Publish darwin_arm64 server release artifact

[jarugupj]

Summary

Adds a release-darwin CI job so cutting a release also publishes a macOS server artifact: hypeman_<version>_darwin_arm64.tar.gz.

Today the release workflow builds Linux server artifacts only, so on Apple Silicon macOS curl -fsSL https://get.hypeman.sh | bash fails — the installer looks for hypeman_<version>_darwin_arm64.tar.gz, which is never published, and aborts before the server install completes.

The macOS server links cgo against Apple's Virtualization.framework (via Code-Hex/vz), so it cannot be cross-compiled from the existing Linux release runner. This adds a second job on a GitHub-hosted macos-14 (Apple Silicon) runner that builds and uploads the artifact. macOS runners are free for this public repo.

What the job does

• needs: release — runs after the Linux job, which creates the GitHub Release to attach to.
• make build-darwin builds the server (with the vz-shim embedded), plus go build ./cmd/gen-jwt for the token tool.
• Packages hypeman-api (renamed from the Makefile's bin/hypeman), hypeman-token, and config.example.darwin.yaml into hypeman_<version>_darwin_arm64.tar.gz and uploads it to the release.

Deliberately excluded: hypeman-uffd-pager (Linux userfaultfd only) and any standalone vz-shim (it's embedded into the server binary and re-signed at runtime). Binaries ship unsigned — the installer ad-hoc codesigns hypeman-api with the vz entitlements at install time, so no notarization/Developer-ID is needed for the curl | bash flow.

Notes / limitations

• The darwin archive is uploaded via gh release upload after GoReleaser runs, so it is not listed in GoReleaser's checksums.txt. The installer does not verify checksums, so this doesn't affect installs.
• .goreleaser.yaml is intentionally untouched — GoReleaser can't run the multi-step make build-darwin embed flow in a single go build, so the Mac job builds and uploads directly.

Test plan

• Built end-to-end on real Apple Silicon: make build-darwin + go build ./cmd/gen-jwt succeed, and the staged tarball contains hypeman-api, hypeman-token, and config.example.darwin.yaml at root — matching what scripts/install.sh extracts on macOS.
• Workflow YAML validates.
• The CI job itself (make build-darwin on macos-14 + gh release upload) hasn't fired yet — only a real v* tag exercises the upload. Recommend a test/prerelease tag (or a temporary workflow_dispatch run) before relying on it.

---

Note

Medium Risk
Touches the release pipeline and publishes new production binaries; failure or wrong archive layout would break macOS installs until fixed.

Overview
Adds a release-darwin GitHub Actions job so version tags also ship hypeman_<version>_darwin_arm64.tar.gz, unblocking the macOS installer that expects that asset.

The new job runs on macos-14 after the existing Linux GoReleaser release job (cgo/Virtualization.framework prevents cross-building from Linux). It runs make build-darwin, builds hypeman-token from ./cmd/gen-jwt, stages hypeman-api, hypeman-token, and config.example.darwin.yaml, then gh release uploads the tarball to the same tag (outside GoReleaser/checksums).

^{Reviewed by Cursor Bugbot for commit a61a292. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Created a monitoring plan for this PR.

What this PR does: Adds a macOS arm64 build and release artifact to the hypeman release pipeline — users installing hypeman on Apple Silicon Macs will now get a native darwin_arm64 binary in each release.

Intended effect:

• release-darwin CI job: baseline — no job existed before; confirmed if the job completes with status success on the next v* tag push and a hypeman_*_darwin_arm64.tar.gz asset appears on the GitHub release page.
• Linux release job: baseline — unaffected and continues to run independently; confirmed if its success status is unchanged (the darwin job runs after it, never blocking it).

Risks:

• darwin build failure — make build-darwin cgo/Virtualization.framework link error on macos-14 runner; alert if release-darwin job status = failure on a tag push.
• Upload race / permission error — gh release upload fails if release doesn't exist yet or token lacks write access; alert if no darwin_arm64 asset is present after job completion (the --clobber flag mitigates re-runs).
• Missing config file — config.example.darwin.yaml must exist in the repo root; if deleted before the next tag, the packaging step fails; alert if the build step errors with a cp: no such file message.

Status updates will be posted automatically on this PR as monitoring progresses.

View monitor