fix: prevent SIGSEGV crash on Homebrew

[MicBun]

resolves: https://github.com/truflation/augustus/issues/2

Summary by CodeRabbit

• Chores
  • Split build and test pipelines into separate Linux and macOS workflows so artifacts are built and validated per-OS, and release publishing waits for both builds.
  • Strengthened native build behavior on macOS to use dynamic linking, repair library references and rpaths, and validate resulting packages to improve compatibility of distributed wheels.

[coderabbitai]

Warning

Rate limit exceeded

@MicBun has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 33 minutes and 20 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7157ba0b-9359-44cd-828f-05747d0a0287

📥 Commits

Reviewing files that changed from the base of the PR and between 3c8d200 and 9deb11b.

📒 Files selected for processing (2)

• .github/workflows/release-build.yml
• Makefile

📝 Walkthrough

Walkthrough

Split cross-platform wheel build/test into OS-specific GitHub Actions jobs: Linux uses explicit Go+Python setup and manual wheel build/testing; macOS uses cibuildwheel (v2.21.3) with pre-build hooks and validates wheels under Homebrew Python. Makefile enables dynamic linking and performs macOS install-name fixups and validation.

Changes

Cohort / File(s)	Summary
GitHub Actions — distribution tests .github/workflows/distribution-test.yml	Replaced unified test-native-build with OS-specific jobs. Linux uses setup-go@v5/setup-python@v5, installs system deps unconditionally on Ubuntu, runs uv+make gopy_build+python -m build, installs wheel from /tmp/wheelhouse and runs tests/distribution/get_account_test.py. macOS uses pypa/cibuildwheel@v2.21.3 (cp312-macosx_arm64), installs Go/Python prereqs in cibuildwheel hooks, builds wheels, then validates by installing wheelhouse/*.whl into a Homebrew Python 3.12 venv and running the same test.
GitHub Actions — release build & publish .github/workflows/release-build.yml	Removed combined matrix build; added build-linux and build-macos. build-linux installs OS packages (incl. patchelf), Go, Python 3.12, runs make gopy_build and python -m build, uploads wheels-linux. build-macos uses cibuildwheel@v2.21.3 with CIBW_BUILD/CIBW_ARCHS_MACOS, pre-build hooks for Go tools and Python deps, uploads wheels-macos-${{ matrix.arch }}. publish now requires both build jobs and collects wheels-* artifacts to publish dist/*.whl on tag.
Build rules Makefile	Enable gopy gen -dynamic-link=true on macOS, set CGO_LDFLAGS_ALLOW and override sub-make LDFLAGS to -undefined dynamic_lookup -Wl,-flat_namespace. After build, set install-name ID on trufnetwork_sdk_c_bindings_go.so, locate and rewrite _trufnetwork_sdk_c_bindings.so's reference to that go-shared lib to @loader_path/..., add @loader_path rpath, emit otool -L diagnostics, and fail if either .so still links against Python.framework/libpython or if the expected reference is missing.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant GH as GitHub Actions
  participant L as build-linux job
  participant M as build-macos job (cibuildwheel)
  participant S as Artifact Storage
  participant P as publish job
  Dev->>GH: push / tag
  GH->>L: start Linux build
  L->>L: setup-go@v5, setup-python@v5\ninstall OS deps, make gopy_build\npython -m build, run distribution test
  L->>S: upload wheels-linux
  GH->>M: start macOS build
  M->>M: run cibuildwheel@v2.21.3\npre-build hooks install Go/Python deps\nbuild macOS wheel(s), validate in Homebrew Python venv
  M->>S: upload wheels-macos
  GH->>P: trigger publish (needs: build-linux, build-macos)
  P->>S: download wheels-*
  P->>P: validate & publish dist/*.whl (on tag)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰
I hopped through CI, split lanes with care,
Linux hums builds, macOS crafts wheels in air,
Loader paths rewritten so libraries roam,
Wheels bundled, then published to find a home,
A happy rabbit cheers—pip installs with flair!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: prevent SIGSEGV crash on Homebrew' directly aligns with the PR's primary objective and all changes across the Makefile and CI workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch macOsPatch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 33 minutes and 20 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[holdex]

Time Submission Status

Member	Status	Time	Action	Last Update
MicBun	✅ Submitted	4h	Update time	May 1, 2026, 7:39 PM

---

You can submit time with the command. Example:

@holdex pr submit-time 15m

See available commands to help comply with our Guidelines.

