Skip to content

Commit 009e6c4

Browse files
authored
fix: deflake zsh-fork approval test (#25669)
Fixes this flake: https://github.com/openai/codex/actions/runs/26773809591/job/78919970410?pr=25659 This test is about zsh-fork subcommand approval behavior, not workspace sandboxing, so it now runs with `DangerFullAccess` to avoid macOS sandbox setup failures before the second subcommand approval.
1 parent 53ac023 commit 009e6c4

1 file changed

Lines changed: 5 additions & 6 deletions

File tree

codex-rs/app-server/tests/suite/v2/turn_start_zsh_fork.rs

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -535,12 +535,11 @@ async fn turn_start_shell_zsh_fork_subcommand_decline_marks_parent_declined_v2()
535535
}],
536536
cwd: Some(workspace.clone()),
537537
approval_policy: Some(codex_app_server_protocol::AskForApproval::UnlessTrusted),
538-
sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::WorkspaceWrite {
539-
writable_roots: vec![workspace.clone().try_into()?],
540-
network_access: false,
541-
exclude_tmpdir_env_var: true,
542-
exclude_slash_tmp: true,
543-
}),
538+
// This test is about execve-intercept approval propagation, not
539+
// workspace sandboxing. Using full access avoids macOS sandbox
540+
// setup failures that can terminate the parent shell before the
541+
// second subcommand approval is observed.
542+
sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::DangerFullAccess),
544543
model: Some("mock-model".to_string()),
545544
effort: Some(codex_protocol::openai_models::ReasoningEffort::Medium),
546545
summary: Some(codex_protocol::config_types::ReasoningSummary::Auto),

0 commit comments

Comments
 (0)