From 5c17fcdf90fdff4f621dbeca78f0633a07ecbbf9 Mon Sep 17 00:00:00 2001
From: didericis
Date: Tue, 26 May 2026 23:03:57 -0400
Subject: [PATCH] test(integration): skip sandbox-escape suite under act_runner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Gitea CI runner shares the host docker socket but not its filesystem, so pipelock_tls_init's host bind-mount path for CA files is invisible to the runner container — the same constraint that already gates the other bottle-bringup integration tests. PRD 0022's test suite was missing this guard; it failed on the post-merge main build with "pipelock tls init did not produce ca files". Mirror the existing skipIf pattern at the class level.
Co-Authored-By: Claude Opus 4.7
---
 tests/integration/test_sandbox_escape.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/tests/integration/test_sandbox_escape.py b/tests/integration/test_sandbox_escape.py
index 3bebc29..bd6c8ed 100644
--- a/tests/integration/test_sandbox_escape.py
+++ b/tests/integration/test_sandbox_escape.py
@@ -50,6 +50,13 @@ _FAKE_SECRETS = {
 @skip_unless_docker()
+@unittest.skipIf(
+ os.environ.get("GITEA_ACTIONS") == "true",
+ "skipped under act_runner: pipelock_tls_init uses a host bind mount "
+ "the runner container can't see, and the network topology hides "
+ "sibling-sidecar visibility — same constraint as the other "
+ "bottle-bringup integration tests",
+)
 class TestSandboxEscape(unittest.TestCase):
 """End-to-end attacks against a real bottle. The bottle stays up for the whole class — bringup is ~10-30s, so per-test
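Review bot: The class-level `@unittest.skipIf(os.environ.get("GITEA_ACTIONS") == "true", ...)` on `TestSandboxEscape` disables the entire sandbox-escape suite on the Gitea runner, so if that runner is the only CI for this repository (not visible from the patch), a containment regression would merge on a green build. I would record where the suite is still expected to run with a comment above the decorator, e.g. `# Security regression suite: not exercised under act_runner; run on a docker host that shares its filesystem before merging sandbox changes.` The skip reason also cites a network-topology limitation that the commit message does not mention; it is worth confirming both causes apply, since the skip hides every test in the class rather than only those that need the CA files. The hunk does not show the file's imports, so check that `os` is imported in `test_sandbox_escape.py`; the class body continues outside the hunk.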