release #114
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: publish | |
| run-name: "${{ format('release {0}', inputs.bump) }}" | |
| on: | |
| push: | |
| branches: | |
| - ci | |
| - dev | |
| - beta | |
| - snapshot-* | |
| workflow_dispatch: | |
| inputs: | |
| bump: | |
| description: "Bump major, minor, or patch" | |
| required: false | |
| type: choice | |
| options: | |
| - major | |
| - minor | |
| - patch | |
| version: | |
| description: "Override version (optional)" | |
| required: false | |
| type: string | |
| concurrency: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.version || inputs.bump }} | |
| permissions: | |
| id-token: write | |
| contents: write | |
| packages: write | |
| jobs: | |
| version: | |
| runs-on: blacksmith-4vcpu-ubuntu-2404 | |
| if: github.repository == 'anomalyco/opencode' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: ./.github/actions/setup-bun | |
| - name: Setup git committer | |
| id: committer | |
| uses: ./.github/actions/setup-git-committer | |
| with: | |
| opencode-app-id: ${{ vars.OPENCODE_APP_ID }} | |
| opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }} | |
| - name: Install OpenCode | |
| if: inputs.bump || inputs.version | |
| run: bun i -g opencode-ai | |
| - id: version | |
| run: | | |
| ./script/version.ts | |
| env: | |
| GH_TOKEN: ${{ steps.committer.outputs.token }} | |
| OPENCODE_BUMP: ${{ inputs.bump }} | |
| OPENCODE_VERSION: ${{ inputs.version }} | |
| OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }} | |
| GH_REPO: ${{ (github.ref_name == 'beta' && 'anomalyco/opencode-beta') || github.repository }} | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| release: ${{ steps.version.outputs.release }} | |
| tag: ${{ steps.version.outputs.tag }} | |
| repo: ${{ steps.version.outputs.repo }} | |
| build-cli: | |
| needs: version | |
| runs-on: blacksmith-4vcpu-ubuntu-2404 | |
| if: github.repository == 'anomalyco/opencode' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-tags: true | |
| - uses: ./.github/actions/setup-bun | |
| - name: Setup git committer | |
| id: committer | |
| uses: ./.github/actions/setup-git-committer | |
| with: | |
| opencode-app-id: ${{ vars.OPENCODE_APP_ID }} | |
| opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }} | |
| - name: Build | |
| id: build | |
| run: | | |
| ./packages/opencode/script/build.ts | |
| env: | |
| OPENCODE_VERSION: ${{ needs.version.outputs.version }} | |
| OPENCODE_RELEASE: ${{ needs.version.outputs.release }} | |
| GH_REPO: ${{ needs.version.outputs.repo }} | |
| GH_TOKEN: ${{ steps.committer.outputs.token }} | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: opencode-cli | |
| path: | | |
| packages/opencode/dist/opencode-darwin* | |
| packages/opencode/dist/opencode-linux* | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: opencode-cli-windows | |
| path: packages/opencode/dist/opencode-windows* | |
| outputs: | |
| version: ${{ needs.version.outputs.version }} | |
| sign-cli-windows: | |
| needs: | |
| - build-cli | |
| - version | |
| runs-on: blacksmith-4vcpu-windows-2025 | |
| if: github.repository == 'anomalyco/opencode' | |
| env: | |
| AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
| AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
| AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }} | |
| AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }} | |
| AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opencode-cli-windows | |
| path: packages/opencode/dist | |
| - name: Setup git committer | |
| id: committer | |
| uses: ./.github/actions/setup-git-committer | |
| with: | |
| opencode-app-id: ${{ vars.OPENCODE_APP_ID }} | |
| opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }} | |
| - name: Azure login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ env.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ env.AZURE_TENANT_ID }} | |
| subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} | |
| - uses: azure/artifact-signing-action@v1 | |
| with: | |
| endpoint: ${{ env.AZURE_TRUSTED_SIGNING_ENDPOINT }} | |
| signing-account-name: ${{ env.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }} | |
