Skip to content

Fix Chrome sandbox failures in CI by updating test configuration and workflow #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jonrohan merged 4 commits into from
Dec 2, 2025
Merged

Fix Chrome sandbox failures in CI by updating test configuration and workflow #48

jonrohan merged 4 commits into from
Dec 2, 2025

Conversation

Copy link
Contributor

Copilot AI commented Nov 25, 2025
edited
Loading

The Node.js CI workflow was failing due to Chrome sandbox initialization errors on Ubuntu 23.10+ runners, where unprivileged user namespaces are disabled by default.

Changes

karma.config.js

  • Added custom Chrome launcher with sandbox-disabling flags (--no-sandbox, --disable-gpu, --disable-dev-shm-usage)
  • Improved chromium binary detection to handle missing npm package paths gracefully

.github/workflows/nodejs.yml

  • Enabled unprivileged user namespaces via sysctl before test execution
  • Updated actions to v4 and Node.js to 20.x (LTS)
// karma.config.js
customLaunchers: {
  ChromeHeadlessCI: {
    base: 'ChromeHeadless',
    flags: ['--no-sandbox', '--disable-gpu', '--disable-dev-shm-usage']
  }
}

Security Note: The --no-sandbox flag and sysctl change are standard practice for Chrome in containerized CI environments. See actions/runner-images#9621.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • accounts.google.com
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3970 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-89943923 --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,15167316132418396870,14596457868925568561,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /usr/bin/chromium-browser /usr/bin/chromium-browser --user-data-dir=/tmp/karma-89943923 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --disable-gpu --disable-dev-shm-usage http://localhost:9876/?id=89943923 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 (dns block)
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4216 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-21567554 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,1911390630848799663,14155344660997571127,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
  • clients2.google.com
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3970 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-89943923 --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,15167316132418396870,14596457868925568561,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /usr/bin/chromium-browser /usr/bin/chromium-browser --user-data-dir=/tmp/karma-89943923 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --disable-gpu --disable-dev-shm-usage http://localhost:9876/?id=89943923 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 (dns block)
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4216 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-21567554 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,1911390630848799663,14155344660997571127,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
  • clientservices.googleapis.com
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4216 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-21567554 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,1911390630848799663,14155344660997571127,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-21567554 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --disable-gpu --disable-dev-shm-usage http://localhost:9876/?id=21567554 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 (dns block)
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4521 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-17498028 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,909143507436331077,17578682525767971269,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
  • https://api.github.com//advisories
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)
  • redirector.gvt1.com
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3970 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-89943923 --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,15167316132418396870,14596457868925568561,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /usr/bin/chromium-browser /usr/bin/chromium-browser --user-data-dir=/tmp/karma-89943923 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --disable-gpu --disable-dev-shm-usage http://localhost:9876/?id=89943923 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 (dns block)
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4216 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-21567554 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,1911390630848799663,14155344660997571127,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
  • safebrowsingohttpgateway.googleapis.com
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4216 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-21567554 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,1911390630848799663,14155344660997571127,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-21567554 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --disable-gpu --disable-dev-shm-usage http://localhost:9876/?id=21567554 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 (dns block)
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4521 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-17498028 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,909143507436331077,17578682525767971269,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
  • www.google.com
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3970 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-89943923 --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --field-trial-handle=3,i,15167316132418396870,14596457868925568561,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /usr/bin/chromium-browser /usr/bin/chromium-browser --user-data-dir=/tmp/karma-89943923 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --disable-gpu --disable-dev-shm-usage http://localhost:9876/?id=89943923 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 (dns block)
    • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=4216 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-21567554 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,1911390630848799663,14155344660997571127,262144 --disable-features=PaintHolding --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
  • www.googleapis.com
    • Triggering command: /usr/local/bin/node node install.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

The Node.js CI / build workflow on this repository is failing can you investigate?

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 3 commits November 25, 2025 21:52
@jonrohan
Initial investigation of Node.js CI failure
1b12ff3 
Co-authored-by: jonrohan <54012+jonrohan@users.noreply.github.com>
@jonrohan
Fix Chrome sandbox issues in CI and update workflow
46f6bc7 
Co-authored-by: jonrohan <54012+jonrohan@users.noreply.github.com>
@jonrohan
Add documentation for sysctl security requirement
6ab549e 
Co-authored-by: jonrohan <54012+jonrohan@users.noreply.github.com>
Copilot AI changed the title [WIP] Investigate failing Node.js CI/build workflow Fix Chrome sandbox failures in CI by updating test configuration and workflow Nov 25, 2025
Copilot AI requested a review from jonrohan November 25, 2025 22:03
@jonrohan jonrohan marked this pull request as ready for review December 2, 2025 20:59
@jonrohan jonrohan requested a review from a team as a code owner December 2, 2025 20:59
Copilot AI review requested due to automatic review settings December 2, 2025 20:59
@jonrohan jonrohan enabled auto-merge December 2, 2025 21:00
Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses Chrome sandbox initialization failures in CI environments running on Ubuntu 23.10+ runners by implementing a dual-approach fix: enabling unprivileged user namespaces at the system level and configuring Chrome to run with sandbox-disabling flags.

Key Changes:

  • Added custom Chrome launcher configuration with CI-specific flags (--no-sandbox, --disable-gpu, --disable-dev-shm-usage)
  • Updated GitHub Actions workflow to enable user namespaces and upgrade to latest action versions
  • Improved Chrome binary detection with graceful fallback handling

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File Description
karma.config.js Adds custom ChromeHeadlessCI launcher with sandbox-disabling flags and improves Chrome binary path detection with try-catch error handling
.github/workflows/nodejs.yml Updates actions to v4, Node.js to 20.x LTS, and adds sysctl command to enable unprivileged user namespaces for Chrome sandbox support

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/nodejs.yml
Comment on lines +15 to +16
- name: Enable user namespaces
run: sudo sysctl -w kernel.unprivileged_userns_clone=1
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach is contradictory: the workflow enables user namespaces to support Chrome's sandbox (line 16), but the Karma config disables the sandbox entirely with --no-sandbox (line 30).

If user namespaces are enabled, the sandbox should work without needing --no-sandbox. Consider either:

  1. Remove the --no-sandbox flag and rely only on the sysctl setting
  2. Remove the sysctl step and rely only on --no-sandbox

The current implementation works but maintains both workarounds unnecessarily, which could be confusing for future maintainers.

Copilot uses AI. Check for mistakes.
francinelucca
francinelucca approved these changes Dec 2, 2025
View reviewed changes
.github/workflows/nodejs.yml
node-version: '20.x'
# Enable unprivileged user namespaces for Chrome sandbox
# This is required because Ubuntu 23.10+ disables them by default
# See: https://github.com/actions/runner-images/issues/9621
Copy link
Contributor

@francinelucca francinelucca Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

confused about this issue link here

@jonrohan jonrohan merged commit c490695 into main Dec 2, 2025
12 checks passed
@jonrohan jonrohan deleted the copilot/investigate-ci-build-failure branch December 2, 2025 21:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@francinelucca francinelucca francinelucca approved these changes

@jonrohan jonrohan Awaiting requested review from jonrohan

Assignees

@jonrohan jonrohan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@francinelucca @jonrohan