chore: customize fork release workflows

wangzexi · wangzexi · commit 03de7f89990f · 2026-05-08T02:44:32.000+08:00
diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
@@ -0,0 +1,53 @@
+name: sync-upstream
+
+on:
+  schedule:
+    - cron: "17 2 * * *"
+  workflow_dispatch:
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+permissions:
+  contents: write
+  actions: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: zexi/dev
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Rebase zexi/dev onto upstream dev
+        run: |
+          git remote add upstream https://github.com/anomalyco/opencode.git
+          git fetch upstream dev
+          git rebase upstream/dev
+          git push --force-with-lease origin HEAD:zexi/dev
+
+      - name: Keep only fork workflows enabled
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          allowlist='
+          .github/workflows/sync-upstream.yml
+          .github/workflows/zexi-electron.yml
+          '
+
+          gh workflow list -R "$GH_REPO" --limit 200 --json path \
+            | jq -r '.[].path' \
+            | while read -r workflow; do
+                if printf '%s\n' "$allowlist" | sed 's/^ *//' | grep -Fxq "$workflow"; then
+                  gh workflow enable "$workflow" -R "$GH_REPO" || true
+                else
+                  gh workflow disable "$workflow" -R "$GH_REPO" || true
+                fi
+              done
diff --git a/.github/workflows/zexi-electron.yml b/.github/workflows/zexi-electron.yml
@@ -0,0 +1,197 @@
+name: zexi-electron
+
+on:
+  push:
+    branches:
+      - zexi/dev
+  workflow_dispatch:
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+permissions:
+  contents: write
+
+jobs:
+  build-electron:
+    strategy:
+      fail-fast: false
+      matrix:
+        settings:
+          - name: mac-arm64
+            host: macos-26
+            target: aarch64-apple-darwin
+            platform_flag: --mac --arm64
+            bun_install_flags: --os=darwin --cpu=arm64
+          - name: windows-x64
+            host: windows-2025
+            target: x86_64-pc-windows-msvc
+            platform_flag: --win
+            bun_install_flags: ""
+    runs-on: ${{ matrix.settings.host }}
+    env:
+      OPENCODE_CHANNEL: prod
+      APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+      APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+      APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+      APPLE_API_KEY_PATH: ${{ secrets.APPLE_API_KEY_PATH }}
+      APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
+      AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: apple-actions/import-codesign-certs@v2
+        if: runner.os == 'macOS' && env.APPLE_CERTIFICATE != '' && env.APPLE_CERTIFICATE_PASSWORD != ''
+        with:
+          keychain: build
+          p12-file-base64: ${{ env.APPLE_CERTIFICATE }}
+          p12-password: ${{ env.APPLE_CERTIFICATE_PASSWORD }}
+
+      - name: Setup Apple API Key
+        if: runner.os == 'macOS' && env.APPLE_API_KEY_PATH != ''
+        shell: bash
+        run: echo "${{ env.APPLE_API_KEY_PATH }}" > "$RUNNER_TEMP/apple-api-key.p8"
+
+      - uses: ./.github/actions/setup-bun
+        with:
+          install-flags: ${{ matrix.settings.bun_install_flags }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+
+      - name: Azure login
+        if: runner.os == 'Windows' && env.AZURE_CLIENT_ID != '' && env.AZURE_TENANT_ID != '' && env.AZURE_SUBSCRIPTION_ID != ''
+        uses: azure/login@v2
+        with:
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Prepare
+        working-directory: packages/desktop
+        env:
+          RUST_TARGET: ${{ matrix.settings.target }}
+        run: bun ./scripts/prepare.ts
+
+      - name: Build
+        working-directory: packages/desktop
+        run: bun run build
+
+      - name: Package macOS (signed)
+        if: runner.os == 'macOS' && env.APPLE_CERTIFICATE != '' && env.APPLE_CERTIFICATE_PASSWORD != ''
