eliott/openwork
1
0
Fork 0
mirror of https://github.com/different-ai/openwork synced 2026-04-25 17:15:34 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
7a53c2964cd5634d1e88036d2e6835e1a293a975
openwork/.github/workflows/release-macos-aarch64.yml
Workflow config file is invalid. Please check your config file: yaml: unmarshal errors: line 665: mapping key "name" already defined at line 614 line 666: mapping key "needs" already defined at line 620 line 667: mapping key "if" already defined at line 621 line 668: mapping key "runs-on" already defined at line 622 line 669: mapping key "env" already defined at line 623 line 671: mapping key "steps" already defined at line 625
ben 7a53c2964c feat(desktop): Tauri → Electron migration release kit (#1526) 
Ships the last-missing piece of the Electron migration. After this PR
merges there are three one-shot scripts under scripts/migration/ that
carry the whole lifecycle from "cut v0.12.0" through "delete src-tauri":

  01-cut-migration-release.mjs   # bumps versions, writes the release env
                                 # fragment, tags, pushes.
  02-validate-migration.mjs      # guided smoke test against a cut release.
  03-post-migration-cleanup.mjs  # deletes src-tauri, flips defaults,
                                 # scrubs Tauri docs (dry-run by default).

Code landing in the same PR (dormant until a release sets
VITE_OPENWORK_MIGRATION_RELEASE=1):

- apps/desktop/src-tauri/src/commands/migration.rs gains
  migrate_to_electron() — downloads the matching Electron .zip, verifies
  the Apple signature, swaps the .app bundle in place via a detached
  shell script, relaunches, and exits. Windows + Linux branches are
  stubbed with clear TODOs for the follow-up.
- apps/app/src/app/lib/migration.ts grows migrateToElectron() + a
  "later" defer helper.
- apps/app/src/react-app/shell/migration-prompt.tsx adds the one-time
  "OpenWork is moving to a new engine" modal. Mounted from
  providers.tsx. Gated on isTauriRuntime() AND the build-time flag, so
  Electron users and all non-migration-release builds never render it.
- apps/app/vite.config.ts loads apps/app/.env.migration-release when
  present so the prompt gets the release-specific download URLs.
- .gitignore allows the migration-release fragment to be committed only
  on the tagged migration-release commit (removed in cleanup step).

Release workflow:
- .github/workflows/release-macos-aarch64.yml gains a publish-electron
  job alongside the Tauri jobs. Gated on RELEASE_PUBLISH_ELECTRON repo
  var OR the new publish_electron workflow_dispatch input (default
  false). Uses the existing Apple Dev ID secrets — no new credential
  story. Produces latest-mac.yml alongside Tauri's latest.json so a
  v0.12.0 release serves both updaters.

Verified:
  pnpm --filter @openwork/app typecheck   ✓
  cargo check --manifest-path apps/desktop/src-tauri/Cargo.toml   ✓
  node --check on all mjs scripts   ✓
  python yaml parse of release-macos-aarch64.yml   ✓

Not verified (needs a real release cycle):
  end-to-end migration from a signed Tauri .app to a signed Electron
  .app through the detached-script install swap.

Co-authored-by: Benjamin Shafii <benjamin@openworklabs.com>
2026-04-22 18:52:30 -07:00

1015 lines
38 KiB
YAML
Raw Blame History

name: Release App
on:
push:
tags:
- "v*"
workflow_dispatch:
inputs:
tag:
description: "Tag to release (e.g., v0.1.2). Leave empty to use current ref."
