fix: use 0o777 permissions for mcp-logs and squid-logs directories

[Copilot]

GitHub Actions workflows fail with "Permission denied" when creating subdirectories in /tmp/gh-aw/mcp-logs/safeoutputs after AWF runs with sudo. The directory is created by root with 755 permissions, preventing non-root workflow steps from writing.

Changes

• Set directory permissions to 0o777: Changed from 0o755 to allow any user to create subdirectories
• Added explicit chmodSync(): Bypasses umask (0002) which would reduce 0o777 to 0o775
• Fix existing directories: Apply correct permissions if directory already exists from previous run
• Applied to both directories: mcpLogsDir (/tmp/gh-aw/mcp-logs) and squidLogsDir for consistency

Implementation

const mcpLogsDir = '/tmp/gh-aw/mcp-logs';
if (!fs.existsSync(mcpLogsDir)) {
  fs.mkdirSync(mcpLogsDir, { recursive: true, mode: 0o777 });
  fs.chmodSync(mcpLogsDir, 0o777);  // Explicit chmod bypasses umask
  logger.debug(`MCP logs directory created at: ${mcpLogsDir}`);
} else {
  fs.chmodSync(mcpLogsDir, 0o777);
  logger.debug(`MCP logs directory permissions fixed at: ${mcpLogsDir}`);
}

Safe for these temp log directories: already in /tmp, hidden from AWF container via tmpfs, no sensitive data.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Chroot tests failed Smoke Chroot was cancelled - See logs for details.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

Build Test: Bun - Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS ✅

All Bun projects built and tested successfully.

AI generated by Build Test Bun

[github-actions]

Deno Build Test Results ✅

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

Build Test: Go - Results

All Go projects tested successfully! ✅

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS

AI generated by Build Test Go

[github-actions]

Smoke Test Results (Claude)

Last 2 merged PRs:

• fix: create /tmp/gh-aw/mcp-logs before Docker mount #707: fix: create /tmp/gh-aw/mcp-logs before Docker mount
• fix(docker): mount CLI state directories in chroot mode for Copilot and Claude #702: fix(docker): mount CLI state directories in chroot mode for Copilot and Claude

✅ GitHub MCP - Retrieved PRs
✅ Playwright - Page title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
✅ File Writing - Created /tmp/gh-aw/agent/smoke-test-claude-21933071664.txt
✅ Bash Tool - Verified file contents

Status: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• fix: create /tmp/gh-aw/mcp-logs before Docker mount #707: fix: create /tmp/gh-aw/mcp-logs before Docker mount
• fix(docker): mount CLI state directories in chroot mode for Copilot and Claude #702: fix(docker): mount CLI state directories in chroot mode for Copilot and Claude

Tests:

• ✅ GitHub MCP (reviewed PRs)
• ✅ Playwright (GitHub page title verified)
• ✅ File writing (created smoke-test-copilot-21933071672.txt)
• ✅ Bash commands (verified file content)

Overall Status: PASS

cc @Copilot @lpcox

AI generated by Smoke Copilot

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All Node.js test projects built and tested successfully.

AI generated by Build Test Node.js

[github-actions]

Build Test: .NET

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

All .NET projects successfully restored, built, and ran with expected output.

AI generated by Build Test .NET

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS

All Rust projects built and tested successfully.

AI generated by Build Test Rust

[github-actions]

Chroot Version Comparison Results ❌

Runtime	Host Version	Chroot Version	Match?
Python	3.12.12	3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: Tests did not pass. Python and Node.js versions differ between host and chroot environments.

AI generated by Smoke Chroot

[Copilot]

Pull request overview

This PR addresses GitHub Actions permission failures by making the host log directories used by AWF world-writable, ensuring non-root steps can create subdirectories even when AWF is run via sudo.

Changes:

• Create /tmp/gh-aw/mcp-logs with 0o777 and explicitly chmod it to bypass umask.
• Create squid-logs with 0o777 and explicitly chmod it on creation.
• Extend writeConfigs test coverage to assert mcp-logs permissions are 0777.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
src/docker-manager.ts	Adjusts creation/permissions logic for mcp-logs and squid-logs directories.
src/docker-manager.test.ts	Updates the writeConfigs test to assert mcp-logs is created with 0777.

Comments suppressed due to low confidence (1)

src/docker-manager.ts:878

• squidLogsDir only gets chmodSync(..., 0o777) when the directory is newly created. If it already exists from a previous run with more restrictive permissions, this code won’t fix it (unlike mcpLogsDir below) and the debug log still says "created" even when it wasn’t. Consider adding an else branch (and adjusting the log message) to normalize permissions consistently, in line with the PR description.

  const squidLogsDir = config.proxyLogsDir || path.join(config.workDir, 'squid-logs');
  if (!fs.existsSync(squidLogsDir)) {
    fs.mkdirSync(squidLogsDir, { recursive: true, mode: 0o777 });
    // Explicitly set permissions to 0o777 (not affected by umask)
    fs.chmodSync(squidLogsDir, 0o777);
  }
  logger.debug(`Squid logs directory created at: ${squidLogsDir}`);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In the else branch, chmodSync(mcpLogsDir, 0o777) is unconditional. If /tmp/gh-aw/mcp-logs already exists and is owned by a different user (e.g., created by a prior sudo run) but already has 0777, a non-root run will still throw EPERM here and fail the workflow unnecessarily. Consider stat’ing first and only chmod’ing when the mode isn’t already 0777, and handle EPERM with a clearer error or a non-fatal warning when permissions are already sufficient.

This issue also appears on line 872 of the same file.

Suggested change

	fs.chmodSync(mcpLogsDir, 0o777);
	logger.debug(`MCP logs directory permissions fixed at: ${mcpLogsDir}`);
	try {
	const stats = fs.statSync(mcpLogsDir);
	const currentMode = stats.mode & 0o777;
	if (currentMode !== 0o777) {
	try {
	fs.chmodSync(mcpLogsDir, 0o777);
	logger.debug(`MCP logs directory permissions fixed at: ${mcpLogsDir}`);
	} catch (err: any) {
	const code = (err as NodeJS.ErrnoException).code;
	if (code === 'EPERM') {
	logger.warn(
	`MCP logs directory exists at ${mcpLogsDir} but permissions could not be changed to 0o777 due to EPERM. ` +
	`Current mode is ${currentMode.toString(8)}.`
	);
	} else {
	throw err;
	}
	}
	} else {
	logger.debug(`MCP logs directory permissions already set to 0o777: ${mcpLogsDir}`);
	}
	} catch (err) {
	logger.warn(`Unable to verify or adjust MCP logs directory permissions at ${mcpLogsDir}: ${err}`);
	}

[Copilot]

This test writes to a global path (/tmp/gh-aw/mcp-logs) but doesn’t clean it up, which can make the test suite order/environment-dependent on developer machines or persistent runners. Consider removing /tmp/gh-aw/mcp-logs (and possibly /tmp/gh-aw if empty) in setup/teardown for this test, or mocking the fs calls so the test remains isolated.