if [ -d /tmp/gh-aw/sandbox/firewall ] && [ ! -w /tmp/gh-aw/sandbox/firewall ]; then + echo "Pre-flight: /tmp/gh-aw/sandbox/firewall is not writable (likely root-owned from prior AWF run); reclaiming with sudo" + if command -v sudo >/dev/null 2>&1; then + sudo -n rm -rf /tmp/gh-aw/sandbox/firewall 2>/dev/null || echo "::warning::sudo rm failed for /tmp/gh-aw/sandbox/firewall; AWF may fail with EACCES" + else + echo "::warning::sudo unavailable; cannot reclaim /tmp/gh-aw/sandbox/firewall; AWF may fail with EACCES" + fi +fi + mkdir -p /tmp/gh-aw/agent mkdir -p /tmp/gh-aw/sandbox/agent/logs +# Pre-create the firewall sandbox dirs as the runner user (uid=1001) before AWF starts. +# If the stale directory was successfully removed above, these create fresh dirs. +# If removal failed and the dirs still exist as root-owned, mkdir -p will emit EACCES here +# rather than deep inside AWF, surfacing the problem at an earlier step. +mkdir -p /tmp/gh-aw/sandbox/firewall/logs +mkdir -p /tmp/gh-aw/sandbox/firewall/audit echo "Created /tmp/gh-aw/agent directory for agentic workflow temporary files" diff --git a/pkg/workflow/compiled_lock_files_test.go b/pkg/workflow/compiled_lock_files_test.go index d083fff78da..8f746074f8d 100644 --- a/pkg/workflow/compiled_lock_files_test.go +++ b/pkg/workflow/compiled_lock_files_test.go @@ -443,7 +443,9 @@ func TestCompiledLockFiles_SmokeCallWorkflowForwardsAwContext(t *testing.T) { t.Run("CallWorkflowJobForwardsGeneratedAwContext", func(t *testing.T) { assert.Contains(t, lockContent, "call-smoke-workflow-call:", "lock file should contain the call-workflow job") - assert.Contains(t, lockContent, "aw_context:", "call-workflow job should synthesize aw_context directly in YAML") - assert.Contains(t, lockContent, "${{ fromJSON(needs.safe_outputs.outputs.call_workflow_payload).aw_context }}", "call-workflow job should forward aw_context from the handler payload") + // smoke-workflow-call.md declares 'payload' and 'task-description' as workflow_call inputs; + // the caller job forwards both from the safe_outputs payload. + assert.Contains(t, lockContent, "payload: ${{ needs.safe_outputs.outputs.call_workflow_payload }}", "call-workflow job should forward payload from safe_outputs") + assert.Contains(t, lockContent, "${{ fromJSON(needs.safe_outputs.outputs.call_workflow_payload)['task-description'] }}", "call-workflow job should forward task-description from the handler payload") }) } diff --git a/pkg/workflow/engine_firewall_support.go b/pkg/workflow/engine_firewall_support.go index e62dbb5dd33..8b4b361bf9f 100644 --- a/pkg/workflow/engine_firewall_support.go +++ b/pkg/workflow/engine_firewall_support.go @@ -148,15 +148,25 @@ func generateFirewallLogParsingStep(workflowName string, workflowData *WorkflowD // AWF's own post-run cleanup (fixArtifactPermissionsForRootless) normally handles // this, but if AWF is killed by timeout or OOM, the cleanup never runs. // Use a non-sudo chmod as a best-effort fallback for artifact upload accessibility. + // + // The chown reclaims ownership back to the runner user so the NEXT run's setup.sh + // can remove /tmp/gh-aw with a plain `rm -rf` (no sudo required). Without chown, + // the root-owned sandbox/firewall tree causes EACCES in consecutive runs on reused + // runners and the agent never starts. if !isAWFNetworkIsolationEnabled(workflowData) { stepLines = append(stepLines, - " # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts", - " # AWF runs with sudo, creating files owned by root", - fmt.Sprintf(" sudo chmod -R a+rX %s 2>/dev/null || true", firewallDir), + " # Reclaim ownership and fix permissions on firewall dirs for artifact upload and next-run cleanup.", + " # AWF runs with sudo, creating files owned by root; chown transfers ownership back to the runner", + " # user so the next run's setup.sh can rm -rf /tmp/gh-aw without requiring sudo.", + fmt.Sprintf(" sudo chown -R \"$(id -u):$(id -g)\" %[1]s 2>/dev/null || true", firewallDir), + fmt.Sprintf(" sudo chmod -R a+rX %[1]s 2>/dev/null || true", firewallDir), ) } else { stepLines = append(stepLines, - " # Best-effort permission fix for artifact upload (AWF cleanup may not have run)", + " # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run).", + " # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw", + " # without requiring sudo, preventing EACCES failures on reused runners.", + fmt.Sprintf(" sudo -n chown -R \"$(id -u):$(id -g)\" %[1]s 2>/dev/null || true", firewallDir), fmt.Sprintf(" sudo -n chmod -R a+rX %[1]s 2>/dev/null || chmod -R a+rX %[1]s 2>/dev/null || true", firewallDir), ) } diff --git a/pkg/workflow/engine_firewall_support_test.go b/pkg/workflow/engine_firewall_support_test.go index 51a311a46b8..2f9895f477a 100644 --- a/pkg/workflow/engine_firewall_support_test.go +++ b/pkg/workflow/engine_firewall_support_test.go @@ -284,6 +284,11 @@ func TestGenerateFirewallLogParsingStepFixesFirewallPermissions(t *testing.T) { if !strings.Contains(stepContent, "sudo chmod -R a+rX "+expectedFirewallDir+" 2>/dev/null || true") { t.Error("Expected firewall log parsing step to chmod the parent firewall directory for logs and audit upload") } + + // chown reclaims ownership back to the runner user so the next run can rm -rf /tmp/gh-aw without sudo + if !strings.Contains(stepContent, `sudo chown -R "$(id -u):$(id -g)" `+expectedFirewallDir) { + t.Error("Expected firewall log parsing step to chown the firewall directory back to runner user to prevent EACCES on reused runners") + } } func TestGenerateFirewallLogParsingStepNetworkIsolationOmitsSudo(t *testing.T) { @@ -308,6 +313,11 @@ func TestGenerateFirewallLogParsingStepNetworkIsolationOmitsSudo(t *testing.T) { t.Error("Expected firewall log parsing step to contain best-effort chmod for artifact upload even in network-isolation mode") } + // Should contain best-effort non-sudo chown to reclaim ownership for next run + if !strings.Contains(stepContent, `sudo -n chown -R "$(id -u):$(id -g)"`) { + t.Error("Expected firewall log parsing step to contain best-effort chown to reclaim ownership for next-run cleanup") + } + // Should still contain the awf logs summary logic if !strings.Contains(stepContent, "awf logs summary") { t.Error("Expected firewall log parsing step to contain awf logs summary") @@ -331,4 +341,9 @@ func TestGenerateFirewallLogParsingStepWithNetworkIsolationFalse(t *testing.T) { if !strings.Contains(stepContent, "sudo chmod -R a+rX") { t.Error("Expected sudo chmod when NetworkIsolation is explicitly false") } + + // And sudo chown to reclaim ownership for next run + if !strings.Contains(stepContent, `sudo chown -R "$(id -u):$(id -g)"`) { + t.Error("Expected sudo chown to reclaim ownership when NetworkIsolation is explicitly false") + } } diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden index f163c924fd1..513b7909e7f 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden @@ -695,7 +695,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden index 9786d493e70..84a1e49ebb8 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden @@ -665,7 +665,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden index 7db9b28cf9d..985350f80ec 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden @@ -639,7 +639,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden index 60e342fd7f5..798c4488c80 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden @@ -619,7 +619,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden index ffa6c7f0334..76ff318f770 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden @@ -565,7 +565,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden index d6aa5750f50..37c47adcbd1 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -639,7 +639,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden index f3a53402be5..ffa108d2b7d 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden @@ -659,7 +659,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 9d52816b457..1446a0ac23a 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -899,7 +899,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden index 8c8a1a865a0..2204f2a4402 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden @@ -640,7 +640,10 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then From 7b2617773515cd32a8778c000788fc05746bfeb4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 13:22:21 +0000 Subject: [PATCH 4/8] plan: address review feedback on comments, test names, and shell script hardening Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ai-moderator.lock.yml | 12 ++++++++++++ .github/workflows/auto-triage-issues.lock.yml | 12 ++++++++++++ .github/workflows/contribution-check.lock.yml | 13 +++++++++++++ .../daily-agent-of-the-day-blog-writer.lock.yml | 13 +++++++++++++ .github/workflows/daily-doc-updater.lock.yml | 12 ++++++++++++ .github/workflows/daily-issues-report.lock.yml | 12 ++++++++++++ .github/workflows/daily-team-status.lock.yml | 12 ++++++++++++ .../dataflow-pr-discussion-dataset.lock.yml | 12 ++++++++++++ .github/workflows/discussion-task-miner.lock.yml | 12 ++++++++++++ .github/workflows/grumpy-reviewer.lock.yml | 12 ++++++++++++ .../workflows/impeccable-skills-reviewer.lock.yml | 12 ++++++++++++ .github/workflows/issue-arborist.lock.yml | 12 ++++++++++++ .github/workflows/issue-monster.lock.yml | 12 ++++++++++++ .github/workflows/issue-triage-agent.lock.yml | 12 ++++++++++++ .../workflows/mattpocock-skills-reviewer.lock.yml | 12 ++++++++++++ .github/workflows/org-health-report.lock.yml | 12 ++++++++++++ .github/workflows/plan.lock.yml | 13 +++++++++++++ .github/workflows/pr-code-quality-reviewer.lock.yml | 12 ++++++++++++ .github/workflows/pr-nitpick-reviewer.lock.yml | 12 ++++++++++++ .github/workflows/pr-sous-chef.lock.yml | 12 ++++++++++++ .github/workflows/pr-triage-agent.lock.yml | 12 ++++++++++++ .github/workflows/q.lock.yml | 12 ++++++++++++ .github/workflows/refiner.lock.yml | 12 ++++++++++++ .github/workflows/scout.lock.yml | 13 +++++++++++++ .github/workflows/security-review.lock.yml | 12 ++++++++++++ .github/workflows/skillet.lock.yml | 12 ++++++++++++ .github/workflows/smoke-agent-all-merged.lock.yml | 13 +++++++++++++ .github/workflows/smoke-agent-all-none.lock.yml | 13 +++++++++++++ .../workflows/smoke-agent-public-approved.lock.yml | 13 +++++++++++++ .github/workflows/smoke-agent-public-none.lock.yml | 13 +++++++++++++ .../workflows/smoke-agent-scoped-approved.lock.yml | 13 +++++++++++++ .../workflows/smoke-copilot-aoai-apikey.lock.yml | 12 ++++++++++++ .github/workflows/smoke-copilot-aoai-entra.lock.yml | 12 ++++++++++++ .github/workflows/smoke-copilot.lock.yml | 12 ++++++++++++ .github/workflows/stale-repo-identifier.lock.yml | 12 ++++++++++++ .github/workflows/weekly-blog-post-writer.lock.yml | 13 +++++++++++++ .github/workflows/weekly-issue-summary.lock.yml | 12 ++++++++++++ .../weekly-safe-outputs-spec-review.lock.yml | 12 ++++++++++++ .github/workflows/workflow-generator.lock.yml | 12 ++++++++++++ 39 files changed, 478 insertions(+) diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index fd7d28f9644..b25b6ccb799 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -591,6 +592,17 @@ jobs: run: npm install --ignore-scripts -g @openai/codex@0.142.5 - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 30ed002f00b..f8c0f77bb3a 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -553,6 +554,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 22be4de3007..ff2a13e5f55 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # # Container images used: @@ -601,6 +602,18 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + GH_AW_GITHUB_REPOS: 'all' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index 2175e9868e1..a2ba9661ee2 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # - docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 @@ -581,6 +582,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + GH_AW_GITHUB_REPOS: '["github/gh-aw"]' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index dd43b75eec9..312abf2e008 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -577,6 +578,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index a00e5d16208..35b6cc447f8 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -54,6 +54,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -774,6 +775,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Python) run: cd "${GITHUB_WORKSPACE}" && python3 -m pip install --disable-pip-version-check github-copilot-sdk==1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index a1415d85240..51ee9b45cd1 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -43,6 +43,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -493,6 +494,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index 329f8ca3c1e..065bb58c201 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # - safedep/pmg@46cc70db535107183c9e752bb55d1d5c5f1a9290 # v1 @@ -821,6 +822,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 1c9e2daab1a..89ac103d692 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -535,6 +536,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 51009d6615d..ecf65bfd53d 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -50,6 +50,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -576,6 +577,17 @@ jobs: run: npm install --ignore-scripts -g @openai/codex@0.142.5 - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/impeccable-skills-reviewer.lock.yml b/.github/workflows/impeccable-skills-reviewer.lock.yml index f61ffc07c51..ed826e81de2 100644 --- a/.github/workflows/impeccable-skills-reviewer.lock.yml +++ b/.github/workflows/impeccable-skills-reviewer.