local-transcription/.gitea/workflows/build-sidecar.yml

name: Build Sidecars

on:
  push:
    branches: [main]
    paths:
      - 'client/**'
      - 'server/**'
      - 'backend/**'
      - 'pyproject.toml'
      - 'local-transcription-headless.spec'
  workflow_dispatch:

jobs:
  bump-sidecar-version:
    name: Bump sidecar version and tag
    if: "!contains(github.event.head_commit.message, '[skip ci]')"
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.bump.outputs.version }}
      tag: ${{ steps.bump.outputs.tag }}
      has_changes: ${{ steps.check_changes.outputs.has_changes }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Check for backend changes
        id: check_changes
        run: |
          # If triggered by workflow_dispatch, always build
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            echo "has_changes=true" >> $GITHUB_OUTPUT
            exit 0
          fi
          # Check if relevant files changed in this commit
          CHANGED=$(git diff --name-only HEAD~1 HEAD -- client/ server/ backend/ pyproject.toml local-transcription-headless.spec 2>/dev/null || echo "")
          if [ -n "$CHANGED" ]; then
            echo "has_changes=true" >> $GITHUB_OUTPUT
            echo "Backend changes detected: $CHANGED"
          else
            echo "has_changes=false" >> $GITHUB_OUTPUT
            echo "No backend changes detected, skipping sidecar build"
          fi

      - name: Configure git
        if: steps.check_changes.outputs.has_changes == 'true'
        run: |
          git config user.name "Gitea Actions"
          git config user.email "actions@gitea.local"

      - name: Bump sidecar patch version
        if: steps.check_changes.outputs.has_changes == 'true'
        id: bump
        run: |
          # Read current version from pyproject.toml
          CURRENT=$(grep '^version = ' pyproject.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
          echo "Current sidecar version: ${CURRENT}"

          # Increment patch number
          MAJOR=$(echo "${CURRENT}" | cut -d. -f1)
          MINOR=$(echo "${CURRENT}" | cut -d. -f2)
          PATCH=$(echo "${CURRENT}" | cut -d. -f3)
          NEW_PATCH=$((PATCH + 1))
          NEW_VERSION="${MAJOR}.${MINOR}.${NEW_PATCH}"
          echo "New sidecar version: ${NEW_VERSION}"

          # Update pyproject.toml
          sed -i "s/^version = \"${CURRENT}\"/version = \"${NEW_VERSION}\"/" pyproject.toml

          # Update version.py
          sed -i "s/__version__ = \"${CURRENT}\"/__version__ = \"${NEW_VERSION}\"/" version.py
          sed -i "s/__version_info__ = .*/__version_info__ = (${MAJOR}, ${MINOR}, ${NEW_PATCH})/" version.py

          echo "version=${NEW_VERSION}" >> $GITHUB_OUTPUT
          echo "tag=sidecar-v${NEW_VERSION}" >> $GITHUB_OUTPUT

      - name: Commit and tag
        if: steps.check_changes.outputs.has_changes == 'true'
        env:
          BUILD_TOKEN: ${{ secrets.BUILD_TOKEN }}
        run: |
          NEW_VERSION="${{ steps.bump.outputs.version }}"
          TAG="${{ steps.bump.outputs.tag }}"
          git add pyproject.toml version.py
          git commit -m "chore: bump sidecar version to ${NEW_VERSION} [skip ci]"
          git tag "${TAG}"

          REMOTE_URL=$(git remote get-url origin | sed "s|://|://gitea-actions:${BUILD_TOKEN}@|")
          git pull --rebase "${REMOTE_URL}" main || true
          git push "${REMOTE_URL}" HEAD:main
          git push "${REMOTE_URL}" "${TAG}"

