fix: ensure writable temp dirs in CI container

Bun fails with "unable to write files to tempdir: AccessDenied" when
the container user doesn't own /tmp. This cascades to Playwright
(can't launch Chromium) and browse (server won't start).

Fix: create writable temp dirs at job start. If /tmp isn't writable,
fall back to $HOME/tmp via TMPDIR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/docker/Dockerfile.ci

@@ -57,4 +57,5 @@ RUN mv /workspace/node_modules /opt/node_modules_cache \
 # the workflow must set options.user or use gosu/su-exec at runtime).
 RUN useradd -m -s /bin/bash runner \
     && chmod -R a+rX /opt/node_modules_cache \
-    && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack
+    && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack \
+    && mkdir -p /tmp/bun-cache && chmod 1777 /tmp/bun-cache

.github/workflows/evals.yml

@@ -98,6 +98,20 @@ jobs:
         with:
           fetch-depth: 0
 
+      # Ensure temp directories are writable (GH Actions container user may not own /tmp)
+      - name: Fix temp dirs
+        run: |
+          mkdir -p /tmp/bun-cache /tmp/playwright-tmp
+          chmod 1777 /tmp/bun-cache /tmp/playwright-tmp 2>/dev/null || true
+          # If /tmp isn't writable, use home dir
+          if ! touch /tmp/.write-test 2>/dev/null; then
+            export TMPDIR="$HOME/tmp"
+            mkdir -p "$TMPDIR"
+            echo "TMPDIR=$TMPDIR" >> "$GITHUB_ENV"
+          else
+            rm -f /tmp/.write-test
+          fi
+
       # Restore pre-installed node_modules from Docker image via symlink (~0s vs ~15s install)
       # If package.json changed since image was built, fall back to fresh install
       - name: Restore deps