| certificate-profile-name: ${{ env.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }} | |
| files: | | |
| ${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64\bin\opencode.exe | |
| ${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64\bin\opencode.exe | |
| ${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64-baseline\bin\opencode.exe | |
| exclude-environment-credential: true | |
| exclude-workload-identity-credential: true | |
| exclude-managed-identity-credential: true | |
| exclude-shared-token-cache-credential: true | |
| exclude-visual-studio-credential: true | |
| exclude-visual-studio-code-credential: true | |
| exclude-azure-cli-credential: false | |
| exclude-azure-powershell-credential: true | |
| exclude-azure-developer-cli-credential: true | |
| exclude-interactive-browser-credential: true | |
| - name: Verify Windows CLI signatures | |
| shell: pwsh | |
| run: | | |
| $files = @( | |
| "${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64\bin\opencode.exe", | |
| "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64\bin\opencode.exe", | |
| "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64-baseline\bin\opencode.exe" | |
| ) | |
| foreach ($file in $files) { | |
| $sig = Get-AuthenticodeSignature $file | |
| if ($sig.Status -ne "Valid") { | |
| throw "Invalid signature for ${file}: $($sig.Status)" | |
| } | |
| } | |
| - name: Repack Windows CLI archives | |
| working-directory: packages/opencode/dist | |
| shell: pwsh | |
| run: | | |
| Compress-Archive -Path "opencode-windows-arm64\bin\*" -DestinationPath "opencode-windows-arm64.zip" -Force | |
| Compress-Archive -Path "opencode-windows-x64\bin\*" -DestinationPath "opencode-windows-x64.zip" -Force | |
| Compress-Archive -Path "opencode-windows-x64-baseline\bin\*" -DestinationPath "opencode-windows-x64-baseline.zip" -Force | |
| - name: Upload signed Windows CLI release assets | |
| if: needs.version.outputs.release != '' | |
| shell: pwsh | |
| env: | |
| GH_TOKEN: ${{ steps.committer.outputs.token }} | |
| run: | | |
| gh release upload "v${{ needs.version.outputs.version }}" ` | |
| "${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64.zip" ` | |
| "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64.zip" ` | |
| "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64-baseline.zip" ` | |
| --clobber ` | |
| --repo "${{ needs.version.outputs.repo }}" | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: opencode-cli-signed-windows | |
| path: | | |
| packages/opencode/dist/opencode-windows-arm64 | |
| packages/opencode/dist/opencode-windows-x64 | |
| packages/opencode/dist/opencode-windows-x64-baseline | |
| build-tauri: | |
| needs: | |
| - build-cli | |
| - version | |
| continue-on-error: false | |
| env: | |
| AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
| AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
| AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }} | |
| AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }} | |
| AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| settings: | |
| - host: macos-latest | |
| target: x86_64-apple-darwin | |
| - host: macos-latest | |
| target: aarch64-apple-darwin | |
| # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain | |
| - host: windows-2025 | |
| target: aarch64-pc-windows-msvc | |
| - host: blacksmith-4vcpu-windows-2025 | |
| target: x86_64-pc-windows-msvc | |
| - host: blacksmith-4vcpu-ubuntu-2404 | |
| target: x86_64-unknown-linux-gnu | |
| - host: blacksmith-8vcpu-ubuntu-2404-arm | |
| target: aarch64-unknown-linux-gnu | |
| runs-on: ${{ matrix.settings.host }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-tags: true | |
| - uses: apple-actions/import-codesign-certs@v2 | |
| if: ${{ runner.os == 'macOS' }} | |
| with: | |
| keychain: build | |
| p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }} | |
| p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| - name: Verify Certificate | |
| if: ${{ runner.os == 'macOS' }} | |
| run: | | |
| CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application") | |
| CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}') | |
| echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV | |
