ci: add darwin CLI build check

sespiros · sespiros · commit 37d36da343d1 · 2026-03-24T19:17:17.000+02:00
Build the darwin CLI and formatter on a macOS runner to catch
darwin-specific build failures (broken nixpkgs deps, missing platform
guards, etc.). The job depends on cli-build so linux dependencies are
available in cachix — the macOS runner only builds the darwin-native
parts.

Make the setup_nix action cross-platform by gating linux-specific steps
(apparmor, btrfs) on runner.os == 'Linux'.

Signed-off-by: Spyros Seimenis &lt;sse@edgeless.systems&gt;
diff --git a/.github/actions/setup_nix/action.yml b/.github/actions/setup_nix/action.yml
@@ -13,13 +13,15 @@ runs:
   using: "composite"
   steps:
     - name: Allow unrestricted user namespaces
+      if: runner.os == 'Linux'
       # Ubuntu 24.04 ships strict apparmor defaults, so we have to disable them to be able to call
       # unshare in the Nix sansbox without beeing root.
       shell: bash
       run: |
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
     - name: use btrfs for nix builds
+      if: runner.os == 'Linux'
       shell: bash
       run: |
         echo "Setting up btrfs /nix volume..."
@@ -33,7 +35,7 @@ runs:
     - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1
       with:
         github_access_token: ${{ inputs.githubToken }}
-        extra_nix_config: "build-dir = /nix/bld"
+        extra_nix_config: ${{ runner.os == 'Linux' && 'build-dir = /nix/bld' || '' }}
     - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
       with:
         name: edgelesssys
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
@@ -158,3 +158,26 @@ jobs:
       - name: Build CLI
         run: |
           nix build ".#${SET}.contrast.cli"
+
+  darwin-cli-build:
+    needs: cli-build
+    runs-on: macos-latest
+    timeout-minutes: 60
+    permissions:
+      contents: read
+    env:
+      SET: base
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/setup_nix
+        with:
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build darwin formatter
+        run: |
+          nix build .#formatter.aarch64-darwin
+      - name: Build darwin CLI
+        run: |
+          nix build ".#${SET}.contrast.cli"
