test(core): install bubblewrap on Linux CI for sandbox integration tests (#23583)

2026-03-26 14:01:14 -07:00 · 2026-03-25 10:29:46 -04:00
parent 5e186bfb22
commit 109a7dc531
2 changed files with 23 additions and 9 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -158,6 +158,12 @@ jobs:
      - name: 'Build project'
        run: 'npm run build'

+      - name: 'Install system dependencies'
+        run: |
+          sudo apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq bubblewrap
+          # Ubuntu 24.04+ requires this to allow bwrap to function in CI
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+
      - name: 'Install dependencies for testing'
        run: 'npm ci'

--- a/packages/core/src/services/sandboxManager.integration.test.ts
+++ b/packages/core/src/services/sandboxManager.integration.test.ts
@@ -95,26 +95,34 @@ async function runCommand(command: SandboxedCommand) {

 /**
 * Determines if the system has the necessary binaries to run the sandbox.
+ * Throws an error if a supported platform is missing its required tools.
 */
-function isSandboxAvailable(): boolean {
-  if (os.platform() === 'win32') {
+function ensureSandboxAvailable(): boolean {
+  const platform = os.platform();
+
+  if (platform === 'win32') {
    // Windows sandboxing relies on icacls, which is a core system utility and
    // always available.
    return true;
  }

-  if (os.platform() === 'darwin') {
-    return fs.existsSync('/usr/bin/sandbox-exec');
+  if (platform === 'darwin') {
+    if (fs.existsSync('/usr/bin/sandbox-exec')) {
+      return true;
+    }
+    throw new Error(
+      'Sandboxing tests on macOS require /usr/bin/sandbox-exec to be present.',
+    );
  }

-  if (os.platform() === 'linux') {
-    // TODO: Install bubblewrap (bwrap) in Linux CI environments to enable full
-    // integration testing.
+  if (platform === 'linux') {
    try {
      execSync('which bwrap', { stdio: 'ignore' });
      return true;
    } catch {
-      return false;
+      throw new Error(
+        'Sandboxing tests on Linux require bubblewrap (bwrap) to be installed.',
+      );
    }
  }

@@ -129,7 +137,7 @@ describe('SandboxManager Integration', () => {
  const shouldSkip =
    manager instanceof NoopSandboxManager ||
    manager instanceof LocalSandboxManager ||
-    !isSandboxAvailable();
+    !ensureSandboxAvailable();

  describe.skipIf(shouldSkip)('Cross-platform Sandbox Behavior', () => {
    describe('Basic Execution', () => {