opencode/.github/workflows/publish.yml

name: publish
run-name: "${{ format('release {0}', inputs.bump) }}"

on:
  push:
    branches:
      - ci
      - dev
      - beta
      - snapshot-*
  workflow_dispatch:
    inputs:
      bump:
        description: "Bump major, minor, or patch"
        required: false
        type: choice
        options:
          - major
          - minor
          - patch
      version:
        description: "Override version (optional)"
        required: false
        type: string

concurrency: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.version || inputs.bump }}

permissions:
  id-token: write
  contents: write
  packages: write

jobs:
  version:
    runs-on: blacksmith-4vcpu-ubuntu-2404
    if: github.repository == 'anomalyco/opencode'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: ./.github/actions/setup-bun

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Install OpenCode
        if: inputs.bump || inputs.version
        run: bun i -g opencode-ai

      - id: version
        run: |
          ./script/version.ts
        env:
          GH_TOKEN: ${{ steps.committer.outputs.token }}
          OPENCODE_BUMP: ${{ inputs.bump }}
          OPENCODE_VERSION: ${{ inputs.version }}
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
          GH_REPO: ${{ (github.ref_name == 'beta' && 'anomalyco/opencode-beta') || github.repository }}
    outputs:
      version: ${{ steps.version.outputs.version }}
      release: ${{ steps.version.outputs.release }}
      tag: ${{ steps.version.outputs.tag }}
      repo: ${{ steps.version.outputs.repo }}

  build-cli:
    needs: version
    runs-on: blacksmith-4vcpu-ubuntu-2404
    if: github.repository == 'anomalyco/opencode'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-tags: true

      - uses: ./.github/actions/setup-bun

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Build
        id: build
        run: |
          ./packages/opencode/script/build.ts
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          OPENCODE_RELEASE: ${{ needs.version.outputs.release }}
          GH_REPO: ${{ needs.version.outputs.repo }}
          GH_TOKEN: ${{ steps.committer.outputs.token }}

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-cli
          path: |
            packages/opencode/dist/opencode-darwin*
            packages/opencode/dist/opencode-linux*

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-cli-windows
          path: packages/opencode/dist/opencode-windows*
    outputs:
      version: ${{ needs.version.outputs.version }}

  sign-cli-windows:
    needs:
      - build-cli
      - version
    runs-on: blacksmith-4vcpu-windows-2025
    if: github.repository == 'anomalyco/opencode'
    env:
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
      AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
    steps:
      - uses: actions/checkout@v3

      - uses: actions/download-artifact@v4
        with:
          name: opencode-cli-windows
          path: packages/opencode/dist

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ env.AZURE_CLIENT_ID }}
          tenant-id: ${{ env.AZURE_TENANT_ID }}
          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}

      - uses: azure/artifact-signing-action@v1
        with:
          endpoint: ${{ env.AZURE_TRUSTED_SIGNING_ENDPOINT }}
          signing-account-name: ${{ env.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
          certificate-profile-name: ${{ env.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
          files: |
            ${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64\bin\opencode.exe
            ${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64\bin\opencode.exe
            ${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64-baseline\bin\opencode.exe
          exclude-environment-credential: true
          exclude-workload-identity-credential: true
          exclude-managed-identity-credential: true
          exclude-shared-token-cache-credential: true
          exclude-visual-studio-credential: true
          exclude-visual-studio-code-credential: true
          exclude-azure-cli-credential: false
          exclude-azure-powershell-credential: true
          exclude-azure-developer-cli-credential: true
          exclude-interactive-browser-credential: true

      - name: Verify Windows CLI signatures
        shell: pwsh
        run: |
          $files = @(
            "${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64\bin\opencode.exe",
            "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64\bin\opencode.exe",
            "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64-baseline\bin\opencode.exe"
          )

          foreach ($file in $files) {
            $sig = Get-AuthenticodeSignature $file
            if ($sig.Status -ne "Valid") {
              throw "Invalid signature for ${file}: $($sig.Status)"
            }
          }

