
Generated cleanup step missing chmod for firewall/audit directory #27741

@zkoppert

Description


Bug

The compiled .lock.yml workflow includes a cleanup step that runs:

sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true

This only makes the firewall/logs directory readable, but the subsequent Upload firewall audit logs step tries to upload both logs/ and audit/:

path: |
  /tmp/gh-aw/sandbox/firewall/logs
  /tmp/gh-aw/sandbox/firewall/audit

Since the AWF agent runs with sudo, both directories are owned by root. The missing chmod on firewall/audit causes the upload step to fail with:

EACCES: permission denied, scandir '/tmp/gh-aw/sandbox/firewall/audit'

Impact

The failure is cosmetic - the actual agent work completes successfully. Only the artifact upload of firewall audit logs fails, which means those logs are lost for post-run inspection.

Reproduction

  1. Any agentic workflow compiled with gh-aw (tested on v0.65.4 and v0.68.3)
  2. Wait for a scheduled run (or trigger manually)
  3. The Upload firewall audit logs step fails with EACCES

Example failed run: https://github.com/github/new-user-experience/actions/runs/24717928533

Suggested fix

Change the generated chmod to target the parent directory instead of just logs/:

sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true

Or add a second chmod line for the audit directory:

sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true

Environment

  • gh-aw: v0.68.3 (also reproduced on v0.65.4)
  • Firewall: v0.25.20 (also reproduced on v0.25.6)
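Added example, not part of the issue above and not gh-aw's or the firewall's own code: a POSIX shell script that rebuilds the sandbox layout in a scratch directory, runs the generated cleanup as it exists today and then the proposed parent-directory variant, and reports which directories a non-owner still cannot list (the condition behind the scandir EACCES). Mode 700 on logs/ and audit/ is an assumption standing in for the root-owned directories; the real mode the firewall sets is not stated in the issue. The fix uses a+rX instead of a+r, because a+r grants only the read bit, and a directory also needs the search bit (x) before the uploader can stat the entries inside it; X adds x to directories only. All paths and helper names below are mine.

```shell
#!/bin/sh
# Added example: reproduce the gh-aw cleanup bug in a scratch tree, no root needed.
# The sandbox is a constructed temp directory that mirrors /tmp/gh-aw/sandbox/firewall.

# "Others" permission triple of a path as ls prints it, e.g. "r-x" or "---".
# Mode bits are inspected instead of probing with test -r because root bypasses
# DAC checks, and a probe run as root would report every directory as readable.
others_perms() { ls -ld "$1" | awk '{ print substr($1, 8, 3) }'; }

# Print every directory under $1 whose "others" bits lack r. scandir() on such a
# directory fails with EACCES for a non-owner; empty output means the upload
# step could enumerate the whole tree.
dirs_unreadable_by_others() {
  find "$1" -type d | sort | while read -r d; do
    case "$(others_perms "$d")" in
      r*) ;;
      *)  echo "$d" ;;
    esac
  done
}

# Build the layout from the issue. The parent firewall/ is left world-readable,
# as it must already be for the logs/ upload to work; logs/ and audit/ get mode
# 700 (an assumption) to stand in for directories the sudo'd firewall created.
make_sandbox() {
  root=$(mktemp -d)
  mkdir -p "$root/firewall/logs" "$root/firewall/audit"
  echo "constructed firewall log line" > "$root/firewall/logs/firewall.log"
  echo "constructed audit log line"    > "$root/firewall/audit/audit.log"
  chmod 600 "$root"/firewall/*/*
  chmod 755 "$root/firewall"
  chmod 700 "$root/firewall/logs" "$root/firewall/audit"
  echo "$root"
}

# The generated cleanup step as compiled today: only logs/ is touched.
buggy_cleanup() { chmod -R a+r "$1/firewall/logs" 2>/dev/null || true; }

# The proposed fix targeting the parent, with X so directories also receive the
# search bit (a+r alone leaves x unset on a 700 directory).
fixed_cleanup() { chmod -R a+rX "$1/firewall" 2>/dev/null || true; }

# Walk through both steps and show what the upload step would encounter.
demo() {
  sb=$(make_sandbox)
  buggy_cleanup "$sb"
  echo "after the generated chmod, directories others cannot list:"
  dirs_unreadable_by_others "$sb/firewall"
  fixed_cleanup "$sb"
  echo "after the parent-directory chmod: $(dirs_unreadable_by_others "$sb/firewall" | wc -l | tr -d ' ') unreadable directories"
  rm -rf "$sb"
}
demo
```

Running it prints the audit/ path after the first cleanup and zero unreadable directories after the second; swapping a+rX for a+r in fixed_cleanup still clears the listing failure but leaves others_perms at "r--", which is enough for scandir but not for stat'ing files under the directory.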