required: false
type: string
release_name:
description: "Release title (defaults to OpenWork <tag>)"
required: false
type: string
release_body:
description: "Release notes body in Markdown (defaults to a short placeholder)"
required: false
type: string
draft:
description: "Create the GitHub Release as a draft"
required: false
type: boolean
default: false
prerelease:
description: "Mark the GitHub Release as a prerelease"
required: false
type: boolean
default: false
notarize:
description: "Notarize macOS builds (requires Apple team configured)"
required: false
type: boolean
default: false
build_tauri:
description: "Build desktop (Tauri) artifacts"
required: false
type: boolean
default: true
publish_sidecars:
description: "Build + upload openwork-orchestrator sidecar release assets"
required: false
type: boolean
default: true
publish_npm:
description: "Publish openwork-orchestrator/openwork-server/opencode-router to npm if versions changed"
required: false
type: boolean
default: true
publish_daytona_snapshot:
description: "Build + push Daytona worker snapshot"
required: false
type: boolean
default: true
publish_electron:
description: "Build + publish Electron desktop artifacts (macOS) alongside Tauri"
required: false
type: boolean
default: false
permissions:
contents: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
resolve-release:
name: Resolve Release Metadata
runs-on: blacksmith-4vcpu-ubuntu-2404
outputs:
release_tag: ${{ steps.resolve.outputs.release_tag }}
release_name: ${{ steps.resolve.outputs.release_name }}
release_body: ${{ steps.resolve.outputs.release_body }}
draft: ${{ steps.resolve.outputs.draft }}
prerelease: ${{ steps.resolve.outputs.prerelease }}
notarize: ${{ steps.resolve.outputs.notarize }}
build_tauri: ${{ steps.resolve.outputs.build_tauri }}
publish_sidecars: ${{ steps.resolve.outputs.publish_sidecars }}
publish_npm: ${{ steps.resolve.outputs.publish_npm }}
publish_daytona_snapshot: ${{ steps.resolve.outputs.publish_daytona_snapshot }}
steps:
- name: Resolve metadata
id: resolve
shell: bash
env:
INPUT_TAG: ${{ github.event.inputs.tag }}
INPUT_RELEASE_NAME: ${{ github.event.inputs.release_name }}
INPUT_RELEASE_BODY: ${{ github.event.inputs.release_body }}
INPUT_DRAFT: ${{ github.event.inputs.draft }}
INPUT_PRERELEASE: ${{ github.event.inputs.prerelease }}
INPUT_NOTARIZE: ${{ github.event.inputs.notarize }}
INPUT_BUILD_TAURI: ${{ github.event.inputs.build_tauri }}
INPUT_PUBLISH_SIDECARS: ${{ github.event.inputs.publish_sidecars }}
INPUT_PUBLISH_NPM: ${{ github.event.inputs.publish_npm }}
INPUT_PUBLISH_DAYTONA_SNAPSHOT: ${{ github.event.inputs.publish_daytona_snapshot }}
DEFAULT_PUBLISH_SIDECARS: ${{ vars.RELEASE_PUBLISH_SIDECARS }}
DEFAULT_PUBLISH_NPM: ${{ vars.RELEASE_PUBLISH_NPM }}
DEFAULT_PUBLISH_DAYTONA_SNAPSHOT: ${{ vars.RELEASE_PUBLISH_DAYTONA_SNAPSHOT }}
DEFAULT_NOTARIZE: ${{ vars.MACOS_NOTARIZE }}
DEFAULT_BUILD_TAURI: ${{ vars.RELEASE_BUILD_TAURI }}
run: |
set -euo pipefail
TAG_INPUT="${INPUT_TAG:-}"
if [ -n "$TAG_INPUT" ]; then
if [[ "$TAG_INPUT" == v* ]]; then
TAG="$TAG_INPUT"
else
TAG="v$TAG_INPUT"
fi
else
TAG="${GITHUB_REF_NAME}"
fi
if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]]; then
echo "Invalid release tag: $TAG (expected vX.Y.Z)" >&2
exit 1
fi
RELEASE_NAME_INPUT="${INPUT_RELEASE_NAME:-}"
if [ -n "$RELEASE_NAME_INPUT" ]; then
RELEASE_NAME="$RELEASE_NAME_INPUT"
else
RELEASE_NAME="OpenWork $TAG"
fi
RELEASE_BODY_INPUT="${INPUT_RELEASE_BODY:-}"
if [ -n "$RELEASE_BODY_INPUT" ]; then
RELEASE_BODY="$RELEASE_BODY_INPUT"
else
RELEASE_BODY="See the assets to download this version and install."
fi
draft="${INPUT_DRAFT:-}"
