Maintainer Otto-209 directive: "we are going to do macos once a day scheduled, for both repos, unless acehack is getting it free."

Ships the design from PR #345 (nightly-cross-platform workflow design doc) as a concrete workflow. Zeta-side lands here; lucent-ksk parallel workflow filed as BACKLOG row for cross-repo coordination.

Matrix: ubuntu-22.04 + windows-2022 + macos-14.
Cron: daily 09:00 UTC.
Fork-scoping: scheduled trigger fires only on the canonical repo; manual dispatch + PR trigger on this workflow file still work on forks.

Cost model (Otto-164 verification outcome):
- Linux: free on public repos
- Windows: free on public repos (standard runner)
- macOS: $0.062/min (larger-runner billing). ~15min * 30 days = ~$28/month worst-case for Zeta canonical.

PR-gate workflow (gate.yml) stays Linux-only — untouched.

Rollback: delete macos-14 from matrix (one-line), or delete this workflow file entirely. No impact on gate.yml.

Security: no user-authored github.event fields referenced (only github.repository / github.ref / github.event_name / runner.os / matrix.os are used). SHA-pinned actions per FACTORY-HYGIENE row #43. actionlint clean locally.

Composes with PR #345 design doc (still in queue), PR #343 Otto-161-declined-verification history, FACTORY-HYGIENE row #51 cross-platform parity audit (detect-only → this workflow is the enforcement mechanism when baseline is green), and Otto-164 billing-verification memory.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
Adds a new GitHub Actions workflow to run a daily cross-platform build/test matrix to increase confidence beyond the Linux-only PR gate, while keeping macOS usage cost-capped by cadence.
Changes:
- Introduces .github/workflows/nightly-cross-platform.yml with schedule + workflow_dispatch triggers and a 3-OS matrix.
- Adds caching (SDK + NuGet) and uploads TRX test results as artifacts.
- Adds fork-scoping logic intended to prevent scheduled runs on non-canonical repos.
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os: [ubuntu-22.04, windows-2022, macos-14] | ||
| runs-on: ${{ matrix.os }} |
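Review bot: Nothing in these job lines sets `timeout-minutes`, and with `fail-fast: false` a hung leg is not cancelled when another leg fails. If the job does not set it elsewhere, add a `timeout-minutes` value close to the expected ~15 min runtime so a stuck `macos-14` leg cannot run to the default job limit of 360 minutes at the billed rate.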
P0: This workflow’s matrix includes windows-2022, but tools/setup/install.sh hard-fails on non-Linux/non-macOS (it exits with “unsupported OS … Windows backlogged”). As written, the Windows leg will fail every run. Either drop Windows from the matrix for now, or add Windows support to the toolchain bootstrap (and adjust the workflow accordingly).
| # Otto-164 pricing verification outcome (see | ||
| # docs/research/nightly-cross-platform-workflow-design.md | ||
| # and the BACKLOG "Otto-161 macOS CI enablement" | ||
| # history for the verification trace). |
The header comment references docs/research/nightly-cross-platform-workflow-design.md, but there is no such file under docs/research/ in this repo. Please update the reference to an existing design doc (or add the referenced doc) so the breadcrumb doesn’t rot.
| # Otto-164 pricing verification outcome (see | |
| # docs/research/nightly-cross-platform-workflow-design.md | |
| # and the BACKLOG "Otto-161 macOS CI enablement" | |
| # history for the verification trace). | |
| # Otto-164 pricing verification outcome; see the | |
| # BACKLOG "Otto-161 macOS CI enablement" history for | |
| # the verification trace. |
| # Manual dispatch + PR trigger on the workflow file | ||
| # still work on forks so contributors can opt in. | ||
| if: >- | ||
| github.repository == 'Lucent-Financial-Group/Zeta' | ||
| || github.event_name == 'workflow_dispatch' | ||
| || github.event_name == 'pull_request' |
Operational/security: pull_request is enabled and the job-level if: allows all PR runs. That means an external fork can open a PR that touches this workflow file and trigger the full matrix (including billed macOS) on the canonical repo. If the intent is only to exercise workflow edits for trusted branches, consider restricting PR runs to same-repo heads (e.g., gate on github.event.pull_request.head.repo.full_name == github.repository) and leaving forks to validate via workflow_dispatch on their fork.
| # Manual dispatch + PR trigger on the workflow file | |
| # still work on forks so contributors can opt in. | |
| if: >- | |
| github.repository == 'Lucent-Financial-Group/Zeta' | |
| || github.event_name == 'workflow_dispatch' | |
| || github.event_name == 'pull_request' | |
| # Manual dispatch still works on forks so contributors | |
| # can opt in there. PR runs are restricted to same-repo | |
| # heads so external forks cannot trigger the billed | |
| # matrix on the canonical repo. | |
| if: >- | |
| github.repository == 'Lucent-Financial-Group/Zeta' | |
| || github.event_name == 'workflow_dispatch' | |
| || ( | |
| github.event_name == 'pull_request' | |
| && github.event.pull_request.head.repo.full_name == github.repository | |
| ) |
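Review bot: In the suggested `if:`, the first clause `github.repository == 'Lucent-Financial-Group/Zeta'` is still OR-ed with the rest, and `github.repository` is the repository the run executes in, which for a `pull_request` event is the base repository. A PR opened from a fork against the canonical repo therefore satisfies the first clause, and the added `head.repo.full_name` comparison never decides the outcome there. Suggest scoping the repository check to the scheduled trigger, `(github.event_name == 'schedule' && github.repository == 'Lucent-Financial-Group/Zeta')`, and keeping the other two clauses as written.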
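An added example, not part of the PR or the review: a small Python model of the job-level `if:` variants, evaluated over constructed trigger scenarios. It assumes `github.repository` names the repository the run executes in (the base repository for a `pull_request` event); `contributor/Zeta` and `scoped_if` are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

CANONICAL = "Lucent-Financial-Group/Zeta"
FORK = "contributor/Zeta"  # constructed fork name, for illustration only


@dataclass(frozen=True)
class Run:
    event: str                       # github.event_name
    repository: str                  # github.repository (where the run executes)
    head_repo: Optional[str] = None  # github.event.pull_request.head.repo.full_name


def original_if(r: Run) -> bool:
    """The `if:` as first submitted."""
    return (r.repository == CANONICAL
            or r.event == "workflow_dispatch"
            or r.event == "pull_request")


def suggested_if(r: Run) -> bool:
    """The `if:` from the review suggestion (same-repo head check added)."""
    return (r.repository == CANONICAL
            or r.event == "workflow_dispatch"
            or (r.event == "pull_request" and r.head_repo == r.repository))


def scoped_if(r: Run) -> bool:
    """Hypothetical variant: the canonical-repo check applies to `schedule` only."""
    return ((r.event == "schedule" and r.repository == CANONICAL)
            or r.event == "workflow_dispatch"
            or (r.event == "pull_request" and r.head_repo == r.repository))


# Constructed scenarios: (event, repository the run executes in, PR head repo).
SCENARIOS = {
    "schedule on canonical": Run("schedule", CANONICAL),
    "schedule on fork": Run("schedule", FORK),
    "dispatch on fork": Run("workflow_dispatch", FORK),
    "same-repo PR on canonical": Run("pull_request", CANONICAL, CANONICAL),
    "fork PR into canonical": Run("pull_request", CANONICAL, FORK),
}


def truth_table() -> dict:
    """Map scenario name -> (original, suggested, scoped) job-run decisions."""
    return {name: (original_if(r), suggested_if(r), scoped_if(r))
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, row in truth_table().items():
        print(f"{name:27} original={row[0]} suggested={row[1]} scoped={row[2]}")
```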
| - name: Cache .NET SDK | ||
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | ||
| with: | ||
| path: ~/.dotnet | ||
| key: dotnet-${{ runner.os }}-${{ hashFiles('global.json', 'tools/setup/common/dotnet.sh') }} | ||
|
|
||
| - name: Cache NuGet packages | ||
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | ||
| with: | ||
| path: | | ||
| ~/.nuget/packages | ||
| ~/.local/share/NuGet | ||
| key: nuget-${{ runner.os }}-${{ hashFiles('Directory.Packages.props') }} | ||
|
|
||
| - name: Install toolchain (GOVERNANCE §24 single source) | ||
| shell: bash | ||
| run: ./tools/setup/install.sh | ||
|
|
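Review bot: Both cache keys (`dotnet-${{ runner.os }}-…` and `nuget-${{ runner.os }}-…`) separate entries by OS only. `runner.os` is the same for every image of one OS, so if the matrix later gains a second image of that OS on another architecture, the `~/.dotnet` cache would be restored across architectures; adding `${{ runner.arch }}` to the keys avoids that.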
Cost/perf: compared to gate.yml, this workflow only caches ~/.dotnet and NuGet. Since macOS minutes may be billed, consider mirroring the other toolchain caches used in gate.yml (mise runtimes, elan, verifier jars) to keep daily runtime (and cost) down.
Summary
Maintainer Otto-209: "we are going to do macos once a day scheduled, for both repos, unless acehack is getting it free."
Ships the design from PR #345 as a concrete workflow. Zeta-side lands here; lucent-ksk parallel workflow filed as BACKLOG row for cross-repo coordination (needs separate push + verification per Otto-140 authority).
Workflow shape
ubuntu-22.04 + windows-2022 + macos-14
0 9 * * * UTC
Cost (per Otto-164 billing verification)
15 min × 30 days = **$28/month worst-case** for Zeta canonical. Nightly cadence caps exposure regardless of PR activity.
Untouched
gate.yml PR-gate stays Linux-only — no change to that workflow.
Rollback
Delete macos-14 from matrix (one-line diff) or delete the workflow file entirely.
Security
No user-authored github.event.* fields referenced. Only first-party trusted context (github.repository, github.ref, github.event_name, runner.os, matrix.os). SHA-pinned actions per FACTORY-HYGIENE row #43.
Validation
Test plan
Composes with
🤖 Generated with Claude Code