feat: add Swift macOS CI workflow (#207)

Author: jr200

.github/workflows/ci_swift.yaml

@@ -0,0 +1,75 @@
+name: template-ci-swift
+
+on:
+  workflow_call:
+    inputs:
+      checkout-ref:
+        description: "checkout ref (leave empty to use the event's natural ref)"
+        required: false
+        type: string
+        default: ""
+      project:
+        description: "Path to the Xcode project"
+        required: false
+        type: string
+        default: "Glossa.xcodeproj"
+      scheme:
+        description: "Xcode scheme to build and test"
+        required: false
+        type: string
+        default: "Glossa"
+      configuration:
+        description: "Xcode build configuration"
+        required: false
+        type: string
+        default: "Debug"
+      derived-data-path:
+        description: "DerivedData output path"
+        required: false
+        type: string
+        default: ".build/DerivedData"
+      run-tests:
+        description: "Whether to run xcodebuild test"
+        required: false
+        type: boolean
+        default: true
+      runner:
+        description: "Runner label for macOS/Xcode builds"
+        required: false
+        type: string
+        default: ""
+
+jobs:
+  build-and-test:
+    runs-on: ${{ inputs.runner || fromJSON(vars.RUNNER_PROFILES)[vars.RUNNER_PROFILE].macos }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.checkout-ref }}
+
+      - name: Show Xcode version
+        run: xcodebuild -version
+
+      - name: Build
+        run: >
+          xcodebuild
+          -project "${{ inputs.project }}"
+          -scheme "${{ inputs.scheme }}"
+          -configuration "${{ inputs.configuration }}"
+          -derivedDataPath "${{ inputs.derived-data-path }}"
+          CODE_SIGNING_ALLOWED=NO
+          CODE_SIGNING_REQUIRED=NO
+          build
+
+      - name: Test
+        if: inputs.run-tests
+        run: >
+          xcodebuild
+          -project "${{ inputs.project }}"
+          -scheme "${{ inputs.scheme }}"
+          -configuration "${{ inputs.configuration }}"
+          -derivedDataPath "${{ inputs.derived-data-path }}"
+          CODE_SIGNING_ALLOWED=NO
+          CODE_SIGNING_REQUIRED=NO
+          test

AGENTS.md

@@ -52,6 +52,7 @@ Current groups:
 | `node-bench` | node-bench | repo has a Node/pnpm benchmark workflow and wants the shared manual benchmark caller |
 | `npm-package` | publish-npm-package | repo publishes a Node package to npmjs.com on release (needs `secrets.NPMJS_API_TOKEN`) |
 | `go` | ci-go | repo has `go.mod` |
+| `swift` | ci-swift | repo is a native Swift/Xcode app, including macOS app development |
 | `docker` | build-docker-image | repo publishes a docker image to ghcr.io |
 | `quarto-docs` | publish-quarto-docs | repo publishes a Quarto site from `docs` to `gh-pages` |
 | `helm-chart` | build-helm-chart | repo publishes a Helm chart (needs `vars.HELM_CHART_REPO` + `secrets.CHARTS_WRITE_TOKEN`) |
@@ -91,11 +92,11 @@ The canonical caller workflows encode invariants that are easy to break by hand
 
 - **Top-level `permissions:`** — only the caller's *top-level* permissions cascade into reusable workflows. Job-level permissions on the caller are silently ignored when the caller invokes a reusable. Missing this on `build_docker_image.yaml` was the keymint v1.0.0 silent build failure.
 - **Secret name match** — the reusable declares a secret name; the caller must pass it under exactly that name. `app_private_key` vs `INTEGRATION_APP_PRIVATE_KEY` is a one-character bug that fails the run at startup.
-- **Runner forwarding** — every reusable that runs jobs takes a `runner:` input parameterised via `vars.RUNNER_PROFILES[vars.RUNNER_PROFILE].default`. Hard-coded `ubuntu-latest` is forbidden.
+- **Runner forwarding** — every reusable that runs jobs takes a `runner:` input parameterised via `vars.RUNNER_PROFILES[vars.RUNNER_PROFILE].<role>`. Linux CI generally uses `default`; native Swift/Xcode macOS app CI uses `macos`. Hard-coded labels such as `ubuntu-latest` or `macos-latest` are forbidden.
 
 ## Tests: unit vs integration
 
-The canonical `ci-python` / `ci-go` / `ci-node` callers run **lint + unit tests only**. Integration tests — anything that needs external infrastructure (database, message bus, S3, etc.) — stay **bespoke per repo** in a separate `integration-tests.yaml` workflow that owns its own service setup, fixtures, and secrets.
+The canonical `ci-python` / `ci-go` / `ci-node` / `ci-swift` callers run **lint/build + unit tests only**. For native Swift/Xcode macOS app development, `ci-swift` builds and tests the app scheme on a macOS runner with code signing disabled. Integration tests — anything that needs external infrastructure (database, message bus, S3, etc.) — stay **bespoke per repo** in a separate `integration-tests.yaml` workflow that owns its own service setup, fixtures, and secrets.
 
 Why: each repo's external deps are different, so there's no canonical infra setup that fits every consumer. Pushing infra into the canonical CI would either reintroduce per-repo substitution (rejected — see "How a consuming repo uses this" above) or impose a one-size-fits-none stack on every Python/Go/Node repo.
 

README.md

@@ -1,6 +1,6 @@
 # github-action-templates
 
-Reusable GitHub Actions workflows + canonical caller workflows shared across consumer orgs.
+Reusable GitHub Actions workflows + canonical caller workflows shared across consumer orgs, including native Swift/Xcode macOS app CI.
 
 ## Two halves
 

consumers/groups/swift.yaml

@@ -0,0 +1,3 @@
+# Swift/macOS app source group. Pulls in Xcode build + test on a macOS runner.
+includes:
+  - ci-swift

consumers/workflows/ci-swift.yaml

@@ -0,0 +1,17 @@
+# GENERATED/SHARED WORKFLOW: copied into consuming repos by sync-shared.
+# Do not edit in consuming repos; change jr200-labs/github-action-templates and sync.
+name: ci-swift
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  ci:
+    uses: jr200-labs/github-action-templates/.github/workflows/ci_swift.yaml@master
+    with:
+      runner: ${{ fromJSON(vars.RUNNER_PROFILES)[vars.RUNNER_PROFILE].macos }}