if [ -z "$draft" ]; then
if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
# Keep tag-triggered releases out of /releases/latest until assets + latest.json are ready.
draft="true"
else
draft="false"
fi
fi
prerelease="${INPUT_PRERELEASE:-false}"
notarize="${INPUT_NOTARIZE:-}"
if [ -z "$notarize" ]; then
notarize="${DEFAULT_NOTARIZE:-true}"
fi
build_tauri="${INPUT_BUILD_TAURI:-}"
if [ -z "$build_tauri" ]; then
build_tauri="${DEFAULT_BUILD_TAURI:-true}"
fi
publish_sidecars="${INPUT_PUBLISH_SIDECARS:-}"
if [ -z "$publish_sidecars" ]; then
publish_sidecars="${DEFAULT_PUBLISH_SIDECARS:-true}"
fi
publish_npm="${INPUT_PUBLISH_NPM:-}"
if [ -z "$publish_npm" ]; then
publish_npm="${DEFAULT_PUBLISH_NPM:-true}"
fi
publish_daytona_snapshot="${INPUT_PUBLISH_DAYTONA_SNAPSHOT:-}"
if [ -z "$publish_daytona_snapshot" ]; then
publish_daytona_snapshot="${DEFAULT_PUBLISH_DAYTONA_SNAPSHOT:-true}"
fi
TAG="${TAG//$'\n'/}"
TAG="${TAG//$'\r'/}"
RELEASE_NAME="${RELEASE_NAME//$'\n'/ }"
RELEASE_NAME="${RELEASE_NAME//$'\r'/ }"
echo "release_tag=$TAG" >> "$GITHUB_OUTPUT"
echo "release_name=$RELEASE_NAME" >> "$GITHUB_OUTPUT"
echo "draft=$draft" >> "$GITHUB_OUTPUT"
echo "prerelease=$prerelease" >> "$GITHUB_OUTPUT"
echo "notarize=$notarize" >> "$GITHUB_OUTPUT"
echo "build_tauri=$build_tauri" >> "$GITHUB_OUTPUT"
echo "publish_sidecars=$publish_sidecars" >> "$GITHUB_OUTPUT"
echo "publish_npm=$publish_npm" >> "$GITHUB_OUTPUT"
echo "publish_daytona_snapshot=$publish_daytona_snapshot" >> "$GITHUB_OUTPUT"
{
echo "release_body<<__OPENWORK_RELEASE_BODY_EOF__"
printf '%s\n' "$RELEASE_BODY"
echo "__OPENWORK_RELEASE_BODY_EOF__"
} >> "$GITHUB_OUTPUT"
- name: Create release if missing
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
BODY_FILE="$RUNNER_TEMP/release_body.md"
printf '%s\n' "${{ steps.resolve.outputs.release_body }}" > "$BODY_FILE"
if gh release view "${{ steps.resolve.outputs.release_tag }}" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
echo "Release ${{ steps.resolve.outputs.release_tag }} already exists; skipping create."
exit 0
fi
DRAFT_FLAG=""
PRERELEASE_FLAG=""
if [ "${{ steps.resolve.outputs.draft }}" = "true" ]; then
DRAFT_FLAG="--draft"
fi
if [ "${{ steps.resolve.outputs.prerelease }}" = "true" ]; then
PRERELEASE_FLAG="--prerelease"
fi
gh release create "${{ steps.resolve.outputs.release_tag }}" \
--repo "$GITHUB_REPOSITORY" \
--title "${{ steps.resolve.outputs.release_name }}" \
--notes-file "$BODY_FILE" \
$DRAFT_FLAG $PRERELEASE_FLAG
verify-release:
name: Verify Release Versions
needs: resolve-release
runs-on: blacksmith-4vcpu-ubuntu-2404
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ env.RELEASE_TAG }}
fetch-depth: 0
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version-file: .nvmrc
- name: Verify tag matches app versions
run: node scripts/release/verify-tag.mjs --tag "$RELEASE_TAG"
- name: Release review (strict)
run: node scripts/release/review.mjs --strict
publish-tauri:
name: Build + Publish (${{ matrix.target }})
needs: [resolve-release, verify-release]
if: needs.resolve-release.outputs.build_tauri == 'true'
# Set OPENWORK_LINUX_X64_RUNNER_LABEL to route only the Linux x86_64 build to a larger runner.
runs-on: ${{ matrix.target == 'x86_64-unknown-linux-gnu' && vars.OPENWORK_LINUX_X64_RUNNER_LABEL != '' && vars.OPENWORK_LINUX_X64_RUNNER_LABEL || matrix.platform }}
