From d506f56a47287b94b71eb749db72d0305fdc3dc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Daoust?= Date: Tue, 7 Jan 2025 10:17:38 +0100 Subject: [PATCH] Disable AppArmor in jobs that use Puppeteer (#1630) Needed now that GitHub Actions switched to Ubuntu 24. --- .github/workflows/build.yml | 7 +++++++ .github/workflows/check-suggested-spec.yml | 7 +++++++ .github/workflows/lint.yml | 7 +++++++ .github/workflows/report-new-specs.yml | 7 +++++++ .github/workflows/submit-suggested-spec.yml | 7 +++++++ 5 files changed, 35 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b55c91bf..0c505f7a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,6 +9,13 @@ jobs: fetch: runs-on: ubuntu-latest steps: + # Starting with Ubuntu 23+, a security feature prevents running Puppeteer + # by default. It needs to be disabled. Using the "easiest" option, see: + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + # https://github.com/puppeteer/puppeteer/pull/13196/files + - name: Disable AppArmor + run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns + - name: Checkout repo uses: actions/checkout@v4 with: diff --git a/.github/workflows/check-suggested-spec.yml b/.github/workflows/check-suggested-spec.yml index 79f38b01..8a3904fe 100644 --- a/.github/workflows/check-suggested-spec.yml +++ b/.github/workflows/check-suggested-spec.yml 
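Review bot: The step name `Disable AppArmor` and the comment above it overstate what the command does: writing 0 to `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` only lifts the restriction on unprivileged user namespaces, and AppArmor itself stays active. I would rename it to `- name: Allow unprivileged user namespaces for Chromium's sandbox`. The comment should also say that the setting is host-wide and lasts until reboot, which is acceptable on the throwaway `ubuntu-latest` runner shown here but should not be copied to a self-hosted runner. The comment's "easiest" implies the linked Chromium document lists narrower options, so a word on why the global switch was preferred would help the next reader. The same seven lines appear in the hunks for check-suggested-spec.yml, lint.yml, report-new-specs.yml and submit-suggested-spec.yml, and the steps list continues outside each hunk.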
@@ -19,6 +19,13 @@ jobs: # We're only interested in "new spec" issues if: ${{ contains(github.event.issue.labels.*.name, 'new spec') }} steps: + # Starting with Ubuntu 23+, a security feature prevents running Puppeteer + # by default. It needs to be disabled. Using the "easiest" option, see: + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + # https://github.com/puppeteer/puppeteer/pull/13196/files + - name: Disable AppArmor + run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns + - name: Setup node.js uses: actions/setup-node@v4 with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 61ebceca..284daa53 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -13,6 +13,13 @@ jobs: lint: runs-on: ubuntu-latest steps: + # Starting with Ubuntu 23+, a security feature prevents running Puppeteer + # by default. It needs to be disabled. Using the "easiest" option, see: + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + # https://github.com/puppeteer/puppeteer/pull/13196/files + - name: Disable AppArmor + run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns + - name: Checkout latest version of release script uses: actions/checkout@v4 diff --git a/.github/workflows/report-new-specs.yml b/.github/workflows/report-new-specs.yml index 068e725f..d055abfd 100644 --- a/.github/workflows/report-new-specs.yml +++ b/.github/workflows/report-new-specs.yml 
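Review bot: In the check-suggested-spec.yml hunk the relaxation is the first step of a job that the visible `if:` ties to issues labelled 'new spec', so it is in effect for `actions/setup-node` and everything after it, not just for the browser launch. Placing the step directly before the one that starts Puppeteer keeps the change next to its reason and shortens the time the runner spends with the restriction lifted; that step is outside this hunk, so I cannot see where it sits. The `sudo tee` call shows the job user already has passwordless sudo, so this is a least-privilege habit rather than a hard boundary. The same ordering applies in submit-suggested-spec.yml, which reacts to issue comments.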
@@ -10,6 +10,13 @@ jobs: name: Find potential new specs runs-on: ubuntu-latest steps: + # Starting with Ubuntu 23+, a security feature prevents running Puppeteer + # by default. It needs to be disabled. Using the "easiest" option, see: + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + # https://github.com/puppeteer/puppeteer/pull/13196/files + - name: Disable AppArmor + run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns + - name: Checkout latest version of release script uses: actions/checkout@v4 diff --git a/.github/workflows/submit-suggested-spec.yml b/.github/workflows/submit-suggested-spec.yml index 50199694..f5a07f45 100644 --- a/.github/workflows/submit-suggested-spec.yml +++ b/.github/workflows/submit-suggested-spec.yml @@ -19,6 +19,13 @@ jobs: # https://docs.github.com/en/rest/collaborators/collaborators?apiVersion=2022-11-28#get-repository-permissions-for-a-user if: ${{ github.event.comment.author_association == 'MEMBER' && contains(github.event.comment.body, '@browser-specs-bot ') }} steps: + # Starting with Ubuntu 23+, a security feature prevents running Puppeteer + # by default. It needs to be disabled. Using the "easiest" option, see: + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + # https://github.com/puppeteer/puppeteer/pull/13196/files + - name: Disable AppArmor + run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns + - name: Setup node.js uses: actions/setup-node@v4 with: