From 117723864a09a3e4406c256726beb5f4acac9edf Mon Sep 17 00:00:00 2001
From: Stefan Frijters <sfrijters@gmail.com>
Date: Tue, 1 Oct 2024 22:02:33 +0200
Subject: [PATCH] Try ubuntu-latest with a hack for CI

---
 .github/workflows/compile-check-blink.yml | 24 ++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/compile-check-blink.yml b/.github/workflows/compile-check-blink.yml
index 1a477e8..367485f 100644
--- a/.github/workflows/compile-check-blink.yml
+++ b/.github/workflows/compile-check-blink.yml
@@ -8,7 +8,7 @@ on:
       - 'README.md'
 jobs:
   nix-flake-check:
-    runs-on: ubuntu-22.04  # Work around https://github.com/containers/bubblewrap/issues/632
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
     - uses: cachix/install-nix-action@v29
@@ -16,6 +16,28 @@ jobs:
         github_access_token: ${{ secrets.GITHUB_TOKEN }}
     - uses: DeterminateSystems/magic-nix-cache-action@v8
 
+    - name: AppArmor fixes
+      # Work around https://github.com/containers/bubblewrap/issues/632
+      run: |
+        arduino_cli_path="$(nix develop --command which arduino-cli)"
+        bwrap_path="$(grep '/bwrap' /nix/store/z2afvf8vnczxd09xpcc6nkn0zd83nacl-arduino-cli-1.0.4/bin/arduino-cli)"
+
+        cat << EOF | sudo tee /etc/apparmor.d/local-bwrap
+        abi <abi/4.0>,
+        include <tunables/global>
+
+        profile local-bwrap ${bwrap_path} flags=(unconfined) {
+          userns,
+
+          # Site-specific additions and overrides. See local/README for details.
+          include if exists <local/bwrap>
+        }
+        EOF
+
+        sudo cat /etc/apparmor.d/local-bwrap
+
+        sudo systemctl reload apparmor
+
     - name: Compile test
       run: |
         nix develop --command make -C blink compile