Add macOS runtime packaging and release support

Add Taskfile tasks for building, packaging, and fetching macOS runtime
and firmware tarballs (build-runner-darwin, package-runtime-darwin,
package-firmware-darwin, fetch-runtime-darwin, fetch-firmware-darwin).

Update release workflow to build macOS arm64 artifacts on macos-15,
include them in GitHub Releases, and push OCI artifacts to ghcr.io.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

.github/workflows/release.yaml

@@ -60,10 +60,53 @@ jobs:
           name: propolis-firmware-linux-${{ matrix.arch }}
           path: dist/propolis-firmware-linux-${{ matrix.arch }}.tar.gz
 
+  build-artifacts-darwin:
+    name: Build macOS (${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      matrix:
+        include:
+          - arch: arm64
+            runner: macos-15
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Task
+        uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+
+      - name: Install libkrun via Homebrew
+        run: |
+          brew tap slp/krun
+          brew install libkrun libkrunfw
+
+      - name: Build runner and copy libraries
+        run: task build-runner-darwin VERSION=${{ github.ref_name }}
+
+      - name: Package runtime tarball
+        run: task package-runtime-darwin TAG=${{ github.ref_name }}
+
+      - name: Package firmware tarball
+        run: task package-firmware-darwin TAG=${{ github.ref_name }}
+
+      - name: Upload runtime artifact
+        uses: actions/upload-artifact@v6
+        with:
+          name: propolis-runtime-darwin-${{ matrix.arch }}
+          path: dist/propolis-runtime-darwin-${{ matrix.arch }}.tar.gz
+
+      - name: Upload firmware artifact
+        uses: actions/upload-artifact@v6
+        with:
+          name: propolis-firmware-darwin-${{ matrix.arch }}
+          path: dist/propolis-firmware-darwin-${{ matrix.arch }}.tar.gz
+
   create-release:
     name: Create Release
     runs-on: ubuntu-latest
-    needs: build-artifacts
+    needs: [build-artifacts, build-artifacts-darwin]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -86,6 +129,8 @@ jobs:
             propolis-runtime-linux-arm64.tar.gz \
             propolis-firmware-linux-amd64.tar.gz \
             propolis-firmware-linux-arm64.tar.gz \
+            propolis-runtime-darwin-arm64.tar.gz \
+            propolis-firmware-darwin-arm64.tar.gz \
             sha256sums.txt
 
   push-oci:
@@ -126,3 +171,41 @@ jobs:
           oras push ghcr.io/stacklok/propolis/firmware:${{ github.ref_name }}-linux-${{ matrix.arch }} \
             --artifact-type application/vnd.stacklok.propolis.firmware \
             propolis-firmware-linux-${{ matrix.arch }}.tar.gz:application/gzip
+
+  push-oci-darwin:
+    name: Push OCI macOS (${{ matrix.arch }})
+    runs-on: ubuntu-latest
+    needs: build-artifacts-darwin
+    strategy:
+      matrix:
+        include:
+          - arch: arm64
+    steps:
+      - name: Download runtime artifact
+        uses: actions/download-artifact@v7
+        with:
+          name: propolis-runtime-darwin-${{ matrix.arch }}
+
+      - name: Download firmware artifact
+        uses: actions/download-artifact@v7
+        with:
+          name: propolis-firmware-darwin-${{ matrix.arch }}
+
+      - name: Install oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Login to ghcr.io
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push runtime OCI artifact
+        run: |
+          oras push ghcr.io/stacklok/propolis/runtime:${{ github.ref_name }}-darwin-${{ matrix.arch }} \
+            --artifact-type application/vnd.stacklok.propolis.runtime \
+            propolis-runtime-darwin-${{ matrix.arch }}.tar.gz:application/gzip
+
+      - name: Push firmware OCI artifact
+        run: |
+          oras push ghcr.io/stacklok/propolis/firmware:${{ github.ref_name }}-darwin-${{ matrix.arch }} \
+            --artifact-type application/vnd.stacklok.propolis.firmware \
+            propolis-firmware-darwin-${{ matrix.arch }}.tar.gz:application/gzip

Taskfile.yaml

@@ -68,6 +68,18 @@ tasks:
       # Hypervisor.framework requires entitlements
       - codesign --entitlements assets/entitlements.plist --force -s - bin/{{.RUNNER_NAME}}
 
