ci: isolate unit tests from network

screendriver · screendriver · commit 86c45da42eb6 · 2026-04-24T17:05:12.000+02:00
Ensure no unit test can make network requests in continuous integration
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -69,7 +69,7 @@ jobs:
         run: yarn nx run-many -t lint --all
 
       - name: Test
-        run: yarn nx run-many -t test --all --configuration=ci --detectOpenHandles=false
+        run: ./bin/run-with-network-isolation.sh yarn nx run-many -t test --all --configuration=ci --detectOpenHandles=false
 
       - name: Upload webapp coverage to Codecov
         uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
diff --git a/bin/run-with-network-isolation.sh b/bin/run-with-network-isolation.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ $# -eq 0 ]]; then
+  echo "Usage: $0 <command> [arguments...]" >&2
+  exit 1
+fi
+
+if [[ "$(uname -s)" != "Linux" ]]; then
+  exec "$@"
+fi
+
+if ! command -v unshare >/dev/null 2>&1; then
+  echo "The 'unshare' command is required on Linux to isolate network access during tests." >&2
+  exit 1
+fi
+
+original_user="$(id -un)"
+original_home="${HOME}"
+original_path="${PATH}"
+
+if unshare --map-root-user -n true >/dev/null 2>&1; then
+  exec unshare --map-root-user -n "$@"
+fi
+
+if unshare -n true >/dev/null 2>&1; then
+  exec unshare -n "$@"
+fi
+
+if command -v sudo >/dev/null 2>&1; then
+  if sudo unshare -n true >/dev/null 2>&1; then
+    if command -v runuser >/dev/null 2>&1; then
+      exec sudo unshare -n runuser -u "${original_user}" -- env HOME="${original_home}" PATH="${original_path}" "$@"
+    fi
+
+    echo "The 'runuser' command is required for the privileged unshare fallback on this Linux runner." >&2
+    exit 1
+  fi
+fi
+
+echo "Unable to create a network-isolated namespace with unshare on this Linux runner." >&2
+exit 1
