Problem

The Go (macos-latest) job's "Test (pkg + cmd + internal, -short)" step fails on many PRs (#302, #321, #325, and now ubuntu too) with:

TempDir: mkdir /tmp/gotmpXXXXXX/<TestName>/001: permission denied

Root cause

t.TempDir() creates a per-test parent dir then a numbered sub-dir (001) for each parallel sub-test. When $TMPDIR points into /tmp (and /private/tmp on macOS), which is world-writable with the sticky bit (mode 1777), the hosted runner's extra sandbox layer (sandbox-exec on macOS, AppArmor on ubuntu) intermittently denies that nested mkdir. This is why #316's mktemp -d /tmp/... + chmod 777 did not help — the sticky /tmp tree itself is the problem, not the parent dir's mode. The failure is flaky (same SHA passes and fails across reruns) and recently spread to the ubuntu job once it was also redirected into /tmp.

Fix

Keep temp out of the sticky /tmp tree and use a plain, per-user, runner-owned directory:

• macOS: TMPDIR=$(getconf DARWIN_USER_TEMP_DIR) — the OS-native /var/folders/.../T per-user temp, no sticky bit, no sandbox quirk.
• Linux: a fresh mktemp -d under the runner-owned $RUNNER_TEMP.

actionlint clean; GOWORK=off go build ./cmd/daemon ./cmd/pilotctl passes; snapshot TempDir tests pass locally under the native macOS temp dir.

Once this is green, macOS can be re-added to web4 required checks.