Address review: make GITHUB_ENV writes best-effort and rename test case

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/8c6049c3-8a7e-4abf-93b8-615d1b4fb45a

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Author: Copilot

internal/cmd/proxy.go

@@ -335,7 +335,7 @@ func configureTLSTrustEnvironment(caCertPath string) error {
 	}
 
 	// Best-effort append: the proxy should still start even if GITHUB_ENV cannot be opened.
-	f, err := os.OpenFile(githubEnvPath, os.O_APPEND|os.O_WRONLY, 0o644)
+	f, err := os.OpenFile(githubEnvPath, os.O_APPEND|os.O_WRONLY, 0)
 	if err != nil {
 		logger.LogWarn("startup", "Skipping GITHUB_ENV TLS trust export: open failed for %s: %v", githubEnvPath, err)
 		return nil
@@ -344,7 +344,8 @@ func configureTLSTrustEnvironment(caCertPath string) error {
 
 	for _, key := range tlsTrustEnvKeys {
 		if _, err := io.WriteString(f, key+"="+caCertPath+"\n"); err != nil {
-			return fmt.Errorf("failed writing %s to GITHUB_ENV file: %w", key, err)
+			logger.LogWarn("startup", "Skipping GITHUB_ENV TLS trust export: write failed for %s (%s): %v", githubEnvPath, key, err)
+			return nil
 		}
 	}
 

internal/cmd/proxy_test.go

@@ -428,7 +428,7 @@ func TestConfigureTLSTrustEnvironment(t *testing.T) {
 		}
 	})
 
-	t.Run("skips GITHUB_ENV append when env var is unset", func(t *testing.T) {
+	t.Run("skips GITHUB_ENV append when env var is unset or empty", func(t *testing.T) {
 		t.Setenv("GITHUB_ENV", "")
 		require.NoError(t, configureTLSTrustEnvironment(caPath))
 	})
@@ -452,6 +452,14 @@ func TestConfigureTLSTrustEnvironment(t *testing.T) {
 		}
 	})
 
+	t.Run("treats GITHUB_ENV write failures as best-effort", func(t *testing.T) {
+		if _, err := os.Stat("/dev/full"); err != nil {
+			t.Skip("/dev/full not available on this platform")
+		}
+		t.Setenv("GITHUB_ENV", "/dev/full")
+		require.NoError(t, configureTLSTrustEnvironment(caPath))
+	})
+
 	t.Run("rejects CA cert path with newline", func(t *testing.T) {
 		err := configureTLSTrustEnvironment("/tmp/ca.crt\nMALICIOUS=1")
 		require.Error(t, err)