From 7d29420df3cb5ef2e94f3e289a6b5073e6e0542e Mon Sep 17 00:00:00 2001
From: Carlos Villela
Date: Sat, 23 May 2026 15:19:14 -0700
Subject: [PATCH 1/2] test(ci): stabilize WSL platform vitest fixtures

Signed-off-by: Carlos Villela
---
 src/lib/sandbox-base-image.test.ts | 14 ++++++++++++--
 test/onboard-selection.test.ts | 1 +
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/lib/sandbox-base-image.test.ts b/src/lib/sandbox-base-image.test.ts
index d8e35e30ca..b5532b388f 100644
--- a/src/lib/sandbox-base-image.test.ts
+++ b/src/lib/sandbox-base-image.test.ts
@@ -5,7 +5,7 @@ import { spawnSync } from "node:child_process";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { afterEach, describe, expect, it } from "vitest";
+import { afterAll, afterEach, describe, expect, it } from "vitest";
 import {
 baseImageInputsChangedSinceMain,
@@ -17,9 +17,15 @@ import {
 } from "../../dist/lib/sandbox-base-image";
 const tmpRoots: string[] = [];
+const emptyGitConfig = path.join(
+ os.tmpdir(),
+ `nemoclaw-empty-gitconfig-${process.pid}-${Date.now()}`,
+);
+fs.writeFileSync(emptyGitConfig, "");
+
 const gitEnv = {
 ...process.env,
- GIT_CONFIG_GLOBAL: "/dev/null",
+ GIT_CONFIG_GLOBAL: emptyGitConfig,
 GIT_CONFIG_NOSYSTEM: "1",
 GIT_TERMINAL_PROMPT: "0",
 GIT_AUTHOR_NAME: "Test User",
@@ -81,6 +87,10 @@ afterEach(() => {
 }
 });
+afterAll(() => {
+ fs.rmSync(emptyGitConfig, { force: true });
+});
+
 describe("sandbox base image helpers", () => {
 it("parses glibc versions from ldd output", () => {
 expect(parseGlibcVersion("ldd (Debian GLIBC 2.41-12+deb13u2) 2.41")).toBe("2.41");
diff --git a/test/onboard-selection.test.ts b/test/onboard-selection.test.ts
index a58dce1e25..4c28bf2052 100644
--- a/test/onboard-selection.test.ts
+++ b/test/onboard-selection.test.ts
@@ -5801,6 +5801,7 @@ runner.runShell = (command, opts = {}) => {
 registry.updateSandbox = (_name, update) => updates.push(update);
 Object.defineProperty(process, "platform", { value: "linux" });
+Object.defineProperty(process, "getuid", { value: () => 1000 });
 platform.isWsl = () => false;
 const { setupNim } = require(${onboardPath});
From 7aa1ee26d9fda1eaa92cb16951026fba563e0d95 Mon Sep 17 00:00:00 2001
From: Carlos Villela
Date: Sat, 23 May 2026 16:12:26 -0700
Subject: [PATCH 2/2] Potential fix for pull request finding 'CodeQL / Insecure temporary file'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/lib/sandbox-base-image.test.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/sandbox-base-image.test.ts b/src/lib/sandbox-base-image.test.ts
index b5532b388f..2cfb22c296 100644
--- a/src/lib/sandbox-base-image.test.ts
+++ b/src/lib/sandbox-base-image.test.ts
@@ -17,11 +17,11 @@ import {
 } from "../../dist/lib/sandbox-base-image";
 const tmpRoots: string[] = [];
-const emptyGitConfig = path.join(
- os.tmpdir(),
- `nemoclaw-empty-gitconfig-${process.pid}-${Date.now()}`,
-);
-fs.writeFileSync(emptyGitConfig, "");
+const emptyGitConfigDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-empty-gitconfig-"));
+tmpRoots.push(emptyGitConfigDir);
+const emptyGitConfig = path.join(emptyGitConfigDir, "gitconfig");
+const emptyGitConfigFd = fs.openSync(emptyGitConfig, "wx", 0o600);
+fs.closeSync(emptyGitConfigFd);
 const gitEnv = {
 ...process.env,
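Review bot: The added `Object.defineProperty(process, "getuid", { value: () => 1000 })` line in the `@@ -5801,6 +5801,7 @@` hunk of test/onboard-selection.test.ts pins a non-root uid without saying which privilege check it is meant to satisfy, so a reader cannot tell whether root-specific behaviour is now deliberately left untested. A one-line comment above it would be enough, for example `// Pin a non-root uid so the result does not depend on the account the CI runner uses`. If the code under test also consults `process.geteuid`, that remains unstubbed; whether it does is not visible here, and the surrounding generated script starts and ends outside the hunk.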
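Review bot: In the `@@ -17,11 +17,11 @@` hunk of PATCH 2/2, `tmpRoots.push(emptyGitConfigDir)` registers a directory created once at module load with the list that the `afterEach` hook appears to clean up (its body is outside these hunks), so after the first test the path held in `GIT_CONFIG_GLOBAL` may no longer exist. Later tests would then run git against a missing global-config path rather than the empty file this fixture is meant to provide, and the `afterAll` added in PATCH 1/2 still removes only the file, not the directory. Keep the directory out of `tmpRoots` and remove it once at the end, for example by changing the existing hook body to `fs.rmSync(emptyGitConfigDir, { recursive: true, force: true });`. The `gitEnv` literal that consumes the path continues past the end of the hunk.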