      - name: Create Gitea release
        if: steps.check_changes.outputs.has_changes == 'true'
        env:
          BUILD_TOKEN: ${{ secrets.BUILD_TOKEN }}
        run: |
          REPO_API="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
          TAG="${{ steps.bump.outputs.tag }}"
          VERSION="${{ steps.bump.outputs.version }}"
          RELEASE_NAME="Sidecar v${VERSION}"

          curl -s -X POST \
            -H "Authorization: token ${BUILD_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\": \"${TAG}\", \"name\": \"${RELEASE_NAME}\", \"body\": \"Automated sidecar build.\", \"draft\": false, \"prerelease\": false}" \
            "${REPO_API}/releases"
          echo "Created release: ${RELEASE_NAME}"

  # ── Linux sidecar (CUDA + CPU) ──

  build-sidecar-linux:
    name: Build Sidecar (Linux)
    needs: bump-sidecar-version
    if: needs.bump-sidecar-version.outputs.has_changes == 'true'
    runs-on: ubuntu-latest
    env:
      PYTHON_VERSION: "3.11"
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.bump-sidecar-version.outputs.tag }}

      - name: Install uv
        run: |
          if command -v uv &> /dev/null; then
            echo "uv already installed: $(uv --version)"
          else
            curl -LsSf https://astral.sh/uv/install.sh | sh
            echo "$HOME/.local/bin" >> $GITHUB_PATH
          fi

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y portaudio19-dev

      - name: Build sidecar (CUDA)
        run: |
          uv sync --frozen || uv sync
          uv run pyinstaller local-transcription-headless.spec

      - name: Package sidecar (CUDA)
        run: |
          cd dist/local-transcription-backend && zip -r ../../sidecar-linux-x86_64-cuda.zip .

      - name: Build sidecar (CPU)
        run: |
          rm -rf dist/local-transcription-backend build/
          uv pip install torch torchaudio --index-url https://download.pytorch.org/whl/cpu --force-reinstall
          uv run pyinstaller local-transcription-headless.spec

      - name: Package sidecar (CPU)
        run: |
          cd dist/local-transcription-backend && zip -r ../../sidecar-linux-x86_64-cpu.zip .

      - name: Upload to sidecar release
        env:
          BUILD_TOKEN: ${{ secrets.BUILD_TOKEN }}
        run: |
          sudo apt-get install -y jq
          REPO_API="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
          TAG="${{ needs.bump-sidecar-version.outputs.tag }}"

          echo "Waiting for sidecar release ${TAG} to be available..."
          for i in $(seq 1 30); do
            RELEASE_JSON=$(curl -s -H "Authorization: token ${BUILD_TOKEN}" \
              "${REPO_API}/releases/tags/${TAG}")
            RELEASE_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty')

            if [ -n "${RELEASE_ID}" ] && [ "${RELEASE_ID}" != "null" ]; then
              echo "Found sidecar release: ${TAG} (ID: ${RELEASE_ID})"
              break
            fi

            echo "Attempt ${i}/30: Release not ready yet, retrying in 10s..."
            sleep 10
          done

          if [ -z "${RELEASE_ID}" ] || [ "${RELEASE_ID}" = "null" ]; then
            echo "ERROR: Failed to find sidecar release for tag ${TAG} after 30 attempts."
            exit 1
          fi

          for file in sidecar-*.zip; do
            filename=$(basename "$file")
            encoded_name=$(echo "$filename" | sed 's/ /%20/g')
            echo "Uploading ${filename} ($(du -h "$file" | cut -f1))..."

            ASSET_ID=$(curl -s -H "Authorization: token ${BUILD_TOKEN}" \
              "${REPO_API}/releases/${RELEASE_ID}/assets" | jq -r ".[] | select(.name == \"${filename}\") | .id // empty")
            if [ -n "${ASSET_ID}" ]; then
              curl -s -X DELETE -H "Authorization: token ${BUILD_TOKEN}" \
                "${REPO_API}/releases/${RELEASE_ID}/assets/${ASSET_ID}"
            fi

            HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
              -H "Authorization: token ${BUILD_TOKEN}" \
              -H "Content-Type: application/octet-stream" \
              -T "$file" \
              "${REPO_API}/releases/${RELEASE_ID}/assets?name=${encoded_name}")
            echo "Upload response: HTTP ${HTTP_CODE}"
          done