[holdex]

Bug Report Checklist

Status	Commit Link	Bug Author	HR Card
✅ Submitted	commit link	@MicBun	HR Card

If this commit or author is incorrect, reply in this PR with:

@holdex bug dispute <correct-commit-url> && bug author @correct-user

Use git blame to identify the right commit and author before posting.

See available commands to help comply with our Guidelines.

[MicBun]

@holdex pr submit-time 4h

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/distribution-test.yml (2)

33-36: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update actions/setup-go to v5.

The static analysis flagged actions/setup-go@v4 as potentially too old for current GitHub Actions runners. The same applies to line 79. Update both to v5 for better compatibility.

Proposed fix

       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: '1.24.1'

Apply the same change at line 79 in the macOS job.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/distribution-test.yml around lines 33 - 36, Update the
GitHub Actions step usages of actions/setup-go from v4 to v5: replace both
occurrences of "uses: actions/setup-go@v4" (one in the linux job around the
first setup step and the second in the macOS job) with "uses:
actions/setup-go@v5" so the workflow uses the latest major release for Go setup
in both places.

---

49-52: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update actions/setup-python to v5.

For consistency and better runner compatibility, update to the current major version.

Proposed fix

       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.12'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/distribution-test.yml around lines 49 - 52, Update the
GitHub Actions step that sets up Python (the step named "Set up Python" which
currently uses actions/setup-python@v4) to use actions/setup-python@v5; replace
the uses value with actions/setup-python@v5 and keep the existing python-version
input ('3.12') as-is, ensuring the workflow continues to supply the same
python-version parameter to the new major version.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-build.yml:
- Line 11: The workflow currently uses an overly broad permission setting
(`permissions: write-all`); update the workflow permissions to the least
privilege needed for publishing releases by replacing the global write-all
permission with a scoped permission like `permissions: contents: write` (i.e.,
change the `permissions` entry in the release workflow to only grant contents
write access).
- Around line 22-25: Update the GitHub Actions usage entries for the setup
actions to their v5 majors: replace uses: actions/setup-go@v4 with
actions/setup-go@v5 and replace uses: actions/setup-python@v4 with
actions/setup-python@v5 for each occurrence in the workflow (the three places
where setup-go and setup-python are referenced), ensuring the other with: keys
(e.g., go-version or python-version) remain unchanged.

---

Outside diff comments:
In @.github/workflows/distribution-test.yml:
- Around line 33-36: Update the GitHub Actions step usages of actions/setup-go
from v4 to v5: replace both occurrences of "uses: actions/setup-go@v4" (one in
the linux job around the first setup step and the second in the macOS job) with
"uses: actions/setup-go@v5" so the workflow uses the latest major release for Go
setup in both places.
- Around line 49-52: Update the GitHub Actions step that sets up Python (the
step named "Set up Python" which currently uses actions/setup-python@v4) to use
actions/setup-python@v5; replace the uses value with actions/setup-python@v5 and
keep the existing python-version input ('3.12') as-is, ensuring the workflow
continues to supply the same python-version parameter to the new major version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6809bc97-fca7-439a-937c-d5e72a7d1cb5

📥 Commits

Reviewing files that changed from the base of the PR and between 0f07db2 and 86df731.

