opencode-ide-plugin/.github/workflows/publish.yml

name: publish
run-name: "${{ format('release {0}', inputs.bump) }}"

on:
  push:
    branches:
      - dev
      - snapshot-*
  workflow_dispatch:
    inputs:
      bump:
        description: "Bump major, minor, or patch"
        required: false
        type: choice
        options:
          - major
          - minor
          - patch
      version:
        description: "Override version (optional)"
        required: false
        type: string

concurrency: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.version || inputs.bump }}

permissions:
  id-token: write
  contents: write
  packages: write

jobs:
  publish:
    runs-on: blacksmith-4vcpu-ubuntu-2404
    if: github.repository == 'anomalyco/opencode'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - run: git fetch --force --tags

      - uses: ./.github/actions/setup-bun

      - name: Install OpenCode
        if: inputs.bump || inputs.version
        run: bun i -g [email protected]

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - uses: actions/setup-node@v4
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"

      - name: Setup Git Identity
        run: |
          git config --global user.email "[email protected]"
          git config --global user.name "opencode"
          git remote set-url origin https://x-access-token:${{ secrets.SST_GITHUB_TOKEN }}@github.com/${{ github.repository }}

      - name: Publish
        id: publish
        run: ./script/publish-start.ts
        env:
          OPENCODE_BUMP: ${{ inputs.bump }}
          OPENCODE_VERSION: ${{ inputs.version }}
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
          GITHUB_TOKEN: ${{ secrets.SST_GITHUB_TOKEN }}
          NPM_CONFIG_PROVENANCE: false

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-cli
          path: packages/opencode/dist

    outputs:
      release: ${{ steps.publish.outputs.release }}
      tag: ${{ steps.publish.outputs.tag }}
      version: ${{ steps.publish.outputs.version }}

  publish-tauri:
    needs: publish
    continue-on-error: false
    strategy:
      fail-fast: false
      matrix:
        settings:
          - host: macos-latest
            target: x86_64-apple-darwin
          - host: macos-latest
            target: aarch64-apple-darwin
          - host: blacksmith-4vcpu-windows-2025
            target: x86_64-pc-windows-msvc
          - host: blacksmith-4vcpu-ubuntu-2404
            target: x86_64-unknown-linux-gnu
          - host: blacksmith-4vcpu-ubuntu-2404-arm
            target: aarch64-unknown-linux-gnu
    runs-on: ${{ matrix.settings.host }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: ${{ needs.publish.outputs.tag }}

      - uses: apple-actions/import-codesign-certs@v2
        if: ${{ runner.os == 'macOS' }}
        with:
          keychain: build
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}

      - name: Verify Certificate
        if: ${{ runner.os == 'macOS' }}
        run: |
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
          echo "Certificate imported."

      - name: Setup Apple API Key
        if: ${{ runner.os == 'macOS' }}
        run: |
          echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8

      - run: git fetch --force --tags

      - uses: ./.github/actions/setup-bun

      - name: install dependencies (ubuntu only)
        if: contains(matrix.settings.host, 'ubuntu')
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf

      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.settings.target }}

      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: packages/desktop/src-tauri
          shared-key: ${{ matrix.settings.target }}

      - name: Prepare
        run: |
          cd packages/desktop
          bun ./scripts/prepare.ts
        env:
          OPENCODE_VERSION: ${{ needs.publish.outputs.version }}
          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.SST_GITHUB_TOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
          RUST_TARGET: ${{ matrix.settings.target }}
          GH_TOKEN: ${{ github.token }}
          GITHUB_RUN_ID: ${{ github.run_id }}

      # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released
      - name: Install tauri-cli from portable appimage branch
        if: contains(matrix.settings.host, 'ubuntu')
        run: |
          cargo install tauri-cli --git https://github.com/tauri-apps/tauri --branch feat/truly-portable-appimage --force
          echo "Installed tauri-cli version:"
          cargo tauri --version

      - name: Build and upload artifacts
        uses: Wandalen/wretry.action@v3
        timeout-minutes: 60
        with:
          attempt_limit: 3
          attempt_delay: 10000
          action: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
          with: |
            projectPath: packages/desktop
            uploadWorkflowArtifacts: true
            tauriScript: ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
            args: --target ${{ matrix.settings.target }} --config ./src-tauri/tauri.prod.conf.json --verbose
            updaterJsonPreferNsis: true
            releaseId: ${{ needs.publish.outputs.release }}
            tagName: ${{ needs.publish.outputs.tag }}
            releaseAssetNamePattern: opencode-desktop-[platform]-[arch][ext]
            releaseDraft: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8

  publish-release:
    needs:
      - publish
      - publish-tauri
    if: needs.publish.outputs.tag
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: ${{ needs.publish.outputs.tag }}

      - uses: ./.github/actions/setup-bun

      - name: Setup SSH for AUR
        run: |
          sudo apt-get update
          sudo apt-get install -y pacman-package-manager
          mkdir -p ~/.ssh
          echo "${{ secrets.AUR_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          git config --global user.email "[email protected]"
          git config --global user.name "opencode"
          ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts || true

      - run: ./script/publish-complete.ts
        env:
          OPENCODE_VERSION: ${{ needs.publish.outputs.version  }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
          GITHUB_TOKEN: ${{ secrets.SST_GITHUB_TOKEN }}