      - name: Repack Windows CLI archives
        working-directory: packages/opencode/dist
        shell: pwsh
        run: |
          Compress-Archive -Path "opencode-windows-arm64\bin\*" -DestinationPath "opencode-windows-arm64.zip" -Force
          Compress-Archive -Path "opencode-windows-x64\bin\*" -DestinationPath "opencode-windows-x64.zip" -Force
          Compress-Archive -Path "opencode-windows-x64-baseline\bin\*" -DestinationPath "opencode-windows-x64-baseline.zip" -Force

      - name: Upload signed Windows CLI release assets
        if: needs.version.outputs.release != ''
        shell: pwsh
        env:
          GH_TOKEN: ${{ steps.committer.outputs.token }}
        run: |
          gh release upload "v${{ needs.version.outputs.version }}" `
            "${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64.zip" `
            "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64.zip" `
            "${{ github.workspace }}\packages\opencode\dist\opencode-windows-x64-baseline.zip" `
            --clobber `
            --repo "${{ needs.version.outputs.repo }}"

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-cli-signed-windows
          path: |
            packages/opencode/dist/opencode-windows-arm64
            packages/opencode/dist/opencode-windows-x64
            packages/opencode/dist/opencode-windows-x64-baseline

  build-tauri:
    needs:
      - build-cli
      - version
    continue-on-error: false
    env:
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
      AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
    strategy:
      fail-fast: false
      matrix:
        settings:
          - host: macos-latest
            target: x86_64-apple-darwin
          - host: macos-latest
            target: aarch64-apple-darwin
          # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
          - host: windows-2025
            target: aarch64-pc-windows-msvc
          - host: blacksmith-4vcpu-windows-2025
            target: x86_64-pc-windows-msvc
          - host: blacksmith-4vcpu-ubuntu-2404
            target: x86_64-unknown-linux-gnu
          - host: blacksmith-8vcpu-ubuntu-2404-arm
            target: aarch64-unknown-linux-gnu
    runs-on: ${{ matrix.settings.host }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-tags: true

      - uses: apple-actions/import-codesign-certs@v2
        if: ${{ runner.os == 'macOS' }}
        with:
          keychain: build
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}

      - name: Verify Certificate
        if: ${{ runner.os == 'macOS' }}
        run: |
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
          echo "Certificate imported."

      - name: Setup Apple API Key
        if: ${{ runner.os == 'macOS' }}
        run: |
          echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8

      - uses: ./.github/actions/setup-bun

      - name: Azure login
        if: runner.os == 'Windows'
        uses: azure/login@v2
        with:
          client-id: ${{ env.AZURE_CLIENT_ID }}
          tenant-id: ${{ env.AZURE_TENANT_ID }}
          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}

      - uses: actions/setup-node@v4
        with:
          node-version: "24"

      - name: Cache apt packages
        if: contains(matrix.settings.host, 'ubuntu')
        uses: actions/cache@v4
        with:
          path: ~/apt-cache
          key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-${{ hashFiles('.github/workflows/publish.yml') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.settings.target }}-apt-

      - name: install dependencies (ubuntu only)
        if: contains(matrix.settings.host, 'ubuntu')
        run: |
          mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
          sudo chmod -R a+rw ~/apt-cache

      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.settings.target }}

      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: packages/desktop/src-tauri
          shared-key: ${{ matrix.settings.target }}

      - name: Prepare
        run: |
          cd packages/desktop
          bun ./scripts/prepare.ts
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
          OPENCODE_CLI_ARTIFACT: ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }}
          RUST_TARGET: ${{ matrix.settings.target }}
          GH_TOKEN: ${{ github.token }}
          GITHUB_RUN_ID: ${{ github.run_id }}

      - name: Resolve tauri portable SHA
        if: contains(matrix.settings.host, 'ubuntu')
        run: echo "TAURI_PORTABLE_SHA=$(git ls-remote https://github.com/tauri-apps/tauri.git refs/heads/feat/truly-portable-appimage | cut -f1)" >> "$GITHUB_ENV"

      # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released
      - name: Install tauri-cli from portable appimage branch
        uses: taiki-e/cache-cargo-install-action@v3
        if: contains(matrix.settings.host, 'ubuntu')
        with:
          tool: tauri-cli
          git: https://github.com/tauri-apps/tauri
          # branch: feat/truly-portable-appimage
          rev: ${{ env.TAURI_PORTABLE_SHA }}

      - name: Show tauri-cli version
        if: contains(matrix.settings.host, 'ubuntu')
        run: cargo tauri --version

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Build and upload artifacts
        uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
        timeout-minutes: 60
        with:
          projectPath: packages/desktop
          uploadWorkflowArtifacts: true
          tauriScript: ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
          args: --target ${{ matrix.settings.target }} --config ${{ (github.ref_name == 'beta' && './src-tauri/tauri.beta.conf.json') || './src-tauri/tauri.prod.conf.json' }} --verbose
          updaterJsonPreferNsis: true
          releaseId: ${{ needs.version.outputs.release }}
          tagName: ${{ needs.version.outputs.tag }}
          releaseDraft: true
          releaseAssetNamePattern: opencode-desktop-[platform]-[arch][ext]
          repo: ${{ (github.ref_name == 'beta' && 'opencode-beta') || '' }}
          releaseCommitish: ${{ github.sha }}
        env:
          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
          TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8

      - name: Verify signed Windows desktop artifacts
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          $files = @(
            "${{ github.workspace }}\packages\desktop\src-tauri\sidecars\opencode-cli-${{ matrix.settings.target }}.exe"
          )
          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\src-tauri\target\${{ matrix.settings.target }}\release\bundle\nsis\*.exe" | Select-Object -ExpandProperty FullName

          foreach ($file in $files) {
            $sig = Get-AuthenticodeSignature $file
            if ($sig.Status -ne "Valid") {
              throw "Invalid signature for ${file}: $($sig.Status)"
            }
          }

  build-electron:
    needs:
      - build-cli
      - version
    if: github.repository == 'anomalyco/opencode'
    continue-on-error: false
    env:
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
      AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
    strategy:
      fail-fast: false
      matrix:
        settings:
          - host: macos-latest
            target: x86_64-apple-darwin
            platform_flag: --mac --x64
          - host: macos-latest
            target: aarch64-apple-darwin
            platform_flag: --mac --arm64
          # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
          - host: "windows-2025"
            target: aarch64-pc-windows-msvc
            platform_flag: --win --arm64
          - host: "blacksmith-4vcpu-windows-2025"
            target: x86_64-pc-windows-msvc
            platform_flag: --win
          - host: "blacksmith-4vcpu-ubuntu-2404"
            target: x86_64-unknown-linux-gnu
            platform_flag: --linux
          - host: "blacksmith-4vcpu-ubuntu-2404"
            target: aarch64-unknown-linux-gnu
            platform_flag: --linux
    runs-on: ${{ matrix.settings.host }}
    steps:
      - uses: actions/checkout@v3

      - uses: apple-actions/import-codesign-certs@v2
        if: runner.os == 'macOS'
        with:
          keychain: build
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}

      - name: Setup Apple API Key
        if: runner.os == 'macOS'
        run: echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8

      - uses: ./.github/actions/setup-bun

      - name: Azure login
        if: runner.os == 'Windows'
        uses: azure/login@v2
        with:
          client-id: ${{ env.AZURE_CLIENT_ID }}
          tenant-id: ${{ env.AZURE_TENANT_ID }}
          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}

      - uses: actions/setup-node@v4
        with:
          node-version: "24"

      - name: Cache apt packages
        if: contains(matrix.settings.host, 'ubuntu')
        uses: actions/cache@v4
        with:
          path: ~/apt-cache
          key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-electron-${{ hashFiles('.github/workflows/publish.yml') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.settings.target }}-apt-electron-

