
Conversation

@littledivy (Member)

This includes fixes from denoland/sui@e229ef1

@coderabbitai

coderabbitai bot commented Nov 26, 2025

Walkthrough

Updated macOS CI runners from macos-13 to macos-15-intel in .github/workflows/ci.generate.ts and the generated .github/workflows/ci.yml, affecting macOS x86_64 matrix entries and the PR fallback. Re-enabled the "Setup tmate session" step (uses mxschmitt/action-tmate@v3) and gated it for debug/test/bench jobs on macOS or when building Deno. Cargo.toml now pulls libsui from the git repo https://github.com/denoland/sui on branch find_section_search_intel. cli/standalone/binary.rs treats empty data as a standalone binary in addition to ELF/PE/Mach-O checks. No public API or signature changes.

Estimated code review effort

Medium | ~10–20 minutes

  • Verify CI runner labels use macos-15-intel.
  • Confirm the Setup tmate session step conditions and placement.
  • Ensure libsui git dependency (branch find_section_search_intel) builds and tests pass.
  • Review is_standalone_binary change (empty data) for regressions.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title directly reflects the main changes: updating macOS runners to macos-15-intel in CI configuration.
Description check ✅ Passed The description references a specific commit with related fixes, providing context for the changes even though it's minimal.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b067fd and a6419a2.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • Cargo.toml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • Cargo.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: test debug linux-aarch64
  • GitHub Check: test debug windows-x86_64
  • GitHub Check: test release linux-x86_64
  • GitHub Check: test debug linux-x86_64
  • GitHub Check: test debug macos-aarch64
  • GitHub Check: test debug macos-x86_64
  • GitHub Check: lint debug windows-x86_64
  • GitHub Check: build libs
  • GitHub Check: lint debug macos-x86_64
  • GitHub Check: lint debug linux-x86_64



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0bd52c4 and c0c4c86.

📒 Files selected for processing (3)
  • .github/workflows/ci.generate.ts (1 hunks)
  • .github/workflows/ci.yml (2 hunks)
  • Cargo.toml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-24T16:19:37.808Z
Learnt from: CR
Repo: denoland/deno PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:19:37.808Z
Learning: Use `cargo update` to update Cargo dependencies to latest compatible versions

Applied to files:

  • Cargo.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build libs
🔇 Additional comments (2)
.github/workflows/ci.yml (1)

63-63: LGTM - generated file changes are consistent.

The macOS runner updates from macos-13 to macos-15-intel are correctly applied across the build and lint matrices, consistent with the source changes in ci.generate.ts.

Also applies to: 68-68, 765-765

.github/workflows/ci.generate.ts (1)

15-15: The macos-15-intel runner label is valid and officially available on GitHub Actions.

Verification confirms that macos-15-intel is a documented, supported runner label provided by GitHub for macOS 15 with Intel (x86_64) architecture. No CI failures will occur due to runner unavailability. The code is correct as written.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f71cd9b and 0954696.

📒 Files selected for processing (2)
  • .github/workflows/ci.generate.ts (2 hunks)
  • .github/workflows/ci.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: test debug linux-x86_64
  • GitHub Check: test release linux-x86_64
  • GitHub Check: test release linux-aarch64
  • GitHub Check: test debug linux-aarch64
  • GitHub Check: test debug windows-x86_64
  • GitHub Check: test debug macos-aarch64
  • GitHub Check: test debug macos-x86_64
  • GitHub Check: lint debug windows-x86_64
  • GitHub Check: lint debug macos-x86_64
  • GitHub Check: lint debug linux-x86_64
  • GitHub Check: build libs
🔇 Additional comments (3)
.github/workflows/ci.yml (2)

63-63: macOS runner label updates look good.

The updates from macos-13 to macos-15-intel are applied consistently across the build and lint job matrices for macOS x86_64. The conditional logic on line 68 (PR-based fallback to ubuntu-24.04) is preserved correctly.

Also applies to: 68-68, 771-771


396-401: The tmate action version is current and maintained.

The mxschmitt/action-tmate@v3 action uses the latest v3 release (v3.23, released October 23, 2025). This major version pinning follows semantic versioning best practices and is the recommended usage pattern in the action's documentation. No concerns with the version specification.

.github/workflows/ci.generate.ts (1)

15-15: macOS x86 runner label update looks good

Using macos-15-intel via the macosX86Runner constant cleanly propagates to all macOS x86 matrix entries; no further changes needed here.

