sandbox-runtime/.github/workflows/integration-tests.yml

name: Tests

on:
  push:
    branches: [ "**" ]
  pull_request:
    branches: [ "**" ]

jobs:
  integration-tests:
    name: Tests (${{ matrix.os }} / ${{ matrix.arch }})
    runs-on: ${{ matrix.runner }}

    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: x86-64
            runner: ubuntu-latest
            os: linux
          - arch: arm64
            runner: ubuntu-24.04-arm
            os: linux
          - arch: x86-64
            runner: macos-15-large
            os: macos
          - arch: arm64
            runner: macos-14
            os: macos

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.3.1

      - name: Install system dependencies (Linux)
        if: matrix.os == 'linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y bubblewrap libseccomp-dev gcc socat ripgrep apparmor-profiles zsh

      - name: Enable unprivileged user namespaces (Linux)
        if: matrix.os == 'linux'
        run: |
          # Ubuntu 24.04+ restricts unprivileged user namespaces by default
          # Set setuid bit on bwrap to allow namespace creation
          echo "Setting setuid bit on bwrap..."
          sudo chmod u+s $(which bwrap)

          # Verify bwrap can create namespaces
          echo "Testing bwrap namespace creation..."
          bwrap --ro-bind / / --unshare-net true && echo "✓ bwrap namespace creation works" || echo "✗ bwrap namespace creation still fails"

      - name: Install system dependencies (macOS)
        if: matrix.os == 'macos'
        run: |
          brew install ripgrep zsh

      - name: Install Node dependencies
        run: npm install

      - name: Build project
        run: npm run build

      - name: Run unit tests
        run: npm run test:unit

      - name: Run Node.js fallback tests
        run: node test/utils/which-node-test.mjs

      - name: Run integration tests
        run: npm run test:integration

      - name: Upload test results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-results-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            test-results/
            *.log
          if-no-files-found: ignore