Re-enable macOS CI with DevToolsSecurity configuration and automatic code signing

Open Copilot opened this issue 1 month ago • 3 comments

Re-enable macOS CI with debugging support

Completed

  • [x] Uncomment the MacOS job in .github/workflows/build.yaml
  • [x] Add DevToolsSecurity step to enable debugging on macOS runner
  • [x] Modified Makefile to auto-sign binaries when built on macOS
  • [x] Use prerequisite instead of recursive make for signing
  • [x] Removed redundant pre-build step from workflow
  • [x] Update .mergify.yml to require macOS CI for merging

Latest Changes (commit addressing review feedback)

Makefile Improvement: Changed from using recursive make (@$(MAKE) sign) to using sign as a prerequisite of all. This is cleaner and more idiomatic:

  • all: $(TARGETS) sign ensures sign runs after building
  • sign: $(TARGETS) guarantees binaries exist before signing
  • Removed the file existence check since the dependency ensures binaries are built

How It Works

The run_tests script builds test binaries with make -j all. The Makefile now:

  1. Builds all targets in parallel when using -j
  2. Runs the sign target after all targets are built (dependency ensures correct order)
  3. Signs binaries on macOS with the required entitlements for debugging

Original prompt

Problem

In PR #949, macOS CI tests that use debuggers were disabled because upgrading from macos-13 to macos-14 caused debugger-related tests to fail. The issue is that newer macOS versions have stricter security requirements for debugging.

The previous attempt in PR #949 added:

  1. An entitlements.plist file with get-task-allow entitlement in tests/testdata/cpp/simple/
  2. A make sign target in the Makefile to codesign binaries with the entitlement

However, this wasn't sufficient because DevToolsSecurity needs to be enabled on the runner before debuggers can attach to processes.

Solution

Re-enable the macOS CI job in .github/workflows/build.yaml with the following changes:

  1. Uncomment the MacOS job (lines 99-179 approximately)
  2. Add a step to enable DevToolsSecurity before running tests:
    - name: 'Enable Developer Mode for debugging'
      run: |
        sudo DevToolsSecurity -enable
        sudo security authorizationdb write system.privilege.taskport allow
    
  3. Add a step to sign test binaries before running tests:
    - name: 'Sign test binaries for debugging'
      run: |
        cd tests/testdata/cpp/simple
        make clean all sign
    
  4. Update .mergify.yml to uncomment the status-success=MacOS (vim) lines so that macOS CI is required again for merging.

Files to modify

  1. .github/workflows/build.yaml - Uncomment the MacOS job and add the DevToolsSecurity and signing steps
  2. .mergify.yml - Uncomment all the # - status-success=MacOS (vim) lines

Testing

The PR should trigger the macOS CI job, which will validate that the fix works.

This pull request was created as a result of the prompt above, from Copilot chat.

Copilot, Dec 09 '25 22:12

@copilot it doesn't look like it's working. breakpoints.test.vim shouldn't take this long to run

puremourning, Dec 09 '25 22:12

@copilot it doesn't look like it's working. breakpoints.test.vim shouldn't take this long to run

Fixed in commit 8459907. The issue was that run_tests builds binaries with make -j all, but they weren't being signed. I updated the Makefile to automatically sign binaries on macOS after building them, so now whenever the tests build the binaries, they'll be properly signed for debugging.

Copilot, Dec 09 '25 22:12
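
A preflight check for the two conditions this thread relies on (developer mode enabled on the runner, test binaries signed with get-task-allow), so that a missing signature fails fast rather than surfacing as a slow breakpoints.test.vim run. This is an added example, not code from the vimspector repository; the function names, the constructed sample plists, the `codesign --xml` display form and the assumed wording of the `DevToolsSecurity -status` output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR. Names and samples below are hypothetical.

# Constructed sample entitlements plists (not taken from the repository).
SAMPLE_SIGNED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key>
  <true/>
</dict></plist>'
SAMPLE_DENIED='<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key>
  <false/>
</dict></plist>'

# Succeeds when the entitlements plist on stdin sets get-task-allow to true.
# Accepts the bare key and the com.apple.security.-prefixed macOS key.
has_get_task_allow() {
    tr -d ' \t\r\n' | grep -Eq \
        '<key>(com\.apple\.security\.)?get-task-allow</key><true/>'
}

# Succeeds when developer mode is on (assumed status wording, see lead-in).
devmode_enabled() {
    DevToolsSecurity -status 2>&1 | grep -q 'currently enabled'
}

# Checks one binary on a macOS runner: 0 = debuggable, 1 = not, 2 = missing.
check_binary() {
    bin=$1
    [ -f "$bin" ] || { echo "missing: $bin"; return 2; }
    # Assumed invocation: display the embedded entitlements as XML on stdout.
    if codesign -d --entitlements - --xml "$bin" 2>/dev/null | has_get_task_allow
    then
        echo "ok: $bin"
    else
        echo "no get-task-allow entitlement: $bin"
        return 1
    fi
}

# Usage: preflight.sh BINARY...   (with no arguments only the functions load)
if [ "$#" -gt 0 ]; then
    devmode_enabled || { echo "DevToolsSecurity is not enabled"; exit 1; }
    for b in "$@"; do
        check_binary "$b" || exit 1
    done
fi
```

Run as a workflow step after the build and before the tests, passing the built test binaries as arguments.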