From eb4e20c6c4ccb819f0b995ecfb3a0da2479574cd Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Mon, 23 Mar 2026 16:40:31 -0700
Subject: [PATCH] fix: Playwright browser access in CI Docker container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two issues preventing browse E2E from working in CI:
1. Playwright installed Chromium as root but container runs as runner — browser binaries were inaccessible. Fix: set PLAYWRIGHT_BROWSERS_PATH to /opt/playwright-browsers and chmod a+rX.
2. Browse binary needs ~/.gstack/ writable for server lock files. Fix: pre-create /home/runner/.gstack/ owned by runner.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/docker/Dockerfile.ci | 10 ++++++----
 .github/workflows/evals.yml | 1 +
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
index 9f499f68..b507200b 100644
--- a/.github/docker/Dockerfile.ci
+++ b/.github/docker/Dockerfile.ci
@@ -30,7 +30,6 @@ RUN curl -fsSL https://bun.sh/install | bash
 RUN npm i -g @anthropic-ai/claude-code
 
 # Playwright system deps (Chromium) — needed for browse E2E tests
-# Install deps first (large layer, changes rarely), then Playwright + browser
 RUN npx playwright install-deps chromium
 
 # Pre-install dependencies (cached layer — only rebuilds when package.json changes)
@@ -38,8 +37,10 @@ COPY package.json /workspace/
 WORKDIR /workspace
 RUN bun install && rm -rf /tmp/*
 
-# Install Playwright Chromium browser (uses deps installed above)
-RUN npx playwright install chromium
+# Install Playwright Chromium to a shared location accessible by all users
+ENV PLAYWRIGHT_BROWSERS_PATH=/opt/playwright-browsers
+RUN npx playwright install chromium \
+ && chmod -R a+rX /opt/playwright-browsers
 
 # Verify everything works
 RUN bun --version && node --version && claude --version && jq --version && gh --version \
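Review bot: In the `@@ -38,8 +37,10 @@` hunk the `chmod -R a+rX /opt/playwright-browsers` line repeats the literal from the `ENV PLAYWRIGHT_BROWSERS_PATH=...` line above it, and the `.github/workflows/evals.yml` hunk adds a third copy, so a later edit to one of them can leave the browsers in a directory that `runner` cannot read or that Playwright does not look in. Writing the second line as `&& chmod -R a+rX "$PLAYWRIGHT_BROWSERS_PATH"` ties the two Dockerfile uses together. The comment could also record that the tree is left root-owned and only made readable and traversable, for example `# root-owned; other users get read/execute only, so test code cannot modify the browser binaries`, assuming that is the intent. The `RUN bun --version …` step at the end of the hunk continues outside it.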
@@ -55,4 +56,5 @@ RUN mv /workspace/node_modules /opt/node_modules_cache \
 # Create a non-root user for eval runs (GH Actions overrides USER, so
 # the workflow must set options.user or use gosu/su-exec at runtime).
 RUN useradd -m -s /bin/bash runner \
- && chmod -R a+rX /opt/node_modules_cache
+ && chmod -R a+rX /opt/node_modules_cache \
+ && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack
diff --git a/.github/workflows/evals.yml b/.github/workflows/evals.yml
index a09834d1..61b8b5cf 100644
--- a/.github/workflows/evals.yml
+++ b/.github/workflows/evals.yml
@@ -116,6 +116,7 @@ jobs:
 OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
 EVALS_CONCURRENCY: "40"
+ PLAYWRIGHT_BROWSERS_PATH: /opt/playwright-browsers
 run: EVALS=1 bun test --retry 2 --concurrent --max-concurrency 40 ${{ matrix.suite.file }}
 
 - name: Upload eval results
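Review bot: In the `@@ -55,4 +56,5 @@` hunk of `.github/docker/Dockerfile.ci`, the pre-created `/home/runner/.gstack` only helps if `~` resolves to `/home/runner` at run time, and the comment just above already notes that GH Actions overrides `USER`; container jobs commonly have `HOME` replaced as well, in which case the lock files would be looked for in a different directory. Nothing visible in this patch pins `HOME`, so either set it next to `PLAYWRIGHT_BROWSERS_PATH` in the workflow step (`HOME: /home/runner`) or extend the comment to state the assumption. Separately, `install -d -o runner -g runner -m 0700 /home/runner/.gstack` would create the directory with an explicit owner and mode in one command instead of relying on the build umask, provided nothing other than `runner` needs to read it.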