docs(release): correct rationale comment on macos-latest runner

[zkochan]

Summary

The release workflow's comment block on the macos-latest runner choice (added in #11415) attributed darwin SEA crashes to ldid producing bad code-signature page hashes. That theory turned out to be wrong:

• The upstream minimal repro in nodejs/node#62893 is node --build-sea + codesign --sign - + run, with no pnpm and no ldid involved. It still crashes on Intel Mac.
• codesign produces correct page hashes by definition, so if signing were the bug, this repro would work. It doesn't.
• The actual bug is in LIEF's Mach-O surgery during --build-sea for x64 — chained-fixup chain entries get rewritten incorrectly when the SEA segment is inserted, and dyld dereferences the unprocessed chain values at startup.
• Re-signing with anything (codesign, ldid, ProcursusTeam ldid) just covers the structurally broken bytes.

The Node.js team has opted not to fix this on the grounds that x64 macOS is being phased out (related: nodejs/node#59553).

What this changes

Comment-only update to .github/workflows/release.yml. No behaviour change. The job still runs on macos-latest, just for the actually-correct reasons:

1. Native codesign is on the runner — no need to build/install ldid.
2. macos-latest is Apple Silicon, so verify-binary.mjs can execute and smoke-test the darwin-arm64 SEA in place.

The new comment also explicitly notes that this does not fix the darwin-x64 crash — that's an upstream Node.js bug, separately documented in the pack-app docs (pnpm/pnpm.io@36d962f6).

Related

• Issue: pnpm 11.0.3 standalone executable segfaults on Intel macOS (upstream Node.js SEA bug) #11423
• Prior PR with the now-incorrect comment: ci(release): build artifacts on macos-latest to fix darwin-x64 signing #11415
• Upstream Node: SEA: Binary created in Intel MacOS seg faults nodejs/node#62893, test-single-executable-application* tests flaking on macOS nodejs/node#59553, test: skip sea tests on x64 macOS nodejs/node#60250

Test plan

• git diff origin/main shows only the comment change; attestations: write and the Attest build provenance step from ci(release): attest build provenance for release artifacts #11441 are preserved.
• No CI required — comment-only change.

Summary by CodeRabbit

• Documentation
  • Updated release workflow documentation to clarify macOS code signing process and Apple Silicon build details, along with notes on known upstream issues affecting certain build configurations.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the macOS job comments in the release workflow, replacing outdated notes about Linux cross-signing with clarifications about native macOS codesign, Apple Silicon darwin-arm64 execution, and the unresolved upstream darwin-x64 crash in Node.js SEA.

Changes

Workflow Documentation

Layer / File(s)	Summary
Workflow Comments .github/workflows/release.yml	macOS job commentary updated to explain native codesign behavior, why macos-latest runs darwin-arm64, and that the upstream darwin-x64 SEA crash remains unaddressed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• pnpm/pnpm#11415: Moves the macOS release job to macos-latest to enable Apple Silicon execution; this PR clarifies the signing behavior and architecture coverage of that configuration.

Poem

🐰 A comment blooms, old notes fade fast,
Codesign and ARM—the new contrast,
Darwin-arm64 now runs so clear,
While x64's bug stays: "Not here, dear!"

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: updating a documentation comment in the release workflow file to correct the rationale for using the macos-latest runner.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/release-yml-comment

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the explanatory comment in the release workflow to reflect the current understanding of why the release job runs on macos-latest. It keeps the workflow behavior unchanged while correcting the rationale around macOS signing and SEA verification.

Changes:

• Replaces the outdated ldid/page-hash explanation with the current rationale for using macos-latest.
• Clarifies that native codesign and in-place darwin-arm64 verification are the reasons for the macOS runner choice.
• Notes that the darwin-x64 crash remains an upstream Node.js SEA issue rather than something this workflow setting fixes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/release.yml (2)

14-17: ⚡ Quick win

Make the macos-latest/arm64 assumption more future-proof (and linkable).

This comment is likely correct, but it’s currently stated without a pointer. GitHub’s docs map macos-latest to an arm64 (M1) runner label (Intel is available via explicit macos-*-intel labels), so consider referencing that (or rephrasing to emphasize “as of now, macos-latest is arm64”). (docs.github.com)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 14 - 17, Update the comment
around the macOS runner block to qualify the `macos-latest`/arm64 assumption:
reference GitHub docs
(https://docs.github.com/en/actions/reference/github-hosted-runners-reference)
or rephrase to say “as of [date]/currently `macos-latest` maps to an arm64
runner” and mention the Intel labels (`macos-*-intel`) for contrast; keep notes
about why `macos-latest` is chosen for ad-hoc `codesign` and for running
`verify-binary.mjs` on the darwin-arm64 SEA, but add the doc link or “as of”
qualifier to make the comment future-proof and linkable.

---

18-19: ⚡ Quick win

Replace the vague “see pack-app docs” with a concrete reference.

“see pack-app docs” is hard to act on later—please point to the exact doc URL or repo path/section that explains the upstream SEA darwin-x64 crash vs signing. Also, your nodejs/node#62893 reference aligns with the upstream report: Intel Mac segfault after node --build-sea ... followed by codesign --sign -, while arm64 doesn’t repro. (github.com)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 18 - 19, Replace the vague "see
pack-app docs" text with a concrete reference: update the comment that currently
reads "see pack-app docs" to include the exact pack-app docs URL or repo
path/section that explains the upstream SEA darwin-x64 crash vs signing (replace
the placeholder text "see pack-app docs" with that link/path), add the upstream
Node.js issue URL (https://github.com/nodejs/node/issues/62893) and a one-line
parenthetical summary like "(upstream SEA darwin-x64 crash with codesign, see
linked issue and docs for details)"; ensure the new comment still mentions
nodejs/node#62893 and provides both the authoritative pack-app docs location and
the upstream issue link for future reference.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 14-17: Update the comment around the macOS runner block to qualify
the `macos-latest`/arm64 assumption: reference GitHub docs
(https://docs.github.com/en/actions/reference/github-hosted-runners-reference)
or rephrase to say “as of [date]/currently `macos-latest` maps to an arm64
runner” and mention the Intel labels (`macos-*-intel`) for contrast; keep notes
about why `macos-latest` is chosen for ad-hoc `codesign` and for running
`verify-binary.mjs` on the darwin-arm64 SEA, but add the doc link or “as of”
qualifier to make the comment future-proof and linkable.
- Around line 18-19: Replace the vague "see pack-app docs" text with a concrete
reference: update the comment that currently reads "see pack-app docs" to
include the exact pack-app docs URL or repo path/section that explains the
upstream SEA darwin-x64 crash vs signing (replace the placeholder text "see
pack-app docs" with that link/path), add the upstream Node.js issue URL
(https://github.com/nodejs/node/issues/62893) and a one-line parenthetical
summary like "(upstream SEA darwin-x64 crash with codesign, see linked issue and
docs for details)"; ensure the new comment still mentions nodejs/node#62893 and
provides both the authoritative pack-app docs location and the upstream issue
link for future reference.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: fa14b6c9-e883-44ac-8308-1e9694b5fdba

📥 Commits

Reviewing files that changed from the base of the PR and between caf5b7d and dbce37a.

📒 Files selected for processing (1)

• .github/workflows/release.yml