Merge pull request #22458 from Homebrew/github-actions-install-bubblewrap

Install Bubblewrap on hosted Ubuntu

Author: MikeMcQuaid

Library/Homebrew/extend/os/linux/sandbox.rb

@@ -3,6 +3,7 @@
 
 require "fileutils"
 require "env_config"
+require "utils/github/actions"
 
 module OS
   module Linux
@@ -196,9 +197,21 @@ def configuration_command_messages
 
         sig { void }
         def configure!
-          unless bubblewrap_executable
-            ensure_sandbox_installed!(install_from_tests: true)
-            unless bubblewrap_executable
+          unless (bubblewrap = bubblewrap_executable)
+            if GitHub::Actions.env_set? &&
+               ENV["RUNNER_ENVIRONMENT"] == "github-hosted" &&
+               ENV.fetch("ImageOS", "").start_with?("ubuntu")
+              ohai "Installing Bubblewrap..."
+              system "sudo", "apt-get", "install", "--yes", "bubblewrap"
+              reset_state!
+              bubblewrap = bubblewrap_executable
+            end
+
+            unless bubblewrap
+              ensure_sandbox_installed!(install_from_tests: true)
+              bubblewrap = bubblewrap_executable
+            end
+            unless bubblewrap
               reset_state!
               return
             end

Library/Homebrew/test/sandbox_linux_spec.rb

@@ -124,6 +124,10 @@ def executable_candidate_paths = test_executable_candidate_paths
   describe "::configuration_commands" do
     let(:sandbox_class) { Class.new(klass) }
 
+    around do |example|
+      with_env(GITHUB_ACTIONS: nil, ImageOS: nil, RUNNER_ENVIRONMENT: nil) { example.run }
+    end
+
     def expect_sandbox_configuration_command(sandbox_class, assignment, result:)
       command = ["sudo", "sysctl", "-w", assignment]
 
@@ -160,6 +164,26 @@ def expect_sandbox_configuration_command(sandbox_class, assignment, result:)
       sandbox_class.configure!
     end
 
+    it "installs Bubblewrap with apt-get on default GitHub Actions Ubuntu runners" do
+      expect(sandbox_class).to receive(:bubblewrap_executable)
+        .twice
+        .and_return(nil, Pathname("/usr/bin/bwrap"))
+      expect(sandbox_class).to receive(:ohai).with("Installing Bubblewrap...")
+      expect(sandbox_class).to receive(:system)
+        .with("sudo", "apt-get", "install", "--yes", "bubblewrap")
+        .and_return(true)
+      expect(sandbox_class).not_to receive(:ensure_sandbox_installed!)
+      expect(sandbox_class).to receive(:ohai).with("Configuring Bubblewrap...").ordered
+      expect_sandbox_configuration_command(sandbox_class, "kernel.unprivileged_userns_clone=1", result: true)
+      expect_sandbox_configuration_command(sandbox_class, "user.max_user_namespaces=28633", result: true)
+      expect_sandbox_configuration_command(sandbox_class, "kernel.apparmor_restrict_unprivileged_userns=0",
+                                           result: false)
+
+      with_env(GITHUB_ACTIONS: "true", ImageOS: "ubuntu24", RUNNER_ENVIRONMENT: "github-hosted") do
+        sandbox_class.configure!
+      end
+    end
+
     it "installs Bubblewrap and configures Linux sandbox sysctls" do
       expect(sandbox_class).to receive(:bubblewrap_executable)
         .twice