fix: handle EPERM when chmod'ing pre-existing mcp-logs directory#5956
Conversation
When the MCP Gateway creates /tmp/gh-aw/mcp-logs before AWF starts, the directory may be owned by a different user. The unconditional chmodSync call would crash with EPERM, failing the entire workflow. Wrap the chmod in a try/catch for the 'directory already exists' branch so AWF proceeds gracefully. The directory permissions are best-effort since the container uses a tmpfs overlay for this path anyway. Fixes smoke-chroot CI failures like: EPERM: operation not permitted, chmod '/tmp/gh-aw/mcp-logs' Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR prevents AWF from crashing when /tmp/gh-aw/mcp-logs already exists and chmodSync fails with EPERM (e.g., created by the MCP Gateway under a different owner), by making the permission fix best-effort and adding a regression test.
Changes:
- Wrap
chmodSyncfor the pre-existing MCP logs directory in atry/catchto avoid fatalEPERMfailures. - Add a Jest test ensuring
EPERMduring the pre-existing directory chmod does not throw.
Show a summary per file
| File | Description |
|---|---|
| src/workdir-setup.ts | Makes the “fix permissions for pre-existing mcp-logs directory” chmod best-effort. |
| src/workdir-setup.test.ts | Adds coverage for the EPERM-on-chmod scenario. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 2
- Review effort level: Low
| try { | ||
| fs.chmodSync(mcpLogsDir, 0o777); | ||
| logger.debug(`MCP logs directory permissions fixed at: ${mcpLogsDir}`); | ||
| } catch { | ||
| logger.debug(`MCP logs directory already exists at: ${mcpLogsDir} (chmod skipped, owned by another user)`); | ||
| } |
| // Simulate EPERM: directory owned by another user (e.g., MCP gateway) | ||
| const eperm = new Error("EPERM: operation not permitted, chmod '/tmp/gh-aw/mcp-logs'") as NodeJS.ErrnoException; | ||
| eperm.code = 'EPERM'; | ||
| (fs.chmodSync as jest.Mock).mockImplementation((target: string) => { | ||
| if (target === mcpLogsDir) throw eperm; | ||
| }); |
|
✅ Copilot review passed with no inline comments. @lpcox Add the |
|
@copilot address review feedback |
|
✅ Smoke Claude passed |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
❌ Smoke Copilot BYOK AOAI (Entra) reports failed. AOAI BYOK (Entra) mode investigation needed... |
|
✅ Contribution Check completed successfully! PR #5956 follows the applicable CONTRIBUTING.md guidelines based on the provided metadata, diff, and contribution guide; no review comment needed. |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
✅ Build Test Suite completed successfully! |
|
🔌 Smoke Services — All services reachable! ✅ |
|
Chroot tests failed Smoke Chroot failed - See logs for details. |
|
❌ Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed... |
|
🚀 Security Guard has started processing this pull request |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
Smoke Test: Claude Engine Validation
Overall Result: PASS ✅ Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Services Connectivity
Overall: FAIL — Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot Engine — PASS
Overall: PASS @lpcox Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔥 Smoke Test: Copilot BYOK (Direct) — PASS
Running in direct BYOK mode ( Overall: PASS — @lpcox Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot PAT Auth
Overall: PASS Author: @lpcox · Auth mode: PAT (COPILOT_GITHUB_TOKEN) Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔭 OTEL Tracing Smoke Test Results
All scenarios pass. Graceful degradation confirmed (file fallback when no OTLP endpoint configured). Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Gemini Smoke Test Results
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
|
Smoke test results:\n- PRs reviewed: #5950 fix(test): update BYOK workflow test to match recompiled lock files\n- PRs reviewed: #5946 chore: upgrade gh-aw to v0.82.2 pre-release and recompile workflows\n- GitHub title check ✅\n- File write/read ✅\n- Discussion lookup/comment ✅\n- npm ci && npm run build ❌\n- Overall: FAIL Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Problem
When the MCP Gateway step creates
/tmp/gh-aw/mcp-logsbefore AWF starts (e.g., in smoke-chroot workflows), the directory is owned by a different user. AWF'swriteConfigs()unconditionally callschmodSyncon it, which crashes with:This causes unrelated PRs to fail CI (e.g., #5941).
Fix
Wrap the
chmodSyncin a try/catch for the "directory already exists" branch insrc/workdir-setup.ts. The chmod is best-effort since the AWF container uses a tmpfs overlay for this path anyway — the host directory permissions don't matter for container operation.Testing