From 4967dad08caf8644a5ad01484caee38cf2563f59 Mon Sep 17 00:00:00 2001
From: Affaan Mustafa <affaan@dcube.ai>
Date: Mon, 6 Apr 2026 14:08:08 -0700
Subject: [PATCH] ci: gate releases on opencode payload verification

---
 .github/workflows/release.yml          | 11 +++++++++++
 .github/workflows/reusable-release.yml | 11 +++++++++++
 scripts/release.sh                     |  7 +++++++
 3 files changed, 29 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e4e93e7c..cea5f6ca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,6 +18,17 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: '20.x'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Verify OpenCode package payload
+        run: node tests/scripts/build-opencode.test.js
+
       - name: Validate version tag
         run: |
           if ! [[ "${REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index 2a7b5786..9fd37991 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -27,6 +27,17 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: '20.x'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Verify OpenCode package payload
+        run: node tests/scripts/build-opencode.test.js
+
       - name: Validate version tag
         env:
           INPUT_TAG: ${{ inputs.tag }}
diff --git a/scripts/release.sh b/scripts/release.sh
index c36b985c..f9c1ebb7 100755
--- a/scripts/release.sh
+++ b/scripts/release.sh
@@ -58,6 +58,13 @@ if [[ -z "$OLD_VERSION" ]]; then
 fi
 echo "Bumping version: $OLD_VERSION -> $VERSION"
 
+# Build and verify the packaged OpenCode payload before mutating any manifest
+# versions or creating a tag. This keeps a broken npm artifact from being
+# released via the manual script path.
+echo "Verifying OpenCode build and npm pack payload..."
+node scripts/build-opencode.js
+node tests/scripts/build-opencode.test.js
+
 update_version() {
   local file="$1"
   local pattern="$2"