  # ── Windows sidecar (CUDA + CPU) ──

  build-sidecar-windows:
    name: Build Sidecar (Windows)
    needs: bump-sidecar-version
    if: needs.bump-sidecar-version.outputs.has_changes == 'true'
    runs-on: windows-latest
    env:
      PYTHON_VERSION: "3.11"
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.bump-sidecar-version.outputs.tag }}

      - name: Install uv
        shell: powershell
        run: |
          if (Get-Command uv -ErrorAction SilentlyContinue) {
            Write-Host "uv already installed: $(uv --version)"
          } else {
            irm https://astral.sh/uv/install.ps1 | iex
            # Add both possible uv install locations to PATH
            $uvPaths = @(
              "$env:USERPROFILE\.local\bin",
              "$env:USERPROFILE\.cargo\bin",
              "$env:LOCALAPPDATA\uv\bin"
            )
            foreach ($p in $uvPaths) {
              if (Test-Path $p) {
                echo $p | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
              }
            }
          }

      - name: Set up Python
        shell: powershell
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install 7-Zip
        shell: powershell
        run: |
          if (-not (Get-Command 7z -ErrorAction SilentlyContinue)) {
            choco install 7zip -y
          }

      - name: Build sidecar (CUDA)
        shell: powershell
        run: |
          uv sync --frozen
          if ($LASTEXITCODE -ne 0) { uv sync }
          uv run pyinstaller local-transcription-headless.spec

      - name: Package sidecar (CUDA)
        shell: powershell
        run: |
          7z a -tzip -mx=5 sidecar-windows-x86_64-cuda.zip .\dist\local-transcription-backend\*

      - name: Build sidecar (CPU)
        shell: powershell
        run: |
          Remove-Item -Recurse -Force dist\local-transcription-backend, build -ErrorAction SilentlyContinue
          uv pip install torch torchaudio --index-url https://download.pytorch.org/whl/cpu --force-reinstall
          uv run pyinstaller local-transcription-headless.spec

      - name: Package sidecar (CPU)
        shell: powershell
        run: |
          7z a -tzip -mx=5 sidecar-windows-x86_64-cpu.zip .\dist\local-transcription-backend\*

      - name: Upload to sidecar release
        shell: powershell
        env:
          BUILD_TOKEN: ${{ secrets.BUILD_TOKEN }}
        run: |
          $REPO_API = "${{ github.server_url }}/api/v1/repos/${{ github.repository }}"
          $Headers = @{ "Authorization" = "token $env:BUILD_TOKEN" }
          $TAG = "${{ needs.bump-sidecar-version.outputs.tag }}"

          Write-Host "Waiting for sidecar release ${TAG} to be available..."
          $RELEASE_ID = $null

          for ($i = 1; $i -le 30; $i++) {
            try {
              $release = Invoke-RestMethod -Uri "${REPO_API}/releases/tags/${TAG}" -Headers $Headers -ErrorAction Stop
              $RELEASE_ID = $release.id

              if ($RELEASE_ID) {
                Write-Host "Found sidecar release: ${TAG} (ID: ${RELEASE_ID})"
                break
              }
            } catch {}

            Write-Host "Attempt ${i}/30: Release not ready yet, retrying in 10s..."
            Start-Sleep -Seconds 10
          }

          if (-not $RELEASE_ID) {
            Write-Host "ERROR: Failed to find sidecar release for tag ${TAG} after 30 attempts."
            exit 1
          }

          Get-ChildItem -Path . -Filter "sidecar-*.zip" | ForEach-Object {
            $filename = $_.Name
            $encodedName = [System.Uri]::EscapeDataString($filename)
            $size = [math]::Round($_.Length / 1MB, 1)
            Write-Host "Uploading ${filename} (${size} MB)..."

            try {
              $assets = Invoke-RestMethod -Uri "${REPO_API}/releases/${RELEASE_ID}/assets" -Headers $Headers
              $existing = $assets | Where-Object { $_.name -eq $filename }
              if ($existing) {
                Invoke-RestMethod -Uri "${REPO_API}/releases/${RELEASE_ID}/assets/$($existing.id)" -Method Delete -Headers $Headers
              }
            } catch {}

