Skip to content

fix: handle EPERM when chmod'ing pre-existing mcp-logs directory#5956

Merged
lpcox merged 2 commits into
mainfrom
fix/workdir-chmod-eperm
Jul 6, 2026
Merged

fix: handle EPERM when chmod'ing pre-existing mcp-logs directory#5956
lpcox merged 2 commits into
mainfrom
fix/workdir-chmod-eperm

Conversation

@lpcox

@lpcox lpcox commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Problem

When the MCP Gateway step creates /tmp/gh-aw/mcp-logs before AWF starts (e.g., in smoke-chroot workflows), the directory is owned by a different user. AWF's writeConfigs() unconditionally calls chmodSync on it, which crashes with:

[ERROR] Fatal error: Error: EPERM: operation not permitted, chmod '/tmp/gh-aw/mcp-logs'

This causes unrelated PRs to fail CI (e.g., #5941).

Fix

Wrap the chmodSync in a try/catch for the "directory already exists" branch in src/workdir-setup.ts. The chmod is best-effort since the AWF container uses a tmpfs overlay for this path anyway — the host directory permissions don't matter for container operation.

Testing

  • Added test case verifying EPERM on the mcp-logs directory doesn't throw
  • Existing tests continue to pass

When the MCP Gateway creates /tmp/gh-aw/mcp-logs before AWF starts,
the directory may be owned by a different user. The unconditional
chmodSync call would crash with EPERM, failing the entire workflow.

Wrap the chmod in a try/catch for the 'directory already exists' branch
so AWF proceeds gracefully. The directory permissions are best-effort
since the container uses a tmpfs overlay for this path anyway.

Fixes smoke-chroot CI failures like:
  EPERM: operation not permitted, chmod '/tmp/gh-aw/mcp-logs'

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 6, 2026 13:34

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents AWF from crashing when /tmp/gh-aw/mcp-logs already exists and chmodSync fails with EPERM (e.g., created by the MCP Gateway under a different owner), by making the permission fix best-effort and adding a regression test.

Changes:

  • Wrap chmodSync for the pre-existing MCP logs directory in a try/catch to avoid fatal EPERM failures.
  • Add a Jest test ensuring EPERM during the pre-existing directory chmod does not throw.
Show a summary per file
File Description
src/workdir-setup.ts Makes the “fix permissions for pre-existing mcp-logs directory” chmod best-effort.
src/workdir-setup.test.ts Adds coverage for the EPERM-on-chmod scenario.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread src/workdir-setup.ts
Comment on lines +199 to +204
try {
fs.chmodSync(mcpLogsDir, 0o777);
logger.debug(`MCP logs directory permissions fixed at: ${mcpLogsDir}`);
} catch {
logger.debug(`MCP logs directory already exists at: ${mcpLogsDir} (chmod skipped, owned by another user)`);
}
Comment thread src/workdir-setup.test.ts
Comment on lines +145 to +150
// Simulate EPERM: directory owned by another user (e.g., MCP gateway)
const eperm = new Error("EPERM: operation not permitted, chmod '/tmp/gh-aw/mcp-logs'") as NodeJS.ErrnoException;
eperm.code = 'EPERM';
(fs.chmodSync as jest.Mock).mockImplementation((target: string) => {
if (target === mcpLogsDir) throw eperm;
});
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@lpcox

lpcox commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot address review feedback

Copilot AI commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@copilot address review feedback

Addressed in 64318ae. The pre-existing mcp-logs chmod path now only swallows EPERM and rethrows other errors, and the regression test now delegates non-target chmodSync calls to the real fs implementation while covering the non-EPERM case too.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) reports failed. AOAI BYOK (Entra) mode investigation needed...

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR #5956 follows the applicable CONTRIBUTING.md guidelines based on the provided metadata, diff, and contribution guide; no review comment needed.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Chroot tests failed Smoke Chroot failed - See logs for details.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed...

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5956 · 55.7 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis (PING): ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this runner. Service containers may not be running or the network bridge is not configured.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot Engine — PASS

Test Status
GitHub MCP connectivity
GitHub.com HTTP
File write/read (smoke-test-copilot-28799015494.txt)

Overall: PASS @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Copilot BYOK (Direct) — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP (200)
File write/read (smoke-test-copilot-byok.txt)
BYOK inference (agent → api-proxy → api.githubcopilot.com)

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com

Overall: PASS@lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

Overall: PASS

Author: @lpcox · Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🔭 OTEL Tracing Smoke Test Results

Scenario Status Detail
Module Loading otel.js loads; isEnabled()=true; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
Test Suite 59 tests passed, 0 failed across otel.test.js + otel-fanout.test.js
Env Var Forwarding api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
Token Tracker Integration onUsage callback present in token-tracker-http.js (line 283/324); onSpanEnd hook also wired
OTEL Diagnostics FileSpanExporter active when no OTLP endpoint configured; spans written to /var/log/api-proxy/otel.jsonl as local fallback

All scenarios pass. Graceful degradation confirmed (file fallback when no OTLP endpoint configured).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5956 · 33.5 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Gemini Smoke Test Results

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Smoke test results:\n- PRs reviewed: #5950 fix(test): update BYOK workflow test to match recompiled lock files\n- PRs reviewed: #5946 chore: upgrade gh-aw to v0.82.2 pre-release and recompile workflows\n- GitHub title check ✅\n- File write/read ✅\n- Discussion lookup/comment ✅\n- npm ci && npm run build ❌\n- Overall: FAIL

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@lpcox lpcox merged commit 3b6d0c6 into main Jul 6, 2026
84 of 88 checks passed
@lpcox lpcox deleted the fix/workdir-chmod-eperm branch July 6, 2026 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants