These exercise enableWeakerNestedSandbox — the two tests that broke when apply-seccomp started nesting namespaces. Add explicitly until the full-suite CI change lands.
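# CI workflow: builds the project and runs the unit, Node.js-fallback,
# integration and (Linux-only) mandatory-deny-paths test suites across a
# Linux/macOS x x86-64/arm64 matrix.
name: Tests

on:
  push:
    branches: ['**']
  pull_request:
    branches: ['**']

# Least privilege for GITHUB_TOKEN: every step here only reads the
# repository (checkout) or downloads tooling; none of them pushes, comments
# or otherwise writes back, so the token needs nothing beyond contents:read.
permissions:
  contents: read

jobs:
  integration-tests:
    name: Tests (${{ matrix.os }} / ${{ matrix.arch }})
    runs-on: ${{ matrix.runner }}

    strategy:
      # Keep every OS/arch leg running so one platform's failure does not
      # hide results from the others.
      fail-fast: false
      matrix:
        include:
          - arch: x86-64
            runner: ubuntu-latest
            os: linux
          - arch: arm64
            runner: ubuntu-24.04-arm
            os: linux
          - arch: x86-64
            runner: macos-15-large
            os: macos
          - arch: arm64
            runner: macos-14
            os: macos

    # NOTE(review): third-party actions below are pinned to a floating major
    # tag (@v4 / @v2); pinning to a full commit SHA with the tag in a trailing
    # comment would make the tool chain reproducible and tamper-evident.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          # Quoted so the version is always read as a string, matching
          # node-version above.
          bun-version: '1.3.1'

      - name: Install system dependencies (Linux)
        if: matrix.os == 'linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y bubblewrap libseccomp-dev gcc socat ripgrep apparmor-profiles zsh

      - name: Enable unprivileged user namespaces (Linux)
        if: matrix.os == 'linux'
        run: |
          # Ubuntu 24.04+ sets kernel.apparmor_restrict_unprivileged_userns=1 which
          # allows unshare(CLONE_NEWUSER) but grants the new namespace zero
          # capabilities. Disable it so bwrap and apply-seccomp can nest
          # namespaces without needing setuid.
          # `|| true`: either sysctl key may be absent on a given kernel; a
          # missing key must not abort the step, the bwrap probe below is the
          # real check.
          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
          sudo sysctl -w kernel.unprivileged_userns_clone=1 || true

          # Verify bwrap can create namespaces. This probe is diagnostic only:
          # a failure is echoed but does not fail the step, so look for the
          # "✗" line in the log when the sandbox tests fail unexpectedly.
          echo "Testing bwrap namespace creation..."
          bwrap --ro-bind / / --unshare-net true && echo "✓ bwrap namespace creation works" || echo "✗ bwrap namespace creation still fails"

      - name: Install system dependencies (macOS)
        if: matrix.os == 'macos'
        run: |
          brew install ripgrep zsh

      - name: Install Node dependencies
        # NOTE(review): if a package-lock.json is committed, `npm ci` would
        # install exactly the locked dependency tree instead of resolving anew.
        run: npm install

      - name: Build project
        run: npm run build

      - name: Run unit tests
        run: npm run test:unit

      - name: Run Node.js fallback tests
        run: node test/utils/which-node-test.mjs

      - name: Run integration tests
        run: npm run test:integration

      - name: Run mandatory-deny-paths tests (Linux)
        if: matrix.os == 'linux'
        # Exercises enableWeakerNestedSandbox — the two tests that broke
        # when apply-seccomp started nesting namespaces. Add explicitly
        # until the full-suite CI change lands.
        run: bun test test/sandbox/mandatory-deny-paths.test.ts

      - name: Upload test results
        # always(): collect logs from failed legs too, which is where they
        # matter most.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-results-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            test-results/
            *.log
          if-no-files-found: ignore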