fix: build macOS releases with keychain support

[rmanibus]

Summary

• run the release job on a native macOS runner instead of Ubuntu
• split GoReleaser builds so Linux/Windows stay CGO_ENABLED=0 while Darwin builds use CGO_ENABLED=1
• ensure Homebrew macOS artifacts include the real Keychain backend instead of the darwin && !cgo stub

Verification

• CGO_ENABLED=1 go build ./cmd/cloudstic
• GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build ./cmd/cloudstic
• GOOS=windows GOARCH=arm64 CGO_ENABLED=0 go build ./cmd/cloudstic
• go test ./internal/secretref ./cmd/cloudstic

Context

The previous release fix made cross-compiled macOS builds fall back to the stub keychain implementation so GoReleaser could succeed on Linux. That avoided the release failure, but it also meant Homebrew-installed macOS binaries could not use keychain://... secret refs. This change restores native Keychain support in macOS release artifacts.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Updates the release pipeline to ship macOS binaries built with CGO enabled so the real Keychain backend is included in Homebrew-installed artifacts, while keeping Linux/Windows builds cross-compiled with CGO_ENABLED=0.

Changes:

• Split GoReleaser builds into cloudstic-cross (Linux/Windows, CGO_ENABLED=0) and cloudstic-darwin (macOS, CGO_ENABLED=1).
• Move the GitHub Actions release job to a native macos-latest runner to support CGO-based macOS builds.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.goreleaser.yml	Separates darwin builds to enable CGO for Keychain support while keeping cross builds CGO-free.
.github/workflows/release.yml	Runs the release job on macOS so GoReleaser can build darwin artifacts with CGO enabled.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.