chore: support building Coder Desktop .dylib (#15512)

Relates to #14734.

scripts/build_go.sh

@@ -2,7 +2,7 @@
 
 # This script builds a single Go binary of Coder with the given parameters.
 #
-# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto]
+# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto] [--dylib]
 #
 # Defaults to linux:amd64 with slim disabled, but can be controlled with GOOS,
 # GOARCH and CODER_SLIM_BUILD=1. If no version is specified, defaults to the
@@ -25,6 +25,9 @@
 #
 # If the --boringcrypto parameter is specified, builds use boringcrypto instead of
 # the standard go crypto libraries.
+#
+# If the --dylib parameter is specified, the Coder Desktop `.dylib` is built
+# instead of the standard binary. This is only supported on macOS arm64 & amd64.
 
 set -euo pipefail
 # shellcheck source=scripts/lib.sh
@@ -36,12 +39,14 @@ arch="${GOARCH:-amd64}"
 slim="${CODER_SLIM_BUILD:-0}"
 sign_darwin="${CODER_SIGN_DARWIN:-0}"
 sign_windows="${CODER_SIGN_WINDOWS:-0}"
+bin_ident="com.coder.cli"
 output_path=""
 agpl="${CODER_BUILD_AGPL:-0}"
 boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
 debug=0
+dylib=0
 
-args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,boringcrypto,debug -- "$@")"
+args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,boringcrypto,dylib,debug -- "$@")"
 eval set -- "$args"
 while true; do
 	case "$1" in
@@ -78,6 +83,10 @@ while true; do
 		boringcrypto=1
 		shift
 		;;
+	--dylib)
+		dylib=1
+		shift
+		;;
 	--debug)
 		debug=1
 		shift
@@ -168,18 +177,31 @@ if [[ "$agpl" == 1 ]]; then
 fi
 
 cgo=0
+if [[ "$dylib" == 1 ]]; then
+	if [[ "$os" != "darwin" ]]; then
+		error "dylib builds are not supported on $os"
+	fi
+	cgo=1
+	cmd_path="./vpn/dylib/lib.go"
+	build_args+=("-buildmode=c-shared")
+	SDKROOT="$(xcrun --sdk macosx --show-sdk-path)"
+	export SDKROOT
+	bin_ident="com.coder.vpn"
+fi
+
 goexp=""
 if [[ "$boringcrypto" == 1 ]]; then
 	cgo=1
 	goexp="boringcrypto"
 fi
 
-GOEXPERIMENT="$goexp" CGO_ENABLED="$cgo" GOOS="$os" GOARCH="$arch" GOARM="$arm_version" go build \
+GOEXPERIMENT="$goexp" CGO_ENABLED="$cgo" GOOS="$os" GOARCH="$arch" GOARM="$arm_version" \
+	go build \
 	"${build_args[@]}" \
 	"$cmd_path" 1>&2
 
 if [[ "$sign_darwin" == 1 ]] && [[ "$os" == "darwin" ]]; then
-	execrelative ./sign_darwin.sh "$output_path" 1>&2
+	execrelative ./sign_darwin.sh "$output_path" "$bin_ident" 1>&2
 fi
 
 if [[ "$sign_windows" == 1 ]] && [[ "$os" == "windows" ]]; then

scripts/release/publish.sh

@@ -180,10 +180,13 @@ if [[ "$stable" == 1 ]]; then
 fi
 
 target_commitish=main # This is the default.
-release_branch_refname=$(git branch --remotes --contains "${new_tag}" --format '%(refname)' '*/release/*')
-if [[ -n "${release_branch_refname}" ]]; then
-	# refs/remotes/origin/release/2.9 -> release/2.9
-	target_commitish="release/${release_branch_refname#*release/}"
+# Skip during dry-runs
+if [[ "$dry_run" == 0 ]]; then
+	release_branch_refname=$(git branch --remotes --contains "${new_tag}" --format '%(refname)' '*/release/*')
+	if [[ -n "${release_branch_refname}" ]]; then
+		# refs/remotes/origin/release/2.9 -> release/2.9
+		target_commitish="release/${release_branch_refname#*release/}"
+	fi
 fi
 
 # We pipe `true` into `gh` so that it never tries to be interactive.

scripts/sign_darwin.sh

@@ -3,11 +3,14 @@
 # This script signs the provided darwin binary with an Apple Developer
 # certificate.
 #
-# Usage: ./sign_darwin.sh path/to/binary
+# Usage: ./sign_darwin.sh path/to/binary binary_identifier
 #
 # On success, the input file will be signed using the Apple Developer
 # certificate.
 #
+# For the Coder CLI, the binary_identifier should be "com.coder.cli".
+# For the CoderVPN `.dylib`, the binary_identifier should be "com.coder.vpn".
+#
 # You can check if a binary is signed by running the following command on a Mac:
 #   codesign -dvv path/to/binary
 #
@@ -25,15 +28,23 @@ set -euo pipefail
 # shellcheck source=scripts/lib.sh
 source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
 
+if [[ "$#" -lt 2 ]]; then
+	echo "Usage: $0 path/to/binary binary_identifier"
+	exit 1
+fi
+
+BINARY_PATH="$1"
+BINARY_IDENTIFIER="$2"
+
 # Check dependencies
 dependencies rcodesign
 requiredenvs AC_CERTIFICATE_FILE AC_CERTIFICATE_PASSWORD_FILE
 
 # -v is quite verbose, the default output is pretty good on it's own.
 rcodesign sign \
-	--binary-identifier "com.coder.cli" \
+	--binary-identifier "$BINARY_IDENTIFIER" \
 	--p12-file "$AC_CERTIFICATE_FILE" \
 	--p12-password-file "$AC_CERTIFICATE_PASSWORD_FILE" \
 	--code-signature-flags runtime \
-	"$@" \
+	"$BINARY_PATH" \
 	1>&2