Commit 875dbb7

Copilot and pelikhan committed
Add Docker security flags for Playwright MCP Chromium compatibility
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
1 parent f50b4ac commit 875dbb7

3 files changed

Lines changed: 38 additions & 1 deletion

docs/src/content/docs/reference/tools.md

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -175,6 +175,8 @@ tools:
175175

176176
**Domain Access**: Uses `network:` ecosystem bundles (`defaults`, `github`, `node`, `python`, etc.). Defaults to `["localhost", "127.0.0.1"]`. Domains auto-include subdomains.
177177

178+
**GitHub Actions Compatibility**: Playwright runs in a Docker container with security flags required for Chromium to function on GitHub Actions runners (`--security-opt seccomp=unconfined` and `--ipc=host`). These flags are automatically configured by gh-aw version 0.41.0 and later.
179+
178180
## Built-in MCP Tools
179181

180182
### Agentic Workflows (`agentic-workflows:`)
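
Review bot: The added paragraph at line 178 presents `--security-opt seccomp=unconfined` and `--ipc=host` only as compatibility settings and never says what they cost. `seccomp=unconfined` turns off Docker's default seccomp syscall filter for the container, and `--ipc=host` places the container in the host's IPC namespace, so a browser that loads workflow-controlled pages runs with less isolation than a default container. Since this is the reference page, state that trade-off in the same paragraph and point to the Domain Access restriction just above as the compensating control, so readers do not take "security flags" to mean hardening.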

docs/src/content/docs/troubleshooting/common-issues.md

Lines changed: 25 additions & 0 deletions
@@ -209,6 +209,31 @@ await mcp__playwright__browser_run_code({
209209

210210
See the [Playwright Tool documentation](/gh-aw/reference/tools/#playwright-tool-playwright) for complete details.
211211

212+
### Playwright MCP Initialization Failure (EOF Error)
213+
214+
**Error Message:**
215+
216+
```text
217+
Failed to register tools error="initialize: EOF" name=playwright
218+
Tool 'browser_navigate' does not exist
219+
```
220+
221+
**Cause:** The Playwright MCP server starts but fails during initialization because the Chromium browser crashes before tool registration completes. This happens when required Docker security flags are missing, causing the MCP init pipe to close (EOF) before tools are registered.
222+
223+
**Solution:** This issue was fixed in version 0.41.0 and later. The Playwright container now includes the required Docker security flags (`--security-opt seccomp=unconfined` and `--ipc=host`) for Chromium to function properly on GitHub Actions runners.
224+
225+
**If you're on an older version:**
226+
227+
Upgrade to version 0.41.0 or later:
228+
229+
```bash wrap
230+
gh extension upgrade gh-aw
231+
```
232+
233+
**Why this happens:**
234+
235+
GitHub Actions runners use security constraints that prevent Chromium from starting without specific Docker flags. The browser tries to initialize during MCP server startup, crashes due to sandbox restrictions, and causes the MCP protocol to fail before any tools are registered. The gateway may still report the server as "connected" because the container started successfully, but no tools are available because initialization never completed.
236+
212237
## Permission Issues
213238

214239
### Write Operations Fail
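
Review bot: The "Cause" paragraph (line 221) and the "Why this happens" paragraph (line 235) give the same explanation twice, and neither says which flag addresses which failure: both attribute the crash to "sandbox restrictions", while the renderer comments in this commit tie `--ipc=host` to shared memory access rather than to the sandbox. Merge the two paragraphs and map each flag to the symptom it fixes. The entry should also mention that the fix works by relaxing the container's seccomp and IPC isolation, because a reader who lands here from the EOF error will otherwise upgrade without knowing the runtime posture changed.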

pkg/workflow/mcp_config_playwright_renderer.go

Lines changed: 11 additions & 1 deletion
@@ -20,9 +20,16 @@
2020
// MCP image (mcr.microsoft.com/playwright/mcp). The container is configured with:
2121
// - --init flag for proper signal handling
2222
// - --network host for network access
23+
// - --security-opt seccomp=unconfined for Chromium sandbox compatibility
24+
// - --ipc=host for shared memory access required by Chromium
2325
// - Volume mounts for log storage
2426
// - Output directory for screenshots and artifacts
2527
//
28+
// GitHub Actions compatibility:
29+
// The security flags are required for Chromium to function properly on GitHub Actions
30+
// runners. Without these flags, Playwright initialization fails with "EOF" error because
31+
// Chromium crashes during startup due to sandbox constraints.
32+
//
2633
// Domain restrictions:
2734
// For security, Playwright is restricted to specific allowed domains configured
2835
// in the workflow frontmatter. These domains are passed via:
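
Review bot: The new comment block (lines 28-31) calls these "security flags", but both of them remove isolation rather than add it, and the wording sits directly above the "Domain restrictions: For security, ..." paragraph, which invites the wrong reading. Together with the existing `--network host` on line 22, the container now shares the host network and IPC namespaces and runs without the default seccomp filter. Reword to something like "isolation-relaxing flags" and add a line saying the allowed-domains restriction is the remaining boundary, so a future maintainer does not extend this list thinking it is hardening.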
@@ -106,7 +113,10 @@ func renderPlaywrightMCPConfigWithOptions(yaml *strings.Builder, playwrightConfi
106113

107114
// Docker runtime args (goes before container image in docker run command)
108115
// These are additional flags for docker run like --init and --network
109-
dockerArgs := []string{"--init", "--network", "host"}
116+
// Add security-opt and ipc flags for Chromium browser compatibility in GitHub Actions
117+
// --security-opt seccomp=unconfined: Required for Chromium sandbox to function properly
118+
// --ipc=host: Provides shared memory access required by Chromium
119+
dockerArgs := []string{"--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"}
110120
if inlineArgs {
111121
yaml.WriteString(" \"args\": [")
112122
for i, arg := range dockerArgs {
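
Review bot: On line 119 the two flags are appended to `dockerArgs` unconditionally, although the comment on line 116 scopes the need to GitHub Actions; every Playwright container rendered by this function now runs with no seccomp filter and the host IPC namespace, with no opt-out. Consider narrower settings before committing to these: Playwright's Docker guidance ships a dedicated seccomp profile that can be passed as `--security-opt seccomp=<profile>.json` instead of `unconfined`, and `--shm-size` addresses the shared-memory requirement without joining the host IPC namespace. If the broad flags stay, make them configurable from the workflow frontmatter. Two smaller points: the slice mixes the split form `"--security-opt", "seccomp=unconfined"` with the joined form `"--ipc=host"`, so pick one style, and none of the three changed files is a test, so nothing pins the rendered `args` output.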
