Released macOS binaries fail closed: .goreleaser sets CGO_ENABLED=0 and the release job runs on Linux, so 99designs/keyring's //go:build darwin && cgo Keychain backend is never compiled in and credstore fails closed on macOS. Verified macOS-only (wincred / godbus secret-service are pure Go).
Fix = the proven INT-446 slck pilot template (open-cli-collective/slack-chat-api#164, merged 37540f7, shipped v3.1.49, verified on a non-dev Mac):
.goreleaser*: split builds — darwin CGO_ENABLED=1 with fully-keyed per-arch overrides ({goos:darwin,goarch:amd64,goamd64:v1,env:[CGO_ENABLED=1,"CC=xcrun clang -arch x86_64"]} and arm64 / goarm64:v8.0 / -arch arm64); linux/windows stay CGO_ENABLED=0 static; nfpms.ids → the unix/win build id (not the deprecated builds).
release.yml: goreleaser job → pinned macos-15; restructure to goreleaser check → release --snapshot --clean (no publish) → pre-publish gate (parse dist/artifacts.json; arm64 functional <cli> config show --output json must report backend=keychain / backend_source=auto + the seeded credential_ref; amd64 otool -L Security.framework; both darwin archives present exactly once) → release --clean --release-notes.
ci: commit; release cut by a deliberate annotated-tag push (auto-release Gate-1 is a path filter that excludes pipeline-only diffs).
Pipeline-only, no Go source change. Both macOS arches retained. Adapt per-repo. Reference implementation: the two changed files in slack-chat-api commit 37540f7 (.goreleaser.yaml, .github/workflows/release.yml).
Repo-specific (gro): confirm gro's config-show-equivalent JSON backend/source field names against source for the gate; verify command likely gro me / gro config show.
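A sketch of the "both darwin archives present exactly once" part of the pre-publish gate, added here as an illustration and not taken from slack-chat-api commit 37540f7. It assumes dist/artifacts.json is a JSON array whose entries carry name, goos, goarch and type (with type "Archive" for archives); the function name and the sample data are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// artifact holds the fields of a dist/artifacts.json entry that the gate reads.
// Field names are an assumption; confirm them against a real snapshot build.
type artifact struct {
	Name   string `json:"name"`
	Goos   string `json:"goos"`
	Goarch string `json:"goarch"`
	Type   string `json:"type"`
}

// checkDarwinArchives fails unless darwin/amd64 and darwin/arm64 each have
// exactly one archive and no other darwin archive exists.
func checkDarwinArchives(raw []byte) error {
	var arts []artifact
	if err := json.Unmarshal(raw, &arts); err != nil {
		return fmt.Errorf("parse artifacts.json: %w", err)
	}
	seen := map[string][]string{} // goarch -> archive names
	for _, a := range arts {
		if a.Type == "Archive" && a.Goos == "darwin" {
			seen[a.Goarch] = append(seen[a.Goarch], a.Name)
		}
	}
	for _, arch := range []string{"amd64", "arm64"} {
		if n := len(seen[arch]); n != 1 {
			return fmt.Errorf("darwin/%s: want exactly 1 archive, got %d %v", arch, n, seen[arch])
		}
	}
	if len(seen) != 2 {
		return fmt.Errorf("unexpected darwin archive arches: %v", seen)
	}
	return nil
}

// sampleArtifacts is constructed input, not output from a real release.
const sampleArtifacts = `[
 {"name":"cli_darwin_amd64.tar.gz","goos":"darwin","goarch":"amd64","type":"Archive"},
 {"name":"cli_darwin_arm64.tar.gz","goos":"darwin","goarch":"arm64","type":"Archive"},
 {"name":"cli","goos":"darwin","goarch":"arm64","type":"Binary"},
 {"name":"cli_linux_amd64.tar.gz","goos":"linux","goarch":"amd64","type":"Archive"}
]`

func main() {
	fmt.Println("gate error:", checkDarwinArchives([]byte(sampleArtifacts)))
}
```

In the workflow this would run between release --snapshot --clean and release --clean, with a non-nil error failing the job before anything is published.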