From d7872dad88e3aab3814a653496e09281d937ad1a Mon Sep 17 00:00:00 2001
From: Dhi Aurrahman <dio@rockybars.com>
Date: Sun, 13 Nov 2022 17:33:18 +0700
Subject: [PATCH 1/4] Enable FIPS for Linux only

Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
---
 .github/workflows/commit.yaml  | 6 +++---
 .github/workflows/release.yaml | 6 ++----
 Makefile                       | 4 ++--
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/commit.yaml b/.github/workflows/commit.yaml
index 8d162304..2765a900 100644
--- a/.github/workflows/commit.yaml
+++ b/.github/workflows/commit.yaml
@@ -56,7 +56,7 @@ jobs:
       fail-fast: false # don't fail fast as sometimes failures are operating system specific.
       matrix:
         os:
-          - "macos-11"
+          - "macos-12"
           - "ubuntu-18.04"
         mode:
           - "default"
@@ -100,7 +100,7 @@ jobs:
 
       # Prepare clang tooling and config when it is required.
       - name: Setup clang
-        if: matrix.mode == 'clang' || matrix.mode == 'clang-fips'
+        if: runner.os == 'Linux' && (matrix.mode == 'clang' || matrix.mode == 'clang-fips')
         # This downloads the required clang tooling when it is not downloaded yet.
         run: |
           make clang.bazelrc
@@ -108,7 +108,7 @@ jobs:
 
       # Set BAZEL_FLAGS to FIPS mode only when it is required.
       - name: Setup FIPS mode
-        if: matrix.mode == 'clang-fips'
+        if: runner.os == 'Linux' && matrix.mode == 'clang-fips'
         run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV
 
       - name: Run all tests
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b919fa8c..e22485bc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -62,7 +62,7 @@ jobs:
 
       # Prepare clang tooling and config when it is required.
       - name: Setup clang
-        if: matrix.mode == 'clang' || matrix.mode == 'clang-fips'
+        if: runner.os == 'Linux' && (matrix.mode == 'clang' || matrix.mode == 'clang-fips')
         # This downloads the required clang tooling when it is not downloaded yet.
         # GITHUB_REF: refs/tags/0.5.1-rc1, resulted VERSION: "0.5.1".
         run: |
@@ -72,7 +72,7 @@ jobs:
 
       # Set BAZEL_FLAGS to FIPS mode only when it is required.
       - name: Setup FIPS mode
-        if: matrix.mode == 'clang-fips'
+        if: runner.os == 'Linux' && matrix.mode == 'clang-fips'
         run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV
 
       - name: Create artifacts
@@ -124,5 +124,3 @@ jobs:
             dist-Linux-clang/**/*.tar.gz
             dist-Linux-clang-fips/**/*.tar.gz
             dist-macOS-default/**/*.tar.gz
-            dist-macOS-clang/**/*.tar.gz
-            dist-macOS-clang-fips/**/*.tar.gz
diff --git a/Makefile b/Makefile
index 45fd4c3c..22b095de 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ main_target     := //src/main:$(binary_name)
 # Always use amd64 for bazelisk for build and test rules below, since we don't support for macOS
 # arm64 (with --host_javabase=@local_jdk//:jdk) yet (especially the protoc-gen-validate project:
 # "no matching toolchains found for types @io_bazel_rules_go//go:toolchain").
-bazel        := GOARCH=amd64 $(go) run $(bazelisk@v) --output_user_root=$(bazel_cache_dir)
+bazel        := GOARCH=amd64 $(go) run $(bazelisk@v) $(if $(CI),--output_user_root=$(bazel_cache_dir),)
 buildifier   := $(go_tools_dir)/buildifier
 envsubst     := $(go_tools_dir)/envsubst
 protodoc     := $(go_tools_dir)/protodoc
@@ -90,7 +90,7 @@ build-%:
 dist: dist/$(binary_name)_$(goos)_amd64_$(MODE)_$(VERSION).tar.gz
 
