@milindl milindl commented Oct 13, 2025

Summary

This PR migrates our Semaphore CI pipeline from macOS 13 to macOS 15 in response to the company-wide infrastructure update, and addresses code-signing compatibility issues that arose with the newer macOS version.

Changes Made:

  • Updated Semaphore machine type from s1-prod-macos-13-5-arm64 to s1-macos-15-arm64-8
  • Added conditional logic to handle stricter code-signing requirements on macOS 15
  • Modified test execution to use go run instead of pre-built binaries when code-signing is detected

Technical Challenge:

  • macOS 15 has stricter security measures that prevent unsigned binaries from executing
  • Our existing test pipeline was failing because test binaries weren't code-signed
  • Solution: Use go run to compile and execute code in one step, bypassing unsigned binary restrictions
  • Solution: Added conditional execution logic in both regular and integration test scripts:
if [[ $(command -v codesign) ]]; then
    # macOS 15: Use go run to avoid unsigned binary issues
    go run $GO_TAGS examples/library-version/library-version.go
else
    # macOS 13 and older: Continue using pre-built binaries
    library-version
fi
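
The same branch, keyed on whether the specific pre-built binary passes signature verification rather than on whether a codesign tool is installed. This is an added example, not code from the PR: select_runner and run_example are hypothetical names, and it assumes `codesign --verify` exits non-zero for a file without a valid signature.

```shell
#!/usr/bin/env bash
# Added example (not from the PR). Function names are hypothetical.

# Print how a test program should be started:
#   "binary" - run the pre-built executable found on PATH
#   "go-run" - compile and run from source with `go run`
# $1 = executable name (e.g. library-version)
select_runner() {
    local name="$1" bin_path
    # No pre-built binary on PATH: building from source is the only route.
    if ! bin_path="$(command -v "$name")"; then
        echo "go-run"
        return 0
    fi
    # No codesign tool at all (e.g. a Linux agent): there is nothing to verify.
    if ! command -v codesign >/dev/null 2>&1; then
        echo "binary"
        return 0
    fi
    # Verify this particular file instead of inferring from the tool's presence.
    if codesign --verify "$bin_path" >/dev/null 2>&1; then
        echo "binary"
    else
        echo "go-run"
    fi
}

# Start the program by whichever route select_runner chose.
# $1 = executable name, $2 = Go source path.
# GO_TAGS is left unquoted on purpose so it can expand to several arguments.
run_example() {
    local name="$1" src="$2"
    case "$(select_runner "$name")" in
        binary) "$name" ;;
        go-run) go run $GO_TAGS "$src" ;;
    esac
}
```

With this shape, the macOS and non-macOS agents share one code path, and the CI log can record which route was taken for each binary.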

@milindl milindl requested review from a team as code owners October 13, 2025 10:22
Copilot AI review requested due to automatic review settings October 13, 2025 10:22
Copilot AI left a comment

Pull Request Overview

This PR updates the macOS CI environment and addresses code-signing issues on newer macOS versions. The changes ensure tests can run properly by conditionally using go run instead of executing unsigned binaries.

  • Updated macOS version from 13.5 to 15 for ARM64 builds
  • Added conditional logic to handle code-signing requirements on newer macOS
  • Modified test execution to use go run when code-signing is available

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File | Description
.semaphore/semaphore.yml | Updated macOS machine type from 13.5 to 15 for ARM64
.semaphore/semaphore_commands.sh | Added conditional code-signing logic for test execution
.semaphore/semaphore_integration_commands.sh | Added conditional code-signing logic for integration test execution


# If we're on newer macOS, avoid running binaries that are not code-signed, rather, use go run.
# Running go-kafkacat with `go run` needs some `go get` commands, so just check existence instead.
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi
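
Review bot: the `[[ $(command -v codesign) ]]` condition at the start of this line only tests that a codesign tool is on PATH; it says nothing about the macOS version or about whether `library-version` and `go-kafkacat` are signed, even though the comment above describes the branch as "newer macOS". Any agent that has the tool installed will take the `go run` path, including ones where the pre-built binaries would run fine. Consider branching on the property that actually causes the failure, for example `codesign --verify "$(command -v library-version)"`, or on the OS version, and updating the comment to match whichever test is used.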

Copilot AI Oct 13, 2025

This line is extremely long and difficult to read. Consider breaking it into multiple lines or using separate conditional blocks for better readability and maintainability.

Suggested change
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi
if [[ $(command -v codesign) ]]; then
which go-kafkacat
go run $GO_TAGS examples/library-version/library-version.go
(go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false)
else
go-kafkacat --help
library-version
(library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false)
fi

# If we're on newer macOS, avoid running binaries that are not code-signed, rather, use go run.
# Running go-kafkacat with `go run` needs some `go get` commands, so just check existence instead.
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi
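
Review bot: in the codesign branch `go-kafkacat` is only looked up with `which go-kafkacat` and never executed, so the `go-kafkacat --help` smoke test that the else branch still performs is lost on this path. The comment above gives the reason (running it with `go run` needs extra `go get` commands), but the result is that a go-kafkacat build that is present yet broken passes CI here. Either add the needed `go get` step so it can be started with `go run`, or note in the comment that this path does not exercise go-kafkacat and track restoring the check.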

Copilot AI Oct 13, 2025

This line is extremely long and difficult to read. Consider breaking it into multiple lines or using separate conditional blocks for better readability and maintainability.

Suggested change
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi
if [[ $(command -v codesign) ]]; then
which go-kafkacat
go run $GO_TAGS examples/library-version/library-version.go
if ! go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO"; then
echo "Incorrect linkage, expected $EXPECT_LINK_INFO"
false
fi
else
go-kafkacat --help
library-version
if ! library-version | grep "$EXPECT_LINK_INFO"; then
echo "Incorrect linkage, expected $EXPECT_LINK_INFO"
false
fi
fi

# If we're on newer macOS, avoid running binaries that are not code-signed, rather, use go run.
# Running go-kafkacat with `go run` needs some `go get` commands, so just check existence instead.
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi

Copilot AI Oct 13, 2025

The command go run examples/library-version/library-version.go is executed twice in the same line, which is inefficient. Consider storing the output in a variable and reusing it.

Suggested change
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi
if [[ $(command -v codesign) ]]; then
which go-kafkacat
output="$(go run $GO_TAGS examples/library-version/library-version.go)"
echo "$output"
(echo "$output" | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false)
else
go-kafkacat --help
library-version
(library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false)
fi

# If we're on newer macOS, avoid running binaries that are not code-signed, rather, use go run.
# Running go-kafkacat with `go run` needs some `go get` commands, so just check existence instead.
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi

Copilot AI Oct 13, 2025

The command go run examples/library-version/library-version.go is executed twice in the same line, which is inefficient. Consider storing the output in a variable and reusing it.

Suggested change
if [[ $(command -v codesign) ]]; then which go-kafkacat; go run $GO_TAGS examples/library-version/library-version.go; (go run $GO_TAGS examples/library-version/library-version.go | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi
if [[ $(command -v codesign) ]]; then which go-kafkacat; output=$(go run $GO_TAGS examples/library-version/library-version.go); echo "$output"; (echo "$output" | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); else go-kafkacat --help; library-version; (library-version | grep "$EXPECT_LINK_INFO") || (echo "Incorrect linkage, expected $EXPECT_LINK_INFO" ; false); fi

@sonarqube-confluent
Passed

Analysis Details

0 Issues

  • 0 Bugs
  • 0 Vulnerabilities
  • 0 Code Smells

Coverage and Duplications

  • Coverage: No coverage information (55.70% Estimated after merge)
  • Duplications: No duplication information (0.00% Estimated after merge)

Project ID: confluent-kafka-go

@airlock-confluentinc airlock-confluentinc bot force-pushed the dev_change_macos_verison branch from 222059b to 9cfa3f1 Compare December 10, 2025 13:31
@sonarqube-confluent

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication
