Skip to content

ci: test macOS HVF runtime#91

Open
Max042004 wants to merge 1 commit into
sysprog21:mainfrom
Max042004:ci/macos-hvf
Open

ci: test macOS HVF runtime#91
Max042004 wants to merge 1 commit into
sysprog21:mainfrom
Max042004:ci/macos-hvf

Conversation

@Max042004

@Max042004 Max042004 commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Why

GitHub-hosted macOS runners do not expose Apple's Hypervisor.framework (HVF):
the hosted runner OS itself runs inside a virtualization layer that withholds
HVF, so hv_vm_create() returns HV_UNSUPPORTED. Because of this, the existing
build-macos job can only compile elfuse and verify the HVF entitlement — it
can never actually boot a guest.

This PR adds a runtime-macos job that runs on a self-hosted Apple Silicon
runner (an M4 machine) where HVF is available, so the real runtime path —
booting a Linux guest under HVF + Rosetta — is exercised in CI for the first
time. The hosted build-macos job is unchanged and keeps gating builds as
before; this job runs after it (needs: build-macos).

What the runtime-macos job does

  • runs-on: [self-hosted, macOS, arm64, hvf], needs: build-macos,
    60-minute timeout.
  • Per-ref concurrency: cancels in-progress runs for the same PR, but lets
    main runs finish.
  • Trigger gating (if:): runs on push, or on a pull_request only when
    the PR is from the same repository     (head.repo.full_name == github.repository)
    and carries the ci-hvf label.
    • Fork PRs are deliberately excluded so untrusted code can never execute on
      the physical machine.
    • The ci-hvf label gates it further, so the single physical runner isn't
      tied up by every same-repo PR — you opt a PR in by adding the label.

Steps, in order:

  1. Host infosw_vers, uname -a, sysctl kern.hv_support, assert the
    host is arm64.
  2. Cache + install Homebrew packages (binutils, qemu) — only installs
    what is missing.
  3. Tool versions — make / objcopy / qemu-aarch64 / python3.
  4. Check Rosetta for Linux — verifies
    /Library/Apple/usr/libexec/oah/RosettaLinux/rosetta exists; if not, it
    emits a ::error:: with the exact install command and dumps the oah
    directory to aid debugging.
  5. Build elfuse (make elfuse).
  6. Verify the HVF entitlement is embedded in the binary via codesign.
  7. Run the runtime tests: make test-hello, make test-multi-vcpu,
    make check, then the full bash tests/test-matrix.sh all matrix.

Self-hosted runner setup — must be done by @jserv

This job targets a physical Apple Silicon (M4) machine. Registering and
configuring that runner requires admin rights on sysprog21/elfuse plus
physical/admin access to the machine, so it can only be done by @jserv — I
(the fork author) cannot set this up from my side. The following one-time setup
is needed on the runner host before the job can go green:

  1. Register the self-hosted runner against sysprog21/elfuse
    (Settings → Actions → Runners → New self-hosted runner). Requires repo/org
    admin permission — only @jserv has this.
  2. Apply the runner labels exactly: self-hosted, macOS, arm64, hvf.
    The job's runs-on matches on all four.
  3. Install Rosetta for Linux on the runner: 
    sudo softwareupdate --install-rosetta --agree-to-license
  4. Homebrew available, with binutils and qemu (the job auto-installs any
    that are missing, but Homebrew itself must be present).
  5. Create the ci-hvf label in the repo so same-repo PRs can opt in.

Until @jserv registers and labels the runner, the runtime-macos job stays
queued/pending; nothing else in CI is affected.

Summary by cubic

Add a self-hosted macOS (Apple Silicon, HVF) CI job to run runtime tests on M4 hardware. It builds elfuse and executes the test matrix under HVF.

  • New Features

    • Adds runtime-macos job with labels [self-hosted, macOS, arm64, hvf]; depends on build-macos and uses per-ref concurrency.
    • Triggers on push, or same-repo PRs labeled ci-hvf.
    • Uses actions/checkout@v6 and caches Homebrew downloads via actions/cache@v5.
    • Conditionally installs Homebrew binutils and qemu; sets GNU_OBJCOPY and toolchain env.
    • Verifies Rosetta for Linux, checks HVF entitlement, then runs hello, multi-vcpu, make check, and the full test matrix.

  • Migration

    • Label the self-hosted runner: self-hosted, macOS, arm64, hvf.
    • Install Rosetta for Linux: sudo softwareupdate --install-rosetta --agree-to-license.
    • Ensure Homebrew is available with binutils and qemu installed.

Written for commit a6261c8. Summary will update on new commits.

Review in cubic

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Jun 9, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Re-trigger cubic

@Max042004 Max042004 changed the title ci: test macOS HVF runtime on fork ci: test macOS HVF runtime Jun 9, 2026
@jserv jserv self-assigned this Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

@jserv jserv

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Max042004 @jserv