.github/workflows/os-check.yml: split make_check into make_check_linux and make_check_macos

The previous structure left make_check as "Ubuntu matrix + 5 macOS configs
attached via include:" alongside a separate make_check_linux job. Two
Linux-first jobs with overlapping purpose plus an include: hack to bolt
macOS onto the first one was confusing.

Refactor to a symmetric pair, each with its own plain matrix:

  - make_check_linux: all 51 previous make_check configs plus the 18
    previous make_check_linux configs, merged into one 69-entry list with
    a section comment delimiting the two original groupings.
  - make_check_macos: 5 curated configs as a plain matrix, no include:
    indirection.

No coverage change vs. the previous commit; this is purely structural.
Branch protection rules upstream that reference the old job names
("make check", "make check (Linux only)", or any specific
"(macos-latest, ...)" combination) will need updating.

Author: claude

.github/workflows/os-check.yml

@@ -13,20 +13,18 @@ concurrency:
 # END OF COMMON SECTION
 
 jobs:
-  # The full config matrix runs on Ubuntu only. macOS runs the curated subset
-  # under include: below, covering the code paths that genuinely differ on
-  # Darwin (sys-ca-certs / Apple Security.framework, BSD-socket DTLS,
-  # crypto-callback dispatch) plus broad key-crypto via --enable-all.
-  make_check:
+  # Ubuntu config matrix. macOS is covered separately by make_check_macos
+  # below with a curated subset; configs here either have equivalent macOS
+  # coverage there or exercise no Darwin-specific code.
+  make_check_linux:
     strategy:
       fail-fast: false
       matrix:
-        # WARNING: keep this list to a single OS. Adding another value here
-        # cross-products with all configs below and silently re-adds dozens
-        # of jobs. Add new OSes via include: instead.
-        os: [ ubuntu-24.04 ]
         config: [
-          # Add new configs here
+          # Add new configs here.
+          # --- Configs whose macOS-relevant paths are covered by
+          #     make_check_macos (sys-ca-certs, --enable-all, DTLS-CID,
+          #     cryptocb dispatch). ---
           '',
           '--enable-all --enable-asn=template',
           '--enable-all --enable-asn=original',
@@ -93,61 +91,9 @@ jobs:
           '--enable-ocsp --enable-ocsp-responder --enable-ocspstapling CPPFLAGS="-DWOLFSSL_NONBLOCK_OCSP" --enable-maxfragment',
           '--enable-all CPPFLAGS=-DWOLFSSL_HASH_KEEP',
           '--enable-all --enable-writedup',
-        ]
-        include:
-          # Curated macOS coverage. Each entry exists for a Darwin-specific
-          # reason; do not add entries that only re-test platform-agnostic
-          # crypto already exercised in --enable-all.
-          #
-          # 1) Default build: --enable-sys-ca-certs is auto-on on macOS, so
-          #    this exercises Apple keychain / system trust loading in
-          #    src/ssl_load.c that has no Linux equivalent.
-          - os: macos-latest
-            config: ''
-          # 2) Broad key-crypto + Security.framework + opensslextra in one
-          #    run (RSA, ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448,
-          #    HMAC, sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT
-          #    enable cryptocb or SHE, so those have their own entries below.
-          - os: macos-latest
-            config: '--enable-all --enable-asn=template'
-          # 3) Negative test: ensure the explicit-disable path still builds
-          #    and runs cleanly on the only OS that auto-enables sys-ca-certs.
-          - os: macos-latest
-            config: '--disable-sys-ca-certs'
-          # 4) DTLS over BSD sockets on Darwin: connection-ID, fragmented
-          #    ClientHello, secure renegotiation, PSK, AES-CCM, null cipher
-          #    -- exercises recvmsg/MTU/datagram handling that differs from
-          #    Linux.
-          - os: macos-latest
-            config: '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
-              --enable-psk --enable-aesccm --enable-nullcipher
-              CPPFLAGS=-DWOLFSSL_STATIC_RSA'
-          # 5) Crypto-callback dispatcher on macOS clang. Not covered by
-          #    --enable-all; verifies the cryptocb find/setkey/keygen path
-          #    compiles and runs on Apple Silicon's compiler toolchain.
-          - os: macos-latest
-            config: '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey'
-    name: make check
-    if: github.repository_owner == 'wolfssl'
-    runs-on: ${{ matrix.os }}
-    # This should be a safe limit for the tests to run.
-    timeout-minutes: 14
-    steps:
-      - name: Build and test wolfSSL
-        uses: wolfSSL/actions-build-autotools-project@v1
-        with:
-          configure: CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
-          check: true
-
-  # Linux-only configs. These are tests where the make_check job above
-  # already provides equivalent coverage on macOS via its include: entries
-  # (or where the config exercises no Darwin-specific code at all), so
-  # running them on macOS would only duplicate signal on a slow runner.
-  make_check_linux:
-    strategy:
-      fail-fast: false
-      matrix:
-        config: [
+          # --- Configs that exercise no Darwin-specific code at all
+          #     (pure crypto algorithms, preprocessor guards, features
+          #     with no platform-specific code paths). ---
           '--enable-ascon --enable-experimental',
           '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
           # PKCS#7 with RSA-PSS (CMS RSASSA-PSS signers)
@@ -169,7 +115,7 @@ jobs:
           '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
           '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
         ]
-    name: make check (Linux only)
+    name: make check (Linux)
     if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
@@ -181,10 +127,54 @@ jobs:
           configure: CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
           check: true
 