+        working-directory: packages/desktop
+        timeout-minutes: 90
+        env:
+          CSC_LINK: ${{ env.APPLE_CERTIFICATE }}
+          CSC_KEY_PASSWORD: ${{ env.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_API_KEY: ${{ runner.temp }}/apple-api-key.p8
+          APPLE_API_KEY_ID: ${{ env.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ env.APPLE_API_ISSUER }}
+        run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish never --config electron-builder.config.ts
+
+      - name: Package macOS (unsigned)
+        if: runner.os == 'macOS' && (env.APPLE_CERTIFICATE == '' || env.APPLE_CERTIFICATE_PASSWORD == '')
+        working-directory: packages/desktop
+        timeout-minutes: 90
+        env:
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
+        run: npx electron-builder ${{ matrix.settings.platform_flag }} --publish never --config electron-builder.config.ts
+
+      - name: Package Windows
+        if: runner.os == 'Windows'
+        working-directory: packages/desktop
+        timeout-minutes: 90
+        shell: pwsh
+        run: |
+          $attempts = 3
+          for ($attempt = 1; $attempt -le $attempts; $attempt++) {
+            npx electron-builder ${{ matrix.settings.platform_flag }} --publish never --config electron-builder.config.ts
+            if ($LASTEXITCODE -eq 0) {
+              exit 0
+            }
+            if ($attempt -eq $attempts) {
+              exit $LASTEXITCODE
+            }
+            Write-Host "Windows packaging failed on attempt $attempt. Retrying in 20 seconds..."
+            Start-Sleep -Seconds 20
+          }
+
+      - name: Verify signed Windows artifacts
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $files = @()
+          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\dist\*.exe" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
+          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\dist\*unpacked\*.exe" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
+          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\dist\*unpacked\resources\opencode-cli.exe" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
+
+          foreach ($file in $files | Select-Object -Unique) {
+            $sig = Get-AuthenticodeSignature $file
+            Write-Host "$file => $($sig.Status)"
+          }
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: opencode-electron-${{ matrix.settings.name }}
+          path: |
+            packages/desktop/dist/*
+            !packages/desktop/dist/*unpacked
+            !packages/desktop/dist/mac-arm64
+
+  publish-release:
+    needs: build-electron
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: release-artifacts
+
+      - name: Create or update release
+        id: meta
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          GITHUB_SHA: ${{ github.sha }}
+          TARGET_REF: ${{ github.sha }}
+        run: |
+          short_sha="${GITHUB_SHA::7}"
+          stamp="$(date -u +%Y%m%d-%H%M)"
+          release_tag="zexi-electron-${stamp}-${short_sha}"
+          release_name="zexi electron build ${stamp} ${short_sha}"
+          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
+          gh release view "$release_tag" --repo "$GH_REPO" >/dev/null 2>&1 || gh release create "$release_tag" --repo "$GH_REPO" --target "$TARGET_REF" --title "$release_name" --notes ""
+
+      - name: Upload release assets
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+          RELEASE_TAG: ${{ steps.meta.outputs.release_tag }}
+        run: |
+          find release-artifacts -type f \
+            \( \
+              -name '*.dmg' -o \
+              -name '*.zip' -o \
+              -name '*.exe' -o \
+              -name 'latest*.yml' -o \
+              -name '*.blockmap' \
+            \) \
+            -print0 | xargs -0 gh release upload "$RELEASE_TAG" --repo "$GH_REPO" --clobber
+
+      - name: Prune old zexi releases