| echo "Certificate imported." | |
| - name: Setup Apple API Key | |
| if: ${{ runner.os == 'macOS' }} | |
| run: | | |
| echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8 | |
| - uses: ./.github/actions/setup-bun | |
| - name: Azure login | |
| if: runner.os == 'Windows' | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ env.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ env.AZURE_TENANT_ID }} | |
| subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "24" | |
| - name: Cache apt packages | |
| if: contains(matrix.settings.host, 'ubuntu') | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/apt-cache | |
| key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-${{ hashFiles('.github/workflows/publish.yml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-${{ matrix.settings.target }}-apt- | |
| - name: install dependencies (ubuntu only) | |
| if: contains(matrix.settings.host, 'ubuntu') | |
| run: | | |
| mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache | |
| sudo apt-get update | |
| sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf | |
| sudo chmod -R a+rw ~/apt-cache | |
| - name: install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: ${{ matrix.settings.target }} | |
| - uses: Swatinem/rust-cache@v2 | |
| with: | |
| workspaces: packages/desktop/src-tauri | |
| shared-key: ${{ matrix.settings.target }} | |
| - name: Prepare | |
| run: | | |
| cd packages/desktop | |
| bun ./scripts/prepare.ts | |
| env: | |
| OPENCODE_VERSION: ${{ needs.version.outputs.version }} | |
| GITHUB_TOKEN: ${{ steps.committer.outputs.token }} | |
| OPENCODE_CLI_ARTIFACT: ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }} | |
| RUST_TARGET: ${{ matrix.settings.target }} | |
| GH_TOKEN: ${{ github.token }} | |
| GITHUB_RUN_ID: ${{ github.run_id }} | |
| - name: Resolve tauri portable SHA | |
| if: contains(matrix.settings.host, 'ubuntu') | |
| run: echo "TAURI_PORTABLE_SHA=$(git ls-remote https://github.com/tauri-apps/tauri.git refs/heads/feat/truly-portable-appimage | cut -f1)" >> "$GITHUB_ENV" | |
| # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released | |
| - name: Install tauri-cli from portable appimage branch | |
| uses: taiki-e/cache-cargo-install-action@v3 | |
| if: contains(matrix.settings.host, 'ubuntu') | |
| with: | |
| tool: tauri-cli | |
| git: https://github.com/tauri-apps/tauri | |
| # branch: feat/truly-portable-appimage | |
| rev: ${{ env.TAURI_PORTABLE_SHA }} | |
| - name: Show tauri-cli version | |
| if: contains(matrix.settings.host, 'ubuntu') | |
| run: cargo tauri --version | |
| - name: Setup git committer | |
| id: committer | |
| uses: ./.github/actions/setup-git-committer | |
| with: | |
| opencode-app-id: ${{ vars.OPENCODE_APP_ID }} | |
| opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }} | |
| - name: Build and upload artifacts | |
| uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a | |
| timeout-minutes: 60 | |
| with: | |
| projectPath: packages/desktop | |
| uploadWorkflowArtifacts: true | |
| tauriScript: ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }} | |
| args: --target ${{ matrix.settings.target }} --config ${{ (github.ref_name == 'beta' && './src-tauri/tauri.beta.conf.json') || './src-tauri/tauri.prod.conf.json' }} --verbose | |
| updaterJsonPreferNsis: true | |
| releaseId: ${{ needs.version.outputs.release }} | |
| tagName: ${{ needs.version.outputs.tag }} | |
| releaseDraft: true | |
| releaseAssetNamePattern: opencode-desktop-[platform]-[arch][ext] | |
| repo: ${{ (github.ref_name == 'beta' && 'opencode-beta') || '' }} | |
| releaseCommitish: ${{ github.sha }} | |
| env: | |
| GITHUB_TOKEN: ${{ steps.committer.outputs.token }} | |
| TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true | |
| TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} | |
| TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} | |
| APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
| APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }} | |
| APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} | |
| APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} | |
| APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8 | |
