
feat: sandbox-runtime integration with e2e Helm tests #16

Open
moshloop wants to merge 3 commits into main from feat/sandbox-e2e-tests


@moshloop
Member

Summary

  • Add bubblewrap-based sandbox support via @anthropic-ai/sandbox-runtime for secure template execution
  • Configurable via --sandbox CLI flag and Helm chart values (sandbox.enabled, sandbox.settingsPath)
  • Add ConfigMap for srt-settings with network/filesystem isolation config
  • Add Ginkgo/Gomega e2e tests using commons-test/helm that build Docker image, install chart on Kind, and verify deployment
  • Update CI workflow to run Go e2e tests instead of manual curl scripts

Test plan

  • All 5 e2e tests pass locally (chart install, ConfigMap, healthz, render, sandbox disable/enable)
  • CI builds Docker image and runs tests on Kind cluster
  • Helm lint passes

Add bubblewrap-based sandbox support via @anthropic-ai/sandbox-runtime
for secure template execution. Configurable via --sandbox flag and
Helm chart values (sandbox.enabled, sandbox.settingsPath).
Go-based e2e tests using commons-test/helm that build the Docker image,
install the chart on Kind, and verify healthz, ConfigMap, render endpoint,
and sandbox disable/enable. Updates CI workflow to run Go e2e tests.

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 7 hours ago

In general, the problem is fixed by adding an explicit permissions block that scopes the GITHUB_TOKEN to the minimum required access. For this workflow, both jobs only need to read repository contents to check out the code; all other operations (Docker build, Kind cluster setup, Go tests, kubectl calls) happen locally or against the ephemeral cluster and do not require repository write permissions.

The best fix, without changing existing functionality, is to define a root-level permissions block alongside name and on, so it applies to both lint and e2e jobs. Setting it to contents: read is sufficient, as none of the steps need to write to the repo or other GitHub resources. Concretely, in .github/workflows/helm-test.yml, insert:

permissions:
  contents: read

between the name: line and the on: block (or just above jobs:; root-level is conventional and clear). No additional imports, actions, or other definitions are required.

Suggested changeset 1
.github/workflows/helm-test.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
--- a/.github/workflows/helm-test.yml
+++ b/.github/workflows/helm-test.yml
@@ -1,5 +1,8 @@
 name: Helm Chart Test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
EOF
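Review bot: The root-level permissions block added between name: and on: carries no comment explaining why the token is limited to contents: read, and a workflow-level block sets every scope it does not list to none for every job in the file. Add a one-line comment above it stating what the jobs need the token for, and note that a job needing a wider scope later should declare its own job-level permissions block rather than widening this default.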
Copilot is powered by AI and may make mistakes. Always verify output.
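
A simplified, stdlib-only approximation of the check behind the CodeQL alert above, added here as an example (not code from the pull request, CodeQL or Copilot): it lists the jobs of a workflow that would run with the repository's default GITHUB_TOKEN scope because neither the workflow nor the job declares permissions. The sample workflow is constructed, the function name jobs_without_permissions is an assumption, and only block-style YAML with space indentation is handled.

```python
import re

# Constructed sample workflow (not the project's real file): no root-level
# permissions block, and only the e2e job scopes the token itself.
SAMPLE = """\
name: Helm Chart Test
on:
  push:
    branches: [main]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  e2e:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
"""

# Block-style mapping key; flow maps and anchors are out of scope (assumption).
KEY = re.compile(r"^( *)([A-Za-z_][A-Za-z0-9_-]*):")

def jobs_without_permissions(text):
    """List jobs that inherit the repository default GITHUB_TOKEN scope."""
    root_scoped = in_jobs = False
    job_indent = child_indent = current = None
    scoped = {}  # job id -> True once the job declares its own permissions
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # list items, comments, blank lines
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:  # top-level key: name, on, permissions, jobs, ...
            in_jobs = key == "jobs"
            root_scoped = root_scoped or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent  # indentation of the first job id
            if indent == job_indent:
                current, child_indent = key, None
                scoped[key] = False
            elif current is not None:
                if child_indent is None:
                    child_indent = indent  # indentation of the job's own keys
                if indent == child_indent and key == "permissions":
                    scoped[current] = True
    return [] if root_scoped else [j for j, ok in scoped.items() if not ok]
```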