diff --git a/.github/workflows/ab-testing-advisor.lock.yml b/.github/workflows/ab-testing-advisor.lock.yml index f4d2e45078f..d86e06e759a 100644 --- a/.github/workflows/ab-testing-advisor.lock.yml +++ b/.github/workflows/ab-testing-advisor.lock.yml @@ -1010,6 +1010,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1019,6 +1022,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-a-b-testing-advisor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ace-editor.lock.yml b/.github/workflows/ace-editor.lock.yml index 675e0019e28..902a3e15bcc 100644 --- a/.github/workflows/ace-editor.lock.yml +++ b/.github/workflows/ace-editor.lock.yml @@ -907,6 +907,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -916,6 +919,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-ace-editor-session + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index f17f2a603fe..3795796012f 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1150,6 +1150,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1159,6 +1162,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-agent-performance-analyzer-meta-orchestrator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index dda4fbbc1f2..316c89076b5 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -1103,6 +1103,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1112,6 +1115,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-agent-persona-explorer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agentic-token-audit.lock.yml b/.github/workflows/agentic-token-audit.lock.yml index 0856b1efe46..9f640ba7d70 100644 --- a/.github/workflows/agentic-token-audit.lock.yml +++ b/.github/workflows/agentic-token-audit.lock.yml @@ -1084,6 +1084,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1093,6 +1096,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-agentic-workflow-aic-usage-audit + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agentic-token-optimizer.lock.yml b/.github/workflows/agentic-token-optimizer.lock.yml index ebcd92ec5e6..bb28a84dead 100644 --- a/.github/workflows/agentic-token-optimizer.lock.yml +++ b/.github/workflows/agentic-token-optimizer.lock.yml @@ -964,6 +964,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -973,6 +976,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-agentic-workflow-aic-usage-optimizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/agentic-token-trend-audit.lock.yml b/.github/workflows/agentic-token-trend-audit.lock.yml index 4e675d1978e..9cc03dc602e 100644 --- a/.github/workflows/agentic-token-trend-audit.lock.yml +++ b/.github/workflows/agentic-token-trend-audit.lock.yml @@ -1058,6 +1058,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1067,6 +1070,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-on-demand-agentic-workflow-aic-trend-audit + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index 7d068e62917..75d446a315e 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -1069,6 +1069,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1078,6 +1081,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-ai-moderator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index 98c7131f5d5..d227e2e08ad 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -1411,6 +1411,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1420,6 +1423,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-github-api-consumption-report-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/approach-validator.lock.yml b/.github/workflows/approach-validator.lock.yml index 982035b3c1c..4e0a807ddca 100644 --- a/.github/workflows/approach-validator.lock.yml +++ b/.github/workflows/approach-validator.lock.yml @@ -1135,6 +1135,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1144,6 +1147,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-approach-validator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 6837d95b810..6feb17e5010 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -1027,6 +1027,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1036,6 +1039,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-archie + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/architecture-guardian.lock.yml b/.github/workflows/architecture-guardian.lock.yml index 02ddede6f88..8e53421d8b1 100644 --- a/.github/workflows/architecture-guardian.lock.yml +++ b/.github/workflows/architecture-guardian.lock.yml @@ -1035,6 +1035,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1044,6 +1047,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-architecture-guardian + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index c892fe781b3..803ca065cc9 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -941,6 +941,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -950,6 +953,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-artifacts-summary + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 110844d68b7..fd990748ecc 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1192,6 +1192,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1201,6 +1204,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-agentic-workflow-audit-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index d6dfaf7bc0b..5e2d05afe17 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -1017,6 +1017,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1026,6 +1029,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-auto-triage-issues + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/avenger.lock.yml b/.github/workflows/avenger.lock.yml index 6b92ea07251..7cf7bb41ac0 100644 --- a/.github/workflows/avenger.lock.yml +++ b/.github/workflows/avenger.lock.yml @@ -1071,6 +1071,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1080,6 +1083,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-avenger + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/aw-failure-investigator.lock.yml b/.github/workflows/aw-failure-investigator.lock.yml index 4620d91baf6..ca47489a163 100644 --- a/.github/workflows/aw-failure-investigator.lock.yml +++ b/.github/workflows/aw-failure-investigator.lock.yml @@ -1228,6 +1228,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1237,6 +1240,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs--aw-failure-investigator-6h- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index e46b2ecd6e3..8ae0807fe71 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -1105,6 +1105,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1114,6 +1117,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-blog-auditor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index a674d72ebb9..cf80dce9b2a 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -1032,6 +1032,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1041,6 +1044,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-bot-detection + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 81327a3cca8..7994ca78d98 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1023,6 +1023,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1032,6 +1035,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-brave-web-search-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index c29c9a73843..8baa9894128 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -984,6 +984,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -993,6 +996,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-breaking-change-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 52f22b6aa90..3903e516e03 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -1071,6 +1071,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1080,6 +1083,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-changeset-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml index 35821799cdf..10ebdeee6f9 100644 --- a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml +++ b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml @@ -984,6 +984,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -993,6 +996,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-chaos-pr-bundle-fuzzer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 45284c37e70..ed90c74724c 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1057,6 +1057,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1066,6 +1069,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-ci-optimization-coach + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index ee73c7a9ffc..9b5ba5edd1c 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1228,6 +1228,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1237,6 +1240,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-ci-failure-doctor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index a7d69c5a9c1..2e5f99e46ed 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -1055,6 +1055,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1064,6 +1067,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-claude-code-user-documentation-review + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 9a187acf664..7ef4e8cf0d9 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -957,6 +957,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -966,6 +969,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-cli-consistency-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 3a2509e8fe2..da4c217d1f5 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1050,6 +1050,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1059,6 +1062,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-cli-version-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 437938398ad..4390c0b3662 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1336,6 +1336,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1345,6 +1348,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs--cloclo + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index c011e6ada26..9b887f16cde 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1023,6 +1023,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1032,6 +1035,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-code-scanning-fixer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 9f7a6e9319f..c9949f2ce99 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml @@ -1020,6 +1020,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1029,6 +1032,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-code-simplifier + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 849ef249723..02fac899191 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -913,6 +913,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -922,6 +925,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-codex-github-remote-mcp-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index a5c020bdcdd..ce605f2b230 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -1006,6 +1006,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1015,6 +1018,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-commit-changes-analyzer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index c2f0735290b..71862a868bf 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -947,6 +947,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -956,6 +959,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-constraint-solving-problem-of-the-day + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 2051a6cc508..a2f67ef4147 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -1077,6 +1077,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1086,6 +1089,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-contribution-check + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 1fea93e1864..59cdf59058a 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1115,6 +1115,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1124,6 +1127,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-agent-pr-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-centralization-drilldown.lock.yml b/.github/workflows/copilot-centralization-drilldown.lock.yml