ci: remove dylib build pipeline (#22592)

## Summary

The macOS `.dylib` is only used by Coder Desktop macOS v0.7.2 or older.
v0.7.2 was released in August 2025. v0.8.0 of Coder Desktop macOS, also
released in August 2025, uses a signed Coder slim binary from the
deployment instead.

It's unlikely customers will be using Coder Desktop macOS v0.7.2 and the
next release of Coder simultaneously, so I think we can safely remove
this process, given it slows down CI & release processes.

## Changes

- **Makefile**: Remove `DYLIB_ARCHES`, `CODER_DYLIBS` variables and
`build/coder-dylib` target
- **scripts/build_go.sh**: Remove `--dylib` flag and all dylib-specific
logic (c-shared buildmode, CGO, plist embedding, vpn/dylib entrypoint)
- **scripts/sign_darwin.sh**: Remove dylib-specific comment
- **CI (ci.yaml)**: Remove `build-dylib` job, artifact download/insert
steps, and `build-dylib` dependency from `build` job
- **Release (release.yaml)**: Remove `build-dylib` job, artifact
download/insert steps, and `build-dylib` dependency from `release` job
- **vpn/dylib/**: Delete entire directory (`lib.go` + `info.plist.tmpl`)
- **vpn/router.go, vpn/dns.go**: Clean up comments referencing dylib

The slim and fat binary builds are completely unaffected — the dylib was
an independent build target with its own CI job.

_Generated by mux but reviewed by a human_

scripts/build_go.sh

@@ -2,7 +2,7 @@
 
 # This script builds a single Go binary of Coder with the given parameters.
 #
-# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto] [--dylib]
+# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto]
 #
 # Defaults to linux:amd64 with slim disabled, but can be controlled with GOOS,
 # GOARCH and CODER_SLIM_BUILD=1. If no version is specified, defaults to the
@@ -29,9 +29,6 @@
 # If the --boringcrypto parameter is specified, builds use boringcrypto instead of
 # the standard go crypto libraries.
 #
-# If the --dylib parameter is specified, the Coder Desktop `.dylib` is built
-# instead of the standard binary. This is only supported on macOS arm64 & amd64.
-
 set -euo pipefail
 # shellcheck source=scripts/lib.sh
 source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
@@ -46,14 +43,13 @@ sign_darwin="${CODER_SIGN_DARWIN:-0}"
 sign_windows="${CODER_SIGN_WINDOWS:-0}"
 sign_gpg="${CODER_SIGN_GPG:-0}"
 boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
-dylib=0
 windows_resources="${CODER_WINDOWS_RESOURCES:-0}"
 debug=0
 develop_in_coder="${DEVELOP_IN_CODER:-0}"
 
 bin_ident="com.coder.cli"
 
-args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,sign-windows,boringcrypto,dylib,windows-resources,debug -- "$@")"
+args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,sign-windows,boringcrypto,windows-resources,debug -- "$@")"
 eval set -- "$args"
 while true; do
 	case "$1" in
@@ -98,10 +94,6 @@ while true; do
 		boringcrypto=1
 		shift
 		;;
-	--dylib)
-		dylib=1
-		shift
-		;;
 	--windows-resources)
 		windows_resources=1
 		shift
@@ -160,7 +152,7 @@ fi
 # We use ts_omit_aws here because on Linux it prevents Tailscale from importing
 # github.com/aws/aws-sdk-go-v2/aws, which adds 7 MB to the binary.
 TS_EXTRA_SMALL="ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
-if [[ "$slim" == 1 || "$dylib" == 1 ]]; then
+if [[ "$slim" == 1 ]]; then
 	build_args+=(-tags "slim,$TS_EXTRA_SMALL")
 else
 	build_args+=(-tags "embed,$TS_EXTRA_SMALL")
@@ -171,24 +163,6 @@ if [[ "$agpl" == 1 ]]; then
 	ldflags+=(-X "'github.com/coder/coder/v2/buildinfo.agpl=true'")
 fi
 cgo=0
-if [[ "$dylib" == 1 ]]; then
-	if [[ "$os" != "darwin" ]]; then
-		error "dylib builds are not supported on $os"
-	fi
-	cgo=1
-	build_args+=("-buildmode=c-shared")
-	SDKROOT="$(xcrun --sdk macosx --show-sdk-path)"
-	export SDKROOT
-	bin_ident="com.coder.Coder-Desktop.VPN.dylib"
-
-	plist_file=$(mktemp)
-	trap 'rm -f "$plist_file"' EXIT
-	# CFBundleShortVersionString must be in the format /[0-9]+.[0-9]+.[0-9]+/
-	# CFBundleVersion can be in any format
-	BUNDLE_IDENTIFIER="$bin_ident" VERSION_STRING="$version" SHORT_VERSION_STRING=$(echo "$version" | grep -oE '^[0-9]+\.[0-9]+\.[0-9]+') \
-		execrelative envsubst <"$(realpath ./vpn/dylib/info.plist.tmpl)" >"$plist_file"
-	ldflags+=("-extldflags '-sectcreate __TEXT __info_plist $plist_file'")
-fi
 build_args+=(-ldflags "${ldflags[*]}")
 
 # Disable optimizations if building a binary for debuggers.
@@ -222,9 +196,6 @@ cmd_path="./enterprise/cmd/coder"
 if [[ "$agpl" == 1 ]]; then
 	cmd_path="./cmd/coder"
 fi
-if [[ "$dylib" == 1 ]]; then
-	cmd_path="./vpn/dylib/lib.go"
-fi
 
 goexp=""
 if [[ "$boringcrypto" == 1 ]]; then

scripts/sign_darwin.sh

@@ -9,7 +9,6 @@
 # certificate.
 #
 # For the Coder CLI, the binary_identifier should be "com.coder.cli".
-# For the CoderVPN `.dylib`, the binary_identifier should be "com.coder.Coder-Desktop.VPN.dylib".
 #
 # You can check if a binary is signed by running the following command on a Mac:
 #   codesign -dvv path/to/binary