| - name: Verify signed Windows desktop artifacts | |
| if: runner.os == 'Windows' | |
| shell: pwsh | |
| run: | | |
| $files = @( | |
| "${{ github.workspace }}\packages\desktop\src-tauri\sidecars\opencode-cli-${{ matrix.settings.target }}.exe" | |
| ) | |
| $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\src-tauri\target\${{ matrix.settings.target }}\release\bundle\nsis\*.exe" | Select-Object -ExpandProperty FullName | |
| foreach ($file in $files) { | |
| $sig = Get-AuthenticodeSignature $file | |
| if ($sig.Status -ne "Valid") { | |
| throw "Invalid signature for ${file}: $($sig.Status)" | |
| } | |
| } | |
| build-electron: | |
| needs: | |
| - build-cli | |
| - version | |
| continue-on-error: false | |
| env: | |
| AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
| AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
| AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }} | |
| AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }} | |
| AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| settings: | |
| - host: macos-latest | |
| target: x86_64-apple-darwin | |
| platform_flag: --mac --x64 | |
| - host: macos-latest | |
| target: aarch64-apple-darwin | |
| platform_flag: --mac --arm64 | |
| # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain | |
| - host: "windows-2025" | |
| target: aarch64-pc-windows-msvc | |
| platform_flag: --win --arm64 | |
| - host: "blacksmith-4vcpu-windows-2025" | |
| target: x86_64-pc-windows-msvc | |
| platform_flag: --win | |
| - host: "blacksmith-4vcpu-ubuntu-2404" | |
| target: x86_64-unknown-linux-gnu | |
| platform_flag: --linux | |
| - host: "blacksmith-4vcpu-ubuntu-2404" | |
| target: aarch64-unknown-linux-gnu | |
| platform_flag: --linux | |
| runs-on: ${{ matrix.settings.host }} | |
| # if: github.ref_name == 'beta' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: apple-actions/import-codesign-certs@v2 | |
| if: runner.os == 'macOS' | |
| with: | |
| keychain: build | |
| p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }} | |
| p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| - name: Setup Apple API Key | |
| if: runner.os == 'macOS' | |
| run: echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8 | |
| - uses: ./.github/actions/setup-bun | |
| - name: Azure login | |
| if: runner.os == 'Windows' | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ env.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ env.AZURE_TENANT_ID }} | |
| subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "24" | |
| - name: Cache apt packages | |
| if: contains(matrix.settings.host, 'ubuntu') | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/apt-cache | |
| key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-electron-${{ hashFiles('.github/workflows/publish.yml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-${{ matrix.settings.target }}-apt-electron- | |
| - name: Install dependencies (ubuntu only) | |
| if: contains(matrix.settings.host, 'ubuntu') | |
| run: | | |
| mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache | |
| sudo apt-get update | |
| sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" rpm | |
| sudo chmod -R a+rw ~/apt-cache | |
| - name: Setup git committer | |
| id: committer | |
| uses: ./.github/actions/setup-git-committer | |
| with: | |
| opencode-app-id: ${{ vars.OPENCODE_APP_ID }} | |
| opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }} | |
| - name: Prepare | |
| run: bun ./scripts/prepare.ts | |
| working-directory: packages/desktop-electron | |
| env: | |
| OPENCODE_VERSION: ${{ needs.version.outputs.version }} | |
| OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }} | |
| OPENCODE_CLI_ARTIFACT: ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }} | |
| RUST_TARGET: ${{ matrix.settings.target }} | |
| GH_TOKEN: ${{ github.token }} | |
| GITHUB_RUN_ID: ${{ github.run_id }} | |
| - name: Build | |
| run: bun run build | |
| working-directory: packages/desktop-electron | |
| env: | |
| OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }} | |
| - name: Package and publish | |
| if: needs.version.outputs.release | |