      - name: Install dependencies (ubuntu only)
        if: contains(matrix.settings.host, 'ubuntu')
        run: |
          mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" rpm
          sudo chmod -R a+rw ~/apt-cache

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - name: Prepare
        run: bun ./scripts/prepare.ts
        working-directory: packages/desktop-electron
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}
          OPENCODE_CLI_ARTIFACT: ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }}
          RUST_TARGET: ${{ matrix.settings.target }}
          GH_TOKEN: ${{ github.token }}
          GITHUB_RUN_ID: ${{ github.run_id }}

      - name: Build
        run: bun run build
        working-directory: packages/desktop-electron
        env:
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}

      - name: Package and publish
        if: needs.version.outputs.release
        run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish always --config electron-builder.config.ts
        working-directory: packages/desktop-electron
        timeout-minutes: 60
        env:
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}
          GH_TOKEN: ${{ steps.committer.outputs.token }}
          CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
          CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_API_KEY: ${{ runner.temp }}/apple-api-key.p8
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}

      - name: Package (no publish)
        if: ${{ !needs.version.outputs.release }}
        run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish never --config electron-builder.config.ts
        working-directory: packages/desktop-electron
        timeout-minutes: 60
        env:
          OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}

      - name: Verify signed Windows Electron artifacts
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          $files = @()
          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop-electron\dist\*.exe" | Select-Object -ExpandProperty FullName
          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop-electron\dist\*unpacked\*.exe" | Select-Object -ExpandProperty FullName
          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop-electron\dist\*unpacked\resources\opencode-cli.exe" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

          foreach ($file in $files | Select-Object -Unique) {
            $sig = Get-AuthenticodeSignature $file
            if ($sig.Status -ne "Valid") {
              throw "Invalid signature for ${file}: $($sig.Status)"
            }
          }

      - uses: actions/upload-artifact@v4
        with:
          name: opencode-electron-${{ matrix.settings.target }}
          path: packages/desktop-electron/dist/*

      - uses: actions/upload-artifact@v4
        if: needs.version.outputs.release
        with:
          name: latest-yml-${{ matrix.settings.target }}
          path: packages/desktop-electron/dist/latest*.yml

  publish:
    needs:
      - version
      - build-cli
      - sign-cli-windows
      - build-tauri
      - build-electron
    if: always() && !failure() && !cancelled()
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      - uses: actions/checkout@v3

      - uses: ./.github/actions/setup-bun

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - uses: actions/setup-node@v4
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"

      - name: Setup git committer
        id: committer
        uses: ./.github/actions/setup-git-committer
        with:
          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}

      - uses: actions/download-artifact@v4
        with:
          name: opencode-cli
          path: packages/opencode/dist

      - uses: actions/download-artifact@v4
        with:
          name: opencode-cli-windows
          path: packages/opencode/dist

      - uses: actions/download-artifact@v4
        with:
          name: opencode-cli-signed-windows
          path: packages/opencode/dist

      - uses: actions/download-artifact@v4
        if: needs.version.outputs.release
        with:
          pattern: latest-yml-*
          path: /tmp/latest-yml

      - name: Cache apt packages (AUR)
        uses: actions/cache@v4
        with:
          path: /var/cache/apt/archives
          key: ${{ runner.os }}-apt-aur-${{ hashFiles('.github/workflows/publish.yml') }}
          restore-keys: |
            ${{ runner.os }}-apt-aur-

      - name: Setup SSH for AUR
        run: |
          sudo apt-get update
          sudo apt-get install -y pacman-package-manager
          mkdir -p ~/.ssh
          echo "${{ secrets.AUR_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          git config --global user.email "[email protected]"
          git config --global user.name "opencode"
          ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts || true

      - run: ./script/publish.ts
        env:
          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
          OPENCODE_RELEASE: ${{ needs.version.outputs.release }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
          GH_REPO: ${{ needs.version.outputs.repo }}
          NPM_CONFIG_PROVENANCE: false
          LATEST_YML_DIR: /tmp/latest-yml