ci(openemr-cmd): add macos-smoke-e2e on macos-14 via colima (daily-cron only)

[bradymiller]

⚠️ Pre-merge cleanup required

The if: guard temporarily includes pull_request so this PR's CI can validate the job actually works end-to-end on a macos-14 runner (the alternative would be merging schedule-only blind). Before merge, drop the pull_request clause so the guard reverts to:

if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}

---

Summary

New e2e job exercising one nonworktree-style stack (`openemr-cmd up` from `docker/development-easy/`) on a `macos-14` runner via colima. Pins two contracts on macOS Docker:

1. openemr-cmd happy path works on macOS (not just Linux Docker Engine)
2. HOST_UID adoption holds through colima's Lima VM boundary — `sites/default/sqlconf.php` should end up owned by the runner uid on the host (same probe as Linux `nonworktree-lifecycle-e2e`)

Triggers

`schedule` + `workflow_dispatch` only. Skipped on `push`/`pull_request` via:
```yaml
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
```

Rationale: keeps PR cycle fast. macOS runners are limited in the GH-hosted pool and a stack startup on Apple Silicon + qemu amd64 emulation takes 15-25 min vs ~5 min on Linux. Catching macOS-specific divergence within 24h via the daily cron is the right tradeoff.

Scope (intentionally narrow vs the Linux jobs)

Linux	macOS smoke
worktree lifecycle	—
multi-concurrent (4 stacks)	—
nonworktree lifecycle	✓ (this job)
functional round-trip	—
prek install + real commit	—

Just one stack, one health check, one HTTP smoke, one ownership assertion, one teardown. Heavier macOS-specific coverage can be filed later if this proves stable.

Docker setup

```yaml

• run: brew install colima docker docker-compose
• run: colima start --cpu 4 --memory 8 --disk 30
  ```

macOS GH-hosted runners have brew preinstalled but no Docker. Apple's license forbids Docker Desktop on hosted runners; colima is unrestricted.

Validation path

This PR can't validate the job end-to-end (it's gated to schedule/dispatch). After merge:

1. GitHub Actions UI → openemr-cmd e2e workflow → "Run workflow" → branch=master to verify the job works
2. Tomorrow's daily cron at 06:17 UTC will fire it automatically

If something breaks at runtime, the diagnostics step dumps docker ps, volume ls, colima status, and the last 500 lines of both openemr + mysql container logs.

Test plan

• YAML validates (verified locally via Python yaml.safe_load)
• Job's `if:` guard correctly skips on this PR (visible in the Actions tab — the job should NOT run on this PR)
• Other 5 e2e jobs unaffected — additive change
• After merge: manual `workflow_dispatch` run reaches "OK: bind-mount file owned by uid=…" on macos-14

🤖 Generated with Claude Code

Summary by CodeRabbit

• Tests
  • Added a new macOS smoke-test (tier-2) GitHub Actions job that runs a minimal openemr-cmd up flow on macOS 14 using a colima-provided Docker VM.
  • Provisions the VM with increased CPU/RAM/disk, waits for container health (longer timeout), and performs an HTTP smoke check on localhost:8300.
  • Verifies macOS bind-mount ownership via host UID checks, improves failure diagnostics, and ensures reliable teardown with openemr-cmd down.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a81cd576-1c2e-4cc4-88fa-938b3a469bfd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The workflow adds a macOS-14 colima-backed smoke job for openemr-cmd, with stack startup, health polling, HTTP verification, bind-mount ownership checks, teardown, and failure diagnostics.

Changes

macOS smoke workflow

Layer / File(s)	Summary
macOS smoke job .github/workflows/test-bats-openemr-cmd-real-docker.yml	The workflow note names macos-smoke-e2e, and the job runs on macos-14 with schedule/manual gating and current PR runs.
macOS runtime setup .github/workflows/test-bats-openemr-cmd-real-docker.yml	The job installs openemr-cmd, checks out openemr, reports runner resources, installs Docker, colima, and QEMU, and starts colima with QEMU and sized CPU, memory, and disk settings.
Smoke checks .github/workflows/test-bats-openemr-cmd-real-docker.yml	The job brings up openemr/docker/development-easy, waits for development-easy-openemr-1 to become healthy, performs repeated HTTP checks on port 8300, verifies sqlconf.php ownership against the runner UID, and emits container and colima diagnostics on failure.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openemr/openemr-devops#843: Updates the same workflow with a similar openemr-cmd up → health wait → HTTP smoke → ownership verification flow.
• openemr/openemr-devops#831: Adds another non-worktree openemr-cmd lifecycle job in the same workflow, with overlapping smoke and teardown steps.
• openemr/openemr-devops#818: Extends the same real-docker workflow with a macOS smoke job for openemr-cmd E2E coverage.

Poem

🐇 I hopped on macOS under starlit skies,
openemr-cmd woke up with sleepy eyes.
I sniffed port 8300, warm and bright,
Then checked the files were owned just right.
A tidy burrow, clean and new—
Hooray for smoke tests, and carrots too! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: adding a macOS smoke E2E job for openemr-cmd via colima.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-bats-openemr-cmd-real-docker.yml:
- Around line 1717-1721: Remove the temporary pull_request trigger from the job
condition so the macOS smoke job remains schedule/manual-only before merge.
Update the workflow guard in test-bats-openemr-cmd-real-docker so the if
expression only allows schedule and workflow_dispatch, and make sure the inline
TEMPORARY comment matches that final behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5c697d4f-4deb-46cd-acbe-bd9fae38990f

📥 Commits

Reviewing files that changed from the base of the PR and between 8168856 and ba31e24.

📒 Files selected for processing (1)

• .github/workflows/test-bats-openemr-cmd-real-docker.yml

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Drop the temporary pull_request clause before merge.

Line 1721 still enables this job on pull_request, which contradicts both the PR objective and the inline contract that macOS smoke should stay schedule/manual-only so PR cycles remain fast.

Suggested fix

-    if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' }}
+    if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# TEMPORARY: include pull_request so this PR can validate the job
	# actually works on a macOS runner before merging. Revert to
	# schedule-only (drop the pull_request clause) in the final
	# pre-merge commit on this branch.
	if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' }}
	# TEMPORARY: include pull_request so this PR can validate the job
	# actually works on a macOS runner before merging. Revert to
	# schedule-only (drop the pull_request clause) in the final
	# pre-merge commit on this branch.
	if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-bats-openemr-cmd-real-docker.yml around lines 1717 -
1721, Remove the temporary pull_request trigger from the job condition so the
macOS smoke job remains schedule/manual-only before merge. Update the workflow
guard in test-bats-openemr-cmd-real-docker so the if expression only allows
schedule and workflow_dispatch, and make sure the inline TEMPORARY comment
matches that final behavior.

[bradymiller]

Pivoting to arm64 Linux runners (ubuntu-24.04-arm) instead — see follow-up PR. The macOS approach hit a fundamental wall (free GH macos-14 can't run Linux VMs reliably; macos-13 Intel pool is being phased out + queues for 10+ min). arm64 Linux gives us the actual signal (arm-architecture image verification) without the macOS-VM brittleness, since Docker on Linux uses native containerization regardless of CPU arch.