Draft
Conversation
Force-pushed: ed4dc33 to 42a426c
Force-pushed: 42a426c to 12e9896
Do the documentation changes need to be backported?
Changes to
The mdsh-fmt script only uses mdsh and jq. busybox was an unnecessary dependency that causes build failures on darwin since nixpkgs' darwin busybox is broken. Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
Separate push scripts into container-scripts.nix so container images (linux-only) can be overridden independently from push scripts (which need to run natively on the developer's machine). Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
The let/in binding was needed when containers.nix merged container images with push scripts. Now that push scripts are in a separate file, the wrapper is unnecessary. Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
The contrast runtime (coordinator, initializer, kata, containers) only runs on x86_64-linux, but client-side tools (CLI, resourcegen, e2e) can run on any platform. Separate these by introducing a runtimePkgs overlay that replaces linux-only packages with their x86_64-linux equivalents on non-linux hosts (e.g. aarch64-darwin). This enables building and using the CLI natively on macOS while runtime packages are transparently sourced from x86_64-linux. Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
The renovate package fails to build on darwin due to better-sqlite3 requiring libtool which is missing from the nixpkgs build environment. Since renovate-config-validator only validates a bot config file and the linux CI still checks it, skip it on non-linux systems. Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
The Rust openssl-sys crate resolves OpenSSL on macOS by first checking hardcoded homebrew paths (/opt/homebrew/opt/openssl@3), then falling back to pkg-config. GitHub Actions macOS runners have homebrew pre-installed, so the path exists and openssl-sys commits to it, but the actual headers are inaccessible inside the nix sandbox — causing the build to fail before pkg-config is ever tried. On developer machines without homebrew the path doesn't exist, so openssl-sys falls through to pkg-config which finds nix's OpenSSL. Setting OPENSSL_DIR explicitly bypasses the search heuristic entirely, making the build work consistently regardless of what's installed on the host. Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
Build the darwin CLI and formatter on a macOS runner to catch darwin-specific build failures (broken nixpkgs deps, missing platform guards, etc.). The job depends on cli-build so linux dependencies are available in cachix — the macOS runner only builds the darwin-native parts. Make the setup_nix action cross-platform by gating linux-specific steps (apparmor, btrfs) on runner.os == 'Linux'. Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
Override contrastPkgsStatic on darwin: use linux static packages from runtimePkgs but keep genpolicy as a native darwin build since the CLI embeds and runs it on the host. The full darwin contrastPkgsStatic fails to evaluate because genpolicy's C deps (aws-lc-sys) don't build with darwin's static toolchain.
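The runtimePkgs overlay described in the commit messages above (linux-only runtime packages sourced from x86_64-linux on non-linux hosts, with genpolicy kept native because the CLI runs it on the host), written out as an added illustration. This is not the repository's own overlay. It assumes `pkgs` is the package set for the host platform (e.g. aarch64-darwin), `linuxPkgs` is the same project package set evaluated for x86_64-linux (served by a remote builder or binary cache), and that the attribute names in `runtimeOnly` exist in that set; the names are taken from the commit messages and should be treated as placeholders.

```nix
# Added example, not the project's own code. See the lead-in for assumptions.
{ pkgs, linuxPkgs }:
let
  # Packages that only build and run on x86_64-linux. genpolicy is deliberately
  # absent: the CLI embeds and executes it on the developer's machine, so it
  # must stay a native build of the host platform.
  runtimeOnly = [ "coordinator" "initializer" "kata" ];

  # Fail at evaluation time if a listed name is not provided by the linux set,
  # instead of surfacing as a missing attribute deep inside a consumer.
  missing = builtins.filter (n: !(linuxPkgs ? ${n})) runtimeOnly;

  # On a linux host the overlay is a no-op. On any other host every runtime
  # package is replaced by its x86_64-linux build under the same attribute
  # name, so consumers (CLI, resourcegen, e2e) need no platform-specific code.
  runtimePkgsOverlay = final: prev:
    if pkgs.stdenv.hostPlatform.isLinux then
      { }
    else
      builtins.listToAttrs (map (name: {
        inherit name;
        value = linuxPkgs.${name};
      }) runtimeOnly);
in
assert missing == [ ] || throw "runtimeOnly names not in linuxPkgs: ${toString missing}";
{
  # Package set with runtime packages transparently sourced from x86_64-linux.
  runtimePkgs = pkgs.extend runtimePkgsOverlay;
}
```

On a darwin host, evaluating `runtimePkgs.coordinator.system` under these assumptions yields `x86_64-linux`, while `runtimePkgs.genpolicy` (if defined by `pkgs`) remains the host build; on a linux host `pkgs.extend` with an empty overlay returns a set equivalent to `pkgs`.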
Copy the CLI binary from the nix store to workspace/contrast-${SYSTEM} instead of referencing it through the nix out-link symlink. The symlink points to a read-only nix store path, so writing additional files next to the binary (needed for multi-arch releases) would fail. This also updates the artifact paths output and update-contrast-releases.sh to use the new path.
Add a release-aarch64-darwin job that builds the CLI on macos-latest and uploads it as an artifact. A separate attach-darwin-cli job waits for both the draft release and the darwin build, then attaches the binary to the GitHub release. The publish job now also waits for the darwin binary to be attached before marking the release as non-draft. The update-main job downloads the darwin artifact so that update-contrast-releases.sh can hash it into contrast-releases.json.
Add a tabbed platform selector (Linux/macOS) to the CLI install page. The macOS tab downloads the aarch64-darwin binary and includes a note about the Gatekeeper quarantine workaround for browser downloads. Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
This is rebased on top of #2260
Fixes #874