ci: add macOS matrix coverage on main pushes #901
Merged
Add an `os` dimension to the preset CI matrix that expands to both ubuntu-latest and macos-latest on main pushes, and stays ubuntu-only on PRs. macOS runners are billed at 10x Linux on GHA, so PR cost is unchanged; only post-merge runs pay for the macOS legs. This catches Apple-Silicon-only breakage that the Linux matrix can't — e.g. the gcr.io/distroless/base linux/arm64/v8 manifest bug that broke `aspect build //...` for Go projects on Macs while CI stayed green. Also makes the actionlint download OS/arch-aware (uname-derived) so the lint step works on the macOS arm64 runners. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The macOS legs failed at the render step with "403 API rate limit exceeded": on the first-ever macOS run the cache is cold, so all 12 presets stampede the unauthenticated GitHub releases API (60 req/hr by IP) that the aspect-launcher and bazelisk use to resolve their versions. Set GH_TOKEN / GITHUB_TOKEN / BAZELISK_GITHUB_TOKEN from the job token so those calls get the 5000 req/hr authenticated limit, and add the contents:read permission the token needs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The hermetic C++ toolchain failed to build on macOS 15.5 / Xcode 16.4
(surfaced by the new macOS CI legs) for cpp, rust, and kitchen-sink:
1. clang 15 can't parse the macOS 15 SDK's libc++ headers ("unknown type
name '__remove_cv'"). Bump to LLVM 19.1.7 — clang 19 handles the SDK,
and 19.1.7 ships linux-x64 + darwin-arm64 + darwin-x64, so the
per-platform version map collapses to a single entry.
2. toolchains_llvm 1.8.0's generated cc_toolchain selects on the rules_cc
target //cc/toolchains/args/archiver_flags:use_libtool_on_macos_setting,
which rules_cc 0.2.19 renamed away → macOS analysis failed with "no
such target". Pin rules_cc to 0.2.18 (newest version that still has it)
and widen its gate from `cpp` to `cpp or (rust and lint)` to match the
condition under which the LLVM toolchain is registered — rust+lint
pulls in the toolchain too, so it needs the same pin.
Verified locally on macOS 15.5 SDK (Apple Silicon): cpp builds + tests
pass, rust builds (incl. the C++-backed formatter that previously failed).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The per-task --task:name values were keyed only on the preset, so a macOS leg and its Linux counterpart emitted the same task name (e.g. test-go), colliding in the PR summary comment / status checks. Append matrix.os to each so they're distinct (test-go-ubuntu-latest vs test-go-macos-latest). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The clang-tidy lint aspect fails on macOS for cpp and kitchen-sink: rules_lint's _update_flag strips absolute `-isystem` paths as if they were MSVC `/flags`, dropping the macOS SDK libc++ include so clang-tidy can't find <string>/<iostream>. It's an unfixed upstream bug with no released fix and no public knob on the aspect. Skip the Lint step for those two presets on macOS legs only; build, test, and format still run there. Re-enable once aspect-build/rules_lint#924 ships (PR #779). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Each preset runs ~7 aspect tasks across 12 presets × 2 OSes; every task posting a GitHub status comment + check run hammered the App-installation API limit (HTTP 403 "API rate limit exceeded for installation"). Disable --github-status-comments and --github-status-checks on every task call — the GHA check itself is the source of truth for the matrix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds macOS coverage to the preset CI matrix so Apple-Silicon-only breakage can't slip through a green Linux build — the way the `gcr.io/distroless/base` `linux/arm64/v8` manifest bug (#900) did, breaking `aspect build //...` for Go projects on Macs while CI stayed green.

macOS runners are billed at 10x Linux on GHA, so the `os` dimension expands to `[ubuntu-latest, macos-latest]` only on main pushes and stays `[ubuntu-latest]` on PRs. PR cost is unchanged; only post-merge runs pay for the macOS legs.

Standing up the macOS legs surfaced three real, latent issues this matrix now guards against — two are genuine template fixes that also help anyone building locally on Apple Silicon:

1. 403. Fixed by authenticating those calls with the job token (GH_TOKEN/GITHUB_TOKEN/BAZELISK_GITHUB_TOKEN) + `contents: read`.
2. `unknown type name '__remove_cv'`). Bumped to LLVM 19.1.7 (single entry — 19.1.7 ships linux-x64 + darwin-arm64 + darwin-x64).
3. `toolchains_llvm` 1.8.0's generated cc_toolchain selects on `//cc/toolchains/args/archiver_flags:use_libtool_on_macos_setting`, which rules_cc 0.2.19 renamed away. Pinned rules_cc to 0.2.18 (newest with the target) and widened its gate from `cpp` to `cpp or (rust and lint)` to match where the LLVM toolchain is registered.

Two follow-ups, both scoped out deliberately:

- `_update_flag` strips absolute `-isystem` libc++ paths as MSVC `/flags` (rules_lint#924, open PR #779). Build/test/format still run on macOS for cpp. Re-enable once that ships.
- `--github-status-comments:enabled=false --github-status-checks:enabled=false`) on all task calls — ~7 tasks × 12 presets × 2 OSes was tripping the App-installation API limit. The GHA check is the source of truth for the matrix.

The `actionlint` download step is now `uname`-derived (OS + arch) so it works on the macOS arm64 runners.

Scope note: this only touches the template repo's own validation CI (`.github/workflows/ci.yaml`). The stamped CI shipped into generated projects (`template/.github/workflows/ci.yaml`) is unchanged — macOS billing there is the user's call. (The LLVM/rules_cc bumps in #2/#3 are in the shipped `template/MODULE.bazel`, since they fix real local builds for users.)

Changes are visible to end-users: yes
Searched for relevant documentation and updated as needed: yes
Breaking change (forces users to change their own code or config): no
Suggested release notes appear below: yes

Fixed the hermetic C++ toolchain on Apple Silicon / macOS 15 SDK: bumped LLVM 15 → 19.1.7 and pinned rules_cc to 0.2.18, so `aspect build //...` works locally for cpp and rust+lint projects on Macs (previously failed with `unknown type name '__remove_cv'` / missing `use_libtool_on_macos_setting`).

Test plan

`os:` expression keeps PRs ubuntu-only and was confirmed to produce 0 macOS / 12 ubuntu legs on this PR.
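
The matrix gating and token scoping described in this PR, sketched as a workflow fragment. This is an added example, not the repository's `.github/workflows/ci.yaml`: the workflow name, job id, step name, preset subset and the `actions/checkout@v4` step are assumptions, while the `os` expansion, the three token variables and `contents: read` come from the description above.

```yaml
# Added illustration; names below are assumptions, not the project's file.
name: ci
on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the job token is only used to read release metadata
# (aspect-launcher / bazelisk version resolution), so grant read-only
# access to contents and nothing else.
permissions:
  contents: read

jobs:
  preset:
    strategy:
      fail-fast: false
      matrix:
        # Constructed subset of the presets named on the page.
        preset: [go, cpp, rust, kitchen-sink]
        # Main pushes expand to both OSes; everything else (PRs) stays
        # Linux-only, so the 10x-billed macOS legs never run pre-merge.
        os: ${{ fromJSON(github.event_name == 'push' && github.ref == 'refs/heads/main' && '["ubuntu-latest","macos-latest"]' || '["ubuntu-latest"]') }}
    runs-on: ${{ matrix.os }}
    env:
      # Authenticated calls get the 5000 req/hr limit instead of the
      # 60 req/hr per-IP limit that a cold cache exhausts.
      GH_TOKEN: ${{ github.token }}
      GITHUB_TOKEN: ${{ github.token }}
      BAZELISK_GITHUB_TOKEN: ${{ github.token }}
    steps:
      - uses: actions/checkout@v4
      - name: Build (${{ matrix.preset }} on ${{ matrix.os }})
        run: aspect build //...
```

Because `permissions` is set at the workflow level, every job's token is limited to `contents: read`; any job that later needs to write (comments, checks) has to request that scope explicitly.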