timeout-minutes: 360
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
RELEASE_NAME: ${{ needs.resolve-release.outputs.release_name }}
RELEASE_BODY: ${{ needs.resolve-release.outputs.release_body }}
RELEASE_DRAFT: ${{ needs.resolve-release.outputs.draft }}
RELEASE_PRERELEASE: ${{ needs.resolve-release.outputs.prerelease }}
MACOS_NOTARIZE: ${{ needs.resolve-release.outputs.notarize }}
# Ensure Tauri's beforeBuildCommand (prepare:sidecar) uses our fork.
OPENCODE_GITHUB_REPO: ${{ vars.OPENCODE_GITHUB_REPO || 'anomalyco/opencode' }}
strategy:
fail-fast: false
matrix:
include:
- platform: macos-14
os_type: macos
target: aarch64-apple-darwin
args: "--target aarch64-apple-darwin --bundles dmg,app"
- platform: macos-14
os_type: macos
target: x86_64-apple-darwin
args: "--target x86_64-apple-darwin --bundles dmg,app"
- platform: ubuntu-22.04
os_type: linux
target: x86_64-unknown-linux-gnu
args: "--target x86_64-unknown-linux-gnu --bundles deb,rpm"
- platform: ubuntu-22.04-arm
os_type: linux
target: aarch64-unknown-linux-gnu
args: "--target aarch64-unknown-linux-gnu --bundles deb,rpm"
- platform: windows-2022
os_type: windows
target: x86_64-pc-windows-msvc
args: "--target x86_64-pc-windows-msvc --bundles msi"
steps:
- name: Log runner selection
shell: bash
run: |
echo "Requested larger runner label: ${RUNNER_LABEL:-<unset>}"
echo "Effective runs-on: ${EFFECTIVE_RUNS_ON}"
env:
RUNNER_LABEL: ${{ vars.OPENWORK_LINUX_X64_RUNNER_LABEL }}
EFFECTIVE_RUNS_ON: ${{ matrix.target == 'x86_64-unknown-linux-gnu' && vars.OPENWORK_LINUX_X64_RUNNER_LABEL != '' && vars.OPENWORK_LINUX_X64_RUNNER_LABEL || matrix.platform }}
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ env.RELEASE_TAG }}
fetch-depth: 0
- name: Enable git long paths (Windows)
if: matrix.os_type == 'windows'
shell: pwsh
run: git config --global core.longpaths true
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version-file: .nvmrc
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 10.27.0
- name: Setup Bun
uses: oven-sh/setup-bun@v1
with:
bun-version: "1.3.6"
- name: Get pnpm store path
id: pnpm-store
shell: bash
run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
- name: Cache pnpm store
uses: actions/cache@v5
continue-on-error: true
with:
path: ${{ steps.pnpm-store.outputs.path }}
key: ${{ runner.os }}-pnpm-${{ hashFiles('pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-
- name: Cache cargo
uses: actions/cache@v5
continue-on-error: true
with:
path: |
~/.cargo/registry
~/.cargo/git
apps/desktop/src-tauri/target
key: ${{ runner.os }}-cargo-${{ hashFiles('apps/desktop/src-tauri/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-
- name: Install dependencies
run: pnpm install --frozen-lockfile --prefer-offline
- name: Install OpenTUI x64 core (macOS x86_64)
if: matrix.os_type == 'macos' && matrix.target == 'x86_64-apple-darwin'
run: pnpm add -w --ignore-workspace-root-check @opentui/core-darwin-x64@0.1.77
- name: Install Linux build dependencies
if: matrix.os_type == 'linux'
run: |
sudo apt-get update
sudo apt-get install -y \
libgtk-3-dev \
libglib2.0-dev \
libayatana-appindicator3-dev \
libsoup-3.0-dev \
libwebkit2gtk-4.1-dev \
libssl-dev \
rpm \
libdbus-1-dev \
librsvg2-dev
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- name: Resolve OpenCode version
id: opencode-version
shell: bash
run: |
node <<'NODE' >> "$GITHUB_OUTPUT"
const fs = require('fs');
const parsed = JSON.parse(fs.readFileSync('./constants.json', 'utf8'));
const version = String(parsed.opencodeVersion || '').replace(/^v/, '').trim();
if (!version) {
throw new Error('Pinned OpenCode version is missing from constants.json');
}
console.log('version=' + version);
NODE
- name: Download OpenCode sidecar
shell: bash
env:
PINNED_OPENCODE_VERSION: ${{ steps.opencode-version.outputs.version }}
OPENCODE_GITHUB_REPO: ${{ vars.OPENCODE_GITHUB_REPO || 'anomalyco/opencode' }}
run: |
set -euo pipefail
case "${{ matrix.target }}" in
aarch64-apple-darwin)
opencode_asset="opencode-darwin-arm64.zip"
;;
x86_64-apple-darwin)
opencode_asset="opencode-darwin-x64-baseline.zip"
;;
x86_64-unknown-linux-gnu)
opencode_asset="opencode-linux-x64-baseline.tar.gz"
;;
aarch64-unknown-linux-gnu)
opencode_asset="opencode-linux-arm64.tar.gz"
;;
x86_64-pc-windows-msvc)
opencode_asset="opencode-windows-x64-baseline.zip"
;;
*)
echo "Unsupported target: ${{ matrix.target }}" >&2
exit 1
;;
esac
repo="${OPENCODE_GITHUB_REPO:-anomalyco/opencode}"
url="https://github.com/${repo}/releases/download/v${PINNED_OPENCODE_VERSION}/${opencode_asset}"
tmp_dir="$RUNNER_TEMP/opencode"
extract_dir="$tmp_dir/extracted"
rm -rf "$tmp_dir"
mkdir -p "$extract_dir"
curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 -o "$tmp_dir/$opencode_asset" "$url"
if [[ "$opencode_asset" == *.tar.gz ]]; then
tar -xzf "$tmp_dir/$opencode_asset" -C "$extract_dir"
else
if command -v unzip >/dev/null 2>&1; then
unzip -q "$tmp_dir/$opencode_asset" -d "$extract_dir"
elif command -v 7z >/dev/null 2>&1; then