            $uploadUrl = "${REPO_API}/releases/${RELEASE_ID}/assets?name=${encodedName}"
            $result = curl.exe --fail --silent --show-error `
              -X POST `
              -H "Authorization: token $env:BUILD_TOKEN" `
              -H "Content-Type: application/octet-stream" `
              -T "$($_.FullName)" `
              "$uploadUrl" 2>&1
            if ($LASTEXITCODE -eq 0) {
              Write-Host "Upload successful: ${filename}"
            } else {
              Write-Host "WARNING: Upload failed for ${filename}: ${result}"
            }
          }

  # ── macOS sidecar (CPU only — no CUDA on macOS) ──

  build-sidecar-macos:
    name: Build Sidecar (macOS)
    needs: bump-sidecar-version
    if: needs.bump-sidecar-version.outputs.has_changes == 'true'
    runs-on: macos-latest
    env:
      PYTHON_VERSION: "3.11"
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.bump-sidecar-version.outputs.tag }}

      - name: Install uv
        run: |
          if command -v uv &> /dev/null; then
            echo "uv already installed: $(uv --version)"
          else
            curl -LsSf https://astral.sh/uv/install.sh | sh
            echo "$HOME/.local/bin" >> $GITHUB_PATH
          fi

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install system dependencies
        run: brew install portaudio

      - name: Build sidecar (CPU)
        run: |
          # --no-sources bypasses pyproject.toml's [tool.uv.sources] which forces
          # torch from the CUDA index (no macOS ARM wheels there)
          # Default PyPI torch includes MPS (Apple Silicon GPU) support
          uv sync --no-sources
          uv run pyinstaller local-transcription-headless.spec

      - name: Package sidecar (CPU)
        run: |
          cd dist/local-transcription-backend && zip -r ../../sidecar-macos-aarch64-cpu.zip .

      - name: Upload to sidecar release
        env:
          BUILD_TOKEN: ${{ secrets.BUILD_TOKEN }}
        run: |
          which jq || brew install jq
          REPO_API="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
          TAG="${{ needs.bump-sidecar-version.outputs.tag }}"

          echo "Waiting for sidecar release ${TAG} to be available..."
          for i in $(seq 1 30); do
            RELEASE_JSON=$(curl -s -H "Authorization: token ${BUILD_TOKEN}" \
              "${REPO_API}/releases/tags/${TAG}")
            RELEASE_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty')

            if [ -n "${RELEASE_ID}" ] && [ "${RELEASE_ID}" != "null" ]; then
              echo "Found sidecar release: ${TAG} (ID: ${RELEASE_ID})"
              break
            fi

            echo "Attempt ${i}/30: Release not ready yet, retrying in 10s..."
            sleep 10
          done

          if [ -z "${RELEASE_ID}" ] || [ "${RELEASE_ID}" = "null" ]; then
            echo "ERROR: Failed to find sidecar release for tag ${TAG} after 30 attempts."
            exit 1
          fi

          for file in sidecar-*.zip; do
            filename=$(basename "$file")
            encoded_name=$(echo "$filename" | sed 's/ /%20/g')
            echo "Uploading ${filename} ($(du -h "$file" | cut -f1))..."

            ASSET_ID=$(curl -s -H "Authorization: token ${BUILD_TOKEN}" \
              "${REPO_API}/releases/${RELEASE_ID}/assets" | jq -r ".[] | select(.name == \"${filename}\") | .id // empty")
            if [ -n "${ASSET_ID}" ]; then
              curl -s -X DELETE -H "Authorization: token ${BUILD_TOKEN}" \
                "${REPO_API}/releases/${RELEASE_ID}/assets/${ASSET_ID}"
            fi

            HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
              -H "Authorization: token ${BUILD_TOKEN}" \
              -H "Content-Type: application/octet-stream" \
              -T "$file" \
              "${REPO_API}/releases/${RELEASE_ID}/assets?name=${encoded_name}")
            echo "Upload response: HTTP ${HTTP_CODE}"
          done