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          gh api "repos/$GH_REPO/releases" --paginate --jq '.[] | select(.tag_name | startswith("zexi-electron-")) | [.created_at, .tag_name] | @tsv' \
+            | sort -r \
+            | awk 'NR > 3 { print $2 }' \
+            | while read -r tag; do
+                [ -n "$tag" ] || continue
+                gh release delete "$tag" --repo "$GH_REPO" --yes
+              done
diff --git a/packages/desktop/electron-builder.config.ts b/packages/desktop/electron-builder.config.ts
@@ -26,6 +26,10 @@ const channel = (() => {
   return "dev"
 })()
 
+const getUpdateOwner = () => process.env.OPENCODE_UPDATE_OWNER?.trim() || "wangzexi"
+const getUpdateRepo = () => process.env.OPENCODE_UPDATE_REPO?.trim() || "opencode"
+const getBetaUpdateRepo = () => process.env.OPENCODE_UPDATE_BETA_REPO?.trim() || getUpdateRepo()
+
 const getBase = (): Configuration => ({
   artifactName: "opencode-desktop-${os}-${arch}.${ext}",
   directories: {
@@ -96,7 +100,7 @@ function getConfig() {
         appId: "ai.opencode.desktop.beta",
         productName: "OpenCode Beta",
         protocols: { name: "OpenCode Beta", schemes: ["opencode"] },
-        publish: { provider: "github", owner: "anomalyco", repo: "opencode-beta", channel: "latest" },
+        publish: { provider: "github", owner: getUpdateOwner(), repo: getBetaUpdateRepo(), channel: "latest" },
         rpm: { packageName: "opencode-beta" },
       }
     }
@@ -106,7 +110,7 @@ function getConfig() {
         appId: "ai.opencode.desktop",
         productName: "OpenCode",
         protocols: { name: "OpenCode", schemes: ["opencode"] },
-        publish: { provider: "github", owner: "anomalyco", repo: "opencode", channel: "latest" },
+        publish: { provider: "github", owner: getUpdateOwner(), repo: getUpdateRepo(), channel: "latest" },
         rpm: { packageName: "opencode" },
       }
     }
diff --git a/packages/script/src/index.ts b/packages/script/src/index.ts
@@ -20,6 +20,7 @@ if (!semver.satisfies(process.versions.bun, expectedBunVersionRange)) {
 const env = {
   OPENCODE_CHANNEL: process.env["OPENCODE_CHANNEL"],
   OPENCODE_BUMP: process.env["OPENCODE_BUMP"],
+  OPENCODE_FORK_SUFFIX: process.env["OPENCODE_FORK_SUFFIX"],
   OPENCODE_VERSION: process.env["OPENCODE_VERSION"],
   OPENCODE_RELEASE: process.env["OPENCODE_RELEASE"],
 }
@@ -30,9 +31,38 @@ const CHANNEL = await (async () => {
   return await $`git branch --show-current`.text().then((x) => x.trim())
 })()
 const IS_PREVIEW = CHANNEL !== "latest"
+const FORK_SUFFIX = await (async () => {
+  if (env.OPENCODE_FORK_SUFFIX?.trim()) return env.OPENCODE_FORK_SUFFIX.trim()
+  const branch = await $`git branch --show-current`.text().then((x) => x.trim())
+  if (branch.startsWith("zexi/")) return "zexi"
+  return ""
+})()
+const BASE_VERSION = await (async () => {
+  const synced = await $`git log --format=%s -n 1 --grep=^sync\\ release\\ versions\\ for\\ v -- package.json packages/desktop-electron/package.json`
+    .text()
+    .then((x) => x.trim())
+    .catch(() => "")
+  const matched = synced.match(/v(\d+\.\d+\.\d+)/)
+  if (matched) return matched[1]
+
+  const desktopPkg = await Bun.file(path.resolve(import.meta.dir, "../../desktop-electron/package.json"))
+    .json()
+    .catch(() => ({ version: "" }))
+  if (typeof desktopPkg.version === "string" && desktopPkg.version) {
+    return desktopPkg.version.replace(/-.+$/, "")
+  }
+
+  return await fetch("https://registry.npmjs.org/opencode-ai/latest")
+    .then((res) => {
+      if (!res.ok) throw new Error(res.statusText)
+      return res.json()
+    })
+    .then((data: any) => data.version)
+})()
 
 const VERSION = await (async () => {
   if (env.OPENCODE_VERSION) return env.OPENCODE_VERSION
+  if (FORK_SUFFIX) return `${BASE_VERSION}-${FORK_SUFFIX}`
   if (IS_PREVIEW) return `0.0.0-${CHANNEL}-${new Date().toISOString().slice(0, 16).replace(/[-:T]/g, "")}`
   const version = await fetch("https://registry.npmjs.org/opencode-ai/latest")
     .then((res) => {