Comment on lines 697 to 705
{
name: "Setup tmate session",
if: [
"(matrix.job == 'test' || matrix.job == 'bench') &&",
"matrix.profile == 'debug' && (matrix.os == 'macos' ||",
"github.repository == 'denoland/deno')",
].join("\n"),
uses: "mxschmitt/action-tmate@v3",
},


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, check the exact content at lines 697-705
sed -n '690,710p' .github/workflows/ci.generate.ts

Repository: denoland/deno

Length of output: 170


🏁 Script executed:

#!/bin/bash
# Check the file at the specified lines
sed -n '690,720p' .github/workflows/ci.generate.ts

Repository: denoland/deno

Length of output: 170


🌐 Web query:

mxschmitt/action-tmate v3 interactive session blocking behavior

💡 Result:

Summary: By default mxschmitt/action-tmate@v3 starts a tmate session and blocks the job — it waits (pauses) until the tmate session is finished (typically when the connected user exits). If you want the job to continue immediately, use detached: true; detached mode starts the session, prints connection info, continues the next steps, and then waits at the end of the job for the session to exit (and will auto-terminate after 10 minutes if nobody connects). [1][2]

Sources:

  • README (mxschmitt/action-tmate v3). [1]
  • Documentation site (action-tmate). [2]

🌐 Web query:

deno ci workflow debug tmate session best practices

💡 Result:

Here are concise best practices for using tmate to debug Deno CI workflows (securely and effectively):

  1. Make debugging opt‑in (manual or on failure)

    • Enable tmate only for workflow_dispatch with a debug input or run it when a job fails (if: failure()). (github.com)
  2. Prefer detached / short sessions and explicit timeouts

    • Use detached mode or set timeout-minutes so sessions don’t keep runners alive indefinitely. (github.com)
  3. Minimize privileges and secrets exposure

    • Don’t expose secrets to PRs or forked runs; scope GITHUB_TOKEN permissions and avoid running tmate for untrusted events. Revoke/rotate tokens after debugging. (github.blog)
  4. Limit who can access the session

    • Restrict session access to repository actors or trusted teams; prefer actions that support “limit-access-to-actor” or equivalent. Use audit logs to track access. (github.com)
  5. Use ephemeral keys / ephemeral sessions

    • Prefer ephemeral SSH keys or web‑based tmate connections that expire automatically. Configure automatic shutdown if no one connects. (mxschmitt.github.io)
  6. Keep sensitive operations out of debug sessions

    • Don’t run deploys, secret dumps, or production‑affecting commands inside tmate sessions. Treat the runner as ephemeral and untrusted. (github.blog)
  7. Combine with Deno’s local debugging options

    • For application debugging prefer Deno flags (--inspect, --inspect-wait, --inspect-brk) and IDE tools; use tmate for runner/system-level investigation only. (docs.deno.com)
  8. Repro and artifact hygiene

    • Save logs, test artifacts, and failing input so you can reproduce fixes without re‑opening sessions. Clean workspace before finishing. (mxschmitt.github.io)
  9. Use a narrow scope and ephemeral runners when possible

    • If you use self‑hosted runners, be extra cautious: isolate runner, wipe state after debug, or prefer GitHub-hosted runners for temporary sessions. (docs.github.com)
  10. Automate safe defaults in workflow templates

    • Provide a standard debug step (conditional, timeboxed, least‑privilege) in your reusable workflow so teams follow the same secure pattern. (github.com)

If you want, I can:

  • Generate a ready-to-use GitHub Actions snippet for Deno that integrates tmate with timeouts, manual enable, and least-privilege settings.
  • Or produce a checklist for post-debug cleanup (token rotation, runner wipe).

Re-enabled tmate step will run on every eligible debug test/bench job and block CI indefinitely

The mxschmitt/action-tmate@v3 action blocks by default until the tmate session is manually terminated. Configuring it to run on every debug test/bench job (all matrix.job == 'test' || 'bench' with matrix.profile == 'debug' on macOS or the denoland/deno repository) will halt routine CI runs unless someone actively connects to the session.

According to GitHub Actions security best practices, tmate sessions should be opt-in only—either triggered manually via workflow_dispatch with a debug input or enabled conditionally on failure (if: failure()). If this is intentional for ad-hoc debugging, consider gating behind a workflow input or label, or use detached mode with an explicit timeout to prevent indefinite blocking.

🤖 Prompt for AI Agents
.github/workflows/ci.generate.ts around lines 697 to 705: the tmate step as
written will start an interactive session that blocks the job indefinitely for
every debug test/bench matrix entry; change it so tmate is opt-in or nonblocking
by gating the step behind a workflow input (e.g., only run when a debug input is
set) or run it only on failure (if: failure()), or configure the action in
detached mode with an explicit timeout so it cannot block CI indefinitely.
