diff --git a/pkg/workflow/engine_firewall_support.go b/pkg/workflow/engine_firewall_support.go
index 7ff4de19144..27cee2c5488 100644
--- a/pkg/workflow/engine_firewall_support.go
+++ b/pkg/workflow/engine_firewall_support.go
@@ -4,9 +4,11 @@ import (
 "errors"
 "fmt"
 "os"
+ "path"
 "strings"
 "github.com/github/gh-aw/pkg/console"
+ "github.com/github/gh-aw/pkg/constants"
 "github.com/github/gh-aw/pkg/logger"
 )
@@ -118,7 +120,8 @@ func generateSquidLogsUploadStep(workflowName string) GitHubActionStep {
 // generateFirewallLogParsingStep creates a GitHub Actions step to parse firewall logs and create step summary.
 func generateFirewallLogParsingStep(workflowName string) GitHubActionStep {
 // Firewall logs are at a known location in the sandbox folder structure
- firewallLogsDir := "/tmp/gh-aw/sandbox/firewall/logs"
+ firewallLogsDir := constants.AWFProxyLogsDir
+ firewallDir := path.Dir(firewallLogsDir)
 stepLines := []string{
 " - name: Print firewall logs",
@@ -127,9 +130,9 @@ func generateFirewallLogParsingStep(workflowName string) GitHubActionStep {
 " env:",
 " AWF_LOGS_DIR: " + firewallLogsDir,
 " run: |",
- " # Fix permissions on firewall logs so they can be uploaded as artifacts",
+ " # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts",
 " # AWF runs with sudo, creating files owned by root",
- fmt.Sprintf(" sudo chmod -R a+r %s 2>/dev/null || true", firewallLogsDir),
+ fmt.Sprintf(" sudo chmod -R a+r %s 2>/dev/null || true", firewallDir),
 " # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)",
 " if command -v awf &> /dev/null; then",
 " awf logs summary | tee -a \"$GITHUB_STEP_SUMMARY\"",
diff --git a/pkg/workflow/engine_firewall_support_test.go b/pkg/workflow/engine_firewall_support_test.go
index e70fa04e59a..8939e8c8695 100644
--- a/pkg/workflow/engine_firewall_support_test.go
+++ b/pkg/workflow/engine_firewall_support_test.go
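Review bot: The rewritten `fmt.Sprintf(" sudo chmod -R a+r %s ...", firewallDir)` line widens the world-readable tree from the logs subdirectory to its parent (`/tmp/gh-aw/sandbox/firewall` per the golden files in this commit), which covers whatever else AWF keeps under that directory, not only the logs and audit directories the new comment names; if the parent holds anything besides those two (config or runtime state is not visible on this page), the least-privilege form is to chmod the two directories explicitly rather than their common parent. Separately, `a+r` adds no search permission on directories, so if AWF creates the audit directory 0700 the non-root upload step still cannot descend into it after this change; `a+rX` would add execute only on directories and already-executable files. Because the command ends in `2>/dev/null || true`, either problem surfaces only as a silently missing artifact, so logging a warning when the chmod fails would make it visible in the job log. generateFirewallLogParsingStep continues past the end of this hunk.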
@@ -3,8 +3,11 @@ package workflow
 import (
+ "path"
 "strings"
 "testing"
+
+ "github.com/github/gh-aw/pkg/constants"
 )
 func TestHasNetworkRestrictions(t *testing.T) {
@@ -267,3 +270,18 @@ func TestCheckFirewallDisable(t *testing.T) {
 }
 })
 }
+
+func TestGenerateFirewallLogParsingStepFixesFirewallPermissions(t *testing.T) {
+ step := generateFirewallLogParsingStep("test-workflow")
+ stepContent := strings.Join(step, "\n")
+ expectedLogsDir := constants.AWFProxyLogsDir
+ expectedFirewallDir := path.Dir(expectedLogsDir)
+
+ if !strings.Contains(stepContent, "AWF_LOGS_DIR: "+expectedLogsDir) {
+ t.Error("Expected firewall log parsing step to keep AWF_LOGS_DIR set to logs directory")
+ }
+
+ if !strings.Contains(stepContent, "sudo chmod -R a+r "+expectedFirewallDir+" 2>/dev/null || true") {
+ t.Error("Expected firewall log parsing step to chmod the parent firewall directory for logs and audit upload")
+ }
+}
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
index dc2cd637737..97e86e73c31 100644
--- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
@@ -505,9 +505,9 @@ jobs:
 env:
 AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
 run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
 # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
 # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
 if command -v awf &> /dev/null; then
 awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
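Review bot: The new test computes `expectedFirewallDir` with the same `path.Dir(constants.AWFProxyLogsDir)` expression the implementation uses, so it only confirms the code agrees with itself; if the constant ever gained a trailing slash, `path.Dir` would return the logs directory in both places and the test would still pass while the chmod silently stopped covering the audit directory. Pin the literal the golden files in this commit show, `expectedFirewallDir := "/tmp/gh-aw/sandbox/firewall"`, so a regression in the constant or in the derivation fails here rather than only in the golden comparison. The same applies to `expectedLogsDir`, which can be the literal `"/tmp/gh-aw/sandbox/firewall/logs"`.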
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/claude-with-network.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/claude-with-network.golden
index 4ac3bd54ec8..7e90aaf3a6e 100644
--- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/claude-with-network.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/claude-with-network.golden
@@ -507,9 +507,9 @@ jobs:
 env:
 AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
 run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
 # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
 # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
 if command -v awf &> /dev/null; then
 awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden
index 51d92f759b4..1235063f790 100644
--- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden
@@ -673,9 +673,9 @@ jobs:
 env:
 AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
 run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
 # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
 # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
 if command -v awf &> /dev/null; then
 awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-test-tools.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-test-tools.golden
index 2891a51800b..77cd02ae6ef 100644
--- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-test-tools.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-test-tools.golden
@@ -572,9 +572,9 @@ jobs:
 env:
 AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
 run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
 # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
 # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
 if command -v awf &> /dev/null; then
 awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
index bafbfe67533..905637124d5 100644
--- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
@@ -506,9 +506,9 @@ jobs:
 env:
 AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
 run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
 # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
 # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
 if command -v awf &> /dev/null; then
 awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
diff --git a/pkg/workflow/testdata/wasm_golden/WasmBinary/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/WasmBinary/basic-copilot.golden
index c130bf6ea03..3fbfa3d56a9 100644
--- a/pkg/workflow/testdata/wasm_golden/WasmBinary/basic-copilot.golden
+++ b/pkg/workflow/testdata/wasm_golden/WasmBinary/basic-copilot.golden
@@ -479,9 +479,9 @@ jobs:
 env:
 AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
 run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
 # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
 # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
 if command -v awf &> /dev/null; then
 awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"
diff --git a/pkg/workflow/testdata/wasm_golden/WasmBinary/with-imports.golden b/pkg/workflow/testdata/wasm_golden/WasmBinary/with-imports.golden
index 892ac747456..9257a294f15 100644
--- a/pkg/workflow/testdata/wasm_golden/WasmBinary/with-imports.golden
+++ b/pkg/workflow/testdata/wasm_golden/WasmBinary/with-imports.golden
@@ -482,9 +482,9 @@ jobs:
 env:
 AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
 run: |
- # Fix permissions on firewall logs so they can be uploaded as artifacts
+ # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
 # AWF runs with sudo, creating files owned by root
- sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+ sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
 # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
 if command -v awf &> /dev/null; then
 awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"