From 3feb67163498675e5c44ef56a543211fd9bcea28 Mon Sep 17 00:00:00 2001
From: TsunamiNoAi
Date: Sat, 6 Jun 2026 15:13:34 -0400
Subject: [PATCH 1/2] fix: add apparmor userns sysctl to release build job for aarch64
bwrap fails with 'setting up uid map: Permission denied' on ubuntu-24.04-arm because AppArmor restricts unprivileged user namespaces by default. CI already has this sysctl; release didn't.
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c026948..cdc917e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,6 +36,9 @@ jobs:
 extra-conf: |
 sandbox = false
+ - name: Configure permissions
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+
 - name: Setup Nix cache
 uses: DeterminateSystems/flakehub-cache-action@v3
 with:
From a854fb3809c94eb6c635534b3234a212797e1b62 Mon Sep 17 00:00:00 2001
From: TsunamiNoAi
Date: Sat, 6 Jun 2026 17:17:21 -0400
Subject: [PATCH 2/2] fix: add apparmor userns sysctl to wasm and bench-regression CI jobs
wasm and bench-regression had sandbox=false but not the sysctl, so bwrap fails when zig2nix must be built from source (e.g. on GHA cache throttle). Matches the fix already in the build job.
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d922ea7..8d1466e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -78,6 +78,8 @@ jobs:
 with:
 extra-conf: |
 sandbox = false
+ - name: Configure permissions
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
 - name: Setup Nix cache
 uses: DeterminateSystems/flakehub-cache-action@v3
 with:
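Review bot: The `|| true` on the added `run:` line swallows a failed sysctl silently, so when the key is missing or sudo is unavailable the job still dies later inside bwrap with the same 'uid map: Permission denied' this commit is meant to fix, only now harder to attribute; the identical line is added in both ci.yml hunks of the second patch (the jobs at old lines 78 and 103), so this applies there too. Keeping the best-effort behaviour but leaving a trace in the log would be `run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || echo "::warning::could not relax apparmor userns restriction; bwrap may fail"`. Because the setting relaxes a system-wide kernel restriction for every later step of the job, the reason belongs in the workflow and not only in the commit message, e.g. `# bwrap needs unprivileged user namespaces; AppArmor on ubuntu-24.04 blocks them by default` above `- name: Configure permissions`, and the step name should say what it does, such as `Allow unprivileged user namespaces for bwrap`. The enclosing job definitions begin outside every hunk.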
@@ -103,6 +105,8 @@ jobs:
 with:
 extra-conf: |
 sandbox = false
+ - name: Configure permissions
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
 - name: Setup Nix cache
 uses: DeterminateSystems/flakehub-cache-action@v3
 with: