misc(ci): workaround new ubuntu 23 security issue for chromium (#16296)
connorjclark authored Jan 6, 2025
1 parent c813b02 commit 1837726
Showing 4 changed files with 20 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -38,6 +38,10 @@ jobs:
- run: yarn type-check
- run: yarn build-all

# Since Ubuntu 23, dev builds of Chromium need this.
# https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
- run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

# Run pptr tests using ToT Chrome instead of stable default.
- name: Install Chrome ToT
run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
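Review bot: The new `sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` step changes a kernel setting for the whole runner, so every later step in this job runs with the AppArmor restriction on unprivileged user namespaces turned off, not only the Chrome ToT install and the pptr tests that follow. The comment says only that dev builds of Chromium "need this"; it should also say what is being turned off and that the scope is host-wide, so a reader does not have to open the link to see that a hardening default was relaxed. If a narrower fix is practical, such as an AppArmor profile covering just the downloaded Chrome binary, that would leave the restriction in place for the rest of the job.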
4 changes: 4 additions & 0 deletions .github/workflows/devtools.yml
Expand Up @@ -160,6 +160,10 @@ jobs:
- run: yarn build-report
working-directory: ${{ github.workspace }}/lighthouse

# Since Ubuntu 23, dev builds of Chromium need this.
# https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
- run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

- name: Install Chrome ToT
run: bash ${{ github.workspace }}/lighthouse/core/scripts/download-chrome.sh
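Review bot: These same three lines (two comment lines and the `sysctl` step) are pasted in five places across four workflow files in this commit, each time directly ahead of the `Install Chrome ToT` step. Consider putting the sysctl call in one shared place, for example a composite action or next to the call to `download-chrome.sh`, so the workaround can be changed or removed in one edit and no copy is left behind.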

8 changes: 8 additions & 0 deletions .github/workflows/smoke.yml
Expand Up @@ -41,6 +41,10 @@ jobs:
with:
node-version: 18.x

# Since Ubuntu 23, dev builds of Chromium need this.
# https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
- run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

# Chrome Stable is already installed by default.
- name: Install Chrome ToT
if: matrix.chrome-channel == 'ToT'
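Review bot: The added step runs unconditionally, but the `Install Chrome ToT` step right after it is gated by `if: matrix.chrome-channel == 'ToT'`, and the context comment says Chrome Stable is already installed by default. As written, matrix entries that use stable Chrome also get the user namespace restriction disabled, although the comment says only dev builds need it. Adding the same `if: matrix.chrome-channel == 'ToT'` to the sysctl step would limit the change to the runs that require it.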
Expand Down Expand Up @@ -151,6 +155,10 @@ jobs:
- run: yarn build-report
- run: yarn build-devtools

# Since Ubuntu 23, dev builds of Chromium need this.
# https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
- run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

- name: Install Chrome ToT
run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
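Review bot: `sudo sysctl -w` exits with an error when the key does not exist, so this step will fail the job on any runner image whose kernel does not expose `kernel.apparmor_restrict_unprivileged_userns` (an older Ubuntu image, for instance). Either guard the step with a check that `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` exists, or pass `-e` so that an unknown key is ignored.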

4 changes: 4 additions & 0 deletions .github/workflows/unit.yml
Expand Up @@ -53,6 +53,10 @@ jobs:
- run: yarn build-report
- run: yarn reset-link

# Since Ubuntu 23, dev builds of Chromium need this.
# https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
- run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

# Run pptr tests using ToT Chrome instead of stable default.
- name: Install Chrome ToT
run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
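Review bot: The step is unnamed, so it appears in the job log as the raw command, and the comment gives no removal condition even though the commit title calls this a workaround. Add a `name:` (for example `Allow unprivileged user namespaces for Chrome ToT`) and a TODO stating when the line can be dropped, so it does not outlive the problem it addresses.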