+  # Curated macOS subset. Each config exists for a Darwin-specific reason;
+  # do not add entries that only re-test platform-agnostic crypto already
+  # covered by the corresponding Linux run.
+  make_check_macos:
+    strategy:
+      fail-fast: false
+      matrix:
+        config: [
+          # Default build: --enable-sys-ca-certs is auto-on on macOS, so
+          # this exercises Apple keychain / system trust loading in
+          # src/ssl_load.c that has no Linux equivalent.
+          '',
+          # Broad key-crypto + Security.framework + opensslextra in one run
+          # (RSA, ECC, AES, SHA-2/3, ChaCha20-Poly1305, Curve25519/448, HMAC,
+          # sniffer, DTLS, OCSP, ...). Note: --enable-all does NOT enable
+          # cryptocb or SHE, so those have their own entries below.
+          '--enable-all --enable-asn=template',
+          # Negative test: ensure the explicit-disable path still builds and
+          # runs cleanly on the only OS that auto-enables sys-ca-certs.
+          '--disable-sys-ca-certs',
+          # DTLS over BSD sockets on Darwin: connection-ID, fragmented
+          # ClientHello, secure renegotiation, PSK, AES-CCM, null cipher --
+          # exercises recvmsg/MTU/datagram handling that differs from Linux.
+          '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
+            --enable-psk --enable-aesccm --enable-nullcipher
+            CPPFLAGS=-DWOLFSSL_STATIC_RSA',
+          # Crypto-callback dispatcher under Apple clang. Not covered by
+          # --enable-all; verifies the cryptocb find/setkey/keygen path
+          # compiles and runs on the macOS toolchain.
+          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey',
+        ]
+    name: make check (macOS)
+    if: github.repository_owner == 'wolfssl'
+    runs-on: macos-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 14
+    steps:
+      - name: Build and test wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          configure: CFLAGS="-pedantic -Wdeclaration-after-statement -Wnull-dereference -Wno-overlength-strings -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
+          check: true
+
   # Run on both OSes: the user_settings.h header-driven build path is
-  # distinct from the autotools-driven --enable-all path in make_check, and
-  # macOS-specific guard ordering (e.g. WOLFSSL_SYS_CA_CERTS pulling in
-  # Security.framework) needs to be exercised under Apple clang here.
+  # distinct from the autotools-driven --enable-all path in
+  # make_check_linux / make_check_macos, and macOS-specific guard ordering
+  # (e.g. WOLFSSL_SYS_CA_CERTS pulling in Security.framework) needs to be
+  # exercised under Apple clang here.
   make_user_settings:
     strategy:
       fail-fast: false
@@ -252,9 +242,9 @@ jobs:
         run: ./wolfcrypt/test/testwolfcrypt
 
   # Has to be dedicated function due to the sed call.
-  # Platform-agnostic; --enable-all macOS coverage in make_check and the
-  # macOS user_settings_all.h run in make_user_settings already cover the
-  # equivalent code paths on Darwin.
+  # Platform-agnostic; --enable-all macOS coverage in make_check_macos and
+  # the macOS user_settings_all.h run in make_user_settings already cover
+  # the equivalent code paths on Darwin.
   make_user_all:
     name: make user_setting.h (with sed)
     if: github.repository_owner == 'wolfssl'