From 3feb67163498675e5c44ef56a543211fd9bcea28 Mon Sep 17 00:00:00 2001
From: TsunamiNoAi <spam@falseblue.com>
Date: Sat, 6 Jun 2026 15:13:34 -0400
Subject: [PATCH] fix: add apparmor userns sysctl to release build job for
 aarch64

bwrap fails with 'setting up uid map: Permission denied' on
ubuntu-24.04-arm because AppArmor restricts unprivileged user
namespaces by default. CI already has this sysctl; release didn't.
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c026948..cdc917e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,6 +36,9 @@ jobs:
           extra-conf: |
             sandbox = false
 
+      - name: Configure permissions
+        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+
       - name: Setup Nix cache
         uses: DeterminateSystems/flakehub-cache-action@v3
         with: