Why do GitLab jobs stay pending on macOS runners?

Most often tags in YAML do not match registered runner tags, the runner is registered at the wrong scope, the runner is offline, or concurrent slots are exhausted.

Why start concurrent at one or two?

Multiple xcodebuild processes contend for RAM, DerivedData, and keychain sessions on macOS. Establish stability before raising parallelism.

When should I add another Mac cloud node?

Add machines when queues exceed your window, disk or memory alerts persist, or you need geographic or environment isolation. Clone tag strategy instead of only raising concurrent on one host.

2026 GitLab Runner on macOS in Mac Cloud: Registration Tokens, Executors, and Safe Parallelism

Platform teams comfortable with Linux runners often stall when iOS pipelines need Apple hardware. After you SSH into a rented Mac cloud node, the next failures are predictable: wrong architecture binary, tags that never match .gitlab-ci.yml, or three concurrent xcodebuild jobs that shred disk and keychain state. This article is for engineers who want macOS to feel as operable as a VPS: we unpack four recurring pain points, compare shell versus custom executors, walk a five-step registration and smoke test, cite concrete capacity numbers you can paste into reviews, and close with FAQ structured data aligned with 2026 GitLab practice.

1. Summary: how macOS runners differ from Linux habits

On Linux, Docker executor workflows are familiar: ephemeral containers, cgroup limits, and volume mounts give predictable isolation. macOS is not a drop-in replacement. Apple toolchains assume a logged-in context for signing assets, DerivedData grows explosively beside CocoaPods or SwiftPM caches, and parallel xcodebuild processes fight for the same filesystem trees unless you design pools and paths deliberately. Setting concurrent equal to the number of performance cores is a common mistake: linker failures and compiler out-of-memory events show up as flaky pipelines that waste more human time than slower serial builds. You must also download the darwin-arm64 GitLab Runner binary for Apple Silicon hosts; mixing Rosetta-hosted amd64 toolchains with native Swift drivers creates subtle linker mismatches that are painful to diagnose under CI logs. This guide assumes one or more SSH-reachable Mac cloud machines that should behave like labeled capacity in GitLab, not ad-hoc laptops that sleep overnight.

2. Pain points: tokens, tags, keychain, disk contention

Architecture reviews usually surface the same four conflicts when Linux-centric teams touch macOS runners:

Registration tokens: instance-level versus project-level tokens place runners in different scopes. Rotating a token without updating ~/.gitlab-runner/config.toml yields runners that look online yet never pick up jobs.
Tag drift: YAML specifies tags: [macos, ios] while the runner registered only macos-arm64, leaving pipelines pending forever. Manual tag edits without documentation recreate the problem after every reinstall.
Keychain and unattended signing: shell executor jobs may run outside the interactive login keychain unlock flow. Without a dedicated CI user or explicit keychain partitioning, code signing identities disappear mid-pipeline.
Disk and cache collisions: DerivedData, module caches, and artifacts share one volume. Parallel jobs with aggressive cleanup can delete intermediates still referenced by a sibling job, producing nondeterministic failures.

3. Decision matrix: shell vs custom executor

Most teams start with shell because it mirrors the commands engineers already run over SSH. Custom executors or external virtualization add isolation but increase maintenance. Use the table below in design docs.

Dimension	shell executor	custom or external isolation
Time to first green job	Hours	Days to weeks
Isolation strength	Low, shared user environment	Higher, can approximate clean rooms
Signing ergonomics	Simplest when login session matches CI user	Requires explicit secret injection
Parallelism strategy	Strict `concurrent` caps and tag pools	Can map pools to directories or hosts
Disk hygiene	Path conventions plus scheduled cleanup	Hooks can snapshot or wipe workspaces
Best fit	Small to mid teams, fewer repos, xcodebuild-centric	Multi-tenant, compliance-heavy fleets

                Practical note: Until you operate custom isolation reliably, prefer tag-separated pools with conservative concurrency and fixed DerivedData roots over chasing perfect hermetic builds that stall the whole program.
            

4. Five steps from register to green smoke job

Follow this sequence on a Mac cloud host with sudo-capable SSH. Match GitLab and Runner versions using the official compatibility matrix before production cutover.

Install and verify architecture: Install the darwin-arm64 gitlab-runner binary, confirm with gitlab-runner --version and uname -m. Document a ban on accidental amd64 toolchain usage under Rosetta for Swift builds.
Register with deliberate tags: Run gitlab-runner register with the correct instance or project token. The tags you enter must match future .gitlab-ci.yml stanzas character for character. Validate that config.toml contains a new [[runners]] block.
Pin executor and concurrency: Set executor = "shell" and start with concurrent at one or two. Split pull-request pools from release pools via runner names and tags so heavy archives do not exhaust keychain sessions meant for lint jobs.
Smoke YAML: Add a job that only runs sw_vers and xcodebuild -version. Prove artifact upload and tag routing before wiring full schemes.
Cleanup and observability: Standardize DerivedData and dependency cache locations. Schedule disk sweeps or pipeline-final cleanup steps. Alert when free space drops under agreed thresholds. Classify failures as signing, dependency, out-of-memory, or disk to speed postmortems.

Minimal .gitlab-ci.yml example:

stages: [verify]

mac-smoke:
  stage: verify
  tags: [macos-arm64, ci-pool-dev]
  script:
    - sw_vers
    - xcodebuild -version

Illustrative config.toml fragment (redact real tokens):

concurrent = 2
check_interval = 0

[[runners]]
  name = "mac-cloud-pool-dev"
  url = "https://gitlab.example.com/"
  token = "REDACTED"
  executor = "shell"
  [runners.custom_build_dir]
  builds_dir = "/Users/gitlab-ci/builds"
  cache_dir = "/Users/gitlab-ci/cache"

5. Hard numbers: memory, disk, and concurrency

Use these ranges in capacity planning for medium-sized Swift and iOS codebases; always validate against your own modules. When leadership asks for a single chart in a quarterly review, pair memory peaks with queue depth: swapping during link phases shows up as long tail latency even when average job time looks acceptable. Document both mean and p95, and split queue wait from active compile minutes so you can tell whether to add runners or simply serialize heavy schemes.

Runner observability: Track runner version, GitLab version, and last successful job timestamp per tag pool. Stale runners after certificate rotation or OS upgrades are a frequent hidden cause of pending jobs that logs alone will not flag until you chart uptime versus job pickup.
Memory peaks: A full Archive often spikes between roughly twelve and eighteen gigabytes on Apple Silicon. Three concurrent full builds on a thirty-two gigabyte host frequently swap and stretch p95 duration.
Disk buffer: Keep on the order of forty gigabytes of contiguous free space when DerivedData plus package caches are enabled. Below roughly ten gigabytes, linker failures become common and hard to reproduce.
Concurrency starting point: Without custom isolation, begin with one or two concurrent xcodebuild jobs per machine. Separate lightweight checks from archives using tags.
Version skew: Large GitLab upgrades can change runner API behavior. Pilot on staging runners before moving production tags.
Network geometry: Frequent dependency fetches amplify round-trip time between the Mac host and GitLab or private registries. Capture fetch sub-phase timings during proof of concept.
Instrumentation: Emit df -h, DerivedData roots, and result bundle paths in job logs to correlate flaky failures with disk races.

6. Why Linux-only fleets fall short and when dedicated Mac cloud wins

A Linux-only runner fleet cannot honestly execute native Xcode signing workflows. Borrowing an engineer laptop as a runner introduces sleep, travel, and audit gaps. Attempting to approximate macOS builds on non-Apple hardware collides with licensing, performance, and toolchain reality, producing support debt that exceeds rental cost. Teams that need unattended signing, pinned Xcode minor versions, corporate egress rules, and stable SSH operations should add one or more dedicated Mac cloud hosts to GitLab as first-class labeled capacity. Renting keeps procurement out of the critical path: you receive credentials quickly, register runners, and scale horizontally by cloning tag strategy instead of stacking risky concurrency on a single fragile machine. Docker-style isolation on macOS adds value but also operational surface; native Mac cloud nodes reduce that friction for many CI profiles. When you want the same programmatic rhythm as ordering a VPS API, read VPSMAC guidance on ninety-second Mac cloud API provisioning and CI integration to connect checkout to green pipelines end to end.