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -536,6 +537,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index aac86371823..8633c4a80d9 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -50,6 +50,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -604,6 +605,17 @@ jobs: run: npm install --ignore-scripts -g @openai/codex@0.142.5 - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index c5d61902702..55675c36993 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -48,6 +48,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -907,6 +908,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 8316ea0eef0..d9ecfaeac4c 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -46,6 +46,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -493,6 +494,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index c8b2f01406f..2d0ed316089 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -48,6 +48,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -684,6 +685,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 49c6bade8fd..16307757967 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -565,6 +566,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index cf12005ce48..605b252bc0d 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -45,6 +45,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -614,6 +615,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + GH_AW_GITHUB_REPOS: 'all' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-code-quality-reviewer.lock.yml b/.github/workflows/pr-code-quality-reviewer.lock.yml index f698eee883a..b2df510a4d3 100644 --- a/.github/workflows/pr-code-quality-reviewer.lock.yml +++ b/.github/workflows/pr-code-quality-reviewer.lock.yml @@ -48,6 +48,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -570,6 +571,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 0d8c72630e2..216822a975f 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -576,6 +577,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index d67336d5596..7534a7e9ed9 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -782,6 +783,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Pi CLI run: npm install --ignore-scripts -g @earendil-works/pi-coding-agent@0.80.3 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index f6a34c540d9..579201b32c2 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -542,6 +543,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index db6af4501d6..7ea719ad218 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -46,6 +46,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -645,6 +646,17 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install GitHub Copilot SDK (Node.js) run: cd "${GITHUB_WORKSPACE}" && npm install --ignore-scripts --no-save @github/copilot-sdk@1.0.5 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index f9cea9c8e20..838d57a401b 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -552,6 +553,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index a4a8edb7f45..78617b96c28 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -53,6 +53,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -636,6 +637,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + GH_AW_GITHUB_REPOS: 'all' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 98e4ebb00ed..8c72f59dae2 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -49,6 +49,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -604,6 +605,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/skillet.lock.yml b/.github/workflows/skillet.lock.yml index 47f4489e156..d93bfc2b6b3 100644 --- a/.github/workflows/skillet.lock.yml +++ b/.github/workflows/skillet.lock.yml @@ -49,6 +49,7 @@ # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -587,6 +588,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 47319bdcf0a..27219385e49 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -46,6 +46,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -570,6 +571,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'merged' + GH_AW_GITHUB_REPOS: 'all' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 6345108b9a4..8228f0ecd30 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -46,6 +46,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -570,6 +571,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + GH_AW_GITHUB_REPOS: 'all' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 3e1ec1403f6..6aa21b82de4 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -48,6 +48,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -573,6 +574,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + GH_AW_GITHUB_REPOS: 'public' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 2295c78c72e..91e0bb98fa4 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -46,6 +46,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -570,6 +571,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'none' + GH_AW_GITHUB_REPOS: 'public' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 51856e1039b..d289d0a0a57 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -572,6 +573,18 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless - name: Install Claude Code CLI run: npm install -g @anthropic-ai/claude-code@2.1.201 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + GH_AW_GITHUB_REPOS: '["github/gh-aw","github/*"]' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml index 1db8323a529..5c24121f234 100644 --- a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml @@ -54,6 +54,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -739,6 +740,17 @@ jobs: env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1' timeout-minutes: 10 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-copilot-aoai-entra.lock.yml b/.github/workflows/smoke-copilot-aoai-entra.lock.yml index c557ab791cd..a49a22d0497 100644 --- a/.github/workflows/smoke-copilot-aoai-entra.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-entra.lock.yml @@ -53,6 +53,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -740,6 +741,17 @@ jobs: env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1' timeout-minutes: 10 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index c76a2e1d36c..7613fe2db30 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -52,6 +52,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -755,6 +756,17 @@ jobs: env: PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1' timeout-minutes: 10 + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 0a96854e3a9..bc6f964d689 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -55,6 +55,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -640,6 +641,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index e6902fc09b6..3636fa673b0 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -655,6 +656,18 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + GH_AW_GITHUB_REPOS: '["github/gh-aw"]' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 83ba9d78cae..93311631e72 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -51,6 +51,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 @@ -548,6 +549,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 11ecd04b4cc..e1b75b157ee 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -511,6 +512,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 8a7a08a6247..34bb6556817 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -47,6 +47,7 @@ # - actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 +# - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) # - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # @@ -545,6 +546,17 @@ jobs: GH_HOST: github.com - name: Install AWF binary run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless + - name: Determine automatic lockdown mode for GitHub MCP Server + id: determine-automatic-lockdown + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) + env: + GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} + GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} + GH_AW_GITHUB_MIN_INTEGRITY: 'approved' + with: + script: | + const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); + await determineAutomaticLockdown(github, context, core); - name: Parse integrity filter lists id: parse-guard-vars env: From 26c85ad2b2267b886777191b018e418841b11e47 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 13:26:34 +0000 Subject: [PATCH 5/8] fix: address review feedback - shell hardening, comments, test rename Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/sh/create_gh_aw_tmp_dir.sh | 1 + pkg/workflow/compiled_lock_files_test.go | 4 ++-- pkg/workflow/engine_firewall_support.go | 10 ++++++---- pkg/workflow/engine_firewall_support_test.go | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/actions/setup/sh/create_gh_aw_tmp_dir.sh b/actions/setup/sh/create_gh_aw_tmp_dir.sh index fe889660084..b56db0ec145 100755 --- a/actions/setup/sh/create_gh_aw_tmp_dir.sh +++ b/actions/setup/sh/create_gh_aw_tmp_dir.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set +o histexpand +set -euo pipefail # Reclaim stale root-owned /tmp/gh-aw/sandbox/firewall before creating it fresh. # A previous AWF run can leave this directory owned by root (Docker containers run as root, diff --git a/pkg/workflow/compiled_lock_files_test.go b/pkg/workflow/compiled_lock_files_test.go index 8f746074f8d..6e478f22afd 100644 --- a/pkg/workflow/compiled_lock_files_test.go +++ b/pkg/workflow/compiled_lock_files_test.go @@ -434,14 +434,14 @@ func TestCompiledLockFiles_SmokeWorkflowCallHasExpectedOutputs(t *testing.T) { }) } -func TestCompiledLockFiles_SmokeCallWorkflowForwardsAwContext(t *testing.T) { +func TestCompiledLockFiles_SmokeCallWorkflowForwardsPayload(t *testing.T) { lockPath := filepath.Join(workflowsDir, "smoke-call-workflow.lock.yml") lockBytes, err := os.ReadFile(lockPath) require.NoError(t, err, "smoke-call-workflow.lock.yml should be readable") lockContent := string(lockBytes) - t.Run("CallWorkflowJobForwardsGeneratedAwContext", func(t *testing.T) { + t.Run("CallWorkflowJobForwardsPayloadAndTaskDescription", func(t *testing.T) { assert.Contains(t, lockContent, "call-smoke-workflow-call:", "lock file should contain the call-workflow job") // smoke-workflow-call.md declares 'payload' and 'task-description' as workflow_call inputs; // the caller job forwards both from the safe_outputs payload. diff --git a/pkg/workflow/engine_firewall_support.go b/pkg/workflow/engine_firewall_support.go index 8b4b361bf9f..09af25a01b3 100644 --- a/pkg/workflow/engine_firewall_support.go +++ b/pkg/workflow/engine_firewall_support.go @@ -143,16 +143,18 @@ func generateFirewallLogParsingStep(workflowName string, workflowData *WorkflowD " run: |", } - // When sudo is false (network isolation mode), AWF runs rootless but Docker - // containers still write files as non-runner UIDs (e.g., Squid writes as UID 13). + // Docker containers write files as non-runner UIDs (e.g., Squid as UID 13). // AWF's own post-run cleanup (fixArtifactPermissionsForRootless) normally handles // this, but if AWF is killed by timeout or OOM, the cleanup never runs. - // Use a non-sudo chmod as a best-effort fallback for artifact upload accessibility. // - // The chown reclaims ownership back to the runner user so the NEXT run's setup.sh + // chown reclaims ownership back to the runner user so the NEXT run's setup.sh // can remove /tmp/gh-aw with a plain `rm -rf` (no sudo required). Without chown, // the root-owned sandbox/firewall tree causes EACCES in consecutive runs on reused // runners and the agent never starts. + // + // When AWF runs with sudo (non-network-isolation mode), plain `sudo chown/chmod` are + // used. In network-isolation (rootless) mode, `sudo -n` (non-interactive) is used with + // a non-sudo chmod as a best-effort fallback for artifact upload accessibility. if !isAWFNetworkIsolationEnabled(workflowData) { stepLines = append(stepLines, " # Reclaim ownership and fix permissions on firewall dirs for artifact upload and next-run cleanup.", diff --git a/pkg/workflow/engine_firewall_support_test.go b/pkg/workflow/engine_firewall_support_test.go index 2f9895f477a..e0a1a1d6f97 100644 --- a/pkg/workflow/engine_firewall_support_test.go +++ b/pkg/workflow/engine_firewall_support_test.go @@ -313,7 +313,7 @@ func TestGenerateFirewallLogParsingStepNetworkIsolationOmitsSudo(t *testing.T) { t.Error("Expected firewall log parsing step to contain best-effort chmod for artifact upload even in network-isolation mode") } - // Should contain best-effort non-sudo chown to reclaim ownership for next run + // Should contain best-effort sudo -n chown (non-interactive sudo) to reclaim ownership for next run if !strings.Contains(stepContent, `sudo -n chown -R "$(id -u):$(id -g)"`) { t.Error("Expected firewall log parsing step to contain best-effort chown to reclaim ownership for next-run cleanup") } From e567bb63366e8723f59780802a0eb0fb55092a7b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:27:59 +0000 Subject: [PATCH 6/8] refactor: extract Print firewall logs inline shell into print_firewall_logs.sh script with tests Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ab-testing-advisor.lock.yml | 13 +-- .github/workflows/ace-editor.lock.yml | 13 +-- .../agent-performance-analyzer.lock.yml | 13 +-- .../workflows/agent-persona-explorer.lock.yml | 13 +-- .../workflows/agentic-token-audit.lock.yml | 13 +-- .../agentic-token-optimizer.lock.yml | 13 +-- .../agentic-token-trend-audit.lock.yml | 13 +-- .github/workflows/ai-moderator.lock.yml | 13 +-- .../workflows/api-consumption-report.lock.yml | 13 +-- .github/workflows/approach-validator.lock.yml | 13 +-- .github/workflows/archie.lock.yml | 13 +-- .../workflows/architecture-guardian.lock.yml | 13 +-- .github/workflows/artifacts-summary.lock.yml | 13 +-- .github/workflows/audit-workflows.lock.yml | 13 +-- .github/workflows/auto-triage-issues.lock.yml | 13 +-- .github/workflows/avenger.lock.yml | 13 +-- .../aw-failure-investigator.lock.yml | 13 +-- .github/workflows/blog-auditor.lock.yml | 13 +-- .github/workflows/bot-detection.lock.yml | 13 +-- .github/workflows/brave.lock.yml | 13 +-- .../breaking-change-checker.lock.yml | 13 +-- .github/workflows/changeset.lock.yml | 13 +-- .../workflows/chaos-pr-bundle-fuzzer.lock.yml | 13 +-- .github/workflows/ci-coach.lock.yml | 13 +-- .github/workflows/ci-doctor.lock.yml | 13 +-- .../claude-code-user-docs-review.lock.yml | 13 +-- .../cli-consistency-checker.lock.yml | 13 +-- .../workflows/cli-version-checker.lock.yml | 13 +-- .github/workflows/cloclo.lock.yml | 13 +-- .../workflows/code-scanning-fixer.lock.yml | 13 +-- .github/workflows/code-simplifier.lock.yml | 13 +-- .../codex-github-remote-mcp-test.lock.yml | 13 +-- .../commit-changes-analyzer.lock.yml | 13 +-- .../constraint-solving-potd.lock.yml | 13 +-- .github/workflows/contribution-check.lock.yml | 13 +-- .../workflows/copilot-agent-analysis.lock.yml | 13 +-- .../copilot-centralization-drilldown.lock.yml | 13 +-- .../copilot-centralization-optimizer.lock.yml | 13 +-- .../copilot-cli-deep-research.lock.yml | 13 +-- .github/workflows/copilot-opt.lock.yml | 13 +-- .../copilot-pr-merged-report.lock.yml | 13 +-- .../copilot-pr-nlp-analysis.lock.yml | 13 +-- .../copilot-pr-prompt-analysis.lock.yml | 13 +-- .../copilot-session-insights.lock.yml | 13 +-- .github/workflows/craft.lock.yml | 13 +-- ...aily-agent-of-the-day-blog-writer.lock.yml | 13 +-- .../daily-agentrx-trace-optimizer.lock.yml | 13 +-- .../daily-ambient-context-optimizer.lock.yml | 13 +-- .../daily-architecture-diagram.lock.yml | 13 +-- .../daily-assign-issue-to-user.lock.yml | 13 +-- ...strostylelite-markdown-spellcheck.lock.yml | 13 +-- ...daily-aw-cross-repo-compile-check.lock.yml | 13 +-- ...daily-awf-spec-compiler-surfacing.lock.yml | 13 +-- .../workflows/daily-byok-ollama-test.lock.yml | 13 +-- .../daily-cache-strategy-analyzer.lock.yml | 13 +-- .../daily-caveman-optimizer.lock.yml | 13 +-- .github/workflows/daily-choice-test.lock.yml | 13 +-- .../workflows/daily-cli-performance.lock.yml | 13 +-- .../workflows/daily-cli-tools-tester.lock.yml | 13 +-- .github/workflows/daily-code-metrics.lock.yml | 13 +-- .../daily-community-attribution.lock.yml | 13 +-- .../workflows/daily-compiler-quality.lock.yml | 13 +-- ...ly-compiler-threat-spec-optimizer.lock.yml | 13 +-- .../daily-credit-limit-test.lock.yml | 13 +-- .github/workflows/daily-doc-healer.lock.yml | 13 +-- .github/workflows/daily-doc-updater.lock.yml | 13 +-- .../daily-experiment-report.lock.yml | 13 +-- .github/workflows/daily-fact.lock.yml | 13 +-- .github/workflows/daily-file-diet.lock.yml | 13 +-- .../workflows/daily-firewall-report.lock.yml | 13 +-- .../daily-formal-spec-verifier.lock.yml | 13 +-- .../workflows/daily-function-namer.lock.yml | 13 +-- .../workflows/daily-geo-optimizer.lock.yml | 13 +-- .github/workflows/daily-hippo-learn.lock.yml | 13 +-- .../workflows/daily-issues-report.lock.yml | 13 +-- .../daily-malicious-code-scan.lock.yml | 13 +-- .../daily-max-ai-credits-test.lock.yml | 13 +-- .../daily-mcp-concurrency-analysis.lock.yml | 13 +-- .../workflows/daily-model-inventory.lock.yml | 13 +-- .../workflows/daily-model-resolution.lock.yml | 13 +-- .../daily-multi-device-docs-tester.lock.yml | 13 +-- .github/workflows/daily-news.lock.yml | 13 +-- .../daily-observability-report.lock.yml | 13 +-- .../daily-performance-summary.lock.yml | 13 +-- .github/workflows/daily-regulatory.lock.yml | 13 +-- .../daily-reliability-review.lock.yml | 13 +-- .../daily-rendering-scripts-verifier.lock.yml | 13 +-- .../workflows/daily-repo-chronicle.lock.yml | 13 +-- .../daily-safe-output-integrator.lock.yml | 13 +-- .../daily-safe-output-optimizer.lock.yml | 13 +-- .../daily-safe-outputs-conformance.lock.yml | 13 +-- .../daily-safeoutputs-git-simulator.lock.yml | 13 +-- .../workflows/daily-secrets-analysis.lock.yml | 13 +-- .../daily-security-observability.lock.yml | 13 +-- .../daily-security-red-team.lock.yml | 13 +-- .github/workflows/daily-semgrep-scan.lock.yml | 13 +-- .../workflows/daily-sentrux-report.lock.yml | 13 +-- .../workflows/daily-skill-optimizer.lock.yml | 13 +-- .../daily-spdd-spec-planner.lock.yml | 13 +-- .../daily-syntax-error-quality.lock.yml | 13 +-- .../daily-team-evolution-insights.lock.yml | 13 +-- .github/workflows/daily-team-status.lock.yml | 13 +-- .../daily-testify-uber-super-expert.lock.yml | 13 +-- .../daily-token-consumption-report.lock.yml | 13 +-- ...dows-terminal-integration-builder.lock.yml | 13 +-- .../workflows/daily-workflow-updater.lock.yml | 13 +-- .../workflows/daily-yamllint-fixer.lock.yml | 13 +-- .../dataflow-pr-discussion-dataset.lock.yml | 13 +-- .github/workflows/dead-code-remover.lock.yml | 13 +-- .github/workflows/deep-report.lock.yml | 13 +-- .github/workflows/delight.lock.yml | 13 +-- .github/workflows/dependabot-burner.lock.yml | 13 +-- .../workflows/dependabot-go-checker.lock.yml | 13 +-- .github/workflows/dependabot-repair.lock.yml | 13 +-- .../deployment-incident-monitor.lock.yml | 13 +-- .../workflows/design-decision-gate.lock.yml | 13 +-- .../workflows/designer-drift-audit.lock.yml | 13 +-- .../detection-analysis-report.lock.yml | 13 +-- .github/workflows/dev-hawk.lock.yml | 13 +-- .github/workflows/dev.lock.yml | 13 +-- .../developer-docs-consolidator.lock.yml | 13 +-- .github/workflows/dictation-prompt.lock.yml | 13 +-- .../workflows/discussion-task-miner.lock.yml | 13 +-- .github/workflows/docs-noob-tester.lock.yml | 13 +-- .github/workflows/draft-pr-cleanup.lock.yml | 13 +-- .../duplicate-code-detector.lock.yml | 13 +-- .github/workflows/eslint-miner.lock.yml | 13 +-- .github/workflows/eslint-monster.lock.yml | 13 +-- .github/workflows/eslint-refiner.lock.yml | 13 +-- .../example-failure-category-filter.lock.yml | 13 +-- .../example-permissions-warning.lock.yml | 13 +-- .../example-workflow-analyzer.lock.yml | 13 +-- .github/workflows/firewall-escape.lock.yml | 13 +-- .github/workflows/firewall.lock.yml | 13 +-- .../workflows/functional-pragmatist.lock.yml | 13 +-- .../github-mcp-structural-analysis.lock.yml | 13 +-- .../github-mcp-tools-report.lock.yml | 13 +-- .../github-remote-mcp-auth-test.lock.yml | 13 +-- .../workflows/glossary-maintainer.lock.yml | 13 +-- .github/workflows/go-fan.lock.yml | 13 +-- .github/workflows/go-logger.lock.yml | 13 +-- .../workflows/go-pattern-detector.lock.yml | 13 +-- .github/workflows/gpclean.lock.yml | 13 +-- .github/workflows/grumpy-reviewer.lock.yml | 13 +-- .github/workflows/hippo-embed.lock.yml | 13 +-- .github/workflows/hourly-ci-cleaner.lock.yml | 13 +-- .../impeccable-skills-reviewer.lock.yml | 13 +-- .../workflows/instructions-janitor.lock.yml | 13 +-- .github/workflows/issue-arborist.lock.yml | 13 +-- .github/workflows/issue-monster.lock.yml | 13 +-- .github/workflows/issue-triage-agent.lock.yml | 13 +-- .github/workflows/jsweep.lock.yml | 13 +-- .../workflows/layout-spec-maintainer.lock.yml | 13 +-- .github/workflows/lint-monster.lock.yml | 13 +-- .github/workflows/linter-miner.lock.yml | 13 +-- .github/workflows/lockfile-stats.lock.yml | 13 +-- .../mattpocock-skills-reviewer.lock.yml | 13 +-- .github/workflows/mcp-inspector.lock.yml | 13 +-- .github/workflows/mergefest.lock.yml | 13 +-- .github/workflows/metrics-collector.lock.yml | 13 +-- .github/workflows/necromancer.lock.yml | 13 +-- .../workflows/notion-issue-summary.lock.yml | 13 +-- .../objective-impact-report.lock.yml | 13 +-- .github/workflows/org-health-report.lock.yml | 13 +-- .github/workflows/outcome-collector.lock.yml | 13 +-- .github/workflows/pdf-summary.lock.yml | 13 +-- .github/workflows/plan.lock.yml | 13 +-- .github/workflows/poem-bot.lock.yml | 13 +-- .github/workflows/portfolio-analyst.lock.yml | 13 +-- .../pr-code-quality-reviewer.lock.yml | 13 +-- .../workflows/pr-description-caveman.lock.yml | 13 +-- .../workflows/pr-nitpick-reviewer.lock.yml | 13 +-- .github/workflows/pr-sous-chef.lock.yml | 13 +-- .github/workflows/pr-triage-agent.lock.yml | 13 +-- .../prompt-clustering-analysis.lock.yml | 13 +-- .github/workflows/python-data-charts.lock.yml | 13 +-- .github/workflows/q.lock.yml | 13 +-- .../workflows/refactoring-cadence.lock.yml | 13 +-- .github/workflows/refiner.lock.yml | 13 +-- .github/workflows/release.lock.yml | 13 +-- .../workflows/repo-audit-analyzer.lock.yml | 13 +-- .github/workflows/repo-tree-map.lock.yml | 13 +-- .../repository-quality-improver.lock.yml | 13 +-- .github/workflows/research.lock.yml | 13 +-- .github/workflows/ruflo-backed-task.lock.yml | 13 +-- .github/workflows/safe-output-health.lock.yml | 13 +-- .../schema-consistency-checker.lock.yml | 13 +-- .../schema-feature-coverage.lock.yml | 13 +-- .github/workflows/scout.lock.yml | 13 +-- .../workflows/security-compliance.lock.yml | 13 +-- .github/workflows/security-review.lock.yml | 13 +-- .../semantic-function-refactor.lock.yml | 13 +-- .github/workflows/sergo.lock.yml | 13 +-- .github/workflows/skillet.lock.yml | 13 +-- .../workflows/slide-deck-maintainer.lock.yml | 13 +-- .../workflows/smoke-agent-all-merged.lock.yml | 13 +-- .../workflows/smoke-agent-all-none.lock.yml | 13 +-- .../smoke-agent-public-approved.lock.yml | 13 +-- .../smoke-agent-public-none.lock.yml | 13 +-- .../smoke-agent-scoped-approved.lock.yml | 13 +-- .github/workflows/smoke-antigravity.lock.yml | 13 +-- .../workflows/smoke-call-workflow.lock.yml | 13 +-- .github/workflows/smoke-ci.lock.yml | 13 +-- .../smoke-claude-on-copilot.lock.yml | 13 +-- .github/workflows/smoke-claude.lock.yml | 13 +-- .github/workflows/smoke-codex.lock.yml | 13 +-- .../smoke-copilot-aoai-apikey.lock.yml | 13 +-- .../smoke-copilot-aoai-entra.lock.yml | 13 +-- .github/workflows/smoke-copilot-arm.lock.yml | 13 +-- .github/workflows/smoke-copilot-sdk.lock.yml | 13 +-- .../smoke-copilot-sub-agents.lock.yml | 13 +-- .github/workflows/smoke-copilot.lock.yml | 13 +-- .../smoke-create-cross-repo-pr.lock.yml | 13 +-- .github/workflows/smoke-crush.lock.yml | 13 +-- .github/workflows/smoke-gemini.lock.yml | 13 +-- .github/workflows/smoke-multi-pr.lock.yml | 13 +-- .github/workflows/smoke-opencode.lock.yml | 13 +-- .../workflows/smoke-otel-backends.lock.yml | 13 +-- .github/workflows/smoke-pi.lock.yml | 13 +-- .github/workflows/smoke-project.lock.yml | 13 +-- .../workflows/smoke-service-ports.lock.yml | 13 +-- .github/workflows/smoke-temporary-id.lock.yml | 13 +-- .github/workflows/smoke-test-tools.lock.yml | 13 +-- .../smoke-update-cross-repo-pr.lock.yml | 13 +-- .../smoke-workflow-call-with-inputs.lock.yml | 13 +-- .../workflows/smoke-workflow-call.lock.yml | 13 +-- .github/workflows/spec-enforcer.lock.yml | 13 +-- .github/workflows/spec-extractor.lock.yml | 13 +-- .github/workflows/spec-librarian.lock.yml | 13 +-- .github/workflows/stale-pr-cleanup.lock.yml | 13 +-- .../workflows/stale-repo-identifier.lock.yml | 13 +-- .../workflows/static-analysis-report.lock.yml | 13 +-- .../workflows/step-name-alignment.lock.yml | 13 +-- .github/workflows/sub-issue-closer.lock.yml | 13 +-- .github/workflows/super-linter.lock.yml | 13 +-- .../workflows/technical-doc-writer.lock.yml | 13 +-- .github/workflows/terminal-stylist.lock.yml | 13 +-- .../test-create-pr-error-handling.lock.yml | 13 +-- .github/workflows/test-dispatcher.lock.yml | 13 +-- .../test-project-url-default.lock.yml | 13 +-- .../workflows/test-quality-sentinel.lock.yml | 13 +-- .github/workflows/test-workflow.lock.yml | 13 +-- .github/workflows/tidy.lock.yml | 13 +-- .github/workflows/typist.lock.yml | 13 +-- .../workflows/ubuntu-image-analyzer.lock.yml | 13 +-- .../uk-ai-operational-resilience.lock.yml | 13 +-- .github/workflows/unbloat-docs.lock.yml | 13 +-- .github/workflows/update-astro.lock.yml | 13 +-- .github/workflows/video-analyzer.lock.yml | 13 +-- .../visual-regression-checker.lock.yml | 13 +-- .../weekly-blog-post-writer.lock.yml | 13 +-- .../weekly-editors-health-check.lock.yml | 13 +-- .../workflows/weekly-issue-summary.lock.yml | 13 +-- .../weekly-safe-outputs-spec-review.lock.yml | 13 +-- .github/workflows/workflow-generator.lock.yml | 13 +-- .../workflow-health-manager.lock.yml | 13 +-- .../workflows/workflow-normalizer.lock.yml | 13 +-- .../workflow-skill-extractor.lock.yml | 13 +-- actions/setup/sh/print_firewall_logs.sh | 45 ++++++++ actions/setup/sh/print_firewall_logs_test.sh | 107 ++++++++++++++++++ pkg/workflow/engine_firewall_support.go | 53 ++------- pkg/workflow/engine_firewall_support_test.go | 45 +++----- .../TestWasmGolden_AllEngines/claude.golden | 13 +-- .../TestWasmGolden_AllEngines/codex.golden | 13 +-- .../TestWasmGolden_AllEngines/copilot.golden | 13 +-- .../TestWasmGolden_AllEngines/gemini.golden | 13 +-- .../TestWasmGolden_AllEngines/pi.golden | 13 +-- .../basic-copilot.golden | 13 +-- .../playwright-cli-mode.golden | 13 +-- .../smoke-copilot.golden | 13 +-- .../with-imports.golden | 13 +-- 271 files changed, 442 insertions(+), 3279 deletions(-) create mode 100755 actions/setup/sh/print_firewall_logs.sh create mode 100755 actions/setup/sh/print_firewall_logs_test.sh diff --git a/.github/workflows/ab-testing-advisor.lock.yml b/.github/workflows/ab-testing-advisor.lock.yml index 0a9d0e3ec23..310b0eeda06 100644 --- a/.github/workflows/ab-testing-advisor.lock.yml +++ b/.github/workflows/ab-testing-advisor.lock.yml @@ -957,18 +957,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 8a696325409..47ca758d5ad 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -917,18 +917,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 90ce908bd02..1a226b7117a 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1163,18 +1163,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index b62d97593c4..a3d91872fef 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1080,18 +1080,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agentic-token-audit.lock.yml b/.github/workflows/agentic-token-audit.lock.yml index b163d55b24f..35e0695a2de 100644 --- a/.github/workflows/agentic-token-audit.lock.yml +++ b/.github/workflows/agentic-token-audit.lock.yml @@ -1090,18 +1090,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agentic-token-optimizer.lock.yml b/.github/workflows/agentic-token-optimizer.lock.yml index 70071509aaf..473c206ffbe 100644 --- a/.github/workflows/agentic-token-optimizer.lock.yml +++ b/.github/workflows/agentic-token-optimizer.lock.yml @@ -976,18 +976,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agentic-token-trend-audit.lock.yml b/.github/workflows/agentic-token-trend-audit.lock.yml index 2828588d9db..877267087bb 100644 --- a/.github/workflows/agentic-token-trend-audit.lock.yml +++ b/.github/workflows/agentic-token-trend-audit.lock.yml @@ -1064,18 +1064,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index b25b6ccb799..1e8a8d33fa7 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -1084,18 +1084,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index 44087804917..dcdbe75e201 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -1414,18 +1414,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/approach-validator.lock.yml b/.github/workflows/approach-validator.lock.yml index f430654923b..78db2f6fe44 100644 --- a/.github/workflows/approach-validator.lock.yml +++ b/.github/workflows/approach-validator.lock.yml @@ -1141,18 +1141,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index cf91f5fb916..7e0f995b431 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -1040,18 +1040,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/architecture-guardian.lock.yml b/.github/workflows/architecture-guardian.lock.yml index 27a122cb41f..ff379c4a4f7 100644 --- a/.github/workflows/architecture-guardian.lock.yml +++ b/.github/workflows/architecture-guardian.lock.yml @@ -1040,18 +1040,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 439845117c0..621e82d360a 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -953,18 +953,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 157a2f7e489..bef5d6fa8e4 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1234,18 +1234,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index f8c0f77bb3a..38ff6c83ad7 