feat(release): darwin/arm64 release workflow

aksOps · claude · aksOps · commit 4cf0e93d7472 · 2026-05-13T06:36:47.000Z
Adds release-darwin.yml on macos-14 runner. Trigger: same v*.*.* tag push that fires release-go.yml. Builds darwin/arm64 natively (CGO, clang, kuzudb + go-sqlite3 build cleanly), packages a tar.gz, generates SPDX SBOM via Syft, signs the archive directly with Cosign keyless (bundle format — matches the cosign v4 update in #136), then uploads to the existing Release created by release-go.yml. Why a separate workflow: - release-go.yml runs on ubuntu-latest. CGO + kuzudb won't cross-compile to darwin from linux. - macos-14 runners are arm64-native; cross-compile happens via native CC=clang. - Two workflows publish to the same tag → same Release. The upload step retries 3× (30s delay) to handle the race with release-go.yml creating the Release (linux completes first, darwin attaches to that Release). Follow-up: branch protection cleanup. The `build` required check is still satisfied by build-shim.yml; once an admin drops it from required-checks in the UI (Settings → Branches → main), build-shim.yml can be deleted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/release-darwin.yml b/.github/workflows/release-darwin.yml
@@ -0,0 +1,122 @@
+name: release-darwin
+
+# darwin/arm64 release on a macos-14 runner. Attaches binaries to the
+# existing GitHub Release created by release-go.yml (which only builds
+# linux). Runs after the linux release lands so the target Release
+# already exists.
+#
+# Why a separate workflow:
+#   - release-go.yml runs on ubuntu-latest. CGO + kuzudb won't
+#     cross-compile cleanly to darwin from linux.
+#   - macos-14 runners are arm64 (M1+); cross-compile to darwin/arm64
+#     happens via native CC = clang.
+#   - The two workflows publish to the same tag → same Release.
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release (e.g. v0.3.0). Release must already exist.'
+        required: true
+
+permissions:
+  contents: write
+  id-token: write      # Sigstore keyless via GitHub OIDC
+  attestations: write
+
+jobs:
+  release-darwin:
+    name: release (darwin / arm64)
+    runs-on: macos-14
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: '1.25.10'
+          cache: true
+          cache-dependency-path: go/go.sum
+
+      - name: Build darwin/arm64 binary
+        working-directory: go
+        env:
+          CGO_ENABLED: '1'
+          GOOS: darwin
+          GOARCH: arm64
+        run: |
+          TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
+          VERSION="${TAG#v}"
+          go build \
+            -trimpath \
+            -ldflags "-s -w \
+              -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Version=${VERSION}' \
+              -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Commit=$(git rev-parse --short HEAD)' \
+              -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Date=$(date -u +%Y-%m-%dT%H:%M:%SZ)' \
+              -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Dirty=false'" \
+            -o codeiq ./cmd/codeiq
+
+      - name: Package archive
+        working-directory: go
+        run: |
+          TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
+          VERSION="${TAG#v}"
+          ARCHIVE_DIR="codeiq_${VERSION}_darwin_arm64"
+          mkdir -p "${ARCHIVE_DIR}"
+          cp codeiq "${ARCHIVE_DIR}/"
+          cp ../LICENSE "${ARCHIVE_DIR}/" 2>/dev/null || true
+          cp ../README.md "${ARCHIVE_DIR}/" 2>/dev/null || true
+          cp ../CHANGELOG.md "${ARCHIVE_DIR}/" 2>/dev/null || true
+          tar czf "../${ARCHIVE_DIR}.tar.gz" "${ARCHIVE_DIR}"
+
+      - name: Install Syft (SBOM)
+        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+      - name: Generate SBOM
+        run: |
+          TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
+          VERSION="${TAG#v}"
+          ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz"
+          syft "$ARCHIVE" --output spdx-json="${ARCHIVE}.sbom.spdx.json"
+
+      - name: Install Cosign (signing)
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+      - name: Sign archive (Sigstore keyless, bundle format)
+        run: |
+          TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
+          VERSION="${TAG#v}"
+          ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz"
+          cosign sign-blob \
+            --yes \
+            --bundle "${ARCHIVE}.cosign.bundle" \
+            "$ARCHIVE"
+
+      - name: Upload to GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
+          VERSION="${TAG#v}"
+          # Retry up to 3 times to handle race with release-go.yml
+          # creating the Release.
+          for i in 1 2 3; do
+            if gh release view "$TAG" >/dev/null 2>&1; then
+              gh release upload "$TAG" \
+                "codeiq_${VERSION}_darwin_arm64.tar.gz" \
+                "codeiq_${VERSION}_darwin_arm64.tar.gz.sbom.spdx.json" \
+                "codeiq_${VERSION}_darwin_arm64.tar.gz.cosign.bundle" \
+                --clobber
+              exit 0
+            fi
+            echo "Release $TAG not yet visible, waiting 30s ($i/3)..."
+            sleep 30
+          done
+          echo "::error::Release $TAG never appeared; release-go.yml may have failed"
+          exit 1
+
+      - name: Attest darwin archive (build provenance)
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: 'codeiq_*_darwin_arm64.tar.gz'