📒 Files selected for processing (3)

• .github/workflows/distribution-test.yml
• .github/workflows/release-build.yml
• Makefile

[MicBun]

@holdex bug commit e2859bc && bug author @georgeciubotaru

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

Makefile (1)

3-3: ⚡ Quick win

Enforce the minimum gopy version for this new flag.

setup.py:16-23 still shells out to make gopy_build during install, so this target now depends on a gopy gen option that upstream documents on the gen command. If check_dependencies() doesn't reject older gopy binaries first, source installs will fail at build time with an opaque CLI error. Please either pin/document the minimum supported gopy version or validate it before invoking this target. (github.com)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 3, The Makefile's new gopy gen usage requires a minimum
gopy version so add a runtime check in setup.py's check_dependencies() (which is
called before the Makefile gopy_build target is invoked) to call `gopy
--version`, parse the semantic version, and fail with a clear error instructing
the user to upgrade if the installed gopy is older than the minimum supported
version (use e.g. >=0.5.0); ensure the error message mentions the gopy version
requirement and suggests installation/upgrading steps so source installs fail
fast with a helpful message.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Makefile`:
- Around line 19-21: Add a hard assertion after the otool -L checks to fail the
build if either binary still references Python by searching the otool output for
"Python.framework" or "libpython"; run `otool -L
src/trufnetwork_sdk_c_bindings/_trufnetwork_sdk_c_bindings.so` and `otool -L
src/trufnetwork_sdk_c_bindings/trufnetwork_sdk_c_bindings_go.so`, pipe each
output to grep -E for "Python.framework|libpython" and if grep finds a match
exit with non-zero status (causing make to fail) and print a clear error message
indicating which .so still contains Python references so CI cannot pass when
those references remain.

---

Nitpick comments:
In `@Makefile`:
- Line 3: The Makefile's new gopy gen usage requires a minimum gopy version so
add a runtime check in setup.py's check_dependencies() (which is called before
the Makefile gopy_build target is invoked) to call `gopy --version`, parse the
semantic version, and fail with a clear error instructing the user to upgrade if
the installed gopy is older than the minimum supported version (use e.g.
>=0.5.0); ensure the error message mentions the gopy version requirement and
suggests installation/upgrading steps so source installs fail fast with a
helpful message.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: df8af075-66e3-4a8a-bd8b-bf82cd311a79

📥 Commits

Reviewing files that changed from the base of the PR and between 86df731 and 7235708.

📒 Files selected for processing (1)

• Makefile

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-build.yml:
- Around line 88-111: Add a smoke-test step between the "Build wheels with
cibuildwheel" step and the "Upload wheels" step that installs the macOS wheel
from wheelhouse/*.whl into a matching interpreter (use actions/setup-python with
the same Python version as CIBW_BUILD / cp312) and runs a quick import and basic
runtime check (pip install wheelhouse/*.whl && python -c "import
<your_package_module>; print('ok')") so the job fails if the wheel cannot be
loaded on the built interpreter; ensure the step runs per-matrix (uses
matrix.arch/matrix.goarch) and returns a non-zero exit on failure so Upload
wheels only runs for validated wheels.

In `@Makefile`:
- Around line 34-56: The Darwin fixup block in the Makefile (the sequence
calling install_name_tool, otool, and setting GO_SO_OLD) can continue after a
failing command because it runs in one shell with simple semicolons; change it
to fail fast by enabling errexit for that shell or checking each command's exit
status: wrap the Darwin branch commands with "set -e" (or prefix the block with
"set -o errexit") or chain critical calls (install_name_tool, otool, the
install_name_tool -change and -add_rpath invocations) with && so any failure
immediately triggers exit and the make target fails; ensure the GO_SO_OLD
determination and its subsequent install_name_tool -change are guarded so a
missing/failed otool causes an immediate exit rather than continuing with broken
state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d46fb917-ed46-4168-8ed0-54abe79b118d

📥 Commits

Reviewing files that changed from the base of the PR and between 7235708 and 3c8d200.

📒 Files selected for processing (3)

• .github/workflows/distribution-test.yml
• .github/workflows/release-build.yml
• Makefile

[georgeciubotaru]

@holdex bug dispute 3c961cb && bug author @MicBun