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -995,18 +995,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/avenger.lock.yml b/.github/workflows/avenger.lock.yml index a57827d4978..ca9fb45af5b 100644 --- a/.github/workflows/avenger.lock.yml +++ b/.github/workflows/avenger.lock.yml @@ -1065,18 +1065,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index d66d365e1fd..a68bfb62b6d 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml @@ -1234,18 +1234,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 20dbf75f2c6..d95381d70a6 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1110,18 +1110,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index f4883b8ba01..5bb1c7888c2 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -1034,18 +1034,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 9f17753104f..d0f7cb33dfa 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1029,18 +1029,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 591ae6e4543..ffcfab831d4 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -1037,18 +1037,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index fe402f37a59..f41b8b6496b 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1077,18 +1077,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml index f7194a70068..90e7bf9ae2f 100644 --- a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml +++ b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml @@ -960,18 +960,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index bf89b1b16ef..c8541acd86d 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1070,18 +1070,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 91f2e96f161..4e3cbd230a8 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1234,18 +1234,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 32fa6c6a1e2..0c117bf5d9a 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -1062,18 +1062,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 66a36ef5036..5594b7cd91a 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -967,18 +967,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index d03be1ebac1..0c0399952c3 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1055,18 +1055,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 20d130c98bd..e35215990f9 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1339,18 +1339,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index b5dfd0603a4..3affcc24af0 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1023,18 +1023,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index e1f5cc4fbfd..b8990d18353 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -993,18 +993,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 5b694e1017b..1db2f416ad8 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -919,18 +919,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 11127c94902..865260dd0b7 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -924,18 +924,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 2fbdbae37da..307ef7ab38b 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -952,18 +952,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index ff2a13e5f55..f09f942ab39 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -1106,18 +1106,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 6a92862d5d4..5702b5c6365 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1120,18 +1120,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-centralization-drilldown.lock.yml b/.github/workflows/copilot-centralization-drilldown.lock.yml index 23619e18ead..4f3c9820c1b 100644 --- a/.github/workflows/copilot-centralization-drilldown.lock.yml +++ b/.github/workflows/copilot-centralization-drilldown.lock.yml @@ -947,18 +947,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-centralization-optimizer.lock.yml b/.github/workflows/copilot-centralization-optimizer.lock.yml index d4d5068f5e4..56786f30b69 100644 --- a/.github/workflows/copilot-centralization-optimizer.lock.yml +++ b/.github/workflows/copilot-centralization-optimizer.lock.yml @@ -978,18 +978,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 0e8982d56b0..878f6f5413b 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -990,18 +990,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-opt.lock.yml b/.github/workflows/copilot-opt.lock.yml index 4c65703f0ab..7b2433abb11 100644 --- a/.github/workflows/copilot-opt.lock.yml +++ b/.github/workflows/copilot-opt.lock.yml @@ -1047,18 +1047,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index cc15ec47227..5c198ce2368 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -910,18 +910,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index ae7d5c37b35..27a884ac3aa 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1068,18 +1068,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 57ac38fa1cb..231b38eab0e 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -1017,18 +1017,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index c9b25494b25..f2c94233fce 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1132,18 +1132,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 4acd1736435..fed7b84bc4e 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1036,18 +1036,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index a2ba9661ee2..6264ddae7d7 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -1155,18 +1155,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index cb2cbdcdfa0..0083ce69972 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml +++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml @@ -1175,18 +1175,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-ambient-context-optimizer.lock.yml b/.github/workflows/daily-ambient-context-optimizer.lock.yml index 5e95658a245..4a076de0366 100644 --- a/.github/workflows/daily-ambient-context-optimizer.lock.yml +++ b/.github/workflows/daily-ambient-context-optimizer.lock.yml @@ -1068,18 +1068,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index 9b570ea233c..eff5e5c22b1 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -1100,18 +1100,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 2c32bf184da..cbfe7c8b19b 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -965,18 +965,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml index 3c7a2628fba..822ec68a953 100644 --- a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml +++ b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml @@ -1069,18 +1069,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml index 180815469c7..53014fcea04 100644 --- a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml +++ b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml @@ -1054,18 +1054,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml index b9e0bce466b..35f8226d466 100644 --- a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml +++ b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml @@ -952,18 +952,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index 80e3e2a2557..00e3fefc899 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -981,18 +981,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index 8002b4a066e..5aa7dd0d176 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml @@ -1191,18 +1191,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-caveman-optimizer.lock.yml b/.github/workflows/daily-caveman-optimizer.lock.yml index 7d0373ecaf3..519b895cc63 100644 --- a/.github/workflows/daily-caveman-optimizer.lock.yml +++ b/.github/workflows/daily-caveman-optimizer.lock.yml @@ -1094,18 +1094,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 96253a238ff..c16bad18450 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -1011,18 +1011,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 485e4fef6f5..f52ee68c31b 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1232,18 +1232,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 76598119074..2c05b69aa74 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -1074,18 +1074,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 85c92a2f3ab..80e14fe616c 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1154,18 +1154,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 0087e32b666..40e3c285b92 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -1121,18 +1121,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 7b8130ea0f1..75a55bfdeb9 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1095,18 +1095,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml index d1540303df3..e0298cc475f 100644 --- a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml +++ b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml @@ -1036,18 +1036,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-credit-limit-test.lock.yml b/.github/workflows/daily-credit-limit-test.lock.yml index 44a5324003d..0aa00349d03 100644 --- a/.github/workflows/daily-credit-limit-test.lock.yml +++ b/.github/workflows/daily-credit-limit-test.lock.yml @@ -928,18 +928,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index ff77b6cd46f..383ecac65ce 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -1198,18 +1198,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 312abf2e008..df312dcc0dc 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1013,18 +1013,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-experiment-report.lock.yml b/.github/workflows/daily-experiment-report.lock.yml index 568880c12da..8cab6d3967e 100644 --- a/.github/workflows/daily-experiment-report.lock.yml +++ b/.github/workflows/daily-experiment-report.lock.yml @@ -1071,18 +1071,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 94a08be5b44..fc18d33b887 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -1204,18 +1204,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 86576db62b0..4ffbb444183 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -1038,18 +1038,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index d5aa2d503d2..f484e72c71e 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1030,18 +1030,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-formal-spec-verifier.lock.yml b/.github/workflows/daily-formal-spec-verifier.lock.yml index 8c52181af52..e24862312e6 100644 --- a/.github/workflows/daily-formal-spec-verifier.lock.yml +++ b/.github/workflows/daily-formal-spec-verifier.lock.yml @@ -1048,18 +1048,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 1609d58f3fa..7121d81007e 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -1022,18 +1022,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-geo-optimizer.lock.yml b/.github/workflows/daily-geo-optimizer.lock.yml index 4d2f570538f..07d6ae64903 100644 --- a/.github/workflows/daily-geo-optimizer.lock.yml +++ b/.github/workflows/daily-geo-optimizer.lock.yml @@ -1028,18 +1028,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-hippo-learn.lock.yml b/.github/workflows/daily-hippo-learn.lock.yml index 06146359100..7c13b2d9c64 100644 --- a/.github/workflows/daily-hippo-learn.lock.yml +++ b/.github/workflows/daily-hippo-learn.lock.yml @@ -1115,18 +1115,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 35b6cc447f8..a74c5f7396b 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1252,18 +1252,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index f478133e4a0..eb3b0317fd9 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -996,18 +996,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-max-ai-credits-test.lock.yml b/.github/workflows/daily-max-ai-credits-test.lock.yml index 27e21b47b21..5301143919e 100644 --- a/.github/workflows/daily-max-ai-credits-test.lock.yml +++ b/.github/workflows/daily-max-ai-credits-test.lock.yml @@ -869,18 +869,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 57238651e39..6de76299d98 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1101,18 +1101,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-model-inventory.lock.yml b/.github/workflows/daily-model-inventory.lock.yml index 7aaa162acf0..af770ed5041 100644 --- a/.github/workflows/daily-model-inventory.lock.yml +++ b/.github/workflows/daily-model-inventory.lock.yml @@ -1002,18 +1002,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-model-resolution.lock.yml b/.github/workflows/daily-model-resolution.lock.yml index ee38255e9b7..1f5ee5fe637 100644 --- a/.github/workflows/daily-model-resolution.lock.yml +++ b/.github/workflows/daily-model-resolution.lock.yml @@ -1048,18 +1048,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 0dcbd394d78..ae3d47394d3 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1011,18 +1011,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 856c315e994..30c94dc80d3 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1182,18 +1182,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index dddd473e16b..cb5ad168821 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1085,18 +1085,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 67376e85e2e..a3041ab9161 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1545,18 +1545,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 62b90dd8cdc..2dbebd0e308 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1469,18 +1469,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-reliability-review.lock.yml b/.github/workflows/daily-reliability-review.lock.yml index 54e30a74ca3..195c39fe4af 100644 --- a/.github/workflows/daily-reliability-review.lock.yml +++ b/.github/workflows/daily-reliability-review.lock.yml @@ -1095,18 +1095,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 18b3de560ed..b42d32f0ce4 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1229,18 +1229,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index cec1980bb13..05caddc9a02 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1025,18 +1025,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index d01a5a4cb5d..6595fedde9f 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -1001,18 +1001,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index cb553ce9001..a8f33eaf4ec 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1240,18 +1240,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index 711afc65697..acfa04e7983 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -1049,18 +1049,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml index 7d7ac47d02c..873a3442fa5 100644 --- a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml +++ b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml @@ -1103,18 +1103,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 486ce5cacf9..8923866d196 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -956,18 +956,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index 229a669a1d4..bcbf5c4608c 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml @@ -1151,18 +1151,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index b7e60c904ea..9e6f3ab65c9 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -1126,18 +1126,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 33d5011a5f2..ef0c1219adb 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -1029,18 +1029,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-sentrux-report.lock.yml b/.github/workflows/daily-sentrux-report.lock.yml index f9cf25b5466..41041b97df7 100644 --- a/.github/workflows/daily-sentrux-report.lock.yml +++ b/.github/workflows/daily-sentrux-report.lock.yml @@ -989,18 +989,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-skill-optimizer.lock.yml b/.github/workflows/daily-skill-optimizer.lock.yml index c28f931fd1b..14a01fdd129 100644 --- a/.github/workflows/daily-skill-optimizer.lock.yml +++ b/.github/workflows/daily-skill-optimizer.lock.yml @@ -972,18 +972,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-spdd-spec-planner.lock.yml b/.github/workflows/daily-spdd-spec-planner.lock.yml index 321bdc37039..9e75a6fe31a 100644 --- a/.github/workflows/daily-spdd-spec-planner.lock.yml +++ b/.github/workflows/daily-spdd-spec-planner.lock.yml @@ -1024,18 +1024,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 893c157dad3..57b4feb7511 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -974,18 +974,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 76f63ea08ce..975a951119e 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -1015,18 +1015,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 51ee9b45cd1..6ecce13ba77 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -951,18 +951,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 652e19f420f..58989493335 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1072,18 +1072,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-token-consumption-report.lock.yml b/.github/workflows/daily-token-consumption-report.lock.yml index 41300034015..39b1f8506ec 100644 --- a/.github/workflows/daily-token-consumption-report.lock.yml +++ b/.github/workflows/daily-token-consumption-report.lock.yml @@ -1167,18 +1167,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml index 1b5f05254af..c8d01e56e56 100644 --- a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml +++ b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml @@ -932,18 +932,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index d56d9c0bad9..16676d848ba 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -967,18 +967,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-yamllint-fixer.lock.yml b/.github/workflows/daily-yamllint-fixer.lock.yml index 9c6bb445b31..77c41a1b44a 100644 --- a/.github/workflows/daily-yamllint-fixer.lock.yml +++ b/.github/workflows/daily-yamllint-fixer.lock.yml @@ -1046,18 +1046,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index 065bb58c201..b72e53fcd9b 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -1300,18 +1300,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 1ffdd332229..47241160aae 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1021,18 +1021,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 4ac65c37095..1ec2d4bbc20 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1474,18 +1474,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 475826fd4f5..0986c9f674e 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1055,18 +1055,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 663da0b5606..effece7f56b 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -1111,18 +1111,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 89135821423..987d6156e59 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -1019,18 +1019,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-repair.lock.yml b/.github/workflows/dependabot-repair.lock.yml index ba0309a8fb7..e4a40a8259f 100644 --- a/.github/workflows/dependabot-repair.lock.yml +++ b/.github/workflows/dependabot-repair.lock.yml @@ -1060,18 +1060,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/deployment-incident-monitor.lock.yml b/.github/workflows/deployment-incident-monitor.lock.yml index f1ba157171d..10b04406cc6 100644 --- a/.github/workflows/deployment-incident-monitor.lock.yml +++ b/.github/workflows/deployment-incident-monitor.lock.yml @@ -978,18 +978,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml index 760ea09b5b4..2c53057820a 100644 --- a/.github/workflows/design-decision-gate.lock.yml +++ b/.github/workflows/design-decision-gate.lock.yml @@ -1159,18 +1159,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/designer-drift-audit.lock.yml b/.github/workflows/designer-drift-audit.lock.yml index 8915cacddba..4679bab6e21 100644 --- a/.github/workflows/designer-drift-audit.lock.yml +++ b/.github/workflows/designer-drift-audit.lock.yml @@ -938,18 +938,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/detection-analysis-report.lock.yml b/.github/workflows/detection-analysis-report.lock.yml index 58db75892f9..1ca040a1df3 100644 --- a/.github/workflows/detection-analysis-report.lock.yml +++ b/.github/workflows/detection-analysis-report.lock.yml @@ -1171,18 +1171,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 55b8da8ec06..e4d7b972a0b 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1086,18 +1086,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 3ee80523221..907063ba7c3 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1051,18 +1051,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 6d1e9e87b64..0b4f51ea7fa 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1179,18 +1179,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index ed042b14d50..f82e443c675 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -969,18 +969,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 89ac103d692..bb4be7e3fce 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1045,18 +1045,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 414c3fe0105..7dc18de6d20 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -1005,18 +1005,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index f994b197c53..70871d557ed 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -1000,18 +1000,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index e222cca4846..d1aad3e492b 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -1057,18 +1057,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/eslint-miner.lock.yml b/.github/workflows/eslint-miner.lock.yml index d00a68754db..da10bbe4d75 100644 --- a/.github/workflows/eslint-miner.lock.yml +++ b/.github/workflows/eslint-miner.lock.yml @@ -977,18 +977,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/eslint-monster.lock.yml b/.github/workflows/eslint-monster.lock.yml index b4ddaa41897..80ebb87c958 100644 --- a/.github/workflows/eslint-monster.lock.yml +++ b/.github/workflows/eslint-monster.lock.yml @@ -1062,18 +1062,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/eslint-refiner.lock.yml b/.github/workflows/eslint-refiner.lock.yml index 425a94cf056..718834e032d 100644 --- a/.github/workflows/eslint-refiner.lock.yml +++ b/.github/workflows/eslint-refiner.lock.yml @@ -1091,18 +1091,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/example-failure-category-filter.lock.yml b/.github/workflows/example-failure-category-filter.lock.yml index 0da1d480823..0fe1dec6289 100644 --- a/.github/workflows/example-failure-category-filter.lock.yml +++ b/.github/workflows/example-failure-category-filter.lock.yml @@ -919,18 +919,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index 4db5596df50..84ce6d78bc7 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -884,18 +884,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index ac8a3de6822..9b10f79eae0 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1098,18 +1098,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 05ca5316d96..c744fbc1491 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -1026,18 +1026,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 90390548ef3..719987b515c 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -887,18 +887,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index b880854a9d4..bfef0beabd9 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -967,18 +967,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index f4d79ebb882..d28024c7b89 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1084,18 +1084,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index aca0b78da0d..4b90108ed43 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1085,18 +1085,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index b8b28a6436a..02ed44ab2bb 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -964,18 +964,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 635119fcbca..9cccbc27395 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1084,18 +1084,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index e34af1fea5e..ba0c9335e4f 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1126,18 +1126,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index dac7e6dfb8f..826e3b26114 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1107,18 +1107,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 5431b621c1e..bb5b5d71e53 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1042,18 +1042,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 02b3fc189c3..186ad64a205 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -1034,18 +1034,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index ecf65bfd53d..d9cf3fa9f6e 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1099,18 +1099,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/hippo-embed.lock.yml b/.github/workflows/hippo-embed.lock.yml index 69c70a0b8cf..0b1ac4d807a 100644 --- a/.github/workflows/hippo-embed.lock.yml +++ b/.github/workflows/hippo-embed.lock.yml @@ -1013,18 +1013,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index cc8d1457f3f..69aa91c4c2c 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1072,18 +1072,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/impeccable-skills-reviewer.lock.yml b/.github/workflows/impeccable-skills-reviewer.lock.yml index ed826e81de2..b3a7beb10f9 100644 --- a/.github/workflows/impeccable-skills-reviewer.lock.yml +++ b/.github/workflows/impeccable-skills-reviewer.lock.yml @@ -1060,18 +1060,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 6d95049a40f..2ee887260f7 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1083,18 +1083,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 8633c4a80d9..ba39e319aac 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1143,18 +1143,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 55675c36993..0dd87321045 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1349,18 +1349,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index d9ecfaeac4c..6bb41233c75 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -950,18 +950,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index cb42ce69950..765071b1203 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -1012,18 +1012,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index c0aefee92fa..c9297ec672c 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -1014,18 +1014,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/lint-monster.lock.yml b/.github/workflows/lint-monster.lock.yml index 98abd9f3070..c48685a77d9 100644 --- a/.github/workflows/lint-monster.lock.yml +++ b/.github/workflows/lint-monster.lock.yml @@ -1057,18 +1057,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/linter-miner.lock.yml b/.github/workflows/linter-miner.lock.yml index da10f3e959b..68f9e63c6d0 100644 --- a/.github/workflows/linter-miner.lock.yml +++ b/.github/workflows/linter-miner.lock.yml @@ -1040,18 +1040,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 80da825f6b8..e2faff9376c 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -1036,18 +1036,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index 2d0ed316089..5f1def325f7 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -1208,18 +1208,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index ffa48f776e4..ed82efa6565 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1527,18 +1527,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 231b4511a91..bdf71ec3213 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -1054,18 +1054,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index c72c7a645f1..8b1810f706e 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -1081,18 +1081,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/necromancer.lock.yml b/.github/workflows/necromancer.lock.yml index 65b07bd4555..3291d9f5fee 100644 --- a/.github/workflows/necromancer.lock.yml +++ b/.github/workflows/necromancer.lock.yml @@ -1072,18 +1072,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 48503f746c5..51aa455ae08 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -964,18 +964,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/objective-impact-report.lock.yml b/.github/workflows/objective-impact-report.lock.yml index 8922c7e0088..8ffc56ab7e8 100644 --- a/.github/workflows/objective-impact-report.lock.yml +++ b/.github/workflows/objective-impact-report.lock.yml @@ -993,18 +993,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 16307757967..c9b3f0733da 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1040,18 +1040,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/outcome-collector.lock.yml b/.github/workflows/outcome-collector.lock.yml index 34da5ad7a83..441eb6d57e0 100644 --- a/.github/workflows/outcome-collector.lock.yml +++ b/.github/workflows/outcome-collector.lock.yml @@ -998,18 +998,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 067d843c4eb..810d5bdb818 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1101,18 +1101,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 605b252bc0d..ccadf03edb4 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1107,18 +1107,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 9e163e48a54..64b6c3e5db9 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1306,18 +1306,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 03d0352f848..e6d4891b1e4 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1168,18 +1168,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-code-quality-reviewer.lock.yml b/.github/workflows/pr-code-quality-reviewer.lock.yml index b2df510a4d3..58882aafca4 100644 --- a/.github/workflows/pr-code-quality-reviewer.lock.yml +++ b/.github/workflows/pr-code-quality-reviewer.lock.yml @@ -1071,18 +1071,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-description-caveman.lock.yml b/.github/workflows/pr-description-caveman.lock.yml index 1d85b6ee95a..10610ec281b 100644 --- a/.github/workflows/pr-description-caveman.lock.yml +++ b/.github/workflows/pr-description-caveman.lock.yml @@ -992,18 +992,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 216822a975f..d98ed1ed497 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1097,18 +1097,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 7534a7e9ed9..6758da6dd2b 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -1335,18 +1335,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 579201b32c2..331bf3a34e3 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1110,18 +1110,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index de59804f7fc..11e89ec2621 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1205,18 +1205,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 7f60992c767..a5f199edcdb 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1107,18 +1107,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 7ea719ad218..7386273a42e 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1206,18 +1206,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/refactoring-cadence.lock.yml b/.github/workflows/refactoring-cadence.lock.yml index 42344fecd26..0f5f38c600a 100644 --- a/.github/workflows/refactoring-cadence.lock.yml +++ b/.github/workflows/refactoring-cadence.lock.yml @@ -992,18 +992,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 838d57a401b..884051b9ce2 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1105,18 +1105,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 6c45150d4ea..2c243abedd0 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1002,18 +1002,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 31a7bb2c2eb..ee2ea85b0f3 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -980,18 +980,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index e697efb004d..635b67d59af 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -948,18 +948,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 29d0002aca8..b29cd86af8e 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -990,18 +990,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 4e291124155..ceced71a7df 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -979,18 +979,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ruflo-backed-task.lock.yml b/.github/workflows/ruflo-backed-task.lock.yml index 2a8e6f5beb3..3bbff873d83 100644 --- a/.github/workflows/ruflo-backed-task.lock.yml +++ b/.github/workflows/ruflo-backed-task.lock.yml @@ -1173,18 +1173,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index c852f755659..153db13e17c 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1153,18 +1153,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 4785a1fdf79..f84218ba6cb 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -963,18 +963,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index 1414aa8765f..eb801a7161b 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -1020,18 +1020,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 78617b96c28..2ef4fbdbbb5 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1254,18 +1254,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 385c7c4bfd9..99d661c6d09 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -999,18 +999,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 8c72f59dae2..ee70075a4dc 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1145,18 +1145,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index c8e965d2abe..92b35161fce 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1099,18 +1099,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 081903f4df1..d539d786c2a 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1132,18 +1132,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/skillet.lock.yml b/.github/workflows/skillet.lock.yml index d93bfc2b6b3..d4f76343264 100644 --- a/.github/workflows/skillet.lock.yml +++ b/.github/workflows/skillet.lock.yml @@ -1076,18 +1076,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 11f6d1ce73e..a1a2a821174 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1081,18 +1081,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 27219385e49..9baaa997eba 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -1069,18 +1069,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 8228f0ecd30..5519c0f343e 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -1069,18 +1069,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 6aa21b82de4..3771d2f2669 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -1100,18 +1100,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 91e0bb98fa4..30eed4e4560 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -1069,18 +1069,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index d289d0a0a57..e11452e86a8 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -1076,18 +1076,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-antigravity.lock.yml b/.github/workflows/smoke-antigravity.lock.yml index 34931c9eae5..e1313febaae 100644 --- a/.github/workflows/smoke-antigravity.lock.yml +++ b/.github/workflows/smoke-antigravity.lock.yml @@ -1113,18 +1113,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index eba95a524a1..b05f424e85d 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -1042,18 +1042,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-ci.lock.yml b/.github/workflows/smoke-ci.lock.yml index fa4030ee503..672f526e8e1 100644 --- a/.github/workflows/smoke-ci.lock.yml +++ b/.github/workflows/smoke-ci.lock.yml @@ -1230,18 +1230,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-claude-on-copilot.lock.yml b/.github/workflows/smoke-claude-on-copilot.lock.yml index 27817ba6ff0..3f031690d93 100644 --- a/.github/workflows/smoke-claude-on-copilot.lock.yml +++ b/.github/workflows/smoke-claude-on-copilot.lock.yml @@ -1031,18 +1031,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index a85fdec1b25..191b0678038 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1871,18 +1871,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index ce5a8b4527e..12ee58a4c0e 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1400,18 +1400,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml index 5c24121f234..8de4335acf7 100644 --- a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml @@ -2070,18 +2070,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-aoai-entra.lock.yml b/.github/workflows/smoke-copilot-aoai-entra.lock.yml index a49a22d0497..3c0272ddc20 100644 --- a/.github/workflows/smoke-copilot-aoai-entra.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-entra.lock.yml @@ -2073,18 +2073,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 6570d586a2a..3ecc1f3bf8e 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1898,18 +1898,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-sdk.lock.yml b/.github/workflows/smoke-copilot-sdk.lock.yml index b3be288bd95..ff5dfecfcd9 100644 --- a/.github/workflows/smoke-copilot-sdk.lock.yml +++ b/.github/workflows/smoke-copilot-sdk.lock.yml @@ -1012,18 +1012,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-sub-agents.lock.yml b/.github/workflows/smoke-copilot-sub-agents.lock.yml index df2ee723756..f5d2d6200f4 100644 --- a/.github/workflows/smoke-copilot-sub-agents.lock.yml +++ b/.github/workflows/smoke-copilot-sub-agents.lock.yml @@ -929,18 +929,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 7613fe2db30..06109116a4a 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -2083,18 +2083,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 3122776303a..1127da0dc9d 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -1122,18 +1122,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-crush.lock.yml b/.github/workflows/smoke-crush.lock.yml index da2ffb8e931..f12e657c431 100644 --- a/.github/workflows/smoke-crush.lock.yml +++ b/.github/workflows/smoke-crush.lock.yml @@ -1027,18 +1027,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index d1490e47a62..b1855a6e639 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1117,18 +1117,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 65c0dd0e530..4e79a64708e 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1073,18 +1073,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 446562fc121..fb248eca833 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1031,18 +1031,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 71d4e2afd85..21862a264a2 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml +++ b/.github/workflows/smoke-otel-backends.lock.yml @@ -1183,18 +1183,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml index 47dfd38e8d8..ca411c1594f 100644 --- a/.github/workflows/smoke-pi.lock.yml +++ b/.github/workflows/smoke-pi.lock.yml @@ -1070,18 +1070,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 483fc165457..39c93d19029 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1250,18 +1250,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-service-ports.lock.yml b/.github/workflows/smoke-service-ports.lock.yml index fe1c7fa2c2e..3ca27d23c1e 100644 --- a/.github/workflows/smoke-service-ports.lock.yml +++ b/.github/workflows/smoke-service-ports.lock.yml @@ -1002,18 +1002,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index e43d3bb8935..4f41ab7d6dc 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1101,18 +1101,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 8cce0ae735f..fef9d4630d3 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1032,18 +1032,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 63a726f6c3e..00f22f01b21 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1134,18 +1134,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index ecbf3a14f3e..6c574dcff79 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -1057,18 +1057,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 3819c7b3793..08952a32ebe 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -1044,18 +1044,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/spec-enforcer.lock.yml b/.github/workflows/spec-enforcer.lock.yml index 9cb81bc5ee0..dadf32d61e8 100644 --- a/.github/workflows/spec-enforcer.lock.yml +++ b/.github/workflows/spec-enforcer.lock.yml @@ -977,18 +977,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/spec-extractor.lock.yml b/.github/workflows/spec-extractor.lock.yml index b5f2626d1d5..b8b0b459f28 100644 --- a/.github/workflows/spec-extractor.lock.yml +++ b/.github/workflows/spec-extractor.lock.yml @@ -1072,18 +1072,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/spec-librarian.lock.yml b/.github/workflows/spec-librarian.lock.yml index b29879c2e06..1a636e29f1f 100644 --- a/.github/workflows/spec-librarian.lock.yml +++ b/.github/workflows/spec-librarian.lock.yml @@ -1053,18 +1053,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/stale-pr-cleanup.lock.yml b/.github/workflows/stale-pr-cleanup.lock.yml index 7b95206f9e7..89aaaeecec3 100644 --- a/.github/workflows/stale-pr-cleanup.lock.yml +++ b/.github/workflows/stale-pr-cleanup.lock.yml @@ -995,18 +995,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index bc6f964d689..df6d0110a7a 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1177,18 +1177,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 83ab9992920..489a321c5cf 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1185,18 +1185,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 0a03e9ea4d6..eb4482b7076 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1071,18 +1071,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index d84e24b9961..af7709ef750 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -995,18 +995,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index cf81a571039..6ebb18beeda 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -1000,18 +1000,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 08cf47efa13..1d457b88ed1 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1072,18 +1072,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index f1299d89e46..70cee286916 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -989,18 +989,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 682e9e421b3..7f8aaf7c0e9 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1045,18 +1045,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 2c0b2af910b..ca1b9ad09f5 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -949,18 +949,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 9c95c81255c..bbf0906b685 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -994,18 +994,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-quality-sentinel.lock.yml b/.github/workflows/test-quality-sentinel.lock.yml index e9c2a188a97..528ba68198d 100644 --- a/.github/workflows/test-quality-sentinel.lock.yml +++ b/.github/workflows/test-quality-sentinel.lock.yml @@ -1098,18 +1098,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index d730f36610c..65225503a68 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -880,18 +880,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index fc6af792f5e..3b25afb363b 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1095,18 +1095,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 286d3d90e49..b79e3823e17 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -1110,18 +1110,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 911ac9d647e..dea0d1bcd16 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -1009,18 +1009,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/uk-ai-operational-resilience.lock.yml b/.github/workflows/uk-ai-operational-resilience.lock.yml index 4372e6683df..c0d8585781a 100644 --- a/.github/workflows/uk-ai-operational-resilience.lock.yml +++ b/.github/workflows/uk-ai-operational-resilience.lock.yml @@ -1027,18 +1027,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index f21910957d0..90bfe26ff69 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1068,18 +1068,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index 30673184a1b..8159f8a65ef 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -984,18 +984,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index fdddddc9a34..16dbf6fe588 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -970,18 +970,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/visual-regression-checker.lock.yml b/.github/workflows/visual-regression-checker.lock.yml index 7dfc95abb69..967adde65a7 100644 --- a/.github/workflows/visual-regression-checker.lock.yml +++ b/.github/workflows/visual-regression-checker.lock.yml @@ -1040,18 +1040,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 3636fa673b0..3c2db0e2e9f 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -1177,18 +1177,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index e6e774ba44d..55dc5fe6cbd 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1026,18 +1026,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 93311631e72..d9242c1b4f7 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -1012,18 +1012,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index e1b75b157ee..db37ad0c688 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -976,18 +976,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 34bb6556817..9d96ebd3885 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1046,18 +1046,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index c8ad380aa81..f9a6da7e8f9 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1066,18 +1066,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 730e361941d..f69f51b73a9 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1044,18 +1044,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 850c6359560..9ffe6c78dda 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1013,18 +1013,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/actions/setup/sh/print_firewall_logs.sh b/actions/setup/sh/print_firewall_logs.sh new file mode 100755 index 00000000000..60618d78c96 --- /dev/null +++ b/actions/setup/sh/print_firewall_logs.