+  build-runner-darwin:
+    desc: Build runner + copy Homebrew dylibs for macOS packaging
+    platforms: [darwin]
+    cmds:
+      - task: build-dev-darwin
+      - cp $(brew --prefix libkrun)/lib/libkrun.dylib bin/
+      - cp $(brew --prefix libkrunfw)/lib/libkrunfw.dylib bin/
+    generates:
+      - bin/{{.RUNNER_NAME}}
+      - bin/libkrun.dylib
+      - bin/libkrunfw.dylib
+
   build-dev-race:
     desc: Build runner with race detector (requires libkrun-devel)
     env:
@@ -227,6 +239,40 @@ tasks:
         tar czf "dist/${staging}.tar.gz" "${staging}"
         rm -rf "${staging}"
 
+  package-runtime-darwin:
+    desc: Package macOS runtime tarball (runner + libkrun)
+    platforms: [darwin]
+    vars:
+      TAG: '{{.TAG | default .VERSION}}'
+    cmds:
+      - mkdir -p dist
+      - |
+        staging="propolis-runtime-darwin-{{.HOST_ARCH}}"
+        mkdir -p "${staging}"
+        cp bin/propolis-runner bin/libkrun.dylib "${staging}/"
+        echo "{{.TAG}}" > "${staging}/VERSION"
+        tar czf "dist/${staging}.tar.gz" "${staging}"
+        rm -rf "${staging}"
+
+  package-firmware-darwin:
+    desc: Package macOS firmware tarball (libkrunfw, GPL-licensed)
+    platforms: [darwin]
+    vars:
+      TAG: '{{.TAG | default .VERSION}}'
+    cmds:
+      - mkdir -p dist
+      - |
+        staging="propolis-firmware-darwin-{{.HOST_ARCH}}"
+        mkdir -p "${staging}"
+        cp bin/libkrunfw.dylib "${staging}/"
+        echo "{{.TAG}}" > "${staging}/VERSION"
+        cat > "${staging}/LICENSE-GPL" <<'LICEOF'
+        libkrunfw is licensed under the GNU General Public License v2.0 (GPL-2.0).
+        See https://github.com/containers/libkrunfw for full license text.
+        LICEOF
+        tar czf "dist/${staging}.tar.gz" "${staging}"
+        rm -rf "${staging}"
+
   # =============================================================================
   # Fetch Pre-built Artifacts
   # =============================================================================
@@ -259,6 +305,34 @@ tasks:
       - tar -xzf bin/propolis-firmware-linux-{{.HOST_ARCH}}.tar.gz -C bin/ --strip-components=1
       - rm -f bin/propolis-firmware-linux-{{.HOST_ARCH}}.tar.gz
 
+  fetch-runtime-darwin:
+    desc: Download pre-built macOS runtime tarball from GitHub Release
+    vars:
+      RELEASE_TAG: '{{.RELEASE_TAG | default .VERSION}}'
+    cmds:
+      - mkdir -p bin
+      - >-
+        gh release download {{.RELEASE_TAG}}
+        --repo stacklok/propolis
+        --pattern "propolis-runtime-darwin-{{.HOST_ARCH}}.tar.gz"
+        --dir bin/ --clobber
+      - tar -xzf bin/propolis-runtime-darwin-{{.HOST_ARCH}}.tar.gz -C bin/ --strip-components=1
+      - rm -f bin/propolis-runtime-darwin-{{.HOST_ARCH}}.tar.gz
+
+  fetch-firmware-darwin:
+    desc: Download pre-built macOS firmware tarball from GitHub Release
+    vars:
+      RELEASE_TAG: '{{.RELEASE_TAG | default .VERSION}}'
+    cmds:
+      - mkdir -p bin
+      - >-
+        gh release download {{.RELEASE_TAG}}
+        --repo stacklok/propolis
+        --pattern "propolis-firmware-darwin-{{.HOST_ARCH}}.tar.gz"
+        --dir bin/ --clobber
+      - tar -xzf bin/propolis-firmware-darwin-{{.HOST_ARCH}}.tar.gz -C bin/ --strip-components=1
+      - rm -f bin/propolis-firmware-darwin-{{.HOST_ARCH}}.tar.gz
+
   fetch-runtime-oci:
     desc: Pull pre-built runtime OCI artifact from ghcr.io
     vars: