ci: remove dylib build pipeline (#22592)

## Summary

The macOS `.dylib` is only used by Coder Desktop macOS v0.7.2 or older.
v0.7.2 was released in August 2025. v0.8.0 of Coder Desktop macOS, also
released in August 2025, uses a signed Coder slim binary from the
deployment instead.

It's unlikely customers will be using Coder Desktop macOS v0.7.2 and the
next release of Coder simultaneously, so I think we can safely remove
this process, given it slows down CI & release processes.

## Changes

- **Makefile**: Remove `DYLIB_ARCHES`, `CODER_DYLIBS` variables and
`build/coder-dylib` target
- **scripts/build_go.sh**: Remove `--dylib` flag and all dylib-specific
logic (c-shared buildmode, CGO, plist embedding, vpn/dylib entrypoint)
- **scripts/sign_darwin.sh**: Remove dylib-specific comment
- **CI (ci.yaml)**: Remove `build-dylib` job, artifact download/insert
steps, and `build-dylib` dependency from `build` job
- **Release (release.yaml)**: Remove `build-dylib` job, artifact
download/insert steps, and `build-dylib` dependency from `release` job
- **vpn/dylib/**: Delete entire directory (`lib.go` + `info.plist.tmpl`)
- **vpn/router.go, vpn/dns.go**: Clean up comments referencing dylib

The slim and fat binary builds are completely unaffected — the dylib was
an independent build target with its own CI job.

_Generated by mux but reviewed by a human_

vpn/dns.go

@@ -31,7 +31,7 @@ func (*dnsManager) SupportsSplitDNS() bool {
 
 // Close implements dns.OSConfigurator.
 func (*dnsManager) Close() error {
-	// There's no cleanup that we need to initiate from within the dylib.
+	// There's no cleanup that we need to initiate from within the tunnel.
 	return nil
 }
 

vpn/dylib/info.plist.tmpl

@@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>CFBundleName</key>
-    <string>CoderVPN</string>
-    <key>CFBundleIdentifier</key>
-    <string>${BUNDLE_IDENTIFIER}</string>
-    <key>CFBundleVersion</key>
-    <string>${VERSION_STRING}</string>
-    <key>CFBundleShortVersionString</key>
-    <string>${SHORT_VERSION_STRING}</string>
-</dict>
-</plist>

vpn/dylib/lib.go

@@ -1,64 +0,0 @@
-//go:build darwin
-
-package main
-
-import "C"
-
-import (
-	"context"
-
-	"golang.org/x/sys/unix"
-
-	"cdr.dev/slog/v3"
-	"github.com/coder/coder/v2/vpn"
-)
-
-const (
-	ErrDupReadFD  = -2
-	ErrDupWriteFD = -3
-	ErrOpenPipe   = -4
-	ErrNewTunnel  = -5
-)
-
-// OpenTunnel creates a new VPN tunnel by `dup`ing the provided 'PIPE'
-// file descriptors for reading and writing.
-//
-//export OpenTunnel
-func OpenTunnel(cReadFD, cWriteFD int32) int32 {
-	ctx := context.Background()
-
-	readFD, err := unix.Dup(int(cReadFD))
-	if err != nil {
-		return ErrDupReadFD
-	}
-
-	writeFD, err := unix.Dup(int(cWriteFD))
-	if err != nil {
-		unix.Close(readFD)
-		return ErrDupWriteFD
-	}
-
-	conn, err := vpn.NewBidirectionalPipe(uintptr(readFD), uintptr(writeFD))
-	if err != nil {
-		unix.Close(readFD)
-		unix.Close(writeFD)
-		return ErrOpenPipe
-	}
-
-	// We log everything, as filtering is done by whatever renders the OS
-	// logs.
-	_, err = vpn.NewTunnel(ctx, slog.Make().Leveled(slog.LevelDebug), conn,
-		vpn.NewClient(),
-		vpn.UseOSNetworkingStack(),
-		vpn.UseAsLogger(),
-	)
-	if err != nil {
-		unix.Close(readFD)
-		unix.Close(writeFD)
-		return ErrNewTunnel
-	}
-
-	return 0
-}
-
-func main() {}

vpn/router.go

@@ -30,7 +30,7 @@ func (v *vpnRouter) Set(cfg *router.Config) error {
 }
 
 func (*vpnRouter) Close() error {
-	// There's no cleanup that we need to initiate from within the dylib.
+	// There's no cleanup that we need to initiate from within the tunnel.
 	return nil
 }