CI deployment broke after switching from the GitHub Actions runner's system Chrome to Puppeteer's bundled Chromium for mermaid diagram rendering. The fix required two coordinated changes: (1) a sysctl workaround in deploy.yaml that lifts Ubuntu 24.04's AppArmor restriction on unprivileged user namespaces so the bundled Chromium can start its sandbox, and (2) upgrading jekyll-mermaid-prebuild to 0.4.0, which adds overflow_protection and text_centering postprocessing to handle cross-environment text measurement differences. The gem version bump also required migrating the config to the new postprocessing: key structure.
- .github/workflows/deploy.yaml: Added a step, echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns, that disables Ubuntu 24.04's AppArmor restriction on unprivileged user namespaces, which was preventing Puppeteer's bundled Chromium from creating its sandbox. The sysctl is host-wide: it relaxes the restriction for every process on the runner for the rest of the job, not only the browser. That is an acceptable trade on an ephemeral GitHub-hosted runner, and unlike --no-sandbox it leaves Chromium's own sandbox working.
- Gemfile: Upgraded jekyll-mermaid-prebuild from ~> 0.3 to ~> 0.4 (0.4.0 adds default-on overflow_protection and text_centering postprocessing).
- _config.yaml: Migrated the mermaid config to 0.4.0's postprocessing: key structure; added edge_label_padding: 6.
- Prior commit 78927f9 (separate PR) had already removed PUPPETEER_SKIP_CHROMIUM_DOWNLOAD and PUPPETEER_EXECUTABLE_PATH to switch to the bundled Chromium.
- The ubuntu-latest image already ships all the X11/GTK shared libraries. The gem's error message pattern-matches on "browser process" in stderr and assumes a library problem, but the actual failure was sandbox-related.
- Check dpkg -l or the runner image docs before adding install steps. Would have saved one failed CI iteration.
- MmdcWrapper#test_render error detection could distinguish sandbox failures from library failures to give more accurate guidance.
- Passing --no-sandbox to mmdc via a puppeteer config would also get the browser running, but this crosses a security boundary: it switches the browser sandbox off rather than fixing it, and the gem shouldn't assume it knows the deployment environment's posture.
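The error-detection gap noted above (a single "browser process" match lumping sandbox and library failures together), as an added example that is not jekyll-mermaid-prebuild's code: a small Ruby probe that classifies a failed Chromium launch, reads the Ubuntu 24.04 userns sysctl, and returns guidance that points at the real cause instead of suggesting --no-sandbox. The method names (classify_chromium_failure, userns_restricted?, guidance, probe_browser) and the sample stderr strings are constructed for illustration; the patterns are shortened forms of the messages Chromium and the dynamic loader print.

```ruby
# Added example, not code from jekyll-mermaid-prebuild or this repo: classify
# a failed headless Chromium launch so the advice matches the real cause.
# Method names, constants and the sample stderr below are constructed.
require "open3"

# Kernel knob Ubuntu 24.04 sets to 1 to block unprivileged user namespaces.
USERNS_SYSCTL = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns".freeze

# What Chromium prints when its namespace or setuid sandbox cannot be set up.
SANDBOX_PATTERNS = [
  /Failed to move to new namespace/i,
  /No usable sandbox/i,
  /SUID sandbox helper binary/i,
].freeze

# What the dynamic loader prints when a shared library is absent.
LIBRARY_PATTERNS = [
  /error while loading shared libraries/i,
  /cannot open shared object file/i,
].freeze

# Missing-library errors come from the loader before Chromium runs at all,
# so they are checked first; only a process that started can fail sandboxing.
def classify_chromium_failure(stderr)
  return :missing_library if LIBRARY_PATTERNS.any? { |re| stderr.match?(re) }
  return :sandbox if SANDBOX_PATTERNS.any? { |re| stderr.match?(re) }
  :unknown
end

# true/false when the sysctl exists, nil when the kernel does not expose it.
def userns_restricted?(path = USERNS_SYSCTL)
  return nil unless File.readable?(path)
  File.read(path).strip == "1"
end

def guidance(kind, userns_restricted)
  case kind
  when :sandbox
    if userns_restricted
      "Chromium's namespace sandbox is blocked by " \
        "kernel.apparmor_restrict_unprivileged_userns=1. Grant userns to the " \
        "browser binary with an AppArmor profile or relax the sysctl on the " \
        "runner; do not pass --no-sandbox, which disables the sandbox instead."
    else
      "Sandbox setup failed for another reason; check that the chrome-sandbox " \
        "setuid helper exists, is root-owned and has mode 4755."
    end
  when :missing_library
    "A shared library is missing; run ldd on the browser binary and compare " \
      "with the runner image's package list (dpkg -l) before adding installs."
  else
    "Unrecognised launch failure; inspect stderr."
  end
end

# Launch the browser once, the way a test_render probe would, and map the
# outcome to a classification plus guidance. --dump-dom makes headless exit.
def probe_browser(chrome_path)
  _out, err, status = Open3.capture3(
    chrome_path, "--headless=new", "--disable-gpu", "--dump-dom", "about:blank"
  )
  return [:ok, nil] if status.success?
  kind = classify_chromium_failure(err)
  [kind, guidance(kind, userns_restricted?)]
rescue Errno::ENOENT
  [:not_found, "No browser binary at #{chrome_path}."]
end

# Constructed sample stderr (shortened forms of real Chromium/loader messages).
SANDBOX_STDERR = "[0101/000000.000000:FATAL:zygote_host_impl_linux.cc(100)] " \
  "Failed to move to new namespace: PID namespaces supported, Network " \
  "namespace supported, but failed: errno = Operation not permitted\n"
LIBRARY_STDERR = "chrome: error while loading shared libraries: libnss3.so: " \
  "cannot open shared object file: No such file or directory\n"

if $PROGRAM_NAME == __FILE__
  [SANDBOX_STDERR, LIBRARY_STDERR].each do |err|
    kind = classify_chromium_failure(err)
    puts "#{kind}: #{guidance(kind, userns_restricted?)}"
  end
end
```

Checking the loader patterns before the sandbox patterns matters: the "Operation not permitted" text in a sandbox failure is generic, while a loader error means the browser never started, so the order avoids sending someone to fix AppArmor when a package is missing.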