@@ -209,15 +209,131 @@ jobs:
209209 packages/opencode/dist/opencode-windows-x64
210210 packages/opencode/dist/opencode-windows-x64-baseline
211211
212- upload-latest-json :
212+ build-tauri :
213213 needs :
214+ - build-cli
214215 - version
215- runs-on : blacksmith-4vcpu-ubuntu-2404
216- if : github.repository == 'anomalyco/opencode' && needs.version.outputs.release != ''
216+ continue-on-error : false
217+ env :
218+ AZURE_CLIENT_ID : ${{ secrets.AZURE_CLIENT_ID }}
219+ AZURE_TENANT_ID : ${{ secrets.AZURE_TENANT_ID }}
220+ AZURE_SUBSCRIPTION_ID : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
221+ AZURE_TRUSTED_SIGNING_ACCOUNT_NAME : ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
222+ AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE : ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
223+ AZURE_TRUSTED_SIGNING_ENDPOINT : ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
224+ strategy :
225+ fail-fast : false
226+ matrix :
227+ settings :
228+ - host : macos-latest
229+ target : x86_64-apple-darwin
230+ - host : macos-latest
231+ target : aarch64-apple-darwin
232+ # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
233+ - host : windows-2025
234+ target : aarch64-pc-windows-msvc
235+ - host : blacksmith-4vcpu-windows-2025
236+ target : x86_64-pc-windows-msvc
237+ - host : blacksmith-4vcpu-ubuntu-2404
238+ target : x86_64-unknown-linux-gnu
239+ - host : blacksmith-8vcpu-ubuntu-2404-arm
240+ target : aarch64-unknown-linux-gnu
241+ runs-on : ${{ matrix.settings.host }}
217242 steps :
218- - name : Download latest.json from v1.4.3
243+ - uses : actions/checkout@v3
244+ with :
245+ fetch-tags : true
246+
247+ - uses : apple-actions/import-codesign-certs@v2
248+ if : ${{ runner.os == 'macOS' }}
249+ with :
250+ keychain : build
251+ p12-file-base64 : ${{ secrets.APPLE_CERTIFICATE }}
252+ p12-password : ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
253+
254+ - name : Verify Certificate
255+ if : ${{ runner.os == 'macOS' }}
256+ run : |
257+ CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
258+ CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
259+ echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
260+ echo "Certificate imported."
261+
262+ - name : Setup Apple API Key
263+ if : ${{ runner.os == 'macOS' }}
264+ run : |
265+ echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8
266+
267+ - uses : ./.github/actions/setup-bun
268+
269+ - name : Azure login
270+ if : runner.os == 'Windows'
271+ uses : azure/login@v2
272+ with :
273+ client-id : ${{ env.AZURE_CLIENT_ID }}
274+ tenant-id : ${{ env.AZURE_TENANT_ID }}
275+ subscription-id : ${{ env.AZURE_SUBSCRIPTION_ID }}
276+
277+ - uses : actions/setup-node@v4
278+ with :
279+ node-version : " 24"
280+
281+ - name : Cache apt packages
282+ if : contains(matrix.settings.host, 'ubuntu')
283+ uses : actions/cache@v4
284+ with :
285+ path : ~/apt-cache
286+ key : ${{ runner.os }}-${{ matrix.settings.target }}-apt-${{ hashFiles('.github/workflows/publish.yml') }}
287+ restore-keys : |
288+ ${{ runner.os }}-${{ matrix.settings.target }}-apt-
289+
290+ - name : install dependencies (ubuntu only)
291+ if : contains(matrix.settings.host, 'ubuntu')
219292 run : |
220- curl -L -o latest.json "https://github.com/anomalyco/opencode/releases/download/v1.4.3/latest.json"
293+ mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
294+ sudo apt-get update
295+ sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
296+ sudo chmod -R a+rw ~/apt-cache
297+
298+ - name : install Rust stable
299+ uses : dtolnay/rust-toolchain@stable
300+ with :
301+ targets : ${{ matrix.settings.target }}
302+
303+ - uses : Swatinem/rust-cache@v2
304+ with :
305+ workspaces : packages/desktop/src-tauri
306+ shared-key : ${{ matrix.settings.target }}
307+
308+ - name : Prepare
309+ run : |
310+ cd packages/desktop
311+ bun ./scripts/prepare.ts
312+ env :
313+ OPENCODE_VERSION : ${{ needs.version.outputs.version }}
314+ GITHUB_TOKEN : ${{ steps.committer.outputs.token }}
315+ OPENCODE_CLI_ARTIFACT : ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }}
316+ RUST_TARGET : ${{ matrix.settings.target }}
317+ GH_TOKEN : ${{ github.token }}
318+ GITHUB_RUN_ID : ${{ github.run_id }}
319+
320+ - name : Resolve tauri portable SHA
321+ if : contains(matrix.settings.host, 'ubuntu')
322+ run : echo "TAURI_PORTABLE_SHA=$(git ls-remote https://github.com/tauri-apps/tauri.git refs/heads/feat/truly-portable-appimage | cut -f1)" >> "$GITHUB_ENV"
323+
324+ # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released
325+ - name : Install tauri-cli from portable appimage branch
326+ uses : taiki-e/cache-cargo-install-action@v3
327+ if : contains(matrix.settings.host, 'ubuntu')
328+ with :
329+ tool : tauri-cli
330+ git : https://github.com/tauri-apps/tauri
331+ # branch: feat/truly-portable-appimage
332+ rev : ${{ env.TAURI_PORTABLE_SHA }}
333+
334+ - name : Show tauri-cli version
335+ if : contains(matrix.settings.host, 'ubuntu')
336+ run : cargo tauri --version
221337
222338 - name : Setup git committer
223339 id : committer
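Review bot: The `Resolve tauri portable SHA` step reads whatever commit is at the tip of `feat/truly-portable-appimage` at build time, so the `rev` given to `taiki-e/cache-cargo-install-action` is not a pin and any push to that branch changes the tauri-cli that the ubuntu release legs compile and run. Because the next hunk sets `tauriScript` to `cargo tauri` on ubuntu hosts, that binary runs in the step that receives `TAURI_SIGNING_PRIVATE_KEY`. I would drop the `git ls-remote` step and write a reviewed full commit SHA into the workflow, `rev: <reviewed-commit-sha>` (placeholder), bumping it deliberately. Separately, `Setup Apple API Key` expands `${{ secrets.APPLE_API_KEY_PATH }}` into the script text; passing it through `env:` under a name of your choice and writing it with `printf '%s\n' "$APPLE_API_KEY_P8" > "$RUNNER_TEMP/apple-api-key.p8"` avoids shell interpretation of the key contents. Also, `Prepare` sets `GITHUB_TOKEN` from `steps.committer.outputs.token`, but the `committer` step appears only after it in this hunk, so that value is presumably empty when `Prepare` runs.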
@@ -226,11 +342,48 @@ jobs:
226342 opencode-app-id : ${{ vars.OPENCODE_APP_ID }}
227343 opencode-app-secret : ${{ secrets.OPENCODE_APP_SECRET }}
228344
229- - name : Upload latest.json to release
345+ - name : Build and upload artifacts
346+ uses : tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
347+ timeout-minutes : 60
348+ with :
349+ projectPath : packages/desktop
350+ uploadWorkflowArtifacts : true
351+ tauriScript : ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
352+ args : --target ${{ matrix.settings.target }} --config ${{ (github.ref_name == 'beta' && './src-tauri/tauri.beta.conf.json') || './src-tauri/tauri.prod.conf.json' }} --verbose
353+ updaterJsonPreferNsis : true
354+ releaseId : ${{ needs.version.outputs.release }}
355+ tagName : ${{ needs.version.outputs.tag }}
356+ releaseDraft : true
357+ releaseAssetNamePattern : opencode-desktop-[platform]-[arch][ext]
358+ repo : ${{ (github.ref_name == 'beta' && 'opencode-beta') || '' }}
359+ releaseCommitish : ${{ github.sha }}
230360 env :
231- GH_TOKEN : ${{ steps.committer.outputs.token }}
361+ GITHUB_TOKEN : ${{ steps.committer.outputs.token }}
362+ TAURI_BUNDLER_NEW_APPIMAGE_FORMAT : true
363+ TAURI_SIGNING_PRIVATE_KEY : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
364+ TAURI_SIGNING_PRIVATE_KEY_PASSWORD : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
365+ APPLE_CERTIFICATE : ${{ secrets.APPLE_CERTIFICATE }}
366+ APPLE_CERTIFICATE_PASSWORD : ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
367+ APPLE_SIGNING_IDENTITY : ${{ env.CERT_ID }}
368+ APPLE_API_ISSUER : ${{ secrets.APPLE_API_ISSUER }}
369+ APPLE_API_KEY : ${{ secrets.APPLE_API_KEY }}
370+ APPLE_API_KEY_PATH : ${{ runner.temp }}/apple-api-key.p8
371+
372+ - name : Verify signed Windows desktop artifacts
373+ if : runner.os == 'Windows'
374+ shell : pwsh
232375 run : |
233- gh release upload "v${{ needs.version.outputs.version }}" latest.json --clobber --repo "${{ needs.version.outputs.repo }}"
376+ $files = @(
377+ "${{ github.workspace }}\packages\desktop\src-tauri\sidecars\opencode-cli-${{ matrix.settings.target }}.exe"
378+ )
379+ $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\src-tauri\target\${{ matrix.settings.target }}\release\bundle\nsis\*.exe" | Select-Object -ExpandProperty FullName
380+
381+ foreach ($file in $files) {
382+ $sig = Get-AuthenticodeSignature $file
383+ if ($sig.Status -ne "Valid") {
384+ throw "Invalid signature for ${file}: $($sig.Status)"
385+ }
386+ }
234387
235388 build-electron :
236389 needs :
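Review bot: The `Verify signed Windows desktop artifacts` step accepts any signature whose `Status` is `Valid` and never checks that an installer was found: as far as I can tell, if the `bundle\nsis\*.exe` glob matches nothing, `Get-ChildItem` adds no entries and only the sidecar is checked. I would fail when the list holds nothing beyond the sidecar, e.g. `if ($files.Count -lt 2) { throw "No NSIS installer found to verify" }`. I would also compare `$sig.SignerCertificate.Subject` with the expected publisher (`<expected-signer-subject>`, placeholder), so that a validly signed file from a different signer does not pass. The check runs after `Build and upload artifacts`, so a failure stops the job but presumably leaves the already-uploaded assets on the draft release; a comment or cleanup step covering that case would help.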
@@ -392,7 +545,7 @@ jobs:
392545 - version
393546 - build-cli
394547 - sign-cli-windows
395- - upload-latest-json
548+ - build-tauri
396549 - build-electron
397550 if : always() && !failure() && !cancelled()
398551 runs-on : blacksmith-4vcpu-ubuntu-2404