fix(build): tighten Touch ID build tags for cgo-disabled cross-builds#37
Merged
Conversation
…work KLA-412 added stepup_touchid_darwin.go (cgo wrapper around LocalAuthentication.framework) with //go:build darwin and a sibling stepup_touchid_other.go with //go:build !darwin holding the non-darwin stubs. That worked for native darwin builds (cgo on) and native non-darwin builds, but broke cross-compilation: any cross-build (e.g. Linux runner → darwin/amd64, or local darwin/arm64 → darwin/amd64) defaults to CGO_ENABLED=0. With cgo off, the darwin file is silently excluded (it uses `import "C"`), and the //go:build !darwin tag on the stub doesn't match either → touchIDAvailable + newTouchIDStepUpIfSupported end up undefined. This is why every release run since KLA-412 merged has failed at `make dist` — the GHA ubuntu runner cross-builds the darwin artifacts with cgo off, and the build aborted before producing any binaries. Fix: tighten the constraints so the stub picks up the cgo-off case: stepup_touchid_darwin.go → //go:build darwin && cgo stepup_touchid_darwin_test.go → //go:build darwin && cgo stepup_touchid_other.go → //go:build !darwin || !cgo stepup_touchid_other_test.go → //go:build !darwin || !cgo A darwin binary built without cgo now compiles cleanly and falls back to TTY at runtime — the same behavior already exhibited on Macs without Touch ID hardware. Touch ID itself only works in native cgo-enabled darwin builds, which is what `make install` and `go install` produce on developer machines anyway. Verified locally: `make dist` now produces all five archives (darwin amd64/arm64, linux amd64/arm64, windows amd64). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jrennichjc
approved these changes
May 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PR #36's workflow fix got the auto-release running again, but it failed at
make distwith:Root cause: KLA-412 added
stepup_touchid_darwin.go(cgo wrapper aroundLocalAuthentication.framework) with//go:build darwin, plusstepup_touchid_other.gowith//go:build !darwin. That works for native darwin and native non-darwin builds — but cross-builds default toCGO_ENABLED=0, which silently excludes the cgo file without the stub being picked up. Cross-darwin builds (Linux runner → darwin, or local darwin/arm64 → darwin/amd64) end up with neither.This is why every release run since KLA-412 has failed at
make dist.Fix
Tighten the tags so the stub covers cgo-disabled darwin too:
stepup_touchid_darwin.godarwindarwin && cgostepup_touchid_darwin_test.godarwindarwin && cgostepup_touchid_other.go!darwin!darwin || !cgostepup_touchid_other_test.go!darwin!darwin || !cgoA darwin binary built without cgo now compiles cleanly and falls back to TTY at runtime — same behavior already exhibited on Macs without Touch ID hardware. Touch ID itself only works in native cgo-enabled darwin builds, which is what
make installandgo installproduce on developer machines anyway.What ships after this merges
Labeled
minorso the (now-working) release workflow producesv1.17.0with auto-generated notes covering every PR since1.16.0:Test plan
make distlocally produces all 5 archives (darwin amd64/arm64, linux amd64/arm64, windows amd64)go test ./internal/mcp/ -run "Touch|StepUp"passes natively (cgo on, darwin path exercised)v1.17.0with all 5 binaries attached🤖 Generated with Claude Code
Note
Low Risk
Build-tag-only change with no runtime logic edits; native cgo darwin builds still get real Touch ID.
Overview
Fixes release
make distfailures where darwin cross-builds (CGO_ENABLED=0) compiled neither the cgo Touch ID implementation nor the non-darwin stub, leavingtouchIDAvailable/newTouchIDStepUpIfSupportedundefined instepup.go.Build tags are aligned so one path always provides those symbols: the LocalAuthentication-backed files require
darwin && cgo; the stub and its tests compile for!darwin || !cgo(including cgo-disabled darwin). Runtime behavior for shipped cross-compiled darwin binaries is unchanged—TTY step-up fallback, same as Macs without Touch ID.Reviewed by Cursor Bugbot for commit b442232. Bugbot is set up for automated code reviews on this repo. Configure here.