From 5c57ac365518f4237032516f43a6c71d68996826 Mon Sep 17 00:00:00 2001
From: Conrad Kramer <conrad@conradkramer.com>
Date: Wed, 18 Mar 2026 22:58:10 -0700
Subject: [PATCH] Use macOS-safe runner workdir

---
 services/forgejo-nsc/internal/nsc/macos.go     | 15 +++++++++++----
 services/forgejo-nsc/internal/nsc/macos_nsc.go |  4 +---
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/services/forgejo-nsc/internal/nsc/macos.go b/services/forgejo-nsc/internal/nsc/macos.go
index 9bf3837..42bb798 100644
--- a/services/forgejo-nsc/internal/nsc/macos.go
+++ b/services/forgejo-nsc/internal/nsc/macos.go
@@ -125,6 +125,16 @@ func macosComputeBaseImageID(baseImageID string) string {
 	}
 }
 
+func macosWorkDir(workdir string) string {
+	workdir = strings.TrimSpace(workdir)
+	switch workdir {
+	case "", "/var/lib/forgejo-runner":
+		return "/tmp/forgejo-runner"
+	default:
+		return workdir
+	}
+}
+
 type nscBearerTokenFile struct {
 	BearerToken string `json:"bearer_token"`
 }
@@ -183,10 +193,7 @@ func (d *Dispatcher) launchMacOSRunner(ctx context.Context, runnerName string, r
 	httpClient := &http.Client{Timeout: 60 * time.Second}
 	client := computev1betaconnect.NewComputeServiceClient(httpClient, d.opts.ComputeBaseURL)
 
-	workdir := d.opts.WorkDir
-	if strings.TrimSpace(workdir) == "" {
-		workdir = "/tmp/forgejo-runner"
-	}
+	workdir := macosWorkDir(d.opts.WorkDir)
 
 	env := map[string]string{
 		"FORGEJO_INSTANCE_URL":   req.InstanceURL,
diff --git a/services/forgejo-nsc/internal/nsc/macos_nsc.go b/services/forgejo-nsc/internal/nsc/macos_nsc.go
index 6e7273f..e7b8023 100644
--- a/services/forgejo-nsc/internal/nsc/macos_nsc.go
+++ b/services/forgejo-nsc/internal/nsc/macos_nsc.go
@@ -305,9 +305,7 @@ func (d *Dispatcher) destroyNSCInstance(ctx context.Context, runnerName, instanc
 }
 
 func macosBootstrapWrapperScript(runnerName string, req LaunchRequest, executor, workdir string) string {
-	if strings.TrimSpace(workdir) == "" {
-		workdir = "/tmp/forgejo-runner"
-	}
+	workdir = macosWorkDir(workdir)
 
 	// Pass all values via stdin script so secrets do not appear in the nsc ssh argv.
 	env := map[string]string{