# THROWAWAY build smoke-test for the macOS (Tart) runner. Verifies both
# *-apple-darwin targets actually compile and link (incl. arboard's AppKit)
# through the flake on the real Mac, before the full release-macos workflow is
# wired. Delete once that lands.
#
# Push-triggered (workflow_dispatch only works for workflows on the default
# branch; our CI is on `ci`). Runs when the flake/toolchain or this file change.
# Bring the Mac up before pushing so the run isn't left queued.
name: macos-build-test
on:
  push:
    paths:
      - '.gitea/workflows/macos-probe.yaml'
      - 'flake.nix'
      - 'rust-toolchain.toml'
  workflow_dispatch:

jobs:
  build:
    # Label NAME only — `:host` in the runner registration is the execution
    # backend (run on host), not part of the label.
    runs-on: macos
    env:
      # Guarantee flakes regardless of the Mac's nix config.
      NIX_CONFIG: "experimental-features = nix-command flakes"
    steps:
      - uses: actions/checkout@v4
      - name: build, de-nix, sign, verify both darwin targets
        run: |
          set -e
          for t in aarch64-apple-darwin x86_64-apple-darwin; do
            echo "==================== $t ===================="
            nix develop -c cargo build --release --target "$t"
            f="target/$t/release/rdbms-playground"

            # The darwin stdenv bakes a /nix/store libiconv load path into the
            # binary. Rewrite it to the system libiconv (every Mac has it, ABI-
            # compatible), then re-sign ad-hoc — install_name_tool invalidates
            # the signature and arm64 won't run an unsigned/broken-sig binary.
            for l in $(otool -L "$f" | awk '/\/nix\/store.*libiconv.*dylib/ {print $1}'); do
              echo "rewrite $l -> /usr/lib/libiconv.2.dylib"
              install_name_tool -change "$l" /usr/lib/libiconv.2.dylib "$f"
            done
            codesign --force --sign - "$f"

            echo "--- linked libs ---"; otool -L "$f"
            if otool -L "$f" | grep -q /nix/store; then
              echo "ERROR: $t still links a /nix/store dylib"; exit 1
            fi
            codesign --verify --verbose=2 "$f" && echo "signature OK"

            # Smoke-run the natively-runnable target (this VM is arm64).
            if [ "$t" = "aarch64-apple-darwin" ]; then
              echo "--- run --help ---"; "$f" --help | head -1
            else
              echo "(skip run: $t needs Rosetta)"
            fi
            echo "OK: $t portable"
          done
          echo "=== both darwin targets built, de-nixed, signed, verified ==="