release.yml
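# Release workflow: runs after the "Release Gate" workflow completes, then
# installs, lints and builds with Bun, imports a GPG signing key, and runs the
# project's `release` script with the GitHub and npm tokens.
name: Release

on:
  workflow_run:
    workflows: ["Release Gate"]
    types: [completed]

# One release at a time; a queued run waits instead of cancelling the one in
# progress.
concurrency:
  group: release-main
  cancel-in-progress: false

jobs:
  release:
    # Only release when the gate succeeded, was triggered by a push to main,
    # and tested the same commit this run operates on. For workflow_run events
    # github.sha is the tip of the default branch, so the last clause rejects a
    # gate result that belongs to an older commit.
    if: >-
      ${{
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_sha == github.sha
      }}
    runs-on: ubuntu-latest
    # Job-scoped token permissions; scopes not listed here are not granted.
    # NOTE(review): issues/pull-requests write is presumably for release
    # comments posted by the release tool; drop them if it does not need them.
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag the SHA was taken from.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history (fetch-depth 0) instead of a shallow clone.
          fetch-depth: 0
          # Do not leave the checkout token in .git/config; push credentials
          # are configured explicitly in a later step.
          persist-credentials: false

      - name: Setup Bun
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
        with:
          # NOTE(review): `latest` is a floating toolchain version in a job
          # that later holds the signing key and the npm token; pinning an
          # exact Bun version would make release builds reproducible.
          bun-version: latest

      - name: Setup Node.js
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
        with:
          # Quoted so the version stays a string under every YAML parser.
          node-version: "24"

      - name: Cache Bun packages
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-bun-release-${{ hashFiles('bun.lock') }}
          # Prefix fallback: a cache saved for a different bun.lock may be
          # restored. NOTE(review): this cache feeds a publishing job; confirm
          # that no less-trusted workflow can save under the same key prefix.
          restore-keys: |
            ${{ runner.os }}-bun-release-

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Lint
        run: bun run lint

      - name: Build
        run: bun run build

      # Secrets are scoped to the steps that need them: install, lint and build
      # above run without the signing key or any token in their environment.
      - name: Import GPG key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          set -euo pipefail
          echo "$GPG_PRIVATE_KEY" | gpg --batch --import

          # Keygrip of the first `grp` record in the secret keyring.
          KEYGRIP=$(gpg --with-keygrip --list-secret-keys --with-colons \
            | awk -F: '/^grp/{print $10; exit}')
          if [ -z "$KEYGRIP" ]; then
            echo "Unable to determine GPG keygrip" >&2
            exit 1
          fi

          # Let gpg-agent accept a preset passphrase, then restart it so the
          # new setting is in effect.
          echo "allow-preset-passphrase" >> ~/.gnupg/gpg-agent.conf
          gpgconf --kill gpg-agent
          gpg-connect-agent reloadagent /bye

          # Feed the passphrase on stdin rather than with -P: a command-line
          # argument is readable by other processes through the process list.
          # printf is a shell builtin, so the value never appears in argv.
          printf '%s\n' "$GPG_PASSPHRASE" \
            | "$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase" \
              --preset "$KEYGRIP"

          # Key id of the first `sec` record; used as the git signing key.
          KEY_ID=$(gpg --list-secret-keys --with-colons \
            | awk -F: '/^sec/{print $5; exit}')
          if [ -z "$KEY_ID" ]; then
            echo "Unable to determine imported GPG key id" >&2
            exit 1
          fi
          git config --global user.signingkey "$KEY_ID"
          git config --global commit.gpgsign true

      # Writes the token into the origin URL in .git/config, where it stays
      # readable by every later command in this job (including scripts started
      # by `bun run release`). The repository slug comes from the runner's
      # GITHUB_REPOSITORY variable instead of a ${{ }} expression, so nothing
      # is templated into the shell command text.
      - name: Configure git auth for release
        run: git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Both tokens are visible to the release script and to every process it
      # spawns.
      - name: Release
        run: bun run release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}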