7z x "$tmp_dir/$opencode_asset" -o"$extract_dir" >/dev/null
else
echo "No unzip utility available" >&2
exit 1
fi
fi
if [ -f "$extract_dir/opencode" ]; then
bin_path="$extract_dir/opencode"
elif [ -f "$extract_dir/opencode.exe" ]; then
bin_path="$extract_dir/opencode.exe"
else
echo "OpenCode binary not found in archive" >&2
ls -la "$extract_dir"
exit 1
fi
target_name="opencode-${{ matrix.target }}"
if [ "${{ matrix.os_type }}" = "windows" ]; then
target_name="${target_name}.exe"
fi
mkdir -p apps/desktop/src-tauri/sidecars
cp "$bin_path" "apps/desktop/src-tauri/sidecars/${target_name}"
chmod 755 "apps/desktop/src-tauri/sidecars/${target_name}"
- name: Write notary API key
if: matrix.os_type == 'macos' && env.MACOS_NOTARIZE == 'true'
env:
APPLE_NOTARY_API_KEY_P8_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}
run: |
set -euo pipefail
NOTARY_KEY_PATH="$RUNNER_TEMP/AuthKey.p8"
printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64" | base64 --decode > "$NOTARY_KEY_PATH"
chmod 600 "$NOTARY_KEY_PATH"
echo "NOTARY_KEY_PATH=$NOTARY_KEY_PATH" >> "$GITHUB_ENV"
- name: Build + upload (notarized)
if: matrix.os_type == 'macos' && env.MACOS_NOTARIZE == 'true'
uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
env:
CI: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Tauri updater signing
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
# macOS signing
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_CERTIFICATE: ${{ secrets.APPLE_CODESIGN_CERT_P12_BASE64 }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CODESIGN_CERT_PASSWORD }}
# macOS notarization (App Store Connect API key)
APPLE_API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
APPLE_API_ISSUER: ${{ secrets.APPLE_NOTARY_API_ISSUER_ID }}
APPLE_API_KEY_PATH: ${{ env.NOTARY_KEY_PATH }}
with:
tagName: ${{ env.RELEASE_TAG }}
releaseName: ${{ env.RELEASE_NAME }}
releaseBody: ${{ env.RELEASE_BODY }}
releaseDraft: ${{ env.RELEASE_DRAFT == 'true' }}
prerelease: ${{ env.RELEASE_PRERELEASE == 'true' }}
projectPath: apps/desktop
tauriScript: pnpm exec tauri -vvv
args: ${{ matrix.args }}
retryAttempts: 3
uploadUpdaterJson: false
updaterJsonPreferNsis: true
releaseAssetNamePattern: openwork-desktop-[platform]-[arch][ext]
- name: Build + upload
if: matrix.os_type != 'macos' || env.MACOS_NOTARIZE != 'true'
uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
env:
CI: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Tauri updater signing
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
# macOS signing
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_CERTIFICATE: ${{ secrets.APPLE_CODESIGN_CERT_P12_BASE64 }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CODESIGN_CERT_PASSWORD }}
with:
tagName: ${{ env.RELEASE_TAG }}
releaseName: ${{ env.RELEASE_NAME }}
releaseBody: ${{ env.RELEASE_BODY }}
releaseDraft: ${{ env.RELEASE_DRAFT == 'true' }}
prerelease: ${{ env.RELEASE_PRERELEASE == 'true' }}
projectPath: apps/desktop
tauriScript: pnpm exec tauri -vvv
args: ${{ matrix.args }}
retryAttempts: 3
uploadUpdaterJson: false
updaterJsonPreferNsis: true
releaseAssetNamePattern: openwork-desktop-[platform]-[arch][ext]
- name: Verify versions.json bundled (macOS)
if: success() && matrix.os_type == 'macos'
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
case "${{ matrix.target }}" in
aarch64-apple-darwin)
asset_arch="aarch64"
;;
x86_64-apple-darwin)
asset_arch="x64"
;;
*)
echo "Unexpected target for macOS verify: ${{ matrix.target }}" >&2
exit 1
;;
esac
tmp_dir="$RUNNER_TEMP/openwork-bundle-verify"
rm -rf "$tmp_dir"
mkdir -p "$tmp_dir"
gh release download "${RELEASE_TAG}" \
--repo "$GITHUB_REPOSITORY" \
--pattern "openwork-desktop-darwin-${asset_arch}.app.tar.gz" \
--dir "$tmp_dir"
tar -xzf "$tmp_dir/openwork-desktop-darwin-${asset_arch}.app.tar.gz" -C "$tmp_dir"
app_path="$tmp_dir/OpenWork.app"
manifest_path="$app_path/Contents/MacOS/versions.json"
if [ ! -f "$manifest_path" ]; then
echo "ERROR: versions.json missing from app bundle: $manifest_path" >&2
echo "Hint: ensure apps/desktop/src-tauri/tauri.conf.json bundles sidecars/versions.json" >&2
exit 1
fi
echo "Found bundled versions.json at $manifest_path"
publish-updater-json:
name: Publish consolidated latest.json
needs: [resolve-release, verify-release, publish-tauri]
if: needs.resolve-release.outputs.build_tauri == 'true'
runs-on: blacksmith-4vcpu-ubuntu-2404
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ env.RELEASE_TAG }}
fetch-depth: 0
- name: Generate latest.json from release assets
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
node scripts/release/generate-latest-json.mjs \
--tag "$RELEASE_TAG" \
--repo "$GITHUB_REPOSITORY" \
--output "$RUNNER_TEMP/latest.json"
- name: Upload latest.json
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
gh release upload "$RELEASE_TAG" "$RUNNER_TEMP/latest.json#latest.json" \
--repo "$GITHUB_REPOSITORY" \
--clobber
publish-electron:
name: Build + publish Electron desktop (macOS)
