opencode/.github/workflows/publish.yml

name: publish
run-name: "${{ format('release {0}', inputs.bump) }}"

on:
  push:
    branches:
      - ci
      - dev
      - beta
      - snapshot-*
  workflow_dispatch:
    inputs:
      bump:
        description: "Bump major, minor, or patch"
        required: false
        type: choice
        options:
          - major
          - minor
          - patch
      version:
        description: "Override version (optional)"
        required: false
        type: string

concurrency: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.version || inputs.bump }}

permissions:
  id-token: write
  contents: write
  packages: write

jobs:
  version:
    runs-on: blacksmith-4vcpu-ubuntu-2404
    if: github.repository == 'anomalyco/opencode'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: ./.github/actions/setup-bun

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Install OpenCode
        if: inputs.bump || inputs.version
        run: bun i -g opencode-ai

      - id: version
        run: |
          ./script/version.ts
        env:
          GH_TOKEN: ${{ steps.committer.outputs.token }}
          OPENCODE_BUMP: ${{ inputs.bump }}
          OPENCODE_VERSION: ${{ inputs.version }}
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
          GH_REPO: ${{ (github.ref_name == 'beta' && 'anomalyco/opencode-beta') || github.repository }}
    outputs:
      version: ${{ steps.version.outputs.version }}
      release: ${{ steps.version.outputs.release }}
      tag: ${{ steps.version.outputs.tag }}
      repo: ${{ steps.version.outputs.repo }}

  build-cli-linux-win:
    needs: version
    runs-on: blacksmith-4vcpu-ubuntu-2404
    if: github.repository == 'anomalyco/opencode'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-tags: true

      - uses: ./.github/actions/setup-bun

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Build
        id: build
        run: |
          ./packages/opencode/script/build.ts
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          OPENCODE_RELEASE: ${{ needs.version.outputs.release }}
          GH_REPO: ${{ needs.version.outputs.repo }}
          GH_TOKEN: ${{ steps.committer.outputs.token }}
          OPENCODE_BUILD_OS: linux,win32
          OPENCODE_SKIP_RELEASE_UPLOAD: "1"

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-cli-linux-win
          path: packages/opencode/dist

  build-cli-darwin:
    needs: version
    runs-on: macos-latest
    if: github.repository == 'anomalyco/opencode'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-tags: true

      - uses: ./.github/actions/setup-bun

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - uses: apple-actions/import-codesign-certs@v2
        with:
          keychain: build
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}

      - name: Resolve signing identity
        run: |
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          if [ -z "$CERT_ID" ]; then
            echo "Developer ID Application identity not found"
            exit 1
          fi
          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV

      - name: Build
        id: build
        run: |
          ./packages/opencode/script/build.ts
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          OPENCODE_RELEASE: ${{ needs.version.outputs.release }}
          GH_REPO: ${{ needs.version.outputs.repo }}
          GH_TOKEN: ${{ steps.committer.outputs.token }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
          OPENCODE_BUILD_OS: darwin
          OPENCODE_SKIP_RELEASE_UPLOAD: "1"

      - name: Verify darwin signatures
        run: |
          for file in packages/opencode/dist/opencode-darwin-*/bin/opencode; do
            codesign -vvv --verify "$file"
          done

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-cli-darwin
          path: packages/opencode/dist

  build-tauri:
    needs:
      - version
    continue-on-error: false
    strategy:
      fail-fast: false
      matrix:
        settings:
          - host: macos-latest
            target: x86_64-apple-darwin
          - host: macos-latest
            target: aarch64-apple-darwin
          # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
          - host: windows-2025
            target: aarch64-pc-windows-msvc
          - host: blacksmith-4vcpu-windows-2025
            target: x86_64-pc-windows-msvc
          - host: blacksmith-4vcpu-ubuntu-2404
            target: x86_64-unknown-linux-gnu
          - host: blacksmith-8vcpu-ubuntu-2404-arm
            target: aarch64-unknown-linux-gnu
    runs-on: ${{ matrix.settings.host }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-tags: true

      - uses: apple-actions/import-codesign-certs@v2
        if: ${{ runner.os == 'macOS' }}
        with:
          keychain: build
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}

      - name: Verify Certificate
        if: ${{ runner.os == 'macOS' }}
        run: |
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
          echo "Certificate imported."

      - name: Setup Apple API Key
        if: ${{ runner.os == 'macOS' }}
        run: |
          echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8

      - uses: ./.github/actions/setup-bun

      - uses: actions/setup-node@v4
        with:
          node-version: "24"

      - name: Cache apt packages
        if: contains(matrix.settings.host, 'ubuntu')
        uses: actions/cache@v4
        with:
          path: ~/apt-cache
          key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-${{ hashFiles('.github/workflows/publish.yml') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.settings.target }}-apt-

      - name: install dependencies (ubuntu only)
        if: contains(matrix.settings.host, 'ubuntu')
        run: |
          mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
          sudo chmod -R a+rw ~/apt-cache

      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.settings.target }}

      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: packages/desktop/src-tauri
          shared-key: ${{ matrix.settings.target }}

      - name: Prepare
        run: |
          cd packages/desktop
          bun ./scripts/prepare.ts
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
          RUST_TARGET: ${{ matrix.settings.target }}
          GH_TOKEN: ${{ github.token }}
          GITHUB_RUN_ID: ${{ github.run_id }}

      - name: Resolve tauri portable SHA
        if: contains(matrix.settings.host, 'ubuntu')
        run: echo "TAURI_PORTABLE_SHA=$(git ls-remote https://github.com/tauri-apps/tauri.git refs/heads/feat/truly-portable-appimage | cut -f1)" >> "$GITHUB_ENV"

      # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released
      - name: Install tauri-cli from portable appimage branch
        uses: taiki-e/cache-cargo-install-action@v3
        if: contains(matrix.settings.host, 'ubuntu')
        with:
          tool: tauri-cli
          git: https://github.com/tauri-apps/tauri
          # branch: feat/truly-portable-appimage
          rev: ${{ env.TAURI_PORTABLE_SHA }}

      - name: Show tauri-cli version
        if: contains(matrix.settings.host, 'ubuntu')
        run: cargo tauri --version

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Build and upload artifacts
        uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
        timeout-minutes: 60
        with:
          projectPath: packages/desktop
          uploadWorkflowArtifacts: true
          tauriScript: ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
          args: --target ${{ matrix.settings.target }} --config ${{ (github.ref_name == 'beta' && './src-tauri/tauri.beta.conf.json') || './src-tauri/tauri.prod.conf.json' }} --verbose
          updaterJsonPreferNsis: true
          releaseId: ${{ needs.version.outputs.release }}
          tagName: ${{ needs.version.outputs.tag }}
          releaseDraft: true
          releaseAssetNamePattern: opencode-desktop-[platform]-[arch][ext]
          repo: ${{ (github.ref_name == 'beta' && 'opencode-beta') || '' }}
          releaseCommitish: ${{ github.sha }}
        env:
          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
          TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8

  build-electron:
    needs:
      - version
    continue-on-error: false
    strategy:
      fail-fast: false
      matrix:
        settings:
          - host: macos-latest
            target: x86_64-apple-darwin
            platform_flag: --mac --x64
          - host: macos-latest
            target: aarch64-apple-darwin
            platform_flag: --mac --arm64
          # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
          - host: "windows-2025"
            target: aarch64-pc-windows-msvc
            platform_flag: --win --arm64
          - host: "blacksmith-4vcpu-windows-2025"
            target: x86_64-pc-windows-msvc
            platform_flag: --win
          - host: "blacksmith-4vcpu-ubuntu-2404"
            target: x86_64-unknown-linux-gnu
            platform_flag: --linux
          - host: "blacksmith-4vcpu-ubuntu-2404"
            target: aarch64-unknown-linux-gnu
            platform_flag: --linux
    runs-on: ${{ matrix.settings.host }}
    # if: github.ref_name == 'beta'
    steps:
      - uses: actions/checkout@v3

