[deep-report] Ensure firewall access.log artifact uploads even when the agent fails early

[github-actions]

Description

Observability Coverage sampled 19 firewall-enabled runs (7d): 17/19 uploaded sandbox/firewall/logs/access.log (89.5%). The 2 missing were both early Avenger failures (runs 27794601855, 27792293897) — exactly the failing runs where the egress log is most needed for debugging. When the agent aborts early, the firewall access.log is not captured/uploaded, removing the primary artifact for diagnosing egress enforcement on the very runs under investigation.

Note: the underlying Avenger ERR_CONFIG failure is already tracked (#40145) — this issue is the distinct observability gap, i.e. the log artifact should be uploaded regardless of agent conclusion.

Fix

Make the firewall access.log upload step run on failure (e.g. if: always() on the relevant upload, or capture the log before the early-abort path), so failed runs still produce the egress artifact.

Expected Impact

Restores debugging artifacts for failed firewall-enabled runs; raises access.log coverage toward 100% and unblocks root-causing of early-failure clusters.

Suggested Agent

Observability Coverage Agent / copilot-swe-agent.

Estimated Effort

Medium (1-4 hours).

Data Source

DeepReport 2026-06-19; Observability Coverage report #40172.

Generated by 🔬 DeepReport - Intelligence Gathering Agent · 277.2 AIC · ⌖ 19.5 AIC · ⊞ 10.5K · ◷

• expires on Jun 21, 2026, 7:56 AM UTC-08:00

[github-actions]

This issue was automatically closed because it expired on 2026-06-21T15:56:46.140Z.

Closed by Workflow