index f1ad3bad503..101deb16ec0 100644 --- a/.github/workflows/copilot-centralization-drilldown.lock.yml +++ b/.github/workflows/copilot-centralization-drilldown.lock.yml @@ -941,6 +941,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -950,6 +953,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-centralization-drilldown + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-centralization-optimizer.lock.yml b/.github/workflows/copilot-centralization-optimizer.lock.yml index c367ed2cb4f..4fc7a8ba8fc 100644 --- a/.github/workflows/copilot-centralization-optimizer.lock.yml +++ b/.github/workflows/copilot-centralization-optimizer.lock.yml @@ -973,6 +973,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -982,6 +985,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-centralization-optimizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index ba23ef753cf..e4133bc7588 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -968,6 +968,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -977,6 +980,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-cli-deep-research-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-opt.lock.yml b/.github/workflows/copilot-opt.lock.yml index 60a8bd732c0..0fa32a92835 100644 --- a/.github/workflows/copilot-opt.lock.yml +++ b/.github/workflows/copilot-opt.lock.yml @@ -1036,6 +1036,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1045,6 +1048,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-opt + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 9c6326ef8d9..223fc45e596 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -903,6 +903,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -912,6 +915,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-copilot-pr-merged-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 69995c29194..21cd8875e3c 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1065,6 +1065,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1074,6 +1077,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-pr-conversation-nlp-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index cf7f6355e3f..121d255aae3 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -1014,6 +1014,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1023,6 +1026,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-pr-prompt-pattern-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 58a14166bf5..3f2656972fb 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1125,6 +1125,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1134,6 +1137,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-session-insights + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 3f7a69f2f4c..e17650c7ecf 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1024,6 +1024,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1033,6 +1036,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-workflow-craft-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml index 7cc940a21eb..7e35f6f3b74 100644 --- a/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml +++ b/.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml @@ -1130,6 +1130,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1139,6 +1142,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-agent-of-the-day-blog-writer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml index 33422aa3200..1b23b2e1704 100644 --- a/.github/workflows/daily-agentrx-trace-optimizer.lock.yml +++ b/.github/workflows/daily-agentrx-trace-optimizer.lock.yml @@ -1174,6 +1174,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1183,6 +1186,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-agentrx-trace-optimizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-ambient-context-optimizer.lock.yml b/.github/workflows/daily-ambient-context-optimizer.lock.yml index 3b20cbaa3bc..89e3685e205 100644 --- a/.github/workflows/daily-ambient-context-optimizer.lock.yml +++ b/.github/workflows/daily-ambient-context-optimizer.lock.yml @@ -1044,6 +1044,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1053,6 +1056,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-ambient-context-optimizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index ab28dc0036c..abdd4378a85 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -1094,6 +1094,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1103,6 +1106,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-architecture-diagram-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 456b6f36ebb..54e2c79589b 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -953,6 +953,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -962,6 +965,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-auto-assign-issue + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml index 5271fd2bc51..cbb80fa7d29 100644 --- a/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml +++ b/.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml @@ -1068,6 +1068,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1077,6 +1080,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-astrostylelite-markdown-spellcheck + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml index 47fab82c586..a596948ccfe 100644 --- a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml +++ b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml @@ -1046,6 +1046,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1055,6 +1058,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-aw-cross-repo-compile-check + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml index 24be3426fdd..ccdbfa4df24 100644 --- a/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml +++ b/.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml @@ -1034,6 +1034,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1043,6 +1046,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-awf-spec-compiler-surfacing-review + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-byok-ollama-test.lock.yml b/.github/workflows/daily-byok-ollama-test.lock.yml index 209b153f9bb..ad23cf45a1c 100644 --- a/.github/workflows/daily-byok-ollama-test.lock.yml +++ b/.github/workflows/daily-byok-ollama-test.lock.yml @@ -944,6 +944,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -953,6 +956,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-byok-ollama-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index fc2cfacb973..2336d39caa7 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml @@ -1180,6 +1180,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1189,6 +1192,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-cache-strategy-analyzer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-caveman-optimizer.lock.yml b/.github/workflows/daily-caveman-optimizer.lock.yml index 81ed242e1b0..a8c38971864 100644 --- a/.github/workflows/daily-caveman-optimizer.lock.yml +++ b/.github/workflows/daily-caveman-optimizer.lock.yml @@ -1087,6 +1087,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1096,6 +1099,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-caveman-optimizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 2425a381f20..210be5fa5f3 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -1004,6 +1004,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1013,6 +1016,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-choice-type-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 33e7195e531..e98eb547621 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1218,6 +1218,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1227,6 +1230,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-cli-performance-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 726a5f13946..4938ddadb9d 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -1068,6 +1068,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1077,6 +1080,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-cli-tools-exploratory-tester + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 2a2b206f74e..a24e2baae59 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1142,6 +1142,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1151,6 +1154,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-code-metrics-and-trend-tracking-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 5002b6161fc..cee316cf75e 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -1109,6 +1109,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1118,6 +1121,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-community-attribution-updater + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 6550e943650..3105e6a62f9 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1082,6 +1082,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1091,6 +1094,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-compiler-quality-check + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml index 2d8e7684c1f..1fe38677deb 100644 --- a/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml +++ b/.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml @@ -1026,6 +1026,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1035,6 +1038,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-compiler-threat-spec-optimizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-credit-limit-test.lock.yml b/.github/workflows/daily-credit-limit-test.lock.yml index 5e66eb43e29..5cf08d7616b 100644 --- a/.github/workflows/daily-credit-limit-test.lock.yml +++ b/.github/workflows/daily-credit-limit-test.lock.yml @@ -923,6 +923,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -932,6 +935,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-credit-limit-test-intentionally-broken- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 1609d491f0b..a848c712130 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -1190,6 +1190,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1199,6 +1202,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-documentation-healer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 315fd8ac13e..20769bbc96e 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1120,6 +1120,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1129,6 +1132,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-documentation-updater + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-experiment-report.lock.yml b/.github/workflows/daily-experiment-report.lock.yml index 5643406bb20..062c8060ea2 100644 --- a/.github/workflows/daily-experiment-report.lock.yml +++ b/.github/workflows/daily-experiment-report.lock.yml @@ -1068,6 +1068,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1077,6 +1080,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-experiment-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 535bf26b47a..1fafd110849 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -1193,6 +1193,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1202,6 +1205,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-fact-about-gh-aw + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index c0b4028845d..44f9175386e 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -1025,6 +1025,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1034,6 +1037,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-file-diet + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 4448c7021ad..5dc340ee406 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -1018,6 +1018,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1027,6 +1030,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-firewall-logs-collector-and-reporter + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-formal-spec-verifier.lock.yml b/.github/workflows/daily-formal-spec-verifier.lock.yml index 46aa789c3a0..9dbe39f6834 100644 --- a/.github/workflows/daily-formal-spec-verifier.lock.yml +++ b/.github/workflows/daily-formal-spec-verifier.lock.yml @@ -1036,6 +1036,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1045,6 +1048,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-formal-spec-verifier + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index a9a6ef52012..2712045fe8d 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -1147,6 +1147,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1156,6 +1159,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-go-function-namer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-geo-optimizer.lock.yml b/.github/workflows/daily-geo-optimizer.lock.yml index 927d15bfc72..a113e69d942 100644 --- a/.github/workflows/daily-geo-optimizer.lock.yml +++ b/.github/workflows/daily-geo-optimizer.lock.yml @@ -977,6 +977,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -986,6 +989,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-geo-optimizer-daily-audit + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-hippo-learn.lock.yml b/.github/workflows/daily-hippo-learn.lock.yml index b3f6f1d17d7..331c2abaa88 100644 --- a/.github/workflows/daily-hippo-learn.lock.yml +++ b/.github/workflows/daily-hippo-learn.lock.yml @@ -1094,6 +1094,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1103,6 +1106,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-hippo-learn + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index d791f9f5322..13986c0e0a1 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1221,6 +1221,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1230,6 +1233,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-issues-report-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 70f06bb6b86..bc59639ca0e 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -989,6 +989,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -998,6 +1001,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-malicious-code-scan-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-max-ai-credits-test.lock.yml b/.github/workflows/daily-max-ai-credits-test.lock.yml index ffe0e4c4088..913a7291a94 100644 --- a/.github/workflows/daily-max-ai-credits-test.lock.yml +++ b/.github/workflows/daily-max-ai-credits-test.lock.yml @@ -862,6 +862,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -871,6 +874,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-max-ai-credits-test-intentionally-fails- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index f266443ec4e..ec65a926b3a 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1087,6 +1087,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1096,6 +1099,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-mcp-tool-concurrency-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-model-inventory.lock.yml b/.github/workflows/daily-model-inventory.lock.yml index 43702d45e5f..bfa4923c86a 100644 --- a/.github/workflows/daily-model-inventory.lock.yml +++ b/.github/workflows/daily-model-inventory.lock.yml @@ -998,6 +998,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1007,6 +1010,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-model-inventory-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 7d64e52b3f0..1c6855cd3c5 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1143,6 +1143,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1152,6 +1155,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-multi-device-docs-tester + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index b3dae57db7f..1fb9e80818b 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1205,6 +1205,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1214,6 +1217,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-news + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 48d85f2bd29..6da0a98a500 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1072,6 +1072,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1081,6 +1084,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-observability-report-for-awf-firewall-and-mcp-gateway + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index b1e7f9ef268..8c9e326b1ad 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1506,6 +1506,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1515,6 +1518,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-project-performance-summary-generator-using-mcp-scripts- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 558a9edc7e6..7167fda482c 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1464,6 +1464,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1473,6 +1476,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-regulatory-report-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-reliability-review.lock.yml b/.github/workflows/daily-reliability-review.lock.yml index 40d72e74bc2..17ef69a89b0 100644 --- a/.github/workflows/daily-reliability-review.lock.yml +++ b/.github/workflows/daily-reliability-review.lock.yml @@ -1087,6 +1087,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1096,6 +1099,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-reliability-review + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index f1bf5e9c976..c6af6a7d2e8 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1219,6 +1219,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1228,6 +1231,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-rendering-scripts-verifier + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 744f21d750d..d483608a764 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1013,6 +1013,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1022,6 +1025,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-the-daily-repository-chronicle + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safe-output-integrator.lock.yml b/.github/workflows/daily-safe-output-integrator.lock.yml index 62f53f984fa..ff7bc7de5b2 100644 --- a/.github/workflows/daily-safe-output-integrator.lock.yml +++ b/.github/workflows/daily-safe-output-integrator.lock.yml @@ -1025,6 +1025,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1034,6 +1037,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-safe-output-integrator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index e627640a368..287499ec634 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1240,6 +1240,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1249,6 +1252,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-safe-output-tool-optimizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index d7dfc1db425..b4c606db9a9 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -1042,6 +1042,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1051,6 +1054,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-safe-outputs-conformance-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml index 6e3d2b7f8c4..bdc0925bcc4 100644 --- a/.github/workflows/daily-safeoutputs-git-simulator.lock.yml +++ b/.github/workflows/daily-safeoutputs-git-simulator.lock.yml @@ -1096,6 +1096,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1105,6 +1108,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-safe-outputs-git-simulator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index a303f1ed49e..3c395d640e1 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -944,6 +944,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -953,6 +956,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-secrets-analysis-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index 1aceb946329..28ac2d2b51a 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml @@ -1139,6 +1139,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1148,6 +1151,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-security-observability-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index f71b53f7d61..cf6268fbb54 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -1119,6 +1119,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1128,6 +1131,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-security-red-team-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 00b36de95ff..ee388b57714 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -1023,6 +1023,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1032,6 +1035,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-semgrep-scan + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-sentrux-report.lock.yml b/.github/workflows/daily-sentrux-report.lock.yml index fdfd61e30ce..6fbf10e4845 100644 --- a/.github/workflows/daily-sentrux-report.lock.yml +++ b/.github/workflows/daily-sentrux-report.lock.yml @@ -985,6 +985,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -994,6 +997,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-sentrux-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-skill-optimizer.lock.yml b/.github/workflows/daily-skill-optimizer.lock.yml index 6addfa26107..ad2a4e429c3 100644 --- a/.github/workflows/daily-skill-optimizer.lock.yml +++ b/.github/workflows/daily-skill-optimizer.lock.yml @@ -967,6 +967,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -976,6 +979,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-skill-optimizer-improvements + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-spdd-spec-planner.lock.yml b/.github/workflows/daily-spdd-spec-planner.lock.yml index 5bd2c28e335..22fd3f493e0 100644 --- a/.github/workflows/daily-spdd-spec-planner.lock.yml +++ b/.github/workflows/daily-spdd-spec-planner.lock.yml @@ -1010,6 +1010,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1019,6 +1022,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-spdd-spec-planner + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index d4273cd92f9..ef1490801a9 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -969,6 +969,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -978,6 +981,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-syntax-error-quality-check + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 08bfd23ff91..998911624d3 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -1011,6 +1011,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1020,6 +1023,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-team-evolution-insights + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 1f8201e674f..f1a97f8ac57 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -934,6 +934,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -943,6 +946,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-team-status + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 1d7a5037ae0..03bfadfccb3 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1059,6 +1059,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1068,6 +1071,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-testify-uber-super-expert + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-token-consumption-report.lock.yml b/.github/workflows/daily-token-consumption-report.lock.yml index fb2f093db01..fb29b222c57 100644 --- a/.github/workflows/daily-token-consumption-report.lock.yml +++ b/.github/workflows/daily-token-consumption-report.lock.yml @@ -1165,6 +1165,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1174,6 +1177,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-aic-consumption-report-sentry-grafana-otel- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml index d6aa6e4d1ef..fc03a75f132 100644 --- a/.github/workflows/daily-windows-terminal-integration-builder.lock.yml +++ b/.github/workflows/daily-windows-terminal-integration-builder.lock.yml @@ -920,6 +920,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -929,6 +932,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-windows-terminal-integration-builder + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 46d19bb55e6..e055de773b9 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -955,6 +955,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -964,6 +967,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-daily-workflow-updater + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml index de8457c731e..33e25f3b403 100644 --- a/.github/workflows/dataflow-pr-discussion-dataset.lock.yml +++ b/.github/workflows/dataflow-pr-discussion-dataset.lock.yml @@ -1270,6 +1270,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1279,6 +1282,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dataflow-pr-discussion-dataset-builder + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 403644a96e8..c5f07f85663 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1008,6 +1008,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1017,6 +1020,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dead-code-removal-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 9a61245767a..360cf58fa83 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1466,6 +1466,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1475,6 +1478,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-deepreport-intelligence-gathering-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 32d5cbf455a..b1c5f4f239b 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1040,6 +1040,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1049,6 +1052,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-delight + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 516667f2d7a..d8aabd5d2b6 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -953,6 +953,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -962,6 +965,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dependabot-burner + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-campaign.lock.yml b/.github/workflows/dependabot-campaign.lock.yml index 7dc26cca831..82b6a921b92 100644 --- a/.github/workflows/dependabot-campaign.lock.yml +++ b/.github/workflows/dependabot-campaign.lock.yml @@ -1000,6 +1000,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1009,6 +1012,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dependabot-campaign + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 7981db42d5d..80ecc3e4ac7 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -1015,6 +1015,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1024,6 +1027,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dependabot-dependency-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-repair.lock.yml b/.github/workflows/dependabot-repair.lock.yml index 83e772c3d80..ad7af0f6516 100644 --- a/.github/workflows/dependabot-repair.lock.yml +++ b/.github/workflows/dependabot-repair.lock.yml @@ -1054,6 +1054,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1063,6 +1066,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dependabot-local-repair + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dependabot-worker.lock.yml b/.github/workflows/dependabot-worker.lock.yml index fac79238fe2..fe5acfb02a3 100644 --- a/.github/workflows/dependabot-worker.lock.yml +++ b/.github/workflows/dependabot-worker.lock.yml @@ -1105,6 +1105,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1114,6 +1117,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dependabot-worker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/deployment-incident-monitor.lock.yml b/.github/workflows/deployment-incident-monitor.lock.yml index 7e8e829b577..df365e92f30 100644 --- a/.github/workflows/deployment-incident-monitor.lock.yml +++ b/.github/workflows/deployment-incident-monitor.lock.yml @@ -966,6 +966,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -975,6 +978,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-deployment-incident-monitor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml index 143c03a9d66..7568acb4a5f 100644 --- a/.github/workflows/design-decision-gate.lock.yml +++ b/.github/workflows/design-decision-gate.lock.yml @@ -1152,6 +1152,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1161,6 +1164,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-design-decision-gate- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/designer-drift-audit.lock.yml b/.github/workflows/designer-drift-audit.lock.yml index 23f75404964..5cb0c9c2610 100644 --- a/.github/workflows/designer-drift-audit.lock.yml +++ b/.github/workflows/designer-drift-audit.lock.yml @@ -926,6 +926,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -935,6 +938,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-designer-drift-audit + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index dc2ff96f94b..6abf804c578 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1073,6 +1073,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1082,6 +1085,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dev-hawk + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index f107e9d25f5..24143d6baa8 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -1034,6 +1034,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1043,6 +1046,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dev + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 6cbc11746ac..c2a6e42e6d6 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1172,6 +1172,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1181,6 +1184,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-developer-documentation-consolidator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index ed7a9041c56..aaaa58a0277 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -957,6 +957,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -966,6 +969,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-dictation-prompt-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 66c32ed86dc..cb80c5b302e 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1021,6 +1021,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1030,6 +1033,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-discussion-task-miner-code-quality-improvement-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index c408aebd2e4..7973f324622 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -999,6 +999,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1008,6 +1011,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-documentation-noob-tester + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 858871794ba..319a53b8cb5 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -991,6 +991,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1000,6 +1003,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-draft-pr-cleanup + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 9590b5be224..618ba593fd4 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -1051,6 +1051,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1060,6 +1063,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-duplicate-code-detector + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/example-failure-category-filter.lock.yml b/.github/workflows/example-failure-category-filter.lock.yml index 4fffe0018b7..2156f90180e 100644 --- a/.github/workflows/example-failure-category-filter.lock.yml +++ b/.github/workflows/example-failure-category-filter.lock.yml @@ -914,6 +914,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -923,6 +926,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-example-failure-category-filter + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/example-permissions-warning.lock.yml b/.github/workflows/example-permissions-warning.lock.yml index f26257f0ac7..a9343c1f945 100644 --- a/.github/workflows/example-permissions-warning.lock.yml +++ b/.github/workflows/example-permissions-warning.lock.yml @@ -874,6 +874,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -883,6 +886,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-example-properly-provisioned-permissions + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 537da9b32ea..b68e3d21e4d 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -1091,6 +1091,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1100,6 +1103,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-weekly-workflow-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 15e0d01fa40..dd8c1c3d36e 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -1014,6 +1014,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1023,6 +1026,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-the-great-escapi + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/firewall.lock.yml b/.github/workflows/firewall.lock.yml index 82a854d3486..860f4fe7552 100644 --- a/.github/workflows/firewall.lock.yml +++ b/.github/workflows/firewall.lock.yml @@ -882,6 +882,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -891,6 +894,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-firewall-test-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index 76af4012f86..bdda94a9c23 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -963,6 +963,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -972,6 +975,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-functional-pragmatist + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index bfc3ac93577..1d450fdb8b3 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1085,6 +1085,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1094,6 +1097,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-github-mcp-structural-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index bfa55e4bffe..813fb50072e 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1085,6 +1085,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1094,6 +1097,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-github-mcp-remote-server-tools-report-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 4a9cce57a22..f2184153ae8 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -960,6 +960,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -969,6 +972,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-github-remote-mcp-authentication-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index f005c77d511..db8aa5abb9e 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1072,6 +1072,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1081,6 +1084,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-glossary-maintainer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index fdbaab91358..e02d7d34091 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -1119,6 +1119,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1128,6 +1131,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-go-fan + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index c41c96b13c0..ec6a9bc892c 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1102,6 +1102,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1111,6 +1114,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-go-logger-enhancement + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index c5578d48dfc..2590affc9f4 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -1042,6 +1042,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1051,6 +1054,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-go-pattern-detector + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index 260239ab928..1cfe88143ba 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -1025,6 +1025,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1034,6 +1037,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-gpl-dependency-cleaner-gpclean- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 1d74f7ee51e..ae50e879989 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1083,6 +1083,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1092,6 +1095,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-grumpy-code-reviewer- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/hippo-embed.lock.yml b/.github/workflows/hippo-embed.lock.yml index 37d6f5ebba0..f5e42710bd2 100644 --- a/.github/workflows/hippo-embed.lock.yml +++ b/.github/workflows/hippo-embed.lock.yml @@ -1036,6 +1036,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1045,6 +1048,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-hippo-embed + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 1ebe4b9711c..1ad8acddb76 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1065,6 +1065,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1074,6 +1077,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-ci-cleaner + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 9cfa1fde7e7..3b843a64bf9 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -1077,6 +1077,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1086,6 +1089,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-instructions-janitor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 4b73c634c2e..6918431041b 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1113,6 +1113,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1122,6 +1125,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-issue-arborist + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index b5fe6b1d8e2..ab06784d52f 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1362,6 +1362,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1371,6 +1374,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-issue-monster + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 863260eb348..a9cf8d2f885 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -937,6 +937,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -946,6 +949,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-issue-triage-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 3e2a0e273dc..aaa9351e82e 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -996,6 +996,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1005,6 +1008,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-jsweep-javascript-unbloater + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index cc427a85cda..26063c499e1 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -1003,6 +1003,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1012,6 +1015,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-layout-specification-maintainer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/lint-monster.lock.yml b/.github/workflows/lint-monster.lock.yml index 5c859affdb1..755592864c8 100644 --- a/.github/workflows/lint-monster.lock.yml +++ b/.github/workflows/lint-monster.lock.yml @@ -1101,6 +1101,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1110,6 +1113,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-lintmonster + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/linter-miner.lock.yml b/.github/workflows/linter-miner.lock.yml index 8e10a4af6eb..073727f0358 100644 --- a/.github/workflows/linter-miner.lock.yml +++ b/.github/workflows/linter-miner.lock.yml @@ -1026,6 +1026,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1035,6 +1038,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-linter-miner + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 37f474b2888..238faf44cb4 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -1037,6 +1037,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1046,6 +1049,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-lockfile-statistics-analysis-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index 417890cdfc1..8f17b7904b0 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -1078,6 +1078,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1087,6 +1090,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-matt-pocock-skills-reviewer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 439af27ddf9..59ad16942f9 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -1503,6 +1503,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1512,6 +1515,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-mcp-inspector-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 50cac23d71a..39bdc303060 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -1043,6 +1043,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1052,6 +1055,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-mergefest + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 1315b996b10..dd810e7e7f6 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -1069,6 +1069,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1078,6 +1081,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-metrics-collector-infrastructure-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/necromancer.lock.yml b/.github/workflows/necromancer.lock.yml index bc2747d4c90..6df3ecef5df 100644 --- a/.github/workflows/necromancer.lock.yml +++ b/.github/workflows/necromancer.lock.yml @@ -1060,6 +1060,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1069,6 +1072,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-necromancer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 7ca70560df6..4c27a252232 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -958,6 +958,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -967,6 +970,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-issue-summary-to-notion + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/objective-impact-report.lock.yml b/.github/workflows/objective-impact-report.lock.yml index 4eeb4b91a28..a9bda9d2e79 100644 --- a/.github/workflows/objective-impact-report.lock.yml +++ b/.github/workflows/objective-impact-report.lock.yml @@ -973,6 +973,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -982,6 +985,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-impact-efficiency-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index a2be3fe033f..09ebe32e950 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1017,6 +1017,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1026,6 +1029,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-organization-health-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/outcome-collector.lock.yml b/.github/workflows/outcome-collector.lock.yml index d895c8fa359..76e1132523d 100644 --- a/.github/workflows/outcome-collector.lock.yml +++ b/.github/workflows/outcome-collector.lock.yml @@ -986,6 +986,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -995,6 +998,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-outcome-collector + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 68fa3c403ed..580c78575e6 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1096,6 +1096,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1105,6 +1108,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-resource-summarizer-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index a8714b05a6a..615afc7ce2c 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -1043,6 +1043,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1052,6 +1055,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-plan-command + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index d506be740d1..48bce9838f5 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1359,6 +1359,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1368,6 +1371,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-poem-bot-a-creative-agentic-workflow + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index a403d4119af..5107686fce7 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1167,6 +1167,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1176,6 +1179,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-workflow-portfolio-analyst + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-code-quality-reviewer.lock.yml b/.github/workflows/pr-code-quality-reviewer.lock.yml index 92a85dff791..2434dd90522 100644 --- a/.github/workflows/pr-code-quality-reviewer.lock.yml +++ b/.github/workflows/pr-code-quality-reviewer.lock.yml @@ -1039,6 +1039,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1048,6 +1051,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-pr-code-quality-reviewer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-description-caveman.lock.yml b/.github/workflows/pr-description-caveman.lock.yml index cb4f4438711..926f71c362c 100644 --- a/.github/workflows/pr-description-caveman.lock.yml +++ b/.github/workflows/pr-description-caveman.lock.yml @@ -975,6 +975,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -984,6 +987,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-pr-description-updater + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 3f234f3e950..ab2984a6be5 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1081,6 +1081,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1090,6 +1093,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-pr-nitpick-reviewer- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 1f3c2fd09f6..1da5ad8d920 100644 --- a/.github/workflows/pr-sous-chef.lock.yml +++ b/.github/workflows/pr-sous-chef.lock.yml @@ -1083,6 +1083,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1092,6 +1095,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-pr-sous-chef + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index b331e8ebbd5..eea92029a6a 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1090,6 +1090,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1099,6 +1102,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-pr-triage-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 54ac956ba9c..e6b5100af38 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1198,6 +1198,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1207,6 +1210,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-copilot-agent-prompt-clustering-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 5590704ce82..8745d0811c5 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -1102,6 +1102,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1111,6 +1114,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-python-data-visualization-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index c7f1e5f208c..f5e1c9eef33 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1185,6 +1185,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1194,6 +1197,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-q + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/refactoring-cadence.lock.yml b/.github/workflows/refactoring-cadence.lock.yml index 060d4de8923..a2f5064cfbb 100644 --- a/.github/workflows/refactoring-cadence.lock.yml +++ b/.github/workflows/refactoring-cadence.lock.yml @@ -979,6 +979,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -988,6 +991,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-refactoring-cadence + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index d8cb617a59c..11915a63222 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1082,6 +1082,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1091,6 +1094,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-code-refiner + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index cfd5db19d6d..5840a019bfe 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -998,6 +998,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1007,6 +1010,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-release + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 199de405905..f709e82704e 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -976,6 +976,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -985,6 +988,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-repository-audit-agentic-workflow-opportunity-analyzer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 7fa900d094f..0b6f9fa0d0d 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -944,6 +944,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -953,6 +956,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-repository-tree-map-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index fdee87814e5..657d98717a5 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -979,6 +979,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -988,6 +991,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-repository-quality-improvement-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 4e3190a89fb..0bb2ac2b3ef 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -974,6 +974,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -983,6 +986,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-basic-research-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ruflo-backed-task.lock.yml b/.github/workflows/ruflo-backed-task.lock.yml index 6a91afd32f2..a31431ffe39 100644 --- a/.github/workflows/ruflo-backed-task.lock.yml +++ b/.github/workflows/ruflo-backed-task.lock.yml @@ -1166,6 +1166,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1175,6 +1178,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-ruflo-backed-task + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 79fd4c16da9..b6fcabe55e7 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1153,6 +1153,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1162,6 +1165,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-safe-output-health-monitor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 9ea85f11aae..58028dd9fb5 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -1049,6 +1049,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1058,6 +1061,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-schema-consistency-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/schema-feature-coverage.lock.yml b/.github/workflows/schema-feature-coverage.lock.yml index 74d3b99f063..2bb5c46b6ae 100644 --- a/.github/workflows/schema-feature-coverage.lock.yml +++ b/.github/workflows/schema-feature-coverage.lock.yml @@ -1015,6 +1015,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1024,6 +1027,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-schema-feature-coverage-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index f1f431dca2a..bca4132f79a 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1233,6 +1233,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1242,6 +1245,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-scout + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 98b35dc177e..c1ad801f7b3 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -988,6 +988,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -997,6 +1000,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-security-compliance-campaign + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 7820914463d..029f7894e39 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1127,6 +1127,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1136,6 +1139,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-security-review-agent- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index f5e82f1d112..1824a3fc428 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1092,6 +1092,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1101,6 +1104,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-semantic-function-refactoring + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 795371c7c39..dae692c8456 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -1125,6 +1125,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1134,6 +1137,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-sergo-serena-go-expert + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 8af260ca886..240b6dfd633 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1076,6 +1076,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1085,6 +1088,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-slide-deck-maintainer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index bf55b7036e3..179975bc3b6 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -1055,6 +1055,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1064,6 +1067,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-agent-all-merged + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index e0e063e4db2..5ecaad8c3dc 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -1055,6 +1055,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1064,6 +1067,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-agent-all-none + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 3e9e05e74cc..dbc3b572859 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -1086,6 +1086,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1095,6 +1098,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-agent-public-approved + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index 7c71baf51e2..5cfd87a09de 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -1055,6 +1055,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1064,6 +1067,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-agent-public-none + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 7a01ae5ced3..d863192edb2 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -1062,6 +1062,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1071,6 +1074,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-agent-scoped-approved + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-antigravity.lock.yml b/.github/workflows/smoke-antigravity.lock.yml index 8b81bad5eb7..3b2b88b9322 100644 --- a/.github/workflows/smoke-antigravity.lock.yml +++ b/.github/workflows/smoke-antigravity.lock.yml @@ -1105,6 +1105,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1114,6 +1117,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-antigravity + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 5e68e01ec17..a944544bd6f 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -1037,6 +1037,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1046,6 +1049,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-call-workflow + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-ci.lock.yml b/.github/workflows/smoke-ci.lock.yml index 73c3c296b61..2029399ffe3 100644 --- a/.github/workflows/smoke-ci.lock.yml +++ b/.github/workflows/smoke-ci.lock.yml @@ -1227,6 +1227,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1236,6 +1239,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-ci + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 34faa843282..fb286c92759 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1869,6 +1869,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1878,6 +1881,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-claude + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 80212d7002a..4466aff9d99 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1365,6 +1365,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1374,6 +1377,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-codex + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml index c3f1a86b8c0..efc8f059c0d 100644 --- a/.github/workflows/smoke-copilot-aoai-apikey.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-apikey.lock.yml @@ -2021,6 +2021,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -2030,6 +2033,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-copilot-aoai-apikey- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-aoai-entra.lock.yml b/.github/workflows/smoke-copilot-aoai-entra.lock.yml index f8fa3a18615..a8366b85317 100644 --- a/.github/workflows/smoke-copilot-aoai-entra.lock.yml +++ b/.github/workflows/smoke-copilot-aoai-entra.lock.yml @@ -2024,6 +2024,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -2033,6 +2036,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-copilot-aoai-entra- + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5cbf5a741ff..daf05dffa24 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1894,6 +1894,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1903,6 +1906,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-copilot-arm64 + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot-sdk.lock.yml b/.github/workflows/smoke-copilot-sdk.lock.yml index 0a6c02807c8..181e943df3e 100644 --- a/.github/workflows/smoke-copilot-sdk.lock.yml +++ b/.github/workflows/smoke-copilot-sdk.lock.yml @@ -1005,6 +1005,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1014,6 +1017,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-copilot-sdk + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index d64f8730275..2495e2f1351 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -2023,6 +2023,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -2032,6 +2035,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-copilot + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 1ce6fa51eb3..eaa890eef96 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -1114,6 +1114,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1123,6 +1126,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-create-cross-repo-pr + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-crush.lock.yml b/.github/workflows/smoke-crush.lock.yml index c504811a749..425b0c611c2 100644 --- a/.github/workflows/smoke-crush.lock.yml +++ b/.github/workflows/smoke-crush.lock.yml @@ -1024,6 +1024,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1033,6 +1036,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-crush + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index b5e508fdbd6..646ceb278ba 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1108,6 +1108,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1117,6 +1120,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-gemini + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index e5a9f6404de..fc28b4adbb8 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1068,6 +1068,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1077,6 +1080,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-multi-pr + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 0b02f45ff85..90a2f243b76 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1029,6 +1029,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1038,6 +1041,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-opencode + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml index 4984268abb5..9544736c338 100644 --- a/.github/workflows/smoke-otel-backends.lock.yml +++ b/.github/workflows/smoke-otel-backends.lock.yml @@ -1166,6 +1166,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1175,6 +1178,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-otel + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml index c4f73c41c80..d4eeddb9061 100644 --- a/.github/workflows/smoke-pi.lock.yml +++ b/.github/workflows/smoke-pi.lock.yml @@ -1011,6 +1011,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1020,6 +1023,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-pi + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 59c564c0ae5..b20e801bc6b 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1249,6 +1249,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1258,6 +1261,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-project + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-service-ports.lock.yml b/.github/workflows/smoke-service-ports.lock.yml index c801aa0bbb2..772caf691c2 100644 --- a/.github/workflows/smoke-service-ports.lock.yml +++ b/.github/workflows/smoke-service-ports.lock.yml @@ -994,6 +994,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1003,6 +1006,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-service-ports + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 5ade7d7fba8..a328704b4d3 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1094,6 +1094,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1103,6 +1106,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-temporary-id + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index ae24355bdc8..f40a33d88d1 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1025,6 +1025,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1034,6 +1037,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-agent-container-smoke-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 5c76f233b80..36a3197b38b 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1126,6 +1126,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1135,6 +1138,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-update-cross-repo-pr + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 3d7c8d178c9..f9a3a909f7b 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -1051,6 +1051,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1060,6 +1063,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-workflow-call-with-inputs + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index e7b08edcf03..d6fb9866879 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -1039,6 +1039,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1048,6 +1051,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-workflow-call + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/spec-enforcer.lock.yml b/.github/workflows/spec-enforcer.lock.yml index 92346737e8e..13d95b0cbe5 100644 --- a/.github/workflows/spec-enforcer.lock.yml +++ b/.github/workflows/spec-enforcer.lock.yml @@ -1108,6 +1108,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1117,6 +1120,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-package-specification-enforcer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/spec-extractor.lock.yml b/.github/workflows/spec-extractor.lock.yml index 6d2829133a8..c236bea369c 100644 --- a/.github/workflows/spec-extractor.lock.yml +++ b/.github/workflows/spec-extractor.lock.yml @@ -1059,6 +1059,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1068,6 +1071,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-package-specification-extractor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/spec-librarian.lock.yml b/.github/workflows/spec-librarian.lock.yml index ac8103a86e4..29c7767d9c3 100644 --- a/.github/workflows/spec-librarian.lock.yml +++ b/.github/workflows/spec-librarian.lock.yml @@ -1040,6 +1040,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1049,6 +1052,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-package-specification-librarian + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/stale-pr-cleanup.lock.yml b/.github/workflows/stale-pr-cleanup.lock.yml index b2a2114cb35..09edf556d18 100644 --- a/.github/workflows/stale-pr-cleanup.lock.yml +++ b/.github/workflows/stale-pr-cleanup.lock.yml @@ -986,6 +986,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -995,6 +998,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-stale-pr-cleanup + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 29a822646c2..ab559be3c5a 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1145,6 +1145,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1154,6 +1157,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-stale-repository-identifier + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index b897533a52b..abc8f2b0b09 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1178,6 +1178,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1187,6 +1190,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-static-analysis-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 1fb7b0cd275..b5425341756 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1065,6 +1065,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1074,6 +1077,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-step-name-alignment + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index cc66443db02..af90e0a5bc8 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -987,6 +987,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -996,6 +999,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-sub-issue-closer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index b14cba346ec..505e9b3c9df 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -996,6 +996,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1005,6 +1008,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-super-linter-report + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index d0ace4b5d15..c66a500cf7c 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1061,6 +1061,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1070,6 +1073,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-rebuild-the-documentation-after-making-changes + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 7e88dcde201..97d41327bdd 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -977,6 +977,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -986,6 +989,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-terminal-stylist + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index 0e9030540ba..d7f6793ef8e 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1045,6 +1045,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1054,6 +1057,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-test-create-pr-error-handling + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 11a0d4c018c..e5f4fe89a99 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -945,6 +945,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -954,6 +957,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-test-dispatcher-workflow + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index a331197145c..8ccfc2ab29a 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -990,6 +990,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -999,6 +1002,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-test-project-url-explicit-requirement + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-quality-sentinel.lock.yml b/.github/workflows/test-quality-sentinel.lock.yml index b9e417901b9..8ead4c5a1c7 100644 --- a/.github/workflows/test-quality-sentinel.lock.yml +++ b/.github/workflows/test-quality-sentinel.lock.yml @@ -1056,6 +1056,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1065,6 +1068,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-test-quality-sentinel + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/test-workflow.lock.yml b/.github/workflows/test-workflow.lock.yml index ba654d87b97..b3fdb5fb0df 100644 --- a/.github/workflows/test-workflow.lock.yml +++ b/.github/workflows/test-workflow.lock.yml @@ -874,6 +874,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -883,6 +886,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-test-workflow + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 701c71d1e1d..09e21bfc67f 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1084,6 +1084,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1093,6 +1096,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-tidy + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 5f6a3bc89c0..9d01c678e97 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -1103,6 +1103,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1112,6 +1115,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-typist-go-type-analysis + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 865f51beb36..8eda5ecc794 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -998,6 +998,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1007,6 +1010,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-ubuntu-actions-image-analyzer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/uk-ai-operational-resilience.lock.yml b/.github/workflows/uk-ai-operational-resilience.lock.yml index 9e886e512fb..1983994d75e 100644 --- a/.github/workflows/uk-ai-operational-resilience.lock.yml +++ b/.github/workflows/uk-ai-operational-resilience.lock.yml @@ -978,6 +978,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -987,6 +990,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-uk-ai-operational-resilience + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 8d337e47561..368701350b7 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1191,6 +1191,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1200,6 +1203,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-documentation-unbloat + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/update-astro.lock.yml b/.github/workflows/update-astro.lock.yml index ff923f73458..2c492496298 100644 --- a/.github/workflows/update-astro.lock.yml +++ b/.github/workflows/update-astro.lock.yml @@ -979,6 +979,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -988,6 +991,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-update-astro + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 75f80b97ee6..dfc0dd6d006 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -966,6 +966,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -975,6 +978,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-video-analysis-agent + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/visual-regression-checker.lock.yml b/.github/workflows/visual-regression-checker.lock.yml index eb5c9ec04d2..b8d82dc41a6 100644 --- a/.github/workflows/visual-regression-checker.lock.yml +++ b/.github/workflows/visual-regression-checker.lock.yml @@ -1035,6 +1035,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1044,6 +1047,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-visual-regression-checker + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 14f34ad5b70..57eaddc10de 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -1144,6 +1144,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1153,6 +1156,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-weekly-blog-post-writer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index e5b92a7b27a..95a5f01a5dc 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -1022,6 +1022,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1031,6 +1034,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-weekly-editors-health-check + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 141d3a3ec3f..bd0c0844485 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -989,6 +989,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -998,6 +1001,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-weekly-issue-summary + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index c7dcc41d58d..7b30535db54 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -953,6 +953,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -962,6 +965,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-weekly-safe-outputs-specification-review + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 074b563b139..f30da93e238 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -1026,6 +1026,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1035,6 +1038,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-workflow-generator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 48d75a1263e..a07d91ba707 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1058,6 +1058,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1067,6 +1070,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-workflow-health-manager-meta-orchestrator + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 9fa8e9e8d3e..3cff96adc42 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -1039,6 +1039,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1048,6 +1051,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-workflow-normalizer + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 347a7dfb490..241f85b7ef1 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -1009,6 +1009,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -1018,6 +1021,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-workflow-skill-extractor + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/docs/adr/40360-dedicated-always-run-firewall-logs-artifact.md b/docs/adr/40360-dedicated-always-run-firewall-logs-artifact.md new file mode 100644 index 00000000000..65e51d399df --- /dev/null +++ b/docs/adr/40360-dedicated-always-run-firewall-logs-artifact.md @@ -0,0 +1,45 @@ +# ADR-40360: Publish Firewall Logs as a Dedicated, Always-Run Artifact + +**Date**: 2026-06-19 +**Status**: Draft + +## Context + +Firewall-enabled workflows route agent egress through a squid proxy that writes an `access.log` capturing every outbound request — the primary forensic record of what an agent reached out to. In a sample of 19 firewall-enabled runs, 2 were missing `access.log` from the uploaded artifact, and both were early `ERR_CONFIG` startup failures — precisely the runs where egress logs matter most. The root cause: the unified upload step ran with `if: always()`, but the firewall logs directory was empty or absent when AWF exited before the proxy wrote anything, so `actions/upload-artifact`'s `if-no-files-found: ignore` silently dropped it. The compiler had a `generateSquidLogsUploadStep` function but never invoked it. [TODO: verify the 19-run sample is representative across engines.] + +## Decision + +We will guarantee firewall log capture in two ways. First, `generateFirewallLogParsingStep` will `sudo mkdir -p` the `firewall/logs` and `firewall/audit` directories before `chmod`, so those paths exist in the artifact even when the proxy wrote nothing. Second, `generateSummarySteps` will emit a dedicated **`Upload Firewall Logs`** step (`if: always()`, artifact name `firewall-logs-{workflow}`) for every firewall-enabled workflow, wiring up the previously-dead `generateSquidLogsUploadStep`. Firewall logs thus land in their own artifact, decoupled from the bundled `agent` artifact and easy to locate on failed runs. + +## Decision Analysis + +1. **Decision**: Pre-create firewall log directories and emit a dedicated always-run upload step producing a separate `firewall-logs-{workflow}` artifact. +2. **Driver**: Egress logs vanished on early startup failures because an empty/absent logs directory triggered `if-no-files-found: ignore`. +3. **Alternatives**: Keep bundling into the `agent` artifact while forcing directory creation; or seed a placeholder file so the upload is never skipped. +4. **Consequences**: Reliable capture on early failure and easier discovery, at the cost of an extra artifact and an additional compiler-emitted step. + +## Alternatives Considered + +### Alternative 1: Keep logs in the bundled `agent` artifact, only fix the empty-directory case +Continue uploading firewall logs as part of the existing `agent` artifact and rely solely on the `mkdir -p` fix to prevent the empty-directory skip. Rejected because firewall logs would remain buried inside a large mixed artifact, making them hard to locate on failed runs, and the bundled upload's failure modes are coupled to unrelated agent outputs. + +### Alternative 2: Seed a placeholder/sentinel file in the logs directory +Write a placeholder file (e.g., `.keep` or a "no traffic recorded" notice) into the logs directory so `if-no-files-found: ignore` never triggers. Rejected because it pollutes the artifact with non-log content and obscures the genuine "proxy never started" signal that an empty-but-present directory communicates clearly. + +## Consequences + +### Positive +- `access.log` is reliably present in the artifact even when AWF fails before the proxy writes any traffic. +- Firewall logs live in a dedicated `firewall-logs-{workflow}` artifact, decoupled from the `agent` bundle and quick to find on failed runs. + +### Negative +- Each firewall-enabled workflow now produces an additional artifact, increasing artifact count and storage footprint. +- The compiler carries another emitted step to maintain, and golden fixtures for ~250 workflows had to be regenerated. + +### Neutral +- The dedicated artifact name `firewall-logs-{workflow}` establishes a naming convention that downstream tooling or docs may need to reference. +- An empty-but-present logs directory now meaningfully signals "no egress traffic / early failure" rather than a missing upload. + +--- + +*This is a DRAFT ADR generated by the [Design Decision Gate](https://github.com/github/gh-aw/actions/runs/27840909414) workflow. The PR author must review, complete, and finalize this document before the PR can merge.* diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go index 604a76c3267..2b9f2398f3d 100644 --- a/pkg/workflow/compiler_yaml_main_job.go +++ b/pkg/workflow/compiler_yaml_main_job.go @@ -685,6 +685,17 @@ func (c *Compiler) generateSummarySteps(yaml *strings.Builder, data *WorkflowDat yaml.WriteString(line) yaml.WriteByte('\n') } + + // Add a dedicated firewall-logs artifact upload that runs with if: always() so the + // access.log is captured even when the agent fails early (e.g. ERR_CONFIG). + // This is separate from the unified agent artifact upload to make firewall logs + // easy to locate and to ensure they are uploaded independently. + firewallLogsUpload := generateSquidLogsUploadStep(data.Name) + for _, line := range firewallLogsUpload { + yaml.WriteString(line) + yaml.WriteByte('\n') + } + c.stepOrderTracker.RecordArtifactUpload("Upload Firewall Logs", []string{constants.AWFProxyLogsDir + "/"}) } // Parse token-usage.jsonl and append to step summary (requires AWF v0.25.8+) diff --git a/pkg/workflow/engine_firewall_support.go b/pkg/workflow/engine_firewall_support.go index c049b0864d4..38e4dc4764a 100644 --- a/pkg/workflow/engine_firewall_support.go +++ b/pkg/workflow/engine_firewall_support.go @@ -121,6 +121,7 @@ func generateSquidLogsUploadStep(workflowName string) GitHubActionStep { func generateFirewallLogParsingStep(workflowName string) GitHubActionStep { // Firewall logs are at a known location in the sandbox folder structure firewallLogsDir := constants.AWFProxyLogsDir + firewallAuditDir := constants.AWFAuditDir firewallDir := path.Dir(firewallLogsDir) stepLines := []string{ @@ -130,6 +131,9 @@ func generateFirewallLogParsingStep(workflowName string) GitHubActionStep { " env:", " AWF_LOGS_DIR: " + firewallLogsDir, " run: |", + " # Ensure log and audit directories exist so the artifact upload always captures them", + " # even when the agent fails before AWF writes any proxy logs", + fmt.Sprintf(" sudo mkdir -p %s %s 2>/dev/null || true", firewallLogsDir, firewallAuditDir), " # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts", " # AWF runs with sudo, creating files owned by root", fmt.Sprintf(" sudo chmod -R a+rX %s 2>/dev/null || true", firewallDir), diff --git a/pkg/workflow/engine_firewall_support_test.go b/pkg/workflow/engine_firewall_support_test.go index 81b6abfd5e8..c45474c367b 100644 --- a/pkg/workflow/engine_firewall_support_test.go +++ b/pkg/workflow/engine_firewall_support_test.go @@ -275,13 +275,53 @@ func TestGenerateFirewallLogParsingStepFixesFirewallPermissions(t *testing.T) { step := generateFirewallLogParsingStep("test-workflow") stepContent := strings.Join(step, "\n") expectedLogsDir := constants.AWFProxyLogsDir + expectedAuditDir := constants.AWFAuditDir expectedFirewallDir := path.Dir(expectedLogsDir) if !strings.Contains(stepContent, "AWF_LOGS_DIR: "+expectedLogsDir) { t.Error("Expected firewall log parsing step to keep AWF_LOGS_DIR set to logs directory") } + if !strings.Contains(stepContent, "sudo mkdir -p "+expectedLogsDir+" "+expectedAuditDir+" 2>/dev/null || true") { + t.Error("Expected firewall log parsing step to mkdir -p the logs and audit directories so they exist even on agent failure") + } + if !strings.Contains(stepContent, "sudo chmod -R a+rX "+expectedFirewallDir+" 2>/dev/null || true") { t.Error("Expected firewall log parsing step to chmod the parent firewall directory for logs and audit upload") } } + +func TestGenerateSummaryStepsIncludesFirewallLogsUpload(t *testing.T) { + compiler := NewCompiler() + compiler.stepOrderTracker = NewStepOrderTracker() + compiler.stepOrderTracker.MarkAgentExecutionComplete() + // Record a secret redaction step so the upload ordering is valid + compiler.stepOrderTracker.RecordSecretRedaction("Redact secrets in logs") + + workflowData := &WorkflowData{ + Name: "test-workflow", + NetworkPermissions: &NetworkPermissions{ + Allowed: []string{"api.example.com"}, + Firewall: &FirewallConfig{ + Enabled: true, + }, + }, + } + + var yaml strings.Builder + compiler.generateSummarySteps(&yaml, workflowData, NewClaudeEngine()) + output := yaml.String() + + if !strings.Contains(output, "- name: Upload Firewall Logs") { + t.Error("Expected generateSummarySteps to include a dedicated 'Upload Firewall Logs' step when firewall is enabled") + } + if !strings.Contains(output, "if: always()") { + t.Error("Expected the 'Upload Firewall Logs' step to have 'if: always()'") + } + if !strings.Contains(output, "name: firewall-logs-test-workflow") { + t.Error("Expected the 'Upload Firewall Logs' step to use artifact name 'firewall-logs-test-workflow'") + } + if !strings.Contains(output, "if-no-files-found: ignore") { + t.Error("Expected the 'Upload Firewall Logs' step to use 'if-no-files-found: ignore'") + } +} diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden index 590b33ddd8f..dce8ee74a8d 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden @@ -699,6 +699,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -708,6 +711,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-engine-claude-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden index 60a6c183f40..6e9955c3457 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden @@ -664,6 +664,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -673,6 +676,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-engine-codex-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden index bec8ddd456f..45ff5032a2e 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden @@ -637,6 +637,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -646,6 +649,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-engine-copilot-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden index fcc3c95abc2..6c9dc2a89fb 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden @@ -619,6 +619,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -628,6 +631,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-engine-gemini-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden index 2cd75d25801..5b6b89731fc 100644 --- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden +++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden @@ -554,6 +554,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -563,6 +566,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-engine-pi-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden index a86b158d367..d477a9fe9f9 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden @@ -637,6 +637,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -646,6 +649,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-basic-copilot-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden index 9b15a71c323..1431fde3e84 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden @@ -657,6 +657,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -666,6 +669,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-test-playwright-cli-mode + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 675bff7891a..b1b4870b054 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -894,6 +894,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -903,6 +906,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-smoke-copilot + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden index d7f5edf98e1..fb385908ee4 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden @@ -638,6 +638,9 @@ jobs: env: AWF_LOGS_DIR: /tmp/gh-aw/sandbox/firewall/logs run: | + # Ensure log and audit directories exist so the artifact upload always captures them + # even when the agent fails before AWF writes any proxy logs + sudo mkdir -p /tmp/gh-aw/sandbox/firewall/logs /tmp/gh-aw/sandbox/firewall/audit 2>/dev/null || true # Fix permissions on firewall logs/audit dirs so they can be uploaded as artifacts # AWF runs with sudo, creating files owned by root sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewall 2>/dev/null || true @@ -647,6 +650,14 @@ jobs: else echo 'AWF binary not installed, skipping firewall log summary' fi + - name: Upload Firewall Logs + if: always() + continue-on-error: true + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: firewall-logs-with-imports-test + path: /tmp/gh-aw/sandbox/firewall/logs/ + if-no-files-found: ignore - name: Parse token usage for step summary if: always() continue-on-error: true