fix(ci): pass --no-sandbox to Chrome in Lighthouse CI
Chrome's user-namespace sandbox is unusable inside the act runner container — the host kernel's AppArmor profile (Ubuntu 23.10+) blocks unprivileged user namespaces, so Chrome aborts at the zygote stage with `No usable sandbox`. Lighthouse never connects to the browser and the perf gate fails. `--no-sandbox` is the standard workaround documented by Lighthouse, Puppeteer, and Playwright for containerised CI. The residual risk is acceptable: the browser only loads our own freshly built bundle from http://localhost:4200/ inside an ephemeral self-hosted runner — no untrusted content reaches the renderer.
This commit is contained in:
@@ -23,6 +23,16 @@ module.exports = {
|
|||||||
// Slow-4G profile so scores are stable across CI runners and
|
// Slow-4G profile so scores are stable across CI runners and
|
||||||
// comparable to industry public benchmarks.
|
// comparable to industry public benchmarks.
|
||||||
preset: 'desktop',
|
preset: 'desktop',
|
||||||
|
// Chrome's user-namespace sandbox is disabled inside the act
|
||||||
|
// runner container (AppArmor restriction on the host kernel),
|
||||||
|
// so Chrome fails to launch with a "No usable sandbox" zygote
|
||||||
|
// error. `--no-sandbox` is the standard Lighthouse / Puppeteer
|
||||||
|
// / Playwright workaround for containerised CI: the residual
|
||||||
|
// risk is acceptable because Chrome only loads our own freshly
|
||||||
|
// built bundle from http://localhost:4200/ inside an ephemeral
|
||||||
|
// self-hosted runner container — no untrusted content reaches
|
||||||
|
// the browser process.
|
||||||
|
chromeFlags: '--no-sandbox',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
assert: {
|
assert: {
|
||||||
|
|||||||
Reference in New Issue
Block a user