 # Since we don't do cross-compilation yet (probably we can do it later via `zig cc`), we can only
-# build artifact for the current `os` and `mode` pair (e.g. {os: 'macOS', mode: 'clang-fips'}).
+# build artifact for the current `os` and `mode` pair (e.g. {os: 'linux', mode: 'clang-fips'}).
 dist/$(binary_name)_$(goos)_amd64_$(MODE)_$(VERSION).tar.gz: $(stripped_binary) ## Create build artifacts
 	@$(eval DIST_DIR := $(shell mktemp -d))
 	@cp -f LICENSE $(DIST_DIR)

From 05034eaf118ed93c72c48d36b18d4838f6f372d4 Mon Sep 17 00:00:00 2001
From: Dhi Aurrahman <dio@rockybars.com>
Date: Sun, 13 Nov 2022 17:34:14 +0700
Subject: [PATCH 2/4] Fix

Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
---
 .github/workflows/commit.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/commit.yaml b/.github/workflows/commit.yaml
index 2765a900..2d4d9e47 100644
--- a/.github/workflows/commit.yaml
+++ b/.github/workflows/commit.yaml
@@ -56,7 +56,7 @@ jobs:
       fail-fast: false # don't fail fast as sometimes failures are operating system specific.
       matrix:
         os:
-          - "macos-12"
+          - "macos-11"
           - "ubuntu-18.04"
         mode:
           - "default"

From 749def001fab313d1cb95dccc70547aa75c898ea Mon Sep 17 00:00:00 2001
From: Dhi Aurrahman <dio@rockybars.com>
Date: Sun, 13 Nov 2022 18:06:22 +0700
Subject: [PATCH 3/4] Use include

Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
---
 .github/workflows/commit.yaml  | 15 +++++++--------
 .github/workflows/release.yaml | 15 +++++++--------
 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/commit.yaml b/.github/workflows/commit.yaml
index 2d4d9e47..b3c6d2fe 100644
--- a/.github/workflows/commit.yaml
+++ b/.github/workflows/commit.yaml
@@ -55,14 +55,13 @@ jobs:
     strategy:
       fail-fast: false # don't fail fast as sometimes failures are operating system specific.
       matrix:
-        os:
-          - "macos-11"
-          - "ubuntu-18.04"
-        mode:
-          - "default"
-          # On CI, by default, we use libc++.
-          - "clang"
-          - "clang-fips"
+        include:
+          - os: macos-11
+            mode: default
+          - os: ubuntu-18.04
+            mode: clang
+          - os: ubuntu-18.04
+            mode: clang-fips
     steps:
       - name: Cancel when duplicated
         uses: styfle/cancel-workflow-action@0.4.1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e22485bc..670cca56 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -17,14 +17,13 @@ jobs:
     strategy:
       fail-fast: false # don't fail fast as sometimes failures are operating system specific.
       matrix:
-        os:
-          - "macos-11"
-          - "ubuntu-18.04"
-        mode:
-          - "default"
-          # By default we use libc++.
-          - "clang"
-          - "clang-fips"
+        include:
+          - os: macos-11
+            mode: default
+          - os: ubuntu-18.04
+            mode: clang
+          - os: ubuntu-18.04
+            mode: clang-fips
     steps:
       - name: Cancel when duplicated
         uses: styfle/cancel-workflow-action@0.4.1

From aa2f833b0245ca5c048f618da94d48c95dc908b0 Mon Sep 17 00:00:00 2001
From: Dhi Aurrahman <dio@rockybars.com>
Date: Sun, 13 Nov 2022 18:10:55 +0700
Subject: [PATCH 4/4] No default for Linux

Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
---
 .github/workflows/release.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 670cca56..9d52a3e4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -119,7 +119,6 @@ jobs:
         uses: softprops/action-gh-release@v1
         with:
           files: |
-            dist-Linux-default/**/*.tar.gz
             dist-Linux-clang/**/*.tar.gz
             dist-Linux-clang-fips/**/*.tar.gz
             dist-macOS-default/**/*.tar.gz