github · pelikhan · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/pkg/workflow/engine_firewall_support.go b/pkg/workflow/engine_firewall_support.go
@@ -4,9 +4,11 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path"
 	"strings"
 
 	"github.com/github/gh-aw/pkg/console"
+	"github.com/github/gh-aw/pkg/constants"
 	"github.com/github/gh-aw/pkg/logger"
 )
 
@@ -118,7 +120,8 @@ func generateSquidLogsUploadStep(workflowName string) GitHubActionStep {
 // generateFirewallLogParsingStep creates a GitHub Actions step to parse firewall logs and create step summary.
 func generateFirewallLogParsingStep(workflowName string) GitHubActionStep {
 	// Firewall logs are at a known location in the sandbox folder structure
-	firewallLogsDir := "/tmp/gh-aw/sandbox/firewall/logs"
+	firewallLogsDir := constants.AWFProxyLogsDir
+	firewallDir := path.Dir(firewallLogsDir)
 
 	stepLines := []string{
 		"      - name: Print firewall logs",
@@ -127,9 +130,9 @@ func generateFirewallLogParsingStep(workflowName string) GitHubActionStep {
 		"        env:",
 		"          AWF_LOGS_DIR: " + firewallLogsDir,
 		"        run: |",
-		"          # Fix permissions on firewall logs so they can be uploaded as artifacts",
+		"          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts",
 		"          # AWF runs with sudo, creating files owned by root",
-		fmt.Sprintf("          sudo chmod -R a+r %s 2>/dev/null || true", firewallLogsDir),
+		fmt.Sprintf("          sudo chmod -R a+r %s 2>/dev/null || true", firewallDir),
 		"          # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)",
 		"          if command -v awf &> /dev/null; then",
 		"            awf logs summary | tee -a \"$GITHUB_STEP_SUMMARY\"",

diff --git a/pkg/workflow/engine_firewall_support_test.go b/pkg/workflow/engine_firewall_support_test.go
@@ -3,8 +3,11 @@
 package workflow
 
 import (
+	"path"
 	"strings"
 	"testing"
+
+	"github.com/github/gh-aw/pkg/constants"
 )
 
 func TestHasNetworkRestrictions(t *testing.T) {
@@ -267,3 +270,18 @@ func TestCheckFirewallDisable(t *testing.T) {
 		}
 	})
 }
+
+func TestGenerateFirewallLogParsingStepFixesFirewallPermissions(t *testing.T) {
+	step := generateFirewallLogParsingStep("test-workflow")
+	stepContent := strings.Join(step, "\n")
+	expectedLogsDir := constants.AWFProxyLogsDir
+	expectedFirewallDir := path.Dir(expectedLogsDir)
+
+	if !strings.Contains(stepContent, "AWF_LOGS_DIR: "+expectedLogsDir) {
+		t.Error("Expected firewall log parsing step to keep AWF_LOGS_DIR set to logs directory")
+	}
+
+	if !strings.Contains(stepContent, "sudo chmod -R a+r "+expectedFirewallDir+" 2>/dev/null || true") {
+		t.Error("Expected firewall log parsing step to chmod the parent firewall directory for logs and audit upload")
+	}
+}
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
@@ -505,9 +505,9 @@ jobs:
         env:
           AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
         run: |
-          # Fix permissions on firewall logs so they can be uploaded as artifacts
+          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
           # AWF runs with sudo, creating files owned by root
-          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
           # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
           if command -v awf &> /dev/null; then
             awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/claude-with-network.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/claude-with-network.golden
@@ -507,9 +507,9 @@ jobs:
         env:
           AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
         run: |
-          # Fix permissions on firewall logs so they can be uploaded as artifacts
+          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
           # AWF runs with sudo, creating files owned by root
-          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
           # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
           if command -v awf &> /dev/null; then
             awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden
@@ -673,9 +673,9 @@ jobs:
         env:
           AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
         run: |
-          # Fix permissions on firewall logs so they can be uploaded as artifacts
+          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
           # AWF runs with sudo, creating files owned by root
-          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
           # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
           if command -v awf &> /dev/null; then
             awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-test-tools.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-test-tools.golden
@@ -572,9 +572,9 @@ jobs:
         env:
           AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
         run: |
-          # Fix permissions on firewall logs so they can be uploaded as artifacts
+          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
           # AWF runs with sudo, creating files owned by root
-          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
           # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
           if command -v awf &> /dev/null; then
             awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
@@ -506,9 +506,9 @@ jobs:
         env:
           AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
         run: |
-          # Fix permissions on firewall logs so they can be uploaded as artifacts
+          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
           # AWF runs with sudo, creating files owned by root
-          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
           # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
           if command -v awf &> /dev/null; then
             awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"

diff --git a/pkg/workflow/testdata/wasm_golden/WasmBinary/basic-copilot.golden b/pkg/workflow/testdata/wasm_golden/WasmBinary/basic-copilot.golden
@@ -479,9 +479,9 @@ jobs:
         env:
           AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
         run: |
-          # Fix permissions on firewall logs so they can be uploaded as artifacts
+          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
           # AWF runs with sudo, creating files owned by root
-          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
           # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
           if command -v awf &> /dev/null; then
             awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"

diff --git a/pkg/workflow/testdata/wasm_golden/WasmBinary/with-imports.golden b/pkg/workflow/testdata/wasm_golden/WasmBinary/with-imports.golden
@@ -482,9 +482,9 @@ jobs:
         env:
           AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs
         run: |
-          # Fix permissions on firewall logs so they can be uploaded as artifacts
+          # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts
           # AWF runs with sudo, creating files owned by root
-          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall/logs 2>/dev/null || true
+          sudo chmod -R a+r /tmp/gh-aw/sandbox/firewall 2>/dev/null || true
           # Only run awf logs summary if awf command exists (it may not be installed if workflow failed before install step)
           if command -v awf &> /dev/null; then
             awf logs summary | tee -a "$GITHUB_STEP_SUMMARY"