From 665f6703e6bd544289d145d46ef5c0d6461a618f Mon Sep 17 00:00:00 2001
From: Jon Cluce <jon.clucas@childmind.org>
Date: Fri, 10 Jan 2025 13:04:23 -0500
Subject: [PATCH] :alien: Allow unprivileged user namespaces for Apptainer in
 GH Actions

---
 .github/workflows/test_cpac.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test_cpac.yaml b/.github/workflows/test_cpac.yaml
index 1cf2bca9..3974f647 100644
--- a/.github/workflows/test_cpac.yaml
+++ b/.github/workflows/test_cpac.yaml
@@ -75,7 +75,7 @@ jobs:
         tag: [latest, nightly]
         exclude:
         - platform: apptainer
-          python: 3.11
+          python: '3.10'
         - platform: apptainer
           python: 3.12
     steps:
@@ -102,6 +102,11 @@ jobs:
       uses: eWaterCycle/setup-apptainer@v2
       with:
         apptainer-version: ${{ matrix.apptainer }}
+    - name: Allow unprivileged user namespaces
+      if: ${{ matrix.platform == 'applainer' }}
+      run: |
+        sudo sh -c 'echo kernel.apparmor_restrict_unprivileged_userns=0 >/etc/sysctl.d/90-disable-userns-restrictions.conf'
+        sudo sysctl -p /etc/sysctl.d/90-disable-userns-restrictions.conf
     - name: Install cpac
       run: cd $GITHUB_WORKSPACE && pip install -e ".[dev,testing,tsconcat]"
     - name: Pull images