      - uses: apple-actions/import-codesign-certs@v2
        if: runner.os == 'macOS'
        with:
          keychain: build
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}

      - name: Setup Apple API Key
        if: runner.os == 'macOS'
        run: echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8

      - uses: ./.github/actions/setup-bun

      - uses: actions/setup-node@v4
        with:
          node-version: "24"

      - name: Cache apt packages
        if: contains(matrix.settings.host, 'ubuntu')
        uses: actions/cache@v4
        with:
          path: ~/apt-cache
          key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-electron-${{ hashFiles('.github/workflows/publish.yml') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.settings.target }}-apt-electron-

      - name: Install dependencies (ubuntu only)
        if: contains(matrix.settings.host, 'ubuntu')
        run: |
          mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" rpm
          sudo chmod -R a+rw ~/apt-cache

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Prepare
        run: bun ./scripts/prepare.ts
        working-directory: packages/desktop-electron
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}
          RUST_TARGET: ${{ matrix.settings.target }}
          GH_TOKEN: ${{ github.token }}
          GITHUB_RUN_ID: ${{ github.run_id }}

      - name: Build
        run: bun run build
        working-directory: packages/desktop-electron
        env:
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}

      - name: Package and publish
        if: needs.version.outputs.release
        run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish always --config electron-builder.config.ts
        working-directory: packages/desktop-electron
        timeout-minutes: 60
        env:
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}
          GH_TOKEN: ${{ steps.committer.outputs.token }}
          CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
          CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_API_KEY: ${{ runner.temp }}/apple-api-key.p8
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}

      - name: Package (no publish)
        if: ${{ !needs.version.outputs.release }}
        run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish never --config electron-builder.config.ts
        working-directory: packages/desktop-electron
        timeout-minutes: 60
        env:
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-electron-${{ matrix.settings.target }}
          path: packages/desktop-electron/dist/*

      - uses: actions/upload-artifact@v4
        if: needs.version.outputs.release
        with:
          name: latest-yml-${{ matrix.settings.target }}
          path: packages/desktop-electron/dist/latest*.yml

  publish:
    needs:
      - version
      - build-cli-darwin
      - build-cli-linux-win
      - build-tauri
      - build-electron
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      - uses: actions/checkout@v3

      - uses: ./.github/actions/setup-bun

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - uses: actions/setup-node@v4
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - uses: actions/download-artifact@v4
        with:
          pattern: opencode-cli-*
          path: packages/opencode/dist
          merge-multiple: true

      - uses: actions/download-artifact@v4
        if: needs.version.outputs.release
        with:
          pattern: latest-yml-*
          path: /tmp/latest-yml

      - name: Cache apt packages (AUR)
        uses: actions/cache@v4
        with:
          path: /var/cache/apt/archives
          key: ${{ runner.os }}-apt-aur-${{ hashFiles('.github/workflows/publish.yml') }}
          restore-keys: |
            ${{ runner.os }}-apt-aur-

      - name: Setup SSH for AUR
        run: |
          sudo apt-get update
          sudo apt-get install -y pacman-package-manager
          mkdir -p ~/.ssh
          echo "${{ secrets.AUR_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          git config --global user.email "[email protected]"
          git config --global user.name "opencode"
          ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts || true

      - run: ./script/publish.ts
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          OPENCODE_RELEASE: ${{ needs.version.outputs.release }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
          GH_REPO: ${{ needs.version.outputs.repo }}
          NPM_CONFIG_PROVENANCE: false
          LATEST_YML_DIR: /tmp/latest-yml