Fix: pass --no-sandbox flags to Lighthouse Chrome launcher#109
Open
tsira wants to merge 3 commits into
Open
Conversation
The generated lighthouserc.yml already passes --no-sandbox and related flags via puppeteerLaunchOptions, but those only apply to the Puppeteer browser used for cookie setup. The Lighthouse audit runs a separate Chrome process via LH:ChromeLauncher, which does not inherit those flags. When running in Docker as root (the default on GitHub-hosted runners), Chrome 147+ exits immediately with: Running as root without --no-sandbox is not supported. Add a settings.chromeFlags field to the collect block so both Chrome processes receive the same flags.
settings maps to Lighthouse config options; chromeFlags is a top-level ci.collect option in LHCI that gets passed as --chrome-flags to the Chrome launcher. Placing it under settings silently has no effect. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chromeFlags in lighthouserc.yml is not picked up by chrome-launcher. Instead, create a wrapper at /usr/local/bin/chrome-no-sandbox that always prepends --no-sandbox, and point both PUPPETEER_EXECUTABLE_PATH and CHROME_PATH (used by chrome-launcher / lhci) at the wrapper. Also set collect.chromePath so lhci's own Chrome launch uses it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The generated `lighthouserc.yml` already passes `--no-sandbox` and related flags via `puppeteerLaunchOptions`, but those only apply to the Puppeteer browser used to set preview cookies. The actual Lighthouse audit runs a separate Chrome process via `LH:ChromeLauncher`, which does not inherit those flags.
When the action runs in a Docker container as root (the default on GitHub-hosted runners), Chrome 147+ exits immediately with:
```
LH:ChromeLauncher:error [167:167:...] Running as root without --no-sandbox is not supported.
See https://crbug.com/638180.
```
This causes `lhci collect` to fail with `Run #1...failed!` and `Error: Lighthouse failed with exit code 1`. The failure is environment-dependent — runners with a more permissive seccomp profile will pass, making the failure appear flaky.
Root cause
`chromeFlags` in `lighthouserc.yml` (whether under `collect` or `collect.settings`) is not reliably picked up by chrome-launcher. The reliable path is the `CHROME_PATH` environment variable, which chrome-launcher uses to locate and launch Chrome.
Fix
Create a wrapper script that unconditionally prepends `--no-sandbox` to every Chrome launch, then point both `PUPPETEER_EXECUTABLE_PATH` and `CHROME_PATH` at it:
```bash
cat > /usr/local/bin/chrome-no-sandbox <<'WRAPPER'
#!/bin/sh
exec /usr/bin/google-chrome-stable --no-sandbox --disable-setuid-sandbox --disable-dev-shm-usage --disable-gpu "$@"
WRAPPER
chmod +x /usr/local/bin/chrome-no-sandbox
export PUPPETEER_EXECUTABLE_PATH='/usr/local/bin/chrome-no-sandbox'
export CHROME_PATH='/usr/local/bin/chrome-no-sandbox'
```
Also set `collect.chromePath` in `lighthouserc.yml` as a belt-and-suspenders fallback for any LHCI code path that reads config instead of env.
This means every Chrome launch in the action — Puppeteer cookie setup and Lighthouse audits — goes through the same wrapper and always has `--no-sandbox`.
Testing
🤖 Generated with Claude Code