Copilot AI commented Dec 11, 2025

Firewall logs were not appearing in step 31 of workflow runs because the parsing script looked in the wrong directory.

Root Cause

Path mismatch between where logs are written vs. read:

  • Written by awf: /tmp/gh-aw/sandbox/firewall/logs/
  • Read by parser: /tmp/gh-aw/squid-logs-${sanitizedName}/

This caused the parsing step to silently fail with "No firewall logs directory found".

Changes

  • Updated pkg/workflow/js/parse_firewall_logs.cjs to use the correct hardcoded path
  • Removed unnecessary workflow name sanitization logic
  • Recompiled all workflow lock files to propagate the fix

// Before
const workflowName = process.env.GITHUB_WORKFLOW || "workflow";
const sanitizedName = sanitizeWorkflowName(workflowName);
const squidLogsDir = `/tmp/gh-aw/squid-logs-${sanitizedName}/`;

// After
const squidLogsDir = `/tmp/gh-aw/sandbox/firewall/logs/`;

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • go.googlesource.com
  • go.uber.org
  • go.yaml.in
  • gopkg.in
  • https://api.github.com/user

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Investigate why the firewall logs are not printed in this workflow run
https://github.com/githubnext/gh-aw/actions/runs/20140908544/job/57808649450#step:31:1




Changeset

  • Type: patch
  • Description: Fix firewall logs not printing due to incorrect directory path. Parser now reads from /tmp/gh-aw/sandbox/firewall/logs/ and removed workflow name sanitization.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

The firewall logs parsing step was looking in the wrong directory. The awf firewall command writes logs to /tmp/gh-aw/sandbox/firewall/logs/ but the parsing step was looking in /tmp/gh-aw/squid-logs-${sanitizedName}/. Fixed by updating parse_firewall_logs.cjs to use the correct path.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
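
The silent failure described in this pull request, as an added example that is not part of the PR or of gh-aw's code: a check that separates "the firewall logged nothing" from "the parser looked in a directory that does not exist", and fails the step in the second case when the firewall was enabled. The names `checkFirewallLogs` and `stepOutcome`, the status strings, and the `.log` file suffix are assumptions for illustration.

```javascript
// Added example (not gh-aw code); function names and status values are hypothetical.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Directory the PR says awf writes to; used here only as the default.
const DEFAULT_LOGS_DIR = "/tmp/gh-aw/sandbox/firewall/logs/";

// Classify the log directory so a wrong path is not reported as "no traffic".
function checkFirewallLogs(logsDir = DEFAULT_LOGS_DIR) {
  let entries;
  try {
    entries = fs.readdirSync(logsDir, { withFileTypes: true });
  } catch (err) {
    if (err.code === "ENOENT" || err.code === "ENOTDIR") {
      return { status: "missing-dir", logsDir, files: [] };
    }
    throw err; // permission errors and the like must not be masked
  }
  const files = entries
    .filter(e => e.isFile() && e.name.endsWith(".log")) // assumed suffix
    .map(e => path.join(logsDir, e.name))
    .filter(f => fs.statSync(f).size > 0)
    .sort();
  return { status: files.length ? "ok" : "no-log-files", logsDir, files };
}

// With the firewall enabled, absent logs are an audit gap and fail the step.
function stepOutcome(result, firewallEnabled) {
  if (result.status === "ok") {
    return { fail: false, message: `${result.files.length} log file(s)` };
  }
  if (!firewallEnabled) {
    return { fail: false, message: "firewall disabled, nothing to parse" };
  }
  return { fail: true, message: `firewall enabled but ${result.status} at ${result.logsDir}` };
}

// Constructed demo: a temp tree stands in for the runner's /tmp/gh-aw.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "fwlogs-"));
  const written = path.join(root, "sandbox", "firewall", "logs");
  fs.mkdirSync(written, { recursive: true });
  fs.writeFileSync(path.join(written, "access.log"), "constructed sample line\n");
  const wrong = checkFirewallLogs(path.join(root, "squid-logs-workflow"));
  const right = checkFirewallLogs(written);
  fs.rmSync(root, { recursive: true, force: true });
  return { wrong: stepOutcome(wrong, true), right: stepOutcome(right, true) };
}
```
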
Copilot AI changed the title [WIP] Investigate firewall logs not printed in workflow run Fix firewall logs not printing due to incorrect directory path Dec 11, 2025
Copilot AI requested a review from pelikhan December 11, 2025 17:37
@pelikhan pelikhan added the smoke label Dec 11, 2025
@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

📰 BREAKING: Smoke Copilot Playwright is now investigating this pull request. Sources say the story is developing...

@github-actions

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

@github-actions

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...

@github-actions

github-actions bot commented Dec 11, 2025

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

f0a9024

@github-actions

Smoke Test: Copilot Engine ✅ PASS

Status: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #6153 🗺️

@github-actions

Smoke Test Results (Claude)

Last 2 merged PRs:

Test Results:
✅ GitHub MCP - List PRs
✅ File Writing - Agent directory
✅ Bash Tool - File verification
❌ Playwright MCP - 504 timeout
✅ Cache Memory - Write/read
❌ Safe Input gh Tool - Not tested (depends on workflow)

Status: PARTIAL PASS (5/6 core tests passed, Playwright network issue)

💥 [THE END] — Illustrated by Smoke Claude fer issue #6153 🗺️

@github-actions

Smoke Test Results - Run 20142056907

Playwright MCP: Successfully navigated to https://github.com - Page title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
Cache Memory: File created at /tmp/gh-aw/cache-memory/smoke-test-20142056907.txt with correct content
safeinputs-gh: Failed - TLS handshake error when accessing GitHub API

Status: FAIL (1/3 tests failed)

📰 BREAKING: Report filed by Smoke Copilot Playwright fer issue #6153 🗺️

@pelikhan pelikhan marked this pull request as ready for review December 11, 2025 17:43
@github-actions

Copilot Smoke Test Results

Test Results:

  • ❌ GitHub MCP Testing: safeinputs-gh tool TLS handshake failure
  • ✅ File Writing Testing: Successfully created test file
  • ✅ Bash Tool Testing: File read verification passed
  • ❌ Serena MCP Testing: Unable to test due to MCP infrastructure issues
  • ❌ Safe Input gh Tool Testing: TLS handshake failure

Overall Status: FAIL

Note: safeinputs-gh tool experiencing network/TLS issues preventing GitHub API access.

📰🔥📋 https://github.com/githubnext/gh-aw/actions/runs/20142056914 fer issue #6153 🗺️

@pelikhan pelikhan merged commit 907496e into main Dec 11, 2025
5 checks passed
@pelikhan pelikhan deleted the copilot/investigate-firewall-logs-issue branch December 11, 2025 17:44
@github-actions

Recent merged PRs: feat(cli): add campaign management cmds, specs, and examples; Enable GH_DEBUG for gh CLI commands in shared/gh.md safe-input tool
GitHub MCP (last 2 merged PR titles): ✅
Agent file write/read: ✅
Playwright github.com title contains "GitHub": ❌ (github.com returned 504/timeouts)
Cache-memory file write/read: ✅
safeinputs-gh "gh issues list --limit 3": ❌ (command not found in PATH)
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #6153 🗺️
