Work around Ubuntu 24.04 bubblewrap bug

.github/workflows/bwrap.apparmor

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2024 Russell Coker <russell@coker.com.au>
+# SPDX-License-Identifier: CC-BY-NC-SA-3.0
+# source: https://etbe.coker.com.au/2024/04/24/ubuntu-24-04-bubblewrap/
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile bwrap /usr/bin/bwrap flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/bwrap>
+}

.github/workflows/bwrap.yml

@@ -25,6 +25,8 @@ jobs:
           # There is a strange bug(?) in nongnu, when you clone a git repository
           # against a commit != HEAD with depth=1, it errors out.
           fetch-depth: 0
+      - name: Work around Ubuntu 24.04 bubblewrap bug
+        run: sudo cp .github/workflows/bwrap.apparmor /etc/apparmor.d/bwrap && sudo systemctl reload apparmor
       - name: Query cache for sources
         id: cache
         uses: actions/cache/restore@v4
@@ -72,6 +74,8 @@ jobs:
           # There is a strange bug(?) in nongnu, when you clone a git repository
           # against a commit != HEAD with depth=1, it errors out.
           fetch-depth: 0
+      - name: Work around Ubuntu 24.04 bubblewrap bug
+        run: sudo cp .github/workflows/bwrap.apparmor /etc/apparmor.d/bwrap && sudo systemctl reload apparmor
       - name: Get pass1_image
         uses: actions/download-artifact@v4
         with:
@@ -125,6 +129,8 @@ jobs:
           # There is a strange bug(?) in nongnu, when you clone a git repository
           # against a commit != HEAD with depth=1, it errors out.
           fetch-depth: 0
+      - name: Work around Ubuntu 24.04 bubblewrap bug
+        run: sudo cp .github/workflows/bwrap.apparmor /etc/apparmor.d/bwrap && sudo systemctl reload apparmor
       - name: Get pass2_image
         uses: actions/download-artifact@v4
         with: