fix: DIFC/CLI proxy containers run as root, causing permission denied on shared rpc-messages.jsonl #33892

@Dan-Albrecht

Human Dan here: below is fully AI gen, though I reviewed it and believe it to the best of my understanding of the code

Summary

When the DIFC proxy is active, the MCP Gateway fails to write rpc-messages.jsonl due to a UID mismatch between containers sharing /tmp/gh-aw/mcp-logs/. The agent job succeeds but the run is marked failed by the "Parse MCP Gateway logs" post-step.

Regression

| When | What | PR |
|---|---|---|
| Mar 23 | DIFC proxy introduced — latent permission bug (proxy runs as root, gateway as runner UID) | #22563 |
| May 19 | Zero-byte rpc-messages.jsonl now calls core.setFailed() — bug becomes a hard failure | #33358 |

Steps to Reproduce

  1. Workflow with tools.github configured (triggers DIFC proxy with default min-integrity: none)
  2. Run completes successfully — agent produces correct output
  3. "Parse MCP Gateway logs for step summary" fails:
    ERR_SYSTEM: rpc-messages.jsonl is present but zero bytes — MCP telemetry capture failed
    

Root Cause

actions/setup/sh/start_difc_proxy.sh line 42:

docker run -d --name awmg-proxy --network host \
  -e GH_TOKEN \
  ...

No --user flag → container defaults to root (UID 0) → creates rpc-messages.jsonl as root-owned.

MCP Gateway starts later with --user "$(id -u):$(id -g)" (UID 1001) → permission denied on the same file.

Same issue in actions/setup/sh/start_cli_proxy.sh line 43.

Gateway log confirms:

2026/05/21 20:31:08 Warning: Failed to initialize JSONL logger: failed to open log file:
  open /tmp/gh-aw/mcp-logs/rpc-messages.jsonl: permission denied

Suggested Fix

--- a/actions/setup/sh/start_difc_proxy.sh
+++ b/actions/setup/sh/start_difc_proxy.sh
@@ -42,6 +42,7 @@
 docker run -d --name awmg-proxy --network host \
+  --user "$(id -u):$(id -g)" \
   -e GH_TOKEN \
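Review bot: the added `--user "$(id -u):$(id -g)"` line only changes ownership of files the proxy creates from this run onward; if /tmp/gh-aw/mcp-logs/ or rpc-messages.jsonl is already root-owned when this `docker run` executes (for example on a reused runner), awmg-proxy would now hit the same permission denied the gateway reports. Suggest creating the log directory as the runner user before this command, and adding a one-line comment above the flag saying the UID must match the gateway's so it is not dropped later. Nothing in the hunk shows that the proxy image starts cleanly as a non-root user, so that should be confirmed before merging.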

--- a/actions/setup/sh/start_cli_proxy.sh
+++ b/actions/setup/sh/start_cli_proxy.sh
@@ -43,6 +43,7 @@
 docker run -d --name awmg-cli-proxy --network host \
+  --user "$(id -u):$(id -g)" \
   -e GH_TOKEN \
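Review bot: the `--user` line added under `docker run -d --name awmg-cli-proxy` duplicates the one in start_difc_proxy.sh, so the same UID expression now has to stay in sync across both proxy scripts and the gateway launch. Suggest computing it once in a shared variable or sourced helper, so the containers that write to the shared log directory cannot drift apart again. A regression check that fails when rpc-messages.jsonl is not owned by the runner UID would catch a future launcher that omits the flag.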

Workaround

tools:
  github:
    integrity-proxy: false
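
A check for the condition this issue describes, as an added example that is not part of the original issue or the gh-aw code base: it lists `docker run` commands in a launcher script that have no `--user` flag, and files in a shared log directory not owned by the expected UID. The function names, the image names and `sample-gateway` are constructed for illustration; `awmg-proxy` and `GH_TOKEN` come from the issue.

```shell
#!/usr/bin/env bash
# Added example, not code from the gh-aw repository.

# Print the --name of every `docker run` in script $1 that has no --user/-u
# flag, i.e. every container that would start with the default UID of its image.
docker_runs_without_user() {
  awk '
    function check(cmd,    n, w, i, name) {
      cmd = " " cmd " "                       # pad so patterns need no anchors
      if (cmd !~ /[;&| \t]docker[ \t]+run[ \t]/) return
      if (cmd ~ /[ \t](--user|-u)[ \t=]/) return
      name = "(unnamed)"
      n = split(cmd, w, /[ \t]+/)
      for (i = 1; i < n; i++) if (w[i] == "--name") name = w[i + 1]
      print name
    }
    /^[ \t]*#/ { next }                       # ignore comment lines
    {
      line = line $0
      if (sub(/\\$/, " ", line)) next         # backslash continuation: keep joining
      check(line); line = ""
    }
    END { if (line != "") check(line) }
  ' "$1"
}

# Print regular files under directory $1 that are not owned by numeric UID $2
# (the UID the later writer, here the gateway, will run as).
files_not_owned_by() {
  find "$1" -type f ! -user "$2"
}

# Constructed sample launcher: one container without --user, one with it.
write_sample_launcher() {
  cat > "$1" <<'EOF'
docker run -d --name awmg-proxy --network host \
  -e GH_TOKEN \
  sample/proxy-image
docker run -d --name sample-gateway \
  --user "$(id -u):$(id -g)" \
  sample/gateway-image
EOF
}

if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); write_sample_launcher "$f"
  docker_runs_without_user "$f"; rm -f "$f"
fi
```

Run against the real launcher scripts in CI, any output from `docker_runs_without_user` marks a container that can leave root-owned files in a directory another container writes to as the runner user.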

Labels: bug, mcp