fix(smoke-tests): make SIGINT/SIGTERM signal tests robust on macOS bash 3.2 #456

name: Preview varlock CLI binaries

# Builds SEA binaries as downloadable artifacts so a PR can be tested.
# Opt-in: a run starts when the "preview:standalone" label is added to a
# PR, and again on every push to that PR for as long as the label stays on.
#
# The label is therefore a standing approval: it keeps applying to commits
# pushed after the one that was looked at when the label was added. Take
# the label off to stop later pushes from being built.
#
# The trigger is `pull_request`, so runs for PRs opened from forks get a
# read-only token and no repository secrets.
on:
  pull_request:
    types:
      - labeled
      - synchronize
  workflow_dispatch:

# Default token scope for every job that does not set its own.
permissions:
  contents: read

# One live run per workflow + branch; a newer run cancels the older one.
# NOTE(review): `github.head_ref` is the bare branch name, so PRs from
# different forks that use the same branch name share a group; confirm
# that is acceptable.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true
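jobs:
  # Gate: only run when the "preview:standalone" label is present (or the
  # workflow was started manually). Every other job chains off this one
  # through `needs`, so they are skipped whenever this condition is false.
  check-label:
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (github.event.action == 'labeled' && github.event.label.name == 'preview:standalone') ||
      (github.event.action == 'synchronize' && contains(github.event.pull_request.labels.*.name, 'preview:standalone'))
    runs-on: ubuntu-latest
    steps:
      - run: echo "preview:standalone label detected — building preview binaries"

  # Build and sign the macOS native binary (cache-aware)
  #
  # This is the only job that is handed a secret. A local reusable workflow
  # is taken from the same commit as its caller, so on a same-repository PR
  # the workflow that receives OP_CI_TOKEN is the PR's own copy.
  # NOTE(review): confirm build-native-macos.yaml exposes the token only to
  # the step that needs it, and that `mode: preview` does not sign with the
  # release identity.
  build-native-macos:
    needs: check-label
    uses: ./.github/workflows/build-native-macos.yaml
    with:
      mode: preview
      artifact-name: native-bin-macos-preview
    secrets:
      OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}

  # Build Rust native binaries for Linux and Windows
  build-native-rust:
    needs: check-label
    # Preview builds never sign, so no id-token is granted (signing is gated on
    # the `sign` input, which only the release workflows pass).
    permissions:
      contents: read
    uses: ./.github/workflows/build-native-rust.yaml
    with:
      artifact-name: native-bin-rust-preview

  # Build SEA binaries for all platforms and upload as artifacts.
  # No secrets are passed to this job; it runs the PR's install and build
  # scripts with the workflow-level `contents: read` token only.
  build-sea-binaries:
    needs: [build-native-macos, build-native-rust]
    runs-on: ubuntu-latest
    steps:
      # Actions referenced by tag (`@v6`, `@v2`, ...) resolve to whatever the
      # tag points at when the job runs; only caching-for-turbo below is
      # pinned to a commit.
      # NOTE(review): consider pinning the others to full commit SHAs as
      # well, starting with the third-party oven-sh/setup-bun.
      - uses: actions/checkout@v6
        with:
          # Nothing after checkout pushes or fetches, so do not persist the
          # job token for later git commands while PR-controlled install
          # and build scripts run.
          persist-credentials: false
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
      - name: Use Node.js 24.x
        uses: actions/setup-node@v6
        with:
          node-version: "24.x"
      # NOTE(review): a plain `bun install` may resolve versions that are
      # not recorded in the lockfile; consider `bun install --frozen-lockfile`
      # so preview binaries are built from the committed dependency set.
      - name: Install node deps
        run: bun install
      - name: Enable turborepo build cache
        uses: rharkor/caching-for-turbo@56219402aacc0d06b650d898c222996dbc1191ec # v2.3.14

      # Download macOS native binary
      - name: Download macOS native binary
        uses: actions/download-artifact@v8
        with:
          name: native-bin-macos-preview
          path: packages/varlock/native-bins/darwin/VarlockEnclave.app
      # Re-apply the executable bit after the artifact download.
      - name: Restore macOS binary permissions
        run: chmod +x packages/varlock/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt

      # Download Rust native binaries
      - name: Download Linux x64 native binary
        uses: actions/download-artifact@v8
        with:
          name: native-bin-rust-preview-linux-x64
          path: packages/varlock/native-bins/linux-x64
      - name: Download Linux arm64 native binary
        uses: actions/download-artifact@v8
        with:
          name: native-bin-rust-preview-linux-arm64
          path: packages/varlock/native-bins/linux-arm64
      - name: Download Windows x64 native binary
        uses: actions/download-artifact@v8
        with:
          name: native-bin-rust-preview-win32-x64
          path: packages/varlock/native-bins/win32-x64
      - name: Restore Rust binary permissions
        run: |
          chmod +x packages/varlock/native-bins/linux-x64/varlock-local-encrypt
          chmod +x packages/varlock/native-bins/linux-arm64/varlock-local-encrypt

      # Build SEA binaries
      - name: Build libraries
        run: bun run build:libs
        env:
          BUILD_TYPE: preview
      - name: Build varlock SEA binaries
        run: bun run packages/varlock/scripts/build-binaries.ts

      # Upload each platform archive as its own artifact so consumers
      # only need to download the one they need (~60-90 MB each)
      #
      # This first step only logs the archives found in dist-sea and the
      # artifact name each one maps to; it uploads nothing. The uploads are
      # the fixed list of upload-artifact steps that follow, so an archive
      # for a platform missing from that list is logged but not published.
      - name: Upload platform artifacts
        run: |
          for f in packages/varlock/dist-sea/varlock-*.tar.gz packages/varlock/dist-sea/varlock-*.zip; do
            [ -f "$f" ] || continue
            # extract platform name: varlock-macos-arm64.tar.gz -> macos-arm64
            BASENAME=$(basename "$f")
            PLATFORM=$(echo "$BASENAME" | sed 's/^varlock-//' | sed 's/\.tar\.gz$//' | sed 's/\.zip$//')
            echo "Uploading $BASENAME as varlock-preview-$PLATFORM"
          done

      # `if-no-files-found: error` on every upload: the action's default
      # only warns, which would let a run go green with a platform archive
      # or the checksum file missing.
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-macos-x64
          path: packages/varlock/dist-sea/varlock-macos-x64.tar.gz
          retention-days: 14
          if-no-files-found: error
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-macos-arm64
          path: packages/varlock/dist-sea/varlock-macos-arm64.tar.gz
          retention-days: 14
          if-no-files-found: error
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-linux-x64
          path: packages/varlock/dist-sea/varlock-linux-x64.tar.gz
          retention-days: 14
          if-no-files-found: error
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-linux-arm64
          path: packages/varlock/dist-sea/varlock-linux-arm64.tar.gz
          retention-days: 14
          if-no-files-found: error
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-linux-musl-x64
          path: packages/varlock/dist-sea/varlock-linux-musl-x64.tar.gz
          retention-days: 14
          if-no-files-found: error
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-linux-musl-arm64
          path: packages/varlock/dist-sea/varlock-linux-musl-arm64.tar.gz
          retention-days: 14
          if-no-files-found: error
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-win-x64
          path: packages/varlock/dist-sea/varlock-win-x64.zip
          retention-days: 14
          if-no-files-found: error
      # NOTE(review): checksums.txt is presumably written by
      # build-binaries.ts in this same job. It lets a tester detect a
      # corrupted or truncated download; it is not independent evidence of
      # what was built.
      - uses: actions/upload-artifact@v7
        with:
          name: varlock-preview-checksums
          path: packages/varlock/dist-sea/checksums.txt
          retention-days: 14
          if-no-files-found: error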