| run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish always --config electron-builder.config.ts | |
| working-directory: packages/desktop-electron | |
| timeout-minutes: 60 | |
| env: | |
| OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }} | |
| GH_TOKEN: ${{ steps.committer.outputs.token }} | |
| CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }} | |
| CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
| APPLE_API_KEY: ${{ runner.temp }}/apple-api-key.p8 | |
| APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY }} | |
| APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} | |
| - name: Package (no publish) | |
| if: ${{ !needs.version.outputs.release }} | |
| run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish never --config electron-builder.config.ts | |
| working-directory: packages/desktop-electron | |
| timeout-minutes: 60 | |
| env: | |
| OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }} | |
| - name: Verify signed Windows Electron artifacts | |
| if: runner.os == 'Windows' | |
| shell: pwsh | |
| run: | | |
| $files = @() | |
| $files += Get-ChildItem "${{ github.workspace }}\packages\desktop-electron\dist\*.exe" | Select-Object -ExpandProperty FullName | |
| $files += Get-ChildItem "${{ github.workspace }}\packages\desktop-electron\dist\*unpacked\*.exe" | Select-Object -ExpandProperty FullName | |
| $files += Get-ChildItem "${{ github.workspace }}\packages\desktop-electron\dist\*unpacked\resources\opencode-cli.exe" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName | |
| foreach ($file in $files | Select-Object -Unique) { | |
| $sig = Get-AuthenticodeSignature $file | |
| if ($sig.Status -ne "Valid") { | |
| throw "Invalid signature for ${file}: $($sig.Status)" | |
| } | |
| } | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: opencode-electron-${{ matrix.settings.target }} | |
| path: packages/desktop-electron/dist/* | |
| - uses: actions/upload-artifact@v4 | |
| if: needs.version.outputs.release | |
| with: | |
| name: latest-yml-${{ matrix.settings.target }} | |
| path: packages/desktop-electron/dist/latest*.yml | |
| publish: | |
| needs: | |
| - version | |
| - build-cli | |
| - sign-cli-windows | |
| - build-tauri | |
| - build-electron | |
| runs-on: blacksmith-4vcpu-ubuntu-2404 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: ./.github/actions/setup-bun | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "24" | |
| registry-url: "https://registry.npmjs.org" | |
| - name: Setup git committer | |
| id: committer | |
| uses: ./.github/actions/setup-git-committer | |
| with: | |
| opencode-app-id: ${{ vars.OPENCODE_APP_ID }} | |
| opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }} | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opencode-cli | |
| path: packages/opencode/dist | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opencode-cli-windows | |
| path: packages/opencode/dist | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opencode-cli-signed-windows | |
| path: packages/opencode/dist | |
| - uses: actions/download-artifact@v4 | |
| if: needs.version.outputs.release | |
| with: | |
| pattern: latest-yml-* | |
| path: /tmp/latest-yml | |
| - name: Cache apt packages (AUR) | |
| uses: actions/cache@v4 | |
| with: | |
| path: /var/cache/apt/archives | |
| key: ${{ runner.os }}-apt-aur-${{ hashFiles('.github/workflows/publish.yml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-apt-aur- | |
| - name: Setup SSH for AUR | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y pacman-package-manager | |
| mkdir -p ~/.ssh | |
| echo "${{ secrets.AUR_KEY }}" > ~/.ssh/id_rsa | |
| chmod 600 ~/.ssh/id_rsa | |
| git config --global user.email "opencode@sst.dev" | |
| git config --global user.name "opencode" | |
| ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts || true | |
| - run: ./script/publish.ts | |
| env: | |
| OPENCODE_VERSION: ${{ needs.version.outputs.version }} | |
| OPENCODE_RELEASE: ${{ needs.version.outputs.release }} | |
| AUR_KEY: ${{ secrets.AUR_KEY }} | |
| GITHUB_TOKEN: ${{ steps.committer.outputs.token }} | |
| GH_REPO: ${{ needs.version.outputs.repo }} | |
| NPM_CONFIG_PROVENANCE: false | |
| LATEST_YML_DIR: /tmp/latest-yml |