fix(ci): pass --no-sandbox to Chrome in Lighthouse CI
Chrome's user-namespace sandbox is unusable inside the act runner container — the host kernel's AppArmor profile (Ubuntu 23.10+) blocks unprivileged user namespaces, so Chrome aborts at the zygote stage with `No usable sandbox`. Lighthouse never connects to the browser and the perf gate fails. `--no-sandbox` is the standard workaround documented by Lighthouse, Puppeteer, and Playwright for containerised CI. The residual risk is acceptable: the browser only loads our own freshly built bundle from http://localhost:4200/ inside an ephemeral self-hosted runner — no untrusted content reaches the renderer.
This commit is contained in:
@@ -23,6 +23,16 @@ module.exports = {
|
||||
// Slow-4G profile so scores are stable across CI runners and
|
||||
// comparable to industry public benchmarks.
|
||||
preset: 'desktop',
|
||||
// Chrome's user-namespace sandbox is disabled inside the act
|
||||
// runner container (AppArmor restriction on the host kernel),
|
||||
// so Chrome fails to launch with a "No usable sandbox" zygote
|
||||
// error. `--no-sandbox` is the standard Lighthouse / Puppeteer
|
||||
// / Playwright workaround for containerised CI: the residual
|
||||
// risk is acceptable because Chrome only loads our own freshly
|
||||
// built bundle from http://localhost:4200/ inside an ephemeral
|
||||
// self-hosted runner container — no untrusted content reaches
|
||||
// the browser process.
|
||||
chromeFlags: '--no-sandbox',
|
||||
},
|
||||
},
|
||||
assert: {
|
||||
|
||||
Reference in New Issue
Block a user