Allow running bubblewrap in container #22907
Looks like Not sure how much

Any way we can build it with this configuration instead?
MikeMcQuaid left a comment
This makes sense, let's do it!
Thanks @cho-m!
Pull request overview
This PR experiments with enabling Bubblewrap-based sandboxing when Homebrew runs inside Linux containers by (a) tightening sandbox availability checks and (b) configuring GitHub Actions container execution to run with elevated privileges when needed.
Changes:
- Add `Sandbox.ensure_sandbox_available!` and use it from sandbox execution paths.
- Make `test-bot` on GitHub Actions raise (for Homebrew-owned repos) when sandbox configuration fails, instead of silently disabling sandboxing.
- Update GitHub Actions runner/container configuration to add `--privileged` for container-based Linux test-bot runs.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `Library/Homebrew/sandbox.rb` | Adds `ensure_sandbox_available!` and reuses it in `run_command`. |
| `Library/Homebrew/test_bot.rb` | Enforces sandbox availability for Homebrew-owned repos on GitHub Actions before disabling sandboxing. |
| `Library/Homebrew/github_runner_matrix.rb` | Adds conditional `--privileged` container options when Linux sandboxing is enabled. |
| `.github/workflows/tests.yml` | Refactors test-bot job container config to include options (intended for `--privileged`). |
| `Library/Homebrew/extend/os/linux/dev-cmd/tests.rb` | Switches to `Sandbox.ensure_sandbox_available!` during environment checks. |
| `Library/Homebrew/test/dev-cmd/tests_spec.rb` | Updates expectation to match the new exception type from sandbox availability checks. |
| `Library/Homebrew/test/test_bot_spec.rb` | Splits behavior between Homebrew-owned vs external repos and updates sandbox setup expectations. |
Comments suppressed due to low confidence (1)
`Library/Homebrew/test/test_bot_spec.rb:226`
- Similar to the previous example: prefer `with_env` over stubbing `ENV[]` to avoid interfering with unrelated environment lookups and keep the test isolated.

```ruby
allow(described_class).to receive(:configure_sandbox!).and_return(false)
allow(ENV).to receive(:[]).with("GITHUB_REPOSITORY_OWNER").and_return("foo")
described_class.setup_github_actions_sandbox!
expect(ENV.fetch("HOMEBREW_NO_SANDBOX_LINUX")).to eq("1")
```
| allow(described_class).to receive(:configure_sandbox!).and_return(false) | ||
| allow(ENV).to receive(:[]).with("GITHUB_REPOSITORY_OWNER").and_return("Homebrew") | ||
| allow(Sandbox).to receive(:available?).and_return(false) | ||
|
|
||
| expect { described_class.setup_github_actions_sandbox! }.to raise_error(RuntimeError) |
|
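Review bot: the final expectation, `raise_error(RuntimeError)`, matches on class alone, so any RuntimeError raised inside `setup_github_actions_sandbox!` satisfies it, including one unrelated to sandbox availability. Consider also matching the error message, or raising a dedicated error class, so the test pins the failure to the sandbox check for the Homebrew-owned case. Separately, the `ENV[]` stub on the second line is constrained with `.with("GITHUB_REPOSITORY_OWNER")`; unless a fallback such as `allow(ENV).to receive(:[]).and_call_original` is set up elsewhere in the spec, lookups of any other key during the call will fail with an unexpected-arguments error rather than exercising the code under test.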
Will take a look at Copilot comments to see if we need any. EDIT: Don't think any are required. Test change could be cleaner to scope module-under-test boundary.
Experimenting to see if it is possible to run bubblewrap inside container.
Currently, Homebrew/core always disables sandbox on Linux as container lacks necessary privileges to run bubblewrap. This means sandbox feature, `deny_network_access!`, etc don't actually work yet.