ci: point libfuse at the setuid fusermount3 via FUSERMOUNT_PROG

The PATH prepend didn't help: tup/libfuse invokes fusermount3 by an
absolute nix-store path (non-setuid), ignoring PATH, so the FUSE mount
still failed with "Operation not permitted". Set libfuse's FUSERMOUNT_PROG
to NixOS's setuid wrapper (/run/wrappers/bin/fusermount3) so tup mounts
through the privileged helper. Adds diagnostics to confirm the wrapper
exists + its setuid bit on the runner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: zah

.github/workflows/ci.yml

@@ -170,13 +170,17 @@ jobs:
           set -euo pipefail
           ct_root="$(cd "${{ github.workspace }}/../codetracer" && pwd)"
           direnv allow "$ct_root"
-          # codetracer's build uses tup, which mounts a FUSE filesystem. The dev
-          # shell puts the nixpkgs `fuse` package's NON-setuid fusermount3 on
-          # PATH, which can't mount (EPERM). Prepend NixOS's setuid wrapper dir
-          # (programs.fuse provides /run/wrappers/bin/fusermount3) INSIDE the
-          # dev-shell env so tup uses the privileged wrapper.
+          # codetracer's build uses tup, which mounts a FUSE filesystem. libfuse
+          # invokes fusermount3 by an absolute (nix-store, NON-setuid) path, so a
+          # PATH prepend is ignored — it must be pointed at NixOS's setuid wrapper
+          # via libfuse's FUSERMOUNT_PROG. (programs.fuse provides
+          # /run/wrappers/bin/fusermount3.) Diagnostics below confirm the wrapper
+          # exists + its setuid bit on the runner.
+          echo "RBDIAG wrapper:"; ls -l /run/wrappers/bin/fusermount3 2>&1 || echo "  NO WRAPPER on runner"
+          echo "RBDIAG id: $(id)"
+          fuse_wrapper=/run/wrappers/bin/fusermount3
           ( cd "$ct_root" && direnv exec "$ct_root" \
-              bash -c 'export PATH=/run/wrappers/bin:"$PATH"; just build' )
+              bash -c 'export FUSERMOUNT_PROG='"$fuse_wrapper"'; export PATH=/run/wrappers/bin:"$PATH"; just build' )
           ct_bin="$ct_root/src/build-debug/bin/ct"
           test -x "$ct_bin" || { echo "ct not built at $ct_bin" >&2; exit 1; }
           echo "CT_BIN=$ct_bin" >> "$GITHUB_ENV"