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env bash +set +o histexpand + +# print_firewall_logs.sh - Reclaim firewall sandbox dir ownership and print AWF firewall log summary. +# +# Usage: bash print_firewall_logs.sh [--rootless] +# +# Options: +# --rootless Use non-interactive sudo (sudo -n) with a non-sudo chmod fallback. +# Default: use plain sudo (AWF ran with full sudo access). +# +# Environment: +# AWF_LOGS_DIR Path to the AWF firewall logs directory. +# The parent directory (firewall sandbox root) is used for chown/chmod. + +ROOTLESS=false +while [[ $# -gt 0 ]]; do + case "$1" in + --rootless) ROOTLESS=true; shift ;; + *) echo "Unknown argument: $1" >&2; exit 1 ;; + esac +done + +FIREWALL_DIR="$(dirname "${AWF_LOGS_DIR}")" + +if [[ "${ROOTLESS}" == "true" ]]; then + # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). + # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw + # without requiring sudo, preventing EACCES failures on reused runners. + sudo -n chown -R "$(id -u):$(id -g)" "${FIREWALL_DIR}" 2>/dev/null || true + sudo -n chmod -R a+rX "${FIREWALL_DIR}" 2>/dev/null || chmod -R a+rX "${FIREWALL_DIR}" 2>/dev/null || true +else + # Reclaim ownership and fix permissions on firewall dirs for artifact upload and next-run cleanup. + # AWF runs with sudo, creating files owned by root; chown transfers ownership back to the runner + # user so the next run's setup.sh can rm -rf /tmp/gh-aw without requiring sudo. + sudo chown -R "$(id -u):$(id -g)" "${FIREWALL_DIR}" 2>/dev/null || true + sudo chmod -R a+rX "${FIREWALL_DIR}" 2>/dev/null || true +fi + +# Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) +if command -v awf &> /dev/null; then + awf logs summary | tee -a "${GITHUB_STEP_SUMMARY}" +else + echo 'AWF binary not installed, skipping firewall log summary' +fi diff --git a/actions/setup/sh/print_firewall_logs_test.sh b/actions/setup/sh/print_firewall_logs_test.sh new file mode 100755 index 00000000000..d213d3c15bf --- /dev/null +++ b/actions/setup/sh/print_firewall_logs_test.sh @@ -0,0 +1,107 @@ +#!/usr/bin/env bash +set +o histexpand + +# Test script for print_firewall_logs.sh +# Run: bash print_firewall_logs_test.sh + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +SCRIPT="${SCRIPT_DIR}/print_firewall_logs.sh" + +TESTS_PASSED=0 +TESTS_FAILED=0 +WORKSPACE="$(mktemp -d)" + +cleanup() { + rm -rf "${WORKSPACE}" +} +trap cleanup EXIT + +assert() { + local name="$1" + local condition="$2" + if eval "${condition}" 2>/dev/null; then + echo " ✓ ${name}" + TESTS_PASSED=$((TESTS_PASSED + 1)) + else + echo " ✗ ${name}" + TESTS_FAILED=$((TESTS_FAILED + 1)) + fi +} + +echo "Testing print_firewall_logs.sh" +echo "" + +# ── Test 1: Script syntax is valid ────────────────────────────────────────── +echo "Test 1: Script syntax is valid" +assert "script passes bash -n" "bash -n '${SCRIPT}'" +echo "" + +# ── Test 2: Unknown argument exits 1 ──────────────────────────────────────── +echo "Test 2: Unknown argument exits 1" +set +e +AWF_LOGS_DIR="/tmp/logs" GITHUB_STEP_SUMMARY="/dev/null" bash "${SCRIPT}" --unknown-flag 2>/dev/null +UNKNOWN_EXIT=$? +set -e +assert "exits non-zero for unknown argument" "[ '${UNKNOWN_EXIT}' -ne 0 ]" +echo "" + +# ── Test 3: AWF not installed prints informational message ────────────────── +echo "Test 3: AWF not installed prints informational message" +FIREWALL_DIR="${WORKSPACE}/test3/sandbox/firewall" +mkdir -p "${FIREWALL_DIR}/logs" +set +e +OUTPUT="$( + PATH="/usr/bin:/bin" \ + AWF_LOGS_DIR="${FIREWALL_DIR}/logs" \ + GITHUB_STEP_SUMMARY="${WORKSPACE}/test3-summary.md" \ + bash "${SCRIPT}" 2>&1 +)" +EXIT_CODE=$? +set -e +assert "exits successfully when awf is not installed" "[ '${EXIT_CODE}' -eq 0 ]" +assert "prints 'AWF binary not installed' message" "printf '%s' \"${OUTPUT}\" | grep -q 'AWF binary not installed'" +echo "" + +# ── Test 4: --rootless flag is accepted without error ─────────────────────── +echo "Test 4: --rootless flag is accepted without error" +FIREWALL_DIR="${WORKSPACE}/test4/sandbox/firewall" +mkdir -p "${FIREWALL_DIR}/logs" +set +e +OUTPUT="$( + PATH="/usr/bin:/bin" \ + AWF_LOGS_DIR="${FIREWALL_DIR}/logs" \ + GITHUB_STEP_SUMMARY="${WORKSPACE}/test4-summary.md" \ + bash "${SCRIPT}" --rootless 2>&1 +)" +EXIT_CODE=$? +set -e +assert "exits successfully with --rootless" "[ '${EXIT_CODE}' -eq 0 ]" +assert "prints 'AWF binary not installed' message (not an arg-parse error)" "printf '%s' \"${OUTPUT}\" | grep -q 'AWF binary not installed'" +echo "" + +# ── Test 5: FIREWALL_DIR is computed as dirname of AWF_LOGS_DIR ───────────── +echo "Test 5: FIREWALL_DIR is computed as dirname of AWF_LOGS_DIR" +LOGS_DIR="${WORKSPACE}/test5/sandbox/firewall/logs" +mkdir -p "${LOGS_DIR}" +set +e +OUTPUT="$( + PATH="/usr/bin:/bin" \ + AWF_LOGS_DIR="${LOGS_DIR}" \ + GITHUB_STEP_SUMMARY="${WORKSPACE}/test5-summary.md" \ + bash "${SCRIPT}" 2>&1 +)" +set -e +EXPECTED_DIR="${WORKSPACE}/test5/sandbox/firewall" +assert "script does not error on a valid logs dir" "[ -d '${EXPECTED_DIR}' ]" +echo "" + +echo "Tests passed: ${TESTS_PASSED}" +echo "Tests failed: ${TESTS_FAILED}" + +if [ "${TESTS_FAILED}" -gt 0 ]; then + exit 1 +fi + +echo "✓ All tests passed!" diff --git a/pkg/workflow/engine_firewall_support.go b/pkg/workflow/engine_firewall_support.go index 09af25a01b3..8a813e3a7de 100644 --- a/pkg/workflow/engine_firewall_support.go +++ b/pkg/workflow/engine_firewall_support.go @@ -4,7 +4,6 @@ import ( "errors" "fmt" "os" - "path" "strings" "github.com/github/gh-aw/pkg/console" @@ -125,14 +124,19 @@ func generateSquidLogsUploadStep(workflowName string, workflowData *WorkflowData func generateFirewallLogParsingStep(workflowName string, workflowData *WorkflowData) GitHubActionStep { // Firewall logs are at a known location in the sandbox folder structure. // On ARC/DinD, /tmp/gh-aw is not daemon-visible so logs land under runner.temp/gh-aw. - firewallLogsDir := constants.AWFProxyLogsDir // For env: blocks, use ${{ runner.temp }} (Actions expression) since shell vars aren't expanded there. firewallLogsDirEnv := constants.AWFProxyLogsDir if isArcDindTopology(workflowData) { - firewallLogsDir = constants.AWFProxyLogsDirShell firewallLogsDirEnv = constants.AWFProxyLogsDirExpr } - firewallDir := path.Dir(firewallLogsDir) + + // In network-isolation (rootless) mode, pass --rootless so the script uses + // non-interactive sudo (sudo -n) with a non-sudo chmod fallback. In non-network-isolation + // mode, the script uses plain sudo (AWF ran with full sudo access). + scriptArg := "" + if isAWFNetworkIsolationEnabled(workflowData) { + scriptArg = " --rootless" + } stepLines := []string{ " - name: Print firewall logs", @@ -140,48 +144,9 @@ func generateFirewallLogParsingStep(workflowName string, workflowData *WorkflowD " continue-on-error: true", " env:", " AWF_LOGS_DIR: " + firewallLogsDirEnv, - " run: |", - } - - // Docker containers write files as non-runner UIDs (e.g., Squid as UID 13). - // AWF's own post-run cleanup (fixArtifactPermissionsForRootless) normally handles - // this, but if AWF is killed by timeout or OOM, the cleanup never runs. - // - // chown reclaims ownership back to the runner user so the NEXT run's setup.sh - // can remove /tmp/gh-aw with a plain `rm -rf` (no sudo required). Without chown, - // the root-owned sandbox/firewall tree causes EACCES in consecutive runs on reused - // runners and the agent never starts. - // - // When AWF runs with sudo (non-network-isolation mode), plain `sudo chown/chmod` are - // used. In network-isolation (rootless) mode, `sudo -n` (non-interactive) is used with - // a non-sudo chmod as a best-effort fallback for artifact upload accessibility. - if !isAWFNetworkIsolationEnabled(workflowData) { - stepLines = append(stepLines, - " # Reclaim ownership and fix permissions on firewall dirs for artifact upload and next-run cleanup.", - " # AWF runs with sudo, creating files owned by root; chown transfers ownership back to the runner", - " # user so the next run's setup.sh can rm -rf /tmp/gh-aw without requiring sudo.", - fmt.Sprintf(" sudo chown -R \"$(id -u):$(id -g)\" %[1]s 2>/dev/null || true", firewallDir), - fmt.Sprintf(" sudo chmod -R a+rX %[1]s 2>/dev/null || true", firewallDir), - ) - } else { - stepLines = append(stepLines, - " # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run).", - " # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw", - " # without requiring sudo, preventing EACCES failures on reused runners.", - fmt.Sprintf(" sudo -n chown -R \"$(id -u):$(id -g)\" %[1]s 2>/dev/null || true", firewallDir), - fmt.Sprintf(" sudo -n chmod -R a+rX %[1]s 2>/dev/null || chmod -R a+rX %[1]s 2>/dev/null || true", firewallDir), - ) + ` run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh"` + scriptArg, } - stepLines = append(stepLines, - " # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)", - " if command -v awf &> /dev/null; then", - " awf logs summary | tee -a \"$GITHUB_STEP_SUMMARY\"", - " else", - " echo 'AWF binary not installed, skipping firewall log summary'", - " fi", - ) - return GitHubActionStep(stepLines) } diff --git a/pkg/workflow/engine_firewall_support_test.go b/pkg/workflow/engine_firewall_support_test.go index e0a1a1d6f97..cca2a28cd5d 100644 --- a/pkg/workflow/engine_firewall_support_test.go +++ b/pkg/workflow/engine_firewall_support_test.go @@ -3,7 +3,6 @@ package workflow import ( - "path" "strings" "testing" @@ -275,19 +274,19 @@ func TestGenerateFirewallLogParsingStepFixesFirewallPermissions(t *testing.T) { step := generateFirewallLogParsingStep("test-workflow", nil) stepContent := strings.Join(step, "\n") expectedLogsDir := constants.AWFProxyLogsDir - expectedFirewallDir := path.Dir(expectedLogsDir) if !strings.Contains(stepContent, "AWF_LOGS_DIR: "+expectedLogsDir) { t.Error("Expected firewall log parsing step to keep AWF_LOGS_DIR set to logs directory") } - if !strings.Contains(stepContent, "sudo chmod -R a+rX "+expectedFirewallDir+" 2>/dev/null || true") { - t.Error("Expected firewall log parsing step to chmod the parent firewall directory for logs and audit upload") + // Step should invoke the extracted script (not --rootless for non-network-isolation) + if !strings.Contains(stepContent, `bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh"`) { + t.Error("Expected firewall log parsing step to invoke print_firewall_logs.sh") } - // chown reclaims ownership back to the runner user so the next run can rm -rf /tmp/gh-aw without sudo - if !strings.Contains(stepContent, `sudo chown -R "$(id -u):$(id -g)" `+expectedFirewallDir) { - t.Error("Expected firewall log parsing step to chown the firewall directory back to runner user to prevent EACCES on reused runners") + // Default (non-network-isolation) mode must NOT pass --rootless + if strings.Contains(stepContent, "--rootless") { + t.Error("Expected firewall log parsing step to not pass --rootless when network isolation is disabled") } } @@ -304,23 +303,9 @@ func TestGenerateFirewallLogParsingStepNetworkIsolationOmitsSudo(t *testing.T) { step := generateFirewallLogParsingStep("test-workflow", workflowData) stepContent := strings.Join(step, "\n") - if strings.Contains(stepContent, "sudo chmod") { - t.Error("Expected firewall log parsing step to use non-sudo chmod when network isolation is enabled") - } - - // Should contain best-effort non-sudo chmod for artifact upload - if !strings.Contains(stepContent, "chmod -R a+rX") { - t.Error("Expected firewall log parsing step to contain best-effort chmod for artifact upload even in network-isolation mode") - } - - // Should contain best-effort sudo -n chown (non-interactive sudo) to reclaim ownership for next run - if !strings.Contains(stepContent, `sudo -n chown -R "$(id -u):$(id -g)"`) { - t.Error("Expected firewall log parsing step to contain best-effort chown to reclaim ownership for next-run cleanup") - } - - // Should still contain the awf logs summary logic - if !strings.Contains(stepContent, "awf logs summary") { - t.Error("Expected firewall log parsing step to contain awf logs summary") + // Step should invoke the extracted script with --rootless for network-isolation mode + if !strings.Contains(stepContent, `bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless`) { + t.Error("Expected firewall log parsing step to invoke print_firewall_logs.sh --rootless in network-isolation mode") } } @@ -337,13 +322,11 @@ func TestGenerateFirewallLogParsingStepWithNetworkIsolationFalse(t *testing.T) { step := generateFirewallLogParsingStep("test-workflow", workflowData) stepContent := strings.Join(step, "\n") - // With NetworkIsolation explicitly false, should still use sudo chmod - if !strings.Contains(stepContent, "sudo chmod -R a+rX") { - t.Error("Expected sudo chmod when NetworkIsolation is explicitly false") + // With NetworkIsolation explicitly false, should invoke script without --rootless + if !strings.Contains(stepContent, `bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh"`) { + t.Error("Expected firewall log parsing step to invoke print_firewall_logs.sh when NetworkIsolation is explicitly false") } - - // And sudo chown to reclaim ownership for next run - if !strings.Contains(stepContent, `sudo chown -R "$(id -u):$(id -g)"`) { - t.Error("Expected sudo chown to reclaim ownership when NetworkIsolation is explicitly false") + if strings.Contains(stepContent, "--rootless") { + t.Error("Expected no --rootless flag when NetworkIsolation is explicitly false") } } diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden index 513b7909e7f..d82c1421f67 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden @@ -694,18 +694,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden index 84a1e49ebb8..27eb76d1717 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden @@ -664,18 +664,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden index 985350f80ec..3ab0887fd70 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden @@ -638,18 +638,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden index 798c4488c80..6daeaf755d8 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden @@ -618,18 +618,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden index 76ff318f770..f31fbdb0b0d 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden @@ -564,18 +564,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden index 37c47adcbd1..14c09abc6c4 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -638,18 +638,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden index ffa108d2b7d..7d9caff21e1 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden @@ -658,18 +658,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 1446a0ac23a..d04d04b9ed7 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -898,18 +898,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden index 2204f2a4402..d76cd5c0e27 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden @@ -639,18 +639,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort: reclaim ownership and fix permissions (AWF cleanup may not have run). - # Chown transfers ownership back to the runner user so the next run can rm -rf /tmp/gh-aw - # without requiring sudo, preventing EACCES failures on reused runners. - sudo -n chown -R "$(id -u):$(id -g)" /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true From 3d4e5252fb6345b426efe94b29032498be9af8d0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 16:13:27 +0000 Subject: [PATCH 7/8] recompile: update smoke-copilot-small.lock.yml to use print_firewall_logs.sh script Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com> --- .github/workflows/smoke-copilot-small.lock.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/smoke-copilot-small.lock.yml b/.github/workflows/smoke-copilot-small.lock.yml index 488491ba64b..147283a0996 100644 --- a/.github/workflows/smoke-copilot-small.lock.yml +++ b/.github/workflows/smoke-copilot-small.lock.yml @@ -1006,15 +1006,7 @@ jobs: continue-on-error: true env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs - run: | - # Best-effort permission fix for artifact upload (AWF cleanup may not have run) - sudo -n chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true - # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) - if command -v awf &> /dev/null; then - awf logs summary | tee -a "$GITHUB_STEP_SUMMARY" - else - echo 'AWF binary not installed, skipping firewall log summary' - fi + run: bash "${RUNNER_TEMP}/gh-aw/actions/print_firewall_logs.sh" --rootless - name: Parse token usage for step summary if: always() continue-on-error: true From e9f10cd625abfb9c210f30cb2c50ffd7407c2139 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 9 Jul 2026 02:13:42 +0000 Subject: [PATCH 8/8] fix: address Matt Pocock Skills review - subdir guard, GITHUB_STEP_SUMMARY guard, path comment, and tests Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- actions/setup/sh/create_gh_aw_tmp_dir.sh | 18 +++- actions/setup/sh/create_gh_aw_tmp_dir_test.sh | 96 +++++++++++++++++++ actions/setup/sh/print_firewall_logs.sh | 13 ++- actions/setup/sh/print_firewall_logs_test.sh | 62 +++++++++++- 4 files changed, 180 insertions(+), 9 deletions(-) create mode 100644 actions/setup/sh/create_gh_aw_tmp_dir_test.sh diff --git a/actions/setup/sh/create_gh_aw_tmp_dir.sh b/actions/setup/sh/create_gh_aw_tmp_dir.sh index b56db0ec145..1e5d9323963 100755 --- a/actions/setup/sh/create_gh_aw_tmp_dir.sh +++ b/actions/setup/sh/create_gh_aw_tmp_dir.sh @@ -3,13 +3,21 @@ set +o histexpand set -euo pipefail # Reclaim stale root-owned /tmp/gh-aw/sandbox/firewall before creating it fresh. -# A previous AWF run can leave this directory owned by root (Docker containers run as root, -# e.g. Squid runs as UID 13 inside a container, writing files to the host-mounted volume). +# A previous AWF run can leave this directory (or its subdirectories) owned by root +# (Docker containers run as root, e.g. Squid runs as UID 13 inside a container, writing +# files to the host-mounted volume). # setup.sh removes the entire /tmp/gh-aw tree using sudo, but if that cleanup partially # failed (e.g. sudo was unavailable), the stale directory persists here. -# This targeted cleanup is defense-in-depth: it removes the specific directory that AWF's -# writeConfigs step will try to populate, so AWF can always create it fresh as the runner user. -if [ -d /tmp/gh-aw/sandbox/firewall ] && [ ! -w /tmp/gh-aw/sandbox/firewall ]; then +# This targeted cleanup is defense-in-depth: it removes the specific directory tree that +# AWF's writeConfigs step will try to populate, so AWF can always create it fresh as the +# runner user. +# Note: the writability check covers both the firewall root AND its subdirectories (logs/, +# audit/) because Docker/Squid may own only the subdirectories when the parent was +# pre-created by the runner user on a prior clean run. +if [ -d /tmp/gh-aw/sandbox/firewall ] && \ + { [ ! -w /tmp/gh-aw/sandbox/firewall ] || \ + { [ -d /tmp/gh-aw/sandbox/firewall/logs ] && [ ! -w /tmp/gh-aw/sandbox/firewall/logs ]; } || \ + { [ -d /tmp/gh-aw/sandbox/firewall/audit ] && [ ! -w /tmp/gh-aw/sandbox/firewall/audit ]; }; }; then echo "Pre-flight: /tmp/gh-aw/sandbox/firewall is not writable (likely root-owned from prior AWF run); reclaiming with sudo" if command -v sudo >/dev/null 2>&1; then sudo -n rm -rf /tmp/gh-aw/sandbox/firewall 2>/dev/null || echo "::warning::sudo rm failed for /tmp/gh-aw/sandbox/firewall; AWF may fail with EACCES" diff --git a/actions/setup/sh/create_gh_aw_tmp_dir_test.sh b/actions/setup/sh/create_gh_aw_tmp_dir_test.sh new file mode 100644 index 00000000000..089c03fa4e9 --- /dev/null +++ b/actions/setup/sh/create_gh_aw_tmp_dir_test.sh @@ -0,0 +1,96 @@ +#!/usr/bin/env bash +set +o histexpand + +# Test script for create_gh_aw_tmp_dir.sh +# Run: bash create_gh_aw_tmp_dir_test.sh + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +SCRIPT="${SCRIPT_DIR}/create_gh_aw_tmp_dir.sh" + +TESTS_PASSED=0 +TESTS_FAILED=0 + +cleanup() { + # Restore /tmp/gh-aw to a clean, writable state before removing it. + chmod -R u+rw /tmp/gh-aw 2>/dev/null || true + rm -rf /tmp/gh-aw 2>/dev/null || true +} +trap cleanup EXIT + +assert() { + local name="$1" + local condition="$2" + if eval "${condition}" 2>/dev/null; then + echo " ✓ ${name}" + TESTS_PASSED=$((TESTS_PASSED + 1)) + else + echo " ✗ ${name}" + TESTS_FAILED=$((TESTS_FAILED + 1)) + fi +} + +echo "Testing create_gh_aw_tmp_dir.sh" +echo "" + +# ── Test 1: Script syntax is valid ────────────────────────────────────────── +echo "Test 1: Script syntax is valid" +assert "script passes bash -n" "bash -n '${SCRIPT}'" +echo "" + +# ── Test 2: Creates expected directories when starting clean ──────────────── +echo "Test 2: Creates expected directories when starting clean" +rm -rf /tmp/gh-aw +bash "${SCRIPT}" >/dev/null 2>&1 +assert "creates /tmp/gh-aw/agent" "[ -d /tmp/gh-aw/agent ]" +assert "creates /tmp/gh-aw/sandbox/firewall/logs" "[ -d /tmp/gh-aw/sandbox/firewall/logs ]" +assert "creates /tmp/gh-aw/sandbox/firewall/audit" "[ -d /tmp/gh-aw/sandbox/firewall/audit ]" +echo "" + +# ── Test 3: No-op when firewall dir already exists and is writable ─────────── +echo "Test 3: No-op (no reclaim message) when firewall dir is already writable" +rm -rf /tmp/gh-aw +mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit +set +e +OUTPUT="$(bash "${SCRIPT}" 2>&1)" +EXIT_CODE=$? +set -e +assert "exits 0 when firewall dir is writable" "[ '${EXIT_CODE}' -eq 0 ]" +assert "does not print reclaim message" "! printf '%s' \"${OUTPUT}\" | grep -q 'Pre-flight'" +echo "" + +# ── Test 4: Guard fires when firewall parent dir is not writable ───────────── +echo "Test 4: Guard fires when firewall dir is not writable" +rm -rf /tmp/gh-aw +mkdir -p /tmp/gh-aw/sandbox/firewall +chmod 000 /tmp/gh-aw/sandbox/firewall +set +e +OUTPUT="$(bash "${SCRIPT}" 2>&1)" +EXIT_CODE=$? +set -e +chmod u+rwx /tmp/gh-aw/sandbox/firewall 2>/dev/null || true +assert "prints Pre-flight reclaim message when parent is non-writable" "printf '%s' \"${OUTPUT}\" | grep -q 'Pre-flight'" +echo "" + +# ── Test 5: Guard fires when subdirs are non-writable (parent is writable) ─── +echo "Test 5: Guard fires when a firewall subdir is non-writable even if parent is writable" +rm -rf /tmp/gh-aw +mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit +chmod 000 /tmp/gh-aw/sandbox/firewall/logs # parent writable, subdir not +set +e +OUTPUT="$(bash "${SCRIPT}" 2>&1)" +EXIT_CODE=$? +set -e +chmod u+rwx /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true +assert "prints Pre-flight reclaim message when subdir is non-writable" "printf '%s' \"${OUTPUT}\" | grep -q 'Pre-flight'" +echo "" + +echo "Tests passed: ${TESTS_PASSED}" +echo "Tests failed: ${TESTS_FAILED}" + +if [ "${TESTS_FAILED}" -gt 0 ]; then + exit 1 +fi + +echo "✓ All tests passed!" diff --git a/actions/setup/sh/print_firewall_logs.sh b/actions/setup/sh/print_firewall_logs.sh index 60618d78c96..66cc637db68 100755 --- a/actions/setup/sh/print_firewall_logs.sh +++ b/actions/setup/sh/print_firewall_logs.sh @@ -10,8 +10,12 @@ set +o histexpand # Default: use plain sudo (AWF ran with full sudo access). # # Environment: -# AWF_LOGS_DIR Path to the AWF firewall logs directory. -# The parent directory (firewall sandbox root) is used for chown/chmod. +# AWF_LOGS_DIR Path to the AWF logs directory (must be set). +# The Go compiler (engine_firewall_support.go) sets this to +# "${RUNNER_TEMP}/gh-aw/sandbox/firewall/logs"; the parent +# directory (firewall sandbox root) is used for chown/chmod. +# GITHUB_STEP_SUMMARY Path to the GitHub Actions step summary file. +# If unset or empty, log output is printed to stdout only. ROOTLESS=false while [[ $# -gt 0 ]]; do @@ -21,6 +25,9 @@ while [[ $# -gt 0 ]]; do esac done +# FIREWALL_DIR is the firewall sandbox root, derived as the parent of AWF_LOGS_DIR. +# The Go compiler sets AWF_LOGS_DIR="${RUNNER_TEMP}/gh-aw/sandbox/firewall/logs", +# so FIREWALL_DIR resolves to "${RUNNER_TEMP}/gh-aw/sandbox/firewall". FIREWALL_DIR="$(dirname "${AWF_LOGS_DIR}")" if [[ "${ROOTLESS}" == "true" ]]; then @@ -39,7 +46,7 @@ fi # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step) if command -v awf &> /dev/null; then - awf logs summary | tee -a "${GITHUB_STEP_SUMMARY}" + awf logs summary | tee -a "${GITHUB_STEP_SUMMARY:-/dev/null}" else echo 'AWF binary not installed, skipping firewall log summary' fi diff --git a/actions/setup/sh/print_firewall_logs_test.sh b/actions/setup/sh/print_firewall_logs_test.sh index d213d3c15bf..9c02ee95eb7 100755 --- a/actions/setup/sh/print_firewall_logs_test.sh +++ b/actions/setup/sh/print_firewall_logs_test.sh @@ -97,6 +97,66 @@ EXPECTED_DIR="${WORKSPACE}/test5/sandbox/firewall" assert "script does not error on a valid logs dir" "[ -d '${EXPECTED_DIR}' ]" echo "" +# ── Test 6: Rootless mode - non-sudo chmod fallback succeeds when sudo absent ─ +echo "Test 6: Rootless mode - non-sudo chmod fallback succeeds when sudo unavailable" +FIREWALL_DIR="${WORKSPACE}/test6/sandbox/firewall" +mkdir -p "${FIREWALL_DIR}/logs" +chmod 500 "${FIREWALL_DIR}" # owner read+exec only — chmod a+rX fallback must run +set +e +OUTPUT="$( + PATH="/usr/bin:/bin" \ + AWF_LOGS_DIR="${FIREWALL_DIR}/logs" \ + GITHUB_STEP_SUMMARY="${WORKSPACE}/test6-summary.md" \ + bash "${SCRIPT}" --rootless 2>&1 +)" +EXIT_CODE=$? +set -e +chmod -R u+rwx "${FIREWALL_DIR}" 2>/dev/null || true +assert "exits 0 in rootless mode when sudo unavailable" "[ '${EXIT_CODE}' -eq 0 ]" +assert "prints 'AWF binary not installed' (not a chown/chmod crash)" "printf '%s' \"${OUTPUT}\" | grep -q 'AWF binary not installed'" +echo "" + +# ── Test 7: Default mode - exits 0 when sudo unavailable (|| true catches it) ─ +echo "Test 7: Default mode (non-rootless) - exits 0 even when sudo unavailable" +FIREWALL_DIR="${WORKSPACE}/test7/sandbox/firewall" +mkdir -p "${FIREWALL_DIR}/logs" +set +e +OUTPUT="$( + PATH="/usr/bin:/bin" \ + AWF_LOGS_DIR="${FIREWALL_DIR}/logs" \ + GITHUB_STEP_SUMMARY="${WORKSPACE}/test7-summary.md" \ + bash "${SCRIPT}" 2>&1 +)" +EXIT_CODE=$? +set -e +assert "exits 0 in default mode when sudo unavailable" "[ '${EXIT_CODE}' -eq 0 ]" +assert "prints 'AWF binary not installed' (not a sudo crash)" "printf '%s' \"${OUTPUT}\" | grep -q 'AWF binary not installed'" +echo "" + +# ── Test 8: GITHUB_STEP_SUMMARY guard — no error when variable is unset ────── +echo "Test 8: GITHUB_STEP_SUMMARY guard - no error or tee failure when variable is unset" +FIREWALL_DIR="${WORKSPACE}/test8/sandbox/firewall" +MOCK_BIN="${WORKSPACE}/bin8" +mkdir -p "${FIREWALL_DIR}/logs" "${MOCK_BIN}" +cat > "${MOCK_BIN}/awf" << 'AWFMOCK' +#!/usr/bin/env bash +if [[ "$1 $2" == "logs summary" ]]; then echo "mock firewall summary"; fi +AWFMOCK +chmod +x "${MOCK_BIN}/awf" +set +e +# Run WITHOUT GITHUB_STEP_SUMMARY set - should not error +OUTPUT="$( + PATH="${MOCK_BIN}:/usr/bin:/bin" \ + AWF_LOGS_DIR="${FIREWALL_DIR}/logs" \ + bash "${SCRIPT}" 2>&1 +)" +EXIT_CODE=$? +set -e +assert "exits 0 when GITHUB_STEP_SUMMARY is unset" "[ '${EXIT_CODE}' -eq 0 ]" +assert "prints summary output to stdout" "printf '%s' \"${OUTPUT}\" | grep -q 'mock firewall summary'" +assert "no tee error about empty filename" "! printf '%s' \"${OUTPUT}\" | grep -q 'No such file or directory'" +echo "" + echo "Tests passed: ${TESTS_PASSED}" echo "Tests failed: ${TESTS_FAILED}" @@ -104,4 +164,4 @@ if [ "${TESTS_FAILED}" -gt 0 ]; then exit 1 fi -echo "✓ All tests passed!" +echo "✓ All tests passed!" \ No newline at end of file