feat(release): darwin/arm64 release workflow#137
Merged
Conversation
Adds release-darwin.yml on macos-14 runner. Trigger: same v*.*.* tag push that fires release-go.yml. Builds darwin/arm64 natively (CGO, clang, kuzudb + go-sqlite3 build cleanly), packages a tar.gz, generates SPDX SBOM via Syft, signs the archive directly with Cosign keyless (bundle format — matches the cosign v4 update in #136), then uploads to the existing Release created by release-go.yml. Why a separate workflow: - release-go.yml runs on ubuntu-latest. CGO + kuzudb won't cross-compile to darwin from linux. - macos-14 runners are arm64-native; cross-compile happens via native CC=clang. - Two workflows publish to the same tag → same Release. The upload step retries 3× (30s delay) to handle the race with release-go.yml creating the Release (linux completes first, darwin attaches to that Release). Follow-up: branch protection cleanup. The `build` required check is still satisfied by build-shim.yml; once an admin drops it from required-checks in the UI (Settings → Branches → main), build-shim.yml can be deleted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Branch protection on main no longer requires the `build` context:
$ gh api -X DELETE .../branches/main/protection/required_status_checks/contexts \
-f 'contexts[]=build'
["OSV-Scanner (SCA)", "Trivy (filesystem + container scan)",
"Semgrep (SAST)", "Gitleaks (secret scan)",
"jscpd (duplication < 3% on touched code)",
"SBOM (SPDX + CycloneDX)"]
The shim existed only to satisfy that legacy required check after the
old ci-java.yml's `build` job got deleted in the Phase 6 cutover. The
real Go gates (go-ci.yml + perf-gate.yml) cover what `build` used to.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Semgrep flagged 5× `yaml.github-actions.security.run-shell-injection`
in release-darwin.yml. Pattern was:
run: |
TAG="${GITHUB_REF_NAME:-${{ github.event.inputs.tag }}}"
The `${{ github.event.inputs.tag }}` expression gets interpolated INTO
the shell script at workflow runtime — a malicious workflow_dispatch
caller could inject shell code via the `tag` input.
Fix: hoist the tag resolution into a workflow-level `env: TAG: …`,
then reference $TAG inside each shell block. Same effective value
(workflow_dispatch input wins; falls back to ref_name on tag push),
but the input never reaches a shell un-escaped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
aksOps
added a commit
that referenced
this pull request
May 13, 2026
PR #138 deleted docs/project/ and the brews: block, but missed: - README.md linked to docs/project/architecture.md + conventions.md - PROJECT_SUMMARY.md listed HOMEBREW_TAP_GITHUB_TOKEN as a runtime env - shared/runbooks/release-go.md still had "Homebrew tap PR fails" recovery - release-go.yml + .goreleaser.yml carried stale "darwin/arm64 deferred" comments after release-darwin.yml landed (#137) Pure docs/comments fix; no code or workflow behavior changes.
aksOps
added a commit
that referenced
this pull request
May 13, 2026
) * chore: drop Homebrew + delete stale Java-era docs (CLI + MCP only) Three changes per the post-v0.3.0 cleanup goal: ## 1. Homebrew dropped - .goreleaser.yml: remove `brews:` block. - release-go.yml: remove HOMEBREW_TAP_OWNER/REPO/GITHUB_TOKEN env. - README.md: remove the `### Homebrew` install section. - shared/runbooks/release-go.md: remove `## Homebrew tap` section and related cross-references. - CHANGELOG.md / CLAUDE.md: scrub Homebrew mentions. Not pursuing a tap — pre-built binaries from Releases + Cosign-verified checksums cover the install surface. Saves repo creation + PAT churn. ## 2. Stale Java-era docs deleted The entire `docs/project/` tree (architecture.md, conventions.md, data-model.md, flows.md, ui.md, build-and-run.md) referenced Spring Boot, application.yml, REST controllers, the React SPA, Jacoco, etc. — all deleted in Phase 6 cutover. The content was wrong, not just stale. CLAUDE.md is the single source of truth. Updated PROJECT_SUMMARY.md links to point at CLAUDE.md instead. ## 3. `serve` subcommand decisively out of scope CLAUDE.md previously said `serve: (deferred — not ported in v0.3.0)`. Updated to state the position: codeiq has no REST API and no web UI. Consumers use the CLI or the stdio MCP server. Java's `codeiq serve` will not be reintroduced. The `golang-jwt/jwt/v5` dep is transitive via the MCP SDK's auth package (verified with `go mod why`) — not a serve-mode leftover. CLAUDE.md note corrected. Also drove (out-of-band) the branch-protection update: $ gh api -X POST .../branches/main/protection/required_status_checks/contexts \ -f 'contexts[]=vet / test / staticcheck / gosec / govulncheck' \ -f 'contexts[]=index perf gate (fixture-multi-lang)' → both Go gates now block merge on main. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: scrub stale Homebrew/docs refs left over from cleanup PR #138 deleted docs/project/ and the brews: block, but missed: - README.md linked to docs/project/architecture.md + conventions.md - PROJECT_SUMMARY.md listed HOMEBREW_TAP_GITHUB_TOKEN as a runtime env - shared/runbooks/release-go.md still had "Homebrew tap PR fails" recovery - release-go.yml + .goreleaser.yml carried stale "darwin/arm64 deferred" comments after release-darwin.yml landed (#137) Pure docs/comments fix; no code or workflow behavior changes. --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds `release-darwin.yml` on macos-14 runner. v0.3.0 shipped linux-only; this adds the macOS arm64 (M1+) binary attached to the same draft Release as the linux builds.
What it does
Closed in parallel
Pending follow-ups
🤖 Generated with Claude Code