From a22586829a02c735945a6e19922f19d4fcdbcee0 Mon Sep 17 00:00:00 2001 From: Q Workflow Date: Mon, 23 Feb 2026 01:14:45 +0000 Subject: [PATCH 1/2] fix: disable Chromium sandbox in Playwright MCP to allow localhost access When Playwright runs in a Docker container with --network host, Chromium's process sandbox still creates isolated network namespaces for renderer processes. This prevents connecting to localhost services (like the docs preview server on port 4321). Add --browser-arg --no-sandbox to the default Playwright MCP entrypointArgs. This disables Chromium's process sandbox, allowing renderer processes to reach localhost. The Docker container itself provides sufficient isolation (seccomp=unconfined, ipc=host, network=host). Fixes: screenshots failing with 'ERR_CONNECTION_REFUSED' to localhost in workflows like unbloat-docs that serve a local docs server. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pkg/workflow/mcp_config_playwright_renderer.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkg/workflow/mcp_config_playwright_renderer.go b/pkg/workflow/mcp_config_playwright_renderer.go
index 294fdbb245a..9c26ed758be 100644
--- a/pkg/workflow/mcp_config_playwright_renderer.go
+++ b/pkg/workflow/mcp_config_playwright_renderer.go
@@ -128,7 +128,10 @@ func renderPlaywrightMCPConfigWithOptions(yaml *strings.Builder, playwrightConfi
 }
 // Build entrypoint args for Playwright MCP server (goes after container image)
- entrypointArgs := []string{"--output-dir", "/tmp/gh-aw/mcp-logs/playwright"}
+ // --browser-arg --no-sandbox: Disables Chromium's process sandbox, which otherwise
+ // creates a network namespace for renderer processes that cannot reach localhost.
+ // This is required for screenshot workflows that serve docs on localhost.
+ entrypointArgs := []string{"--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--browser-arg", "--no-sandbox"}
 // Append custom args if present
 if len(customArgs) > 0 {
 entrypointArgs = append(entrypointArgs, customArgs...)
From 183be8d2213351800170b78dfa7c50bc60b2cc17 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Sun, 22 Feb 2026 18:50:28 -0800 Subject: [PATCH 2/2] chore: recompile workflow lock files (#17813)
---
 .github/workflows/blog-auditor.lock.yml | 4 +++- .github/workflows/cloclo.lock.yml | 4 +++- .github/workflows/daily-multi-device-docs-tester.lock.yml | 4 +++- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/slide-deck-maintainer.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 4 +++- .github/workflows/smoke-codex.lock.yml | 4 +++- .github/workflows/smoke-copilot-arm.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 ++ .github/workflows/weekly-editors-health-check.lock.yml | 2 +- 11 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index 0f2dbbede30..8ad318cf177 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
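Review bot: The new default `entrypointArgs` in renderPlaywrightMCPConfigWithOptions (pkg/workflow/mcp_config_playwright_renderer.go) disables Chromium's sandbox for every workflow that uses the Playwright MCP server, not only those that screenshot a localhost docs server; `customArgs` is appended afterwards, so as far as this hunk shows a workflow can add arguments but cannot remove the flag. The regenerated lock files show the same container started with `--network host`, `--security-opt seccomp=unconfined` and `--ipc=host`, so the container contributes little isolation of its own once the renderer sandbox is gone, and browser content the agent loads is then handled by unsandboxed processes sharing the runner's network namespace. I would gate the flag on an explicit opt-in, e.g. `if allowNoSandbox { entrypointArgs = append(entrypointArgs, "--browser-arg", "--no-sandbox") }` (`allowNoSandbox` is a placeholder name; no such option is visible here), and extend the comment with `// SECURITY: removes renderer isolation while the container runs with host network and seccomp=unconfined; enable only for trusted local targets.` The function body starts and ends outside the hunk.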
@@ -637,7 +637,9 @@ jobs: ], "entrypointArgs": [ "--output-dir", - "/tmp/gh-aw/mcp-logs/playwright" + "/tmp/gh-aw/mcp-logs/playwright", + "--browser-arg", + "--no-sandbox" ], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index ccddf2a2512..9ec4e511b51 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -875,7 +875,9 @@ jobs: ], "entrypointArgs": [ "--output-dir", - "/tmp/gh-aw/mcp-logs/playwright" + "/tmp/gh-aw/mcp-logs/playwright", + "--browser-arg", + "--no-sandbox" ], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index e26509a833f..609e470da0f 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -701,7 +701,9 @@ jobs: ], "entrypointArgs": [ "--output-dir", - "/tmp/gh-aw/mcp-logs/playwright" + "/tmp/gh-aw/mcp-logs/playwright", + "--browser-arg", + "--no-sandbox" ], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index f4f1bcd8e38..5c309c33dec 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -653,7 +653,7 @@ jobs: "type": "stdio", "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], - "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright"], + "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--browser-arg", "--no-sandbox"], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, "safeoutputs": { 
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 721d318b4dc..8dff7e98a09 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -685,7 +685,7 @@ jobs: "type": "stdio", "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], - "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright"], + "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--browser-arg", "--no-sandbox"], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, "safeoutputs": { diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 95c1a9e3c01..4380adf818e 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -2099,7 +2099,9 @@ jobs: ], "entrypointArgs": [ "--output-dir", - "/tmp/gh-aw/mcp-logs/playwright" + "/tmp/gh-aw/mcp-logs/playwright", + "--browser-arg", + "--no-sandbox" ], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 88d322a1ef7..4f77b05a37c 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1118,7 +1118,9 @@ jobs: ], "entrypointArgs": [ "--output-dir", - "/tmp/gh-aw/mcp-logs/playwright" + "/tmp/gh-aw/mcp-logs/playwright", + "--browser-arg", + "--no-sandbox" ], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index 5ac4e2faddf..9f2409b8aa2 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
@@ -1620,7 +1620,7 @@ jobs: "type": "stdio", "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], - "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright"], + "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--browser-arg", "--no-sandbox"], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, "safeinputs": { diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index f65d4b342d2..66b47f26213 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1622,7 +1622,7 @@ jobs: "type": "stdio", "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], - "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright"], + "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--browser-arg", "--no-sandbox"], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, "safeinputs": { diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index a86eb254342..35071046b0d 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -792,6 +792,8 @@ jobs: "entrypointArgs": [ "--output-dir", "/tmp/gh-aw/mcp-logs/playwright", + "--browser-arg", + "--no-sandbox", "--viewport-size", "1920x1080" ], diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index 4ae90d21099..12cc2b35198 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml 
@@ -669,7 +669,7 @@ jobs: "type": "stdio", "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], - "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright"], + "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--browser-arg", "--no-sandbox"], "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] }, "safeoutputs": {