# Runs alongside the Tauri jobs so the same release carries both
# latest.json (Tauri updater) AND latest-mac.yml (electron-updater).
# Gated on RELEASE_PUBLISH_ELECTRON=true (repo var) OR the workflow
# input of the same name so opt-in during rollout, opt-out if a
# non-migration release doesn't want Electron artifacts.
needs: [resolve-release, verify-release]
if: ${{ vars.RELEASE_PUBLISH_ELECTRON == 'true' || github.event.inputs.publish_electron == 'true' }}
runs-on: macos-14
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ env.RELEASE_TAG }}
fetch-depth: 0
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 10.27.0
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version-file: .nvmrc
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.9
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Build + package Electron app
env:
# electron-builder reads these to codesign + notarize the .app.
# Reuses the same secrets the Tauri path already uses.
CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
# electron-builder needs this to upload artifacts + the updater
# feed manifest (latest-mac.yml) to the GitHub release.
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
pnpm --filter @openwork/desktop package:electron --publish always
name: Build + Upload openwork-orchestrator Sidecars
needs: [resolve-release, verify-release]
if: needs.resolve-release.outputs.publish_sidecars == 'true'
runs-on: blacksmith-4vcpu-ubuntu-2404
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ env.RELEASE_TAG }}
fetch-depth: 0
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version-file: .nvmrc
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 10.27.0
- name: Setup Bun
uses: oven-sh/setup-bun@v1
with:
bun-version: "1.3.6"
- name: Get pnpm store path
id: pnpm-store
shell: bash
run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
- name: Cache pnpm store
uses: actions/cache@v5
continue-on-error: true
with:
path: ${{ steps.pnpm-store.outputs.path }}
key: ubuntu-pnpm-${{ hashFiles('pnpm-lock.yaml') }}
restore-keys: |
ubuntu-pnpm-
- name: Install dependencies
run: pnpm install --frozen-lockfile --prefer-offline
- name: Resolve sidecar versions
id: sidecar-versions
shell: bash
run: |
node -e "const fs=require('fs'); const orchestrator=JSON.parse(fs.readFileSync('apps/orchestrator/package.json','utf8')); const server=JSON.parse(fs.readFileSync('apps/server/package.json','utf8')); const opencodeRouter=JSON.parse(fs.readFileSync('apps/opencode-router/package.json','utf8')); console.log('orchestrator=' + orchestrator.version); console.log('server=' + server.version); console.log('opencodeRouter=' + opencodeRouter.version);" >> "$GITHUB_OUTPUT"
- name: Resolve SOURCE_DATE_EPOCH
id: source-date
shell: bash
run: |
epoch=$(git show -s --format=%ct "${RELEASE_TAG}")
echo "epoch=$epoch" >> "$GITHUB_OUTPUT"
- name: Check openwork-orchestrator release
id: orchestrator-release
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
tag="openwork-orchestrator-v${{ steps.sidecar-versions.outputs.orchestrator }}"
if gh release view "$tag" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Build orchestrator release artifacts
env:
SOURCE_DATE_EPOCH: ${{ steps.source-date.outputs.epoch }}
run: |
pnpm --filter openwork-orchestrator build:bin:all
pnpm --filter openwork-orchestrator build:sidecars
- name: Release review (strict)
env:
SOURCE_DATE_EPOCH: ${{ steps.source-date.outputs.epoch }}
run: node scripts/release/review.mjs --strict
- name: Create openwork-orchestrator release
if: steps.orchestrator-release.outputs.exists != 'true'
env:
GH_TOKEN: ${{ github.token }}
run: |
version="${{ steps.sidecar-versions.outputs.orchestrator }}"
tag="openwork-orchestrator-v${version}"
notes="Sidecar bundle for openwork-orchestrator v${version}.\n\nopenwork-server: ${{ steps.sidecar-versions.outputs.server }}\nopencodeRouter: ${{ steps.sidecar-versions.outputs.opencodeRouter }}"
