fix(ci): pass --no-sandbox to Chrome in Lighthouse CI
CI / scan (pull_request) Failing after 6m4s
CI / commits (pull_request) Successful in 11m3s
CI / check (pull_request) Successful in 11m16s
CI / perf (pull_request) Successful in 10m49s
CI / a11y (pull_request) Successful in 10m4s

Chrome's user-namespace sandbox is unusable inside the act runner
container — the host kernel's AppArmor profile (Ubuntu 23.10+) blocks
unprivileged user namespaces, so Chrome aborts at the zygote stage
with `No usable sandbox`. Lighthouse never connects to the browser
and the perf gate fails.

`--no-sandbox` is the standard workaround documented by Lighthouse,
Puppeteer, and Playwright for containerised CI. The residual risk is
acceptable: the browser only loads our own freshly built bundle from
http://localhost:4200/ inside an ephemeral self-hosted runner — no
untrusted content reaches the renderer.
This commit is contained in:
Julien Gautier
2026-05-04 14:25:28 +02:00
parent e59d3a010b
commit 0ceb7fea68
+10
View File
@@ -23,6 +23,16 @@ module.exports = {
// Slow-4G profile so scores are stable across CI runners and
// comparable to industry public benchmarks.
preset: 'desktop',
// Chrome's user-namespace sandbox is disabled inside the act
// runner container (AppArmor restriction on the host kernel),
// so Chrome fails to launch with a "No usable sandbox" zygote
// error. `--no-sandbox` is the standard Lighthouse / Puppeteer
// / Playwright workaround for containerised CI: the residual
// risk is acceptable because Chrome only loads our own freshly
// built bundle from http://localhost:4200/ inside an ephemeral
// self-hosted runner container — no untrusted content reaches
// the browser process.
chromeFlags: '--no-sandbox',
},
},
assert: {