test(integration): skip sandbox-escape suite under act_runner #52

Merged
didericis merged 1 commit from fix-sandbox-escape-ci-skip into main 2026-05-26 23:06:48 -04:00
Owner

Summary

PRD 0022's sandbox-escape suite needs a `skipIf(GITEA_ACTIONS == "true")` guard at the class level — the same one every other bottle-bringup integration test already carries. Under act_runner the runner container shares the host docker socket but not the host filesystem, so `pipelock_tls_init`'s CA-file bind mount lands somewhere the runner can't see, and the suite fails with `pipelock tls init did not produce ca files in …/pipelock-ca`.

The CI failure on the post-merge `main` build (run #445, integration job) is exactly this. Adding the skip mirrors the constraint already enforced by `test_pipelock_apply.py`, `test_pipelock_blocks_secret_post.py`, et al.

Locally:

```
GITEA_ACTIONS=true python3 -m unittest tests.integration.test_sandbox_escape -v
Ran 5 tests in 0.000s
OK (skipped=5)
```
didericis added 1 commit 2026-05-26 23:04:07 -04:00
test(integration): skip sandbox-escape suite under act_runner
test / unit (pull_request) Successful in 18s
test / integration (pull_request) Successful in 1m10s
5c17fcdf90
The Gitea CI runner shares the host docker socket but not its
filesystem, so pipelock_tls_init's host bind-mount path for CA
files is invisible to the runner container — the same constraint
that already gates the other bottle-bringup integration tests.

PRD 0022's test suite was missing this guard; it failed on the
post-merge main build with "pipelock tls init did not produce ca
files". Mirror the existing skipIf pattern at the class level.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
didericis merged commit e8a14fd860 into main 2026-05-26 23:06:48 -04:00
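The class-level guard described in this PR, as an added example that is not code from this repository: it shows that a skipped class never reaches `setUpClass`, and that `skipIf` reads the environment when the class is defined rather than when a test starts. `SandboxEscapeSuite`, `build_suite_class`, `run_with_env`, the test method names and the empty-directory check are hypothetical stand-ins for the real bring-up.

```python
import io
import os
import tempfile
import unittest
from pathlib import Path
from unittest import mock


def under_act_runner():
    # Same condition the PR describes: GITEA_ACTIONS == "true".
    return os.environ.get("GITEA_ACTIONS") == "true"


def build_suite_class(ca_dir):
    # skipIf evaluates its condition when the decorator runs (class
    # definition / import time), so the class is built after the env is set.
    @unittest.skipIf(under_act_runner(), "host bind mounts not visible under act_runner")
    class SandboxEscapeSuite(unittest.TestCase):  # hypothetical stand-in
        @classmethod
        def setUpClass(cls):
            # Stand-in for bring-up that expects CA files on a host path.
            if not any(ca_dir.iterdir()):
                raise RuntimeError(f"no ca files in {ca_dir}")

        def test_egress_blocked(self):
            self.assertTrue(True)

        def test_secret_post_blocked(self):
            self.assertTrue(True)

    return SandboxEscapeSuite


def run_with_env(gitea_actions):
    """Run the suite against an empty CA dir; return (ran, skipped, errors)."""
    with tempfile.TemporaryDirectory() as tmp, mock.patch.dict(os.environ):
        if gitea_actions is None:
            os.environ.pop("GITEA_ACTIONS", None)
        else:
            os.environ["GITEA_ACTIONS"] = gitea_actions
        cls = build_suite_class(Path(tmp))  # constructed, always-empty CA dir
        suite = unittest.defaultTestLoader.loadTestsFromTestCase(cls)
        result = unittest.TextTestRunner(stream=io.StringIO()).run(suite)
    return result.testsRun, len(result.skipped), len(result.errors)


if __name__ == "__main__":
    print("GITEA_ACTIONS=true :", run_with_env("true"))
    print("GITEA_ACTIONS unset:", run_with_env(None))
```

With the guard active every test is counted as run and skipped, matching the `OK (skipped=5)` shape above; without it the missing CA files surface as a single class-level error and no test body executes.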