gh release create "$tag" \
--repo "$GITHUB_REPOSITORY" \
--title "openwork-orchestrator v${version}" \
--notes "$notes" \
--latest=false
- name: Upload orchestrator release assets
env:
GH_TOKEN: ${{ github.token }}
run: |
tag="openwork-orchestrator-v${{ steps.sidecar-versions.outputs.orchestrator }}"
gh release upload "$tag" apps/orchestrator/dist/bin/* apps/orchestrator/dist/sidecars/* --repo "$GITHUB_REPOSITORY" --clobber
publish-npm:
name: Publish npm packages
needs: [resolve-release, verify-release, release-orchestrator-sidecars]
if: |
always() &&
needs.resolve-release.result == 'success' &&
needs.verify-release.result == 'success' &&
(needs.release-orchestrator-sidecars.result == 'success' || needs.release-orchestrator-sidecars.result == 'skipped') &&
needs.resolve-release.outputs.publish_npm == 'true'
runs-on: blacksmith-4vcpu-ubuntu-2404
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
ref: ${{ env.RELEASE_TAG }}
fetch-depth: 0
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version-file: .nvmrc
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 10.27.0
- name: Setup Bun
uses: oven-sh/setup-bun@v1
with:
bun-version: "1.3.6"
- name: Get pnpm store path
id: pnpm-store
shell: bash
run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
- name: Cache pnpm store
uses: actions/cache@v5
continue-on-error: true
with:
path: ${{ steps.pnpm-store.outputs.path }}
key: ubuntu-pnpm-${{ hashFiles('pnpm-lock.yaml') }}
restore-keys: |
ubuntu-pnpm-
- name: Install dependencies
run: pnpm install --frozen-lockfile --prefer-offline
- name: Resolve package versions
id: package-versions
shell: bash
run: |
node -e "const fs=require('fs'); const orchestrator=JSON.parse(fs.readFileSync('apps/orchestrator/package.json','utf8')); const server=JSON.parse(fs.readFileSync('apps/server/package.json','utf8')); const opencodeRouter=JSON.parse(fs.readFileSync('apps/opencode-router/package.json','utf8')); console.log('orchestrator=' + orchestrator.version); console.log('server=' + server.version); console.log('opencodeRouter=' + opencodeRouter.version);" >> "$GITHUB_OUTPUT"
- name: Check npm versions
id: npm-versions
shell: bash
env:
ORCHESTRATOR_VERSION: ${{ steps.package-versions.outputs.orchestrator }}
SERVER_VERSION: ${{ steps.package-versions.outputs.server }}
OPENCODE_ROUTER_VERSION: ${{ steps.package-versions.outputs.opencodeRouter }}
run: |
set -euo pipefail
# npm view exits non-zero for packages that don't exist yet (404).
# Treat missing packages as "not published" so release can publish them.
orchestrator_current="$(npm view openwork-orchestrator version 2>/dev/null || true)"
server_current="$(npm view openwork-server version 2>/dev/null || true)"
opencodeRouter_current="$(npm view opencode-router version 2>/dev/null || true)"
if [ "$orchestrator_current" = "$ORCHESTRATOR_VERSION" ]; then
echo "publish_orchestrator=false" >> "$GITHUB_OUTPUT"
else
echo "publish_orchestrator=true" >> "$GITHUB_OUTPUT"
fi
if [ "$server_current" = "$SERVER_VERSION" ]; then
echo "publish_server=false" >> "$GITHUB_OUTPUT"
else
echo "publish_server=true" >> "$GITHUB_OUTPUT"
fi
if [ "$opencodeRouter_current" = "$OPENCODE_ROUTER_VERSION" ]; then
echo "publish_opencodeRouter=false" >> "$GITHUB_OUTPUT"
else
echo "publish_opencodeRouter=true" >> "$GITHUB_OUTPUT"
fi
publish_any=false
if [ "$orchestrator_current" != "$ORCHESTRATOR_VERSION" ] || [ "$server_current" != "$SERVER_VERSION" ] || [ "$opencodeRouter_current" != "$OPENCODE_ROUTER_VERSION" ]; then
publish_any=true
fi
echo "publish_any=$publish_any" >> "$GITHUB_OUTPUT"
- name: Ensure npm auth
id: npm-auth
shell: bash
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
PUBLISH_ANY: ${{ steps.npm-versions.outputs.publish_any }}
run: |
set -euo pipefail
if [ "${PUBLISH_ANY}" != "true" ]; then
echo "enabled=false" >> "$GITHUB_OUTPUT"
exit 0
fi
if [ -z "${NPM_TOKEN:-}" ]; then
echo "NPM_TOKEN not set; skipping npm publish."
