From b442232d6eb54f508815f851a692c29ef11371aa Mon Sep 17 00:00:00 2001 
From: Juergen Klaassen
Date: Tue, 26 May 2026 08:02:35 -0600
Subject: [PATCH] fix(build): tighten Touch ID build tags so cgo-disabled cross-builds work
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

KLA-412 added stepup_touchid_darwin.go (cgo wrapper around
LocalAuthentication.framework) with //go:build darwin and a sibling
stepup_touchid_other.go with //go:build !darwin holding the non-darwin
stubs. That worked for native darwin builds (cgo on) and native
non-darwin builds, but broke cross-compilation: any cross-build (e.g.
Linux runner → darwin/amd64, or local darwin/arm64 → darwin/amd64)
defaults to CGO_ENABLED=0. With cgo off, the darwin file is silently
excluded (it uses `import "C"`), and the //go:build !darwin tag on the
stub doesn't match either → touchIDAvailable +
newTouchIDStepUpIfSupported end up undefined.

This is why every release run since KLA-412 merged has failed at
`make dist` — the GHA ubuntu runner cross-builds the darwin artifacts
with cgo off, and the build aborted before producing any binaries.

Fix: tighten the constraints so the stub picks up the cgo-off case:

  stepup_touchid_darwin.go      → //go:build darwin && cgo
  stepup_touchid_darwin_test.go → //go:build darwin && cgo
  stepup_touchid_other.go       → //go:build !darwin || !cgo
  stepup_touchid_other_test.go  → //go:build !darwin || !cgo

A darwin binary built without cgo now compiles cleanly and falls back
to TTY at runtime — the same behavior already exhibited on Macs without
Touch ID hardware. Touch ID itself only works in native cgo-enabled
darwin builds, which is what `make install` and `go install` produce on
developer machines anyway.

Verified locally: `make dist` now produces all five archives (darwin
amd64/arm64, linux amd64/arm64, windows amd64).
Co-Authored-By: Claude Opus 4.7 (1M context) --- internal/mcp/stepup_touchid_darwin.go | 2 +- internal/mcp/stepup_touchid_darwin_test.go | 2 +- internal/mcp/stepup_touchid_other.go | 7 +++++-- internal/mcp/stepup_touchid_other_test.go | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/internal/mcp/stepup_touchid_darwin.go b/internal/mcp/stepup_touchid_darwin.go index a304e9a..2934dc5 100644 --- a/internal/mcp/stepup_touchid_darwin.go +++ b/internal/mcp/stepup_touchid_darwin.go @@ -1,4 +1,4 @@ -//go:build darwin +//go:build darwin && cgo package mcp diff --git a/internal/mcp/stepup_touchid_darwin_test.go b/internal/mcp/stepup_touchid_darwin_test.go index 64a6f86..4519f87 100644 --- a/internal/mcp/stepup_touchid_darwin_test.go +++ b/internal/mcp/stepup_touchid_darwin_test.go @@ -1,4 +1,4 @@ -//go:build darwin +//go:build darwin && cgo package mcp diff --git a/internal/mcp/stepup_touchid_other.go b/internal/mcp/stepup_touchid_other.go index 73d9b4a..d692868 100644 --- a/internal/mcp/stepup_touchid_other.go +++ b/internal/mcp/stepup_touchid_other.go @@ -1,9 +1,12 @@ -//go:build !darwin +//go:build !darwin || !cgo package mcp // touchIDAvailable is the platform stub matching the darwin probe. Non- -// darwin builds have no biometric stack to consult, so it's always false. +// darwin builds have no biometric stack to consult; darwin builds +// without cgo (cross-compiled binaries shipped from a non-darwin CI +// runner) can't link against LocalAuthentication.framework either. Both +// paths fall through to TTY, so the stub returns false. func touchIDAvailable() bool { return false } diff --git a/internal/mcp/stepup_touchid_other_test.go b/internal/mcp/stepup_touchid_other_test.go index 6c69fef..eaa3c8f 100644 --- a/internal/mcp/stepup_touchid_other_test.go +++ b/internal/mcp/stepup_touchid_other_test.go @@ -1,4 +1,4 @@ -//go:build !darwin +//go:build !darwin || !cgo package mcp
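Review bot: In the internal/mcp/stepup_touchid_other.go hunk, the stub `func touchIDAvailable() bool { return false }` now answers for two different situations (a non-darwin build, and a darwin build without cgo) and nothing at runtime tells them apart. The updated comment says the cgo-off darwin binaries are the ones shipped from the CI runner, so a user on a Touch ID-capable Mac running a release archive gets the TTY step-up with no indication that the biometric path was compiled out. Consider surfacing that case, for example with a one-time log line when the binary is darwin but built without cgo, or at least a note in the release documentation, so the weaker step-up path is visible rather than silent. The `_other` file name also no longer describes the file's scope now that it covers darwin; a sentence in the file header saying so would help the next reader.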
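Review bot: Nothing in this change checks the darwin-without-cgo combination before a release is cut; the `//go:build !darwin || !cgo` line at the top of internal/mcp/stepup_touchid_other_test.go makes the stub tests part of that build, but per the commit message the combination was only ever exercised by `make dist`, which is how the breakage lasted across several release runs. Suggest adding a compile check for that target to the pull-request pipeline, for example `GOOS=darwin CGO_ENABLED=0 go vet ./internal/mcp/`, so that the pairing between the `darwin && cgo` files and the `!darwin || !cgo` files is verified before merge and a future edit to one tag without the other fails early.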