From 0a5e5d0b39eaf48262cba19cd3ee1e2b0f36f6da Mon Sep 17 00:00:00 2001
From: josh <josh@thewrightserver.net>
Date: Sat, 18 Apr 2026 13:53:09 -0400
Subject: [PATCH] ci: add bubblewrap dep and bump mkosi to v25.3

v24.3 crashed in cp_version() during the copy-package-manager-trees
step because its sandbox needs bubblewrap (not present in the runner
apt list), and cp --version returned empty output inside the broken
sandbox. Installing bubblewrap and bumping to v25.3 which has tighter
sandbox fallback behavior.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/e2e.yml     | 4 ++--
 .gitea/workflows/release.yml | 7 ++++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/e2e.yml b/.gitea/workflows/e2e.yml
index f4ff79a..88a9bd9 100644
--- a/.gitea/workflows/e2e.yml
+++ b/.gitea/workflows/e2e.yml
@@ -37,14 +37,14 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y --no-install-recommends \
             debootstrap squashfs-tools \
-            systemd-ukify systemd-boot kmod \
+            systemd-ukify systemd-boot kmod bubblewrap \
             debian-archive-keyring python3-pip git zstd \
             qemu-system-x86 qemu-utils \
             dnsmasq iperf3 ipxe-qemu
           # See release.yml for rationale — Ubuntu's apt mkosi is too old
           # to handle bookworm's non-free-firmware component correctly.
           sudo pip install --break-system-packages \
-            "git+https://github.com/systemd/mkosi.git@v24.3"
+            "git+https://github.com/systemd/mkosi.git@v25.3"
 
       - name: Install templ
         run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 0741774..b3d23fd 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -34,14 +34,15 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y --no-install-recommends \
             debootstrap squashfs-tools dosfstools \
-            systemd-ukify systemd-boot kmod \
+            systemd-ukify systemd-boot kmod bubblewrap \
             debian-archive-keyring python3-pip git zstd
           # Ubuntu's apt-packaged mkosi is too old to wire
           # non-free-firmware shorthand through to debootstrap.
           # mkosi isn't published on PyPI under v24+ — install the
-          # pinned tag from upstream git instead.
+          # pinned tag from upstream git instead. bubblewrap provides
+          # the sandbox mkosi uses for its `cp`/chroot plumbing.
           sudo pip install --break-system-packages \
-            "git+https://github.com/systemd/mkosi.git@v24.3"
+            "git+https://github.com/systemd/mkosi.git@v25.3"
 
       - name: Install templ
         run: go install github.com/a-h/templ/cmd/templ@v0.3.1001