echo "enabled=false" >> "$GITHUB_OUTPUT"
exit 0
fi
npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
echo "enabled=true" >> "$GITHUB_OUTPUT"
- name: Publish openwork-server
if: steps.npm-auth.outputs.enabled == 'true' && steps.npm-versions.outputs.publish_server == 'true'
run: pnpm --filter openwork-server publish --access public --no-git-checks
- name: Publish opencode-router
if: steps.npm-auth.outputs.enabled == 'true' && steps.npm-versions.outputs.publish_opencodeRouter == 'true'
run: pnpm --filter opencode-router publish --access public --no-git-checks
- name: Publish openwork-orchestrator
if: steps.npm-auth.outputs.enabled == 'true' && steps.npm-versions.outputs.publish_orchestrator == 'true'
env:
GH_TOKEN: ${{ github.token }}
ORCHESTRATOR_VERSION: ${{ steps.package-versions.outputs.orchestrator }}
run: |
set -euo pipefail
tag="openwork-orchestrator-v${ORCHESTRATOR_VERSION}"
if ! gh release view "$tag" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
echo "openwork-orchestrator sidecar release $tag not found. Publish sidecars before openwork-orchestrator." >&2
exit 1
fi
pnpm --filter openwork-orchestrator build:bin:all
node apps/orchestrator/scripts/publish-npm.mjs
publish-daytona-snapshot:
name: Build + Push Daytona Snapshot
needs: [resolve-release, verify-release, publish-npm]
if: |
always() &&
needs.resolve-release.result == 'success' &&
needs.verify-release.result == 'success' &&
(needs.publish-npm.result == 'success' || needs.publish-npm.result == 'skipped') &&
needs.resolve-release.outputs.publish_daytona_snapshot == 'true'
uses: ./.github/workflows/release-daytona-snapshot.yml
with:
tag: ${{ needs.resolve-release.outputs.release_tag }}
secrets: inherit
aur-publish:
name: Publish AUR
needs: [resolve-release, publish-tauri, publish-release]
if: |
always() &&
needs.resolve-release.result == 'success' &&
(needs.publish-tauri.result == 'success' || needs.publish-tauri.result == 'skipped') &&
(needs.publish-release.result == 'success' || needs.publish-release.result == 'skipped')
runs-on: blacksmith-4vcpu-ubuntu-2404
permissions:
contents: write
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
steps:
- name: Checkout dev
uses: actions/checkout@v6
with:
ref: dev
fetch-depth: 0
- name: Update AUR packaging files
run: scripts/aur/update-aur.sh "$RELEASE_TAG"
- name: Commit packaging update to dev
shell: bash
run: |
set -euo pipefail
if ! git status --porcelain -- packaging/aur/PKGBUILD packaging/aur/.SRCINFO | grep -q .; then
echo "AUR packaging already up to date in dev."
exit 0
fi
version="${RELEASE_TAG#v}"
git add packaging/aur/PKGBUILD packaging/aur/.SRCINFO
git -c user.name="OpenWork Release Bot" \
-c user.email="release-bot@users.noreply.github.com" \
commit -m "chore(aur): update PKGBUILD for ${version}"
git push origin HEAD:dev
- name: Publish to AUR
env:
AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
AUR_REPO: ${{ vars.AUR_REPO || 'openwork' }}
AUR_SKIP_UPDATE: "1"
run: |
set -euo pipefail
if [ -z "${AUR_SSH_PRIVATE_KEY:-}" ]; then
echo "AUR_SSH_PRIVATE_KEY not set; skipping publish to AUR."
exit 0
fi
scripts/aur/publish-aur.sh "$RELEASE_TAG"
publish-release:
name: Publish GitHub Release
needs:
- resolve-release
- verify-release
- publish-tauri
- publish-updater-json
- release-orchestrator-sidecars
- publish-npm
- publish-daytona-snapshot
if: |
always() &&
needs.resolve-release.outputs.draft == 'true' &&
needs.resolve-release.result == 'success' &&
needs.verify-release.result == 'success' &&
(needs.publish-tauri.result == 'success' || needs.publish-tauri.result == 'skipped') &&
(needs.publish-updater-json.result == 'success' || needs.publish-updater-json.result == 'skipped') &&
(needs.release-orchestrator-sidecars.result == 'success' || needs.release-orchestrator-sidecars.result == 'skipped') &&
(needs.publish-npm.result == 'success' || needs.publish-npm.result == 'skipped') &&
(needs.publish-daytona-snapshot.result == 'success' || needs.publish-daytona-snapshot.result == 'skipped')
runs-on: blacksmith-4vcpu-ubuntu-2404
env:
RELEASE_TAG: ${{ needs.resolve-release.outputs.release_tag }}
RELEASE_PRERELEASE: ${{ needs.resolve-release.outputs.prerelease }}
steps:
- name: Publish release after assets are ready
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
if [ "${RELEASE_PRERELEASE}" = "true" ]; then
gh release edit "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" --draft=false --prerelease
else
gh release edit "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" --draft=false --latest
fi
Reference in New Issue View Git Blame Copy Permalink