authortoofar <toofar@spalge.com>2023-11-19 19:45:59 +1300
committertoofar <toofar@spalge.com>2023-11-19 19:48:52 +1300
commit9f8e9d96c85c85a605e382f1510bd08563afc566 (patch)
treea9050b2c893686b3047b3a291555a68e58b9cf67
parent27c5cc8caef409b432338518e192fe7fae31c671 (diff)
parent7444179a2331860ff72d4c675ec832d40d8e343c (diff)
Merge branch 'maint/6.6_in_ci'
PyQt 6.6 has been out for a while. Git users on Arch are already using it. Likely our next pyinstaller release will be using it. This change adds it to our test matrix, beyond the arch docker tests. * Removing -dev tag from python 3.12 job * Update ubuntu python 3.11 and 3.12 tests to use PyQt6.6 * Update macOS and windows tests to use PyQt6.6 * Allow running the nightly CI job on any branch, to get a pyinstaller build binary from your own branch Closes: #7989
-rw-r--r--.github/workflows/ci.yml26
-rw-r--r--.github/workflows/nightly.yml6
-rw-r--r--tests/end2end/test_invocations.py84
3 files changed, 81 insertions, 35 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ccfa69ca3..c2babf437 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -157,28 +157,28 @@ jobs:
- testenv: py310-pyqt65
os: ubuntu-22.04
python: "3.10"
- ### PyQt 6.5 (Python 3.11)
- - testenv: py311-pyqt65
+ ### PyQt 6.6 (Python 3.11)
+ - testenv: py311-pyqt66
os: ubuntu-22.04
python: "3.11"
- ### PyQt 6.5 (Python 3.12)
- - testenv: py312-pyqt65
+ ### PyQt 6.6 (Python 3.12)
+ - testenv: py312-pyqt66
os: ubuntu-22.04
- python: "3.12-dev"
- ### macOS Big Sur: PyQt 5.15 (Python 3.9 to match PyInstaller env)
- - testenv: py39-pyqt515
+ python: "3.12"
+ ### macOS Big Sur
+ - testenv: py311-pyqt66
os: macos-11
- python: "3.9"
+ python: "3.11"
args: "tests/unit" # Only run unit tests on macOS
### macOS Monterey
- - testenv: py39-pyqt515
+ - testenv: py311-pyqt66
os: macos-12
- python: "3.9"
+ python: "3.11"
args: "tests/unit" # Only run unit tests on macOS
- ### Windows: PyQt 5.15 (Python 3.9 to match PyInstaller env)
- - testenv: py39-pyqt515
+ ### Windows
+ - testenv: py311-pyqt66
os: windows-2019
- python: "3.9"
+ python: "3.11"
runs-on: "${{ matrix.os }}"
steps:
- uses: actions/checkout@v4
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 76332e8ba..433cd3c0b 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -15,24 +15,19 @@ jobs:
matrix:
include:
- os: macos-11
- branch: main
toxenv: build-release-qt5
name: qt5-macos
- os: windows-2019
- branch: main
toxenv: build-release-qt5
name: qt5-windows
- os: macos-11
args: --debug
- branch: main
toxenv: build-release-qt5
name: qt5-macos-debug
- os: windows-2019
args: --debug
- branch: main
toxenv: build-release-qt5
name: qt5-windows-debug
-
- os: macos-11
toxenv: build-release
name: macos
@@ -52,7 +47,6 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
- ref: "${{ matrix.branch }}"
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v4
diff --git a/tests/end2end/test_invocations.py b/tests/end2end/test_invocations.py
index af81781f6..72e08af96 100644
--- a/tests/end2end/test_invocations.py
+++ b/tests/end2end/test_invocations.py
@@ -15,6 +15,7 @@ import re
import json
import platform
from contextlib import nullcontext as does_not_raise
+from unittest.mock import ANY
import pytest
from qutebrowser.qt.core import QProcess, QPoint
@@ -885,27 +886,78 @@ def test_sandboxing(
bpf_text = "Seccomp-BPF sandbox"
yama_text = "Ptrace Protection with Yama LSM"
- header, *lines, empty, result = text.split("\n")
- assert not empty
+ if not utils.is_windows:
+ header, *lines, empty, result = text.split("\n")
+ assert not empty
- expected_status = {
- "Layer 1 Sandbox": "Namespace" if has_namespaces else "None",
+ expected_status = {
+ "Layer 1 Sandbox": "Namespace" if has_namespaces else "None",
- "PID namespaces": "Yes" if has_namespaces else "No",
- "Network namespaces": "Yes" if has_namespaces else "No",
+ "PID namespaces": "Yes" if has_namespaces else "No",
+ "Network namespaces": "Yes" if has_namespaces else "No",
- bpf_text: "Yes" if has_seccomp else "No",
- f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No",
+ bpf_text: "Yes" if has_seccomp else "No",
+ f"{bpf_text} supports TSYNC": "Yes" if has_seccomp else "No",
- f"{yama_text} (Broker)": "Yes" if has_yama else "No",
- f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No",
- }
-
- assert header == "Sandbox Status"
- assert result == expected_result
+ f"{yama_text} (Broker)": "Yes" if has_yama else "No",
+ f"{yama_text} (Non-broker)": "Yes" if has_yama_non_broker else "No",
+ }
- status = dict(line.split("\t") for line in lines)
- assert status == expected_status
+ assert header == "Sandbox Status"
+ assert result == expected_result
+
+ status = dict(line.split("\t") for line in lines)
+ assert status == expected_status
+
+ else: # utils.is_windows
+ # The sandbox page on Windows if different that Linux and macOS. It's
+ # a lot more complex. There is a table up top with lots of columns and
+ # a row per tab and helper process then a json object per row down
+ # below with even more detail (which we ignore).
+ # https://www.chromium.org/Home/chromium-security/articles/chrome-sandbox-diagnostics-for-windows/
+
+ # We're not getting full coverage of the table and there doesn't seem
+ # to be a simple summary like for linux. The "Sandbox" and "Lockdown"
+ # column are probably the key ones.
+ # We are looking at all the rows in the table for the sake of
+ # completeness, but I expect there will always be just one row with a
+ # renderer process in it for this test. If other helper processes pop
+ # up we might want to exclude them.
+ lines = text.split("\n")
+ assert lines.pop(0) == "Sandbox Status"
+ header = lines.pop(0).split("\t")
+ rows = []
+ current_line = lines.pop(0)
+ while current_line.strip():
+ if lines[0].startswith("\t"):
+ # Continuation line. Not sure how to 100% identify them
+ # but new rows should start with a process ID.
+ current_line += lines.pop(0)
+ continue
+
+ columns = current_line.split("\t")
+ assert len(header) == len(columns)
+ rows.append(dict(zip(header, columns)))
+ current_line = lines.pop(0)
+
+ assert rows
+
+ # I'm using has_namespaces as a proxy for "should be sandboxed" here,
+ # which is a bit lazy but its either that or match on the text
+ # "sandboxing" arg. The seccomp-bpf arg does nothing on windows, so
+ # we only have the off and on states.
+ for row in rows:
+ assert row == {
+ "Process": ANY,
+ "Type": "Renderer",
+ "Name": "",
+ "Sandbox": "Renderer" if has_namespaces else "Not Sandboxed",
+ "Lockdown": "Lockdown" if has_namespaces else "",
+ "Integrity": ANY if has_namespaces else "",
+ "Mitigations": ANY if has_namespaces else "",
+ "Component Filter": ANY if has_namespaces else "",
+ "Lowbox/AppContainer": "",
+ }
@pytest.mark.not_frozen
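Review bot: In the Windows branch, `ANY` also matches an empty string, so the per-row assertion passes for a sandboxed renderer whose "Integrity", "Mitigations" or "Component Filter" cell is blank; only "Sandbox" and "Lockdown" are actually pinned. Since this test is the check that the sandbox is active, and assuming those cells are expected to be populated for a sandboxed renderer, I would add `if has_namespaces: assert row["Integrity"] and row["Mitigations"]` inside the `for row in rows:` loop. Separately, the `while current_line.strip():` loop reads `lines[0]` and calls `lines.pop(0)` without checking that `lines` is non-empty, so a page whose table is not followed by a blank line fails with an IndexError rather than a readable assertion; an `assert lines, "sandbox table not terminated by a blank line"` at the top of the loop body would make that failure clear. The first comment in the branch should read "is different than" instead of "if different that". The body of `test_sandboxing` starts outside this hunk.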