ci: macOS build smoke-test + flake darwin support

Add the two *-apple-darwin targets to rust-toolchain.toml and apple-sdk +
libiconv to the flake devShell (darwin only) so the nix toolchain links
AppKit; make cargo-zigbuild/zig Linux-only (macOS builds natively). Repoint
the throwaway macOS workflow to actually build both darwin targets through
the flake on the Tart runner — the first real check of the macOS leg, which
can't be verified locally. Delete once release-macos lands.

.gitea/workflows/macos-probe.yaml

@@ -1,49 +1,39 @@
-# THROWAWAY DIAGNOSTIC for the macOS (Tart) runner — delete once the macOS
-# release leg is wired.
+# THROWAWAY build smoke-test for the macOS (Tart) runner. Verifies both
+# *-apple-darwin targets actually compile and link (incl. arboard's AppKit)
+# through the flake on the real Mac, before the full release-macos workflow is
+# wired. Delete once that lands.
 #
-# Trigger: runs on a push that touches THIS file. workflow_dispatch is kept too,
-# but Gitea only exposes manual dispatch for workflows on the DEFAULT branch
-# (main) — and all our CI is still on `ci` — so push is how we drive it for now.
-# Bring the Mac up before pushing a change here so the run isn't left queued.
-#
-# Answers: does the `macos:host` runner pick up jobs, does it run on the host,
-# what arch + macOS version, is the Xcode SDK present (needed to link arboard's
-# AppKit), and which build toolchain is available (nix? rustup? bare cargo?) —
-# plus git/node for actions/checkout.
-name: macos-probe
+# Push-triggered (workflow_dispatch only works for workflows on the default
+# branch; our CI is on `ci`). Runs when the flake/toolchain or this file change.
+# Bring the Mac up before pushing so the run isn't left queued.
+name: macos-build-test
 on:
   push:
     paths:
       - '.gitea/workflows/macos-probe.yaml'
+      - 'flake.nix'
+      - 'rust-toolchain.toml'
   workflow_dispatch:
 
 jobs:
-  probe:
-    # Label NAME only. The runner was registered as `macos:host`, but `:host` is
-    # act_runner's execution-backend schema (run on the host, no container), not
-    # part of the label — so the label is just `macos`.
+  build:
+    # Label NAME only — `:host` in the runner registration is the execution
+    # backend (run on host), not part of the label.
     runs-on: macos
+    env:
+      # Guarantee flakes regardless of the Mac's nix config.
+      NIX_CONFIG: "experimental-features = nix-command flakes"
     steps:
-      - name: identity, SDK, toolchains
+      - uses: actions/checkout@v4
+      - name: build both darwin targets through the flake
         run: |
-          echo "=== uname ==="; uname -a; echo "arch: $(uname -m)"
-          echo "=== macOS version ==="; sw_vers 2>&1 || echo "(sw_vers?)"
-          echo "=== host or container? ==="
-          if [ -f /.dockerenv ]; then echo "/.dockerenv PRESENT -> container"; else echo "host (no /.dockerenv)"; fi
-          echo "=== identity ==="; whoami; id
-          echo ""
-          echo "=== Xcode CLT / SDK (needed to link AppKit) ==="
-          xcode-select -p 2>&1 || echo "(no CLT)"
-          xcrun --show-sdk-path 2>&1 || echo "(no sdk)"
-          clang --version 2>&1 | head -1 || echo "(no clang)"
-          echo ""
-          echo "=== build toolchains on PATH ==="
-          echo "nix:    $(command -v nix    || echo NO)"
-          echo "rustup: $(command -v rustup || echo NO)"
-          echo "cargo:  $(command -v cargo  || echo NO)"
-          echo "rustc:  $(command -v rustc  || echo NO)"
-          rustc --version 2>/dev/null || true
-          echo ""
-          echo "=== git / node (for actions/checkout) ==="
-          echo "git:  $(command -v git  || echo NO)  $(git --version 2>/dev/null)"
-          echo "node: $(command -v node || echo NO)  $(node --version 2>/dev/null)"
+          set -e
+          for t in aarch64-apple-darwin x86_64-apple-darwin; do
+            echo "==================== $t ===================="
+            nix develop -c cargo build --release --target "$t"
+            f="target/$t/release/rdbms-playground"
+            file "$f"
+            echo "--- linked libs (otool -L) ---"
+            otool -L "$f" 2>/dev/null | head -8 || true
+          done
+          echo "=== both darwin targets built ==="

flake.nix

@@ -60,7 +60,15 @@
         packages.rdbms-playground = rdbms-playground;
 
         devShells.default = pkgs.mkShell {
-          inherit buildInputs;
+          buildInputs = buildInputs ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [
+            # macOS release builds (aarch64/x86_64-apple-darwin) link AppKit
+            # (arboard) + libSystem; the nix toolchain's own clang resolves the
+            # frameworks via the Apple SDK provided here. (The Mac runner also
+            # has full Xcode, but the devShell stays self-contained.) `libiconv`
+            # is linked by several crates on darwin.
+            pkgs.apple-sdk
+            pkgs.libiconv
+          ];
           nativeBuildInputs = nativeBuildInputs ++ [
             rust
             # Dev-disk maintenance: cargo never garbage-collects stale per-hash
@@ -68,12 +76,12 @@
             # CLAUDE.md "Build hygiene"). cargo-sweep prunes them; run it
             # periodically between milestones.
             pkgs.cargo-sweep
-            # Cross-compilation for the D1 release matrix. `cargo zigbuild` uses
-            # Zig's bundled clang + libc as one universal cross cc/linker for
-            # every non-macOS target (Linux musl x64/arm64, Windows gnu/gnullvm
-            # x64/arm64) — including the `cc`-crate compile of rusqlite's bundled
-            # SQLite C — with no per-target toolchain or SDK. It auto-discovers
-            # `zig` on PATH, so no extra env is needed.
+          ] ++ pkgs.lib.optionals pkgs.stdenv.isLinux [
+            # Cross-compilation for the non-macOS D1 targets: `cargo zigbuild`
+            # uses Zig's bundled clang + libc as one universal cross cc/linker
+            # (incl. the `cc`-crate compile of rusqlite's bundled SQLite C) for
+            # Linux musl + Windows gnu/gnullvm. macOS builds natively with the
+            # Apple toolchain on the Mac runner, so these are Linux-only.
             pkgs.cargo-zigbuild
             pkgs.zig
           ];
@@ -82,7 +90,6 @@
             echo "RDBMS Playground dev shell ($(uname -s))"
             echo "  rust:   $(rustc --version | cut -d' ' -f1-2)"
             echo "  cargo:  $(cargo --version | cut -d' ' -f1-2)"
-            echo "  zig:    $(zig version 2>/dev/null || echo '?')  (cargo-zigbuild cross targets)"
           '';
         };
       });

rust-toolchain.toml

@@ -18,4 +18,9 @@ targets = [
   "aarch64-unknown-linux-musl",
   "x86_64-pc-windows-gnu",
   "aarch64-pc-windows-gnullvm",
+  # macOS — built natively on the Apple-Silicon Mac runner (aarch64 native,
+  # x86_64 cross). These need Apple's SDK to link, which a Linux runner can't
+  # supply, so they are produced only on the Mac (see docs/ci/adr ADR-ci-003).
+  "aarch64-apple-darwin",
+  "x86_64-apple-darwin",
 ]