fix: make audit artifacts world-readable to fix gh-aw post-job EACCES

lpcox · Copilot · lpcox · commit 63f4f87b014d · 2026-04-30T08:24:41.000-07:00
AWF creates audit files (squid.conf, docker-compose.redacted.yml,
policy-manifest.json) as root with 0o600 permissions. When gh-aw's
post-job secret scanner runs as the runner user, it gets EACCES
trying to stat/scan these files, causing job failures.

Since audit files already have secrets redacted, change permissions
from 0o700/0o600 to 0o755/0o644 so they're readable without needing
the chmod a+rX cleanup step to have run first.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -2339,19 +2339,20 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
   // Write audit artifacts (config snapshots for post-run forensics)
   const auditDir = config.auditDir || path.join(config.workDir, 'audit');
   if (!fs.existsSync(auditDir)) {
-    // Restrictive permissions initially; made readable during cleanup (chmod a+rX)
-    fs.mkdirSync(auditDir, { recursive: true, mode: 0o700 });
+    // World-readable so gh-aw post-job scanners can access audit artifacts
+    // (files are already secret-redacted, so 0o755 is safe)
+    fs.mkdirSync(auditDir, { recursive: true, mode: 0o755 });
   }
 
   // Save squid.conf for audit (no secrets — just domain ACLs and proxy config)
-  fs.writeFileSync(path.join(auditDir, 'squid.conf'), squidConfig, { mode: 0o600 });
+  fs.writeFileSync(path.join(auditDir, 'squid.conf'), squidConfig, { mode: 0o644 });
 
   // Save redacted docker-compose.yml (strip env vars that may contain secrets)
   const redactedCompose = redactDockerComposeSecrets(dockerCompose);
   fs.writeFileSync(
     path.join(auditDir, 'docker-compose.redacted.yml'),
     yaml.dump(redactedCompose, { lineWidth: -1 }),
-    { mode: 0o600 }
+    { mode: 0o644 }
   );
 
   // Generate and save policy manifest (structured description of all firewall rules)
@@ -2368,7 +2369,7 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
   fs.writeFileSync(
     path.join(auditDir, 'policy-manifest.json'),
     JSON.stringify(policyManifest, null, 2),
-    { mode: 0o600 }
+    { mode: 0o644 }
   );
 
   logger.debug(`Audit artifacts written to: ${auditDir}`);
