ci: optimize CI/CD pipeline for production

- deploy.yml: remove dev trigger, eliminate duplicate npm publish job, add path filters to skip doc/landing/desktop changes, enable cancel-in-progress for faster iteration
- release.yml: add Rust build cache (saves ~10min), per-tag concurrency, upgrade Node to 22, use frozen-lockfile
- build-sidecar.sh: fix hardcoded Prisma@5.22.0 path with dynamic version-agnostic resolution
- docs/CICD.md: complete rewrite with workflow details, deploy script internals, release process, and troubleshooting guide

Author: kaizen403

.github/workflows/deploy.yml

@@ -2,20 +2,31 @@ name: Deploy to Production
 
 on:
   push:
-    branches: [main, dev]
+    branches: [main]
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+      - 'LICENSE'
+      - 'packaging/**'
+      - 'apps/landing/**'
+      - 'apps/intro-video/**'
+      - 'apps/desktop/**'
+      - '.gitignore'
+      - '.opencodeignore'
   workflow_dispatch:
 
 concurrency:
   group: deploy-production
-  cancel-in-progress: false
+  cancel-in-progress: true
 
 jobs:
   checks:
     name: Checks
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     services:
       postgres:
-        image: postgres:16
+        image: postgres:16-alpine
         env:
           POSTGRES_USER: openlinear
           POSTGRES_PASSWORD: openlinear
@@ -29,6 +40,7 @@ jobs:
           --health-retries 5
     env:
       DATABASE_URL: postgresql://openlinear:openlinear@localhost:5432/openlinear_test
+      TURBO_TELEMETRY_DISABLED: 1
     steps:
       - uses: actions/checkout@v4
         with:
@@ -49,20 +61,22 @@ jobs:
       - name: Push schema to test database
         run: pnpm --filter @openlinear/db db:push
 
-      - name: Typecheck
-        run: pnpm --filter @openlinear/api typecheck
+      - name: Typecheck (API + Desktop UI)
+        run: pnpm --filter @openlinear/api typecheck && pnpm --filter @openlinear/desktop-ui lint
 
       - name: Build API
         run: pnpm --filter @openlinear/api build
 
       - name: Test
         run: pnpm --filter @openlinear/api test
+        timeout-minutes: 5
 
   deploy:
     name: Deploy
     needs: checks
     runs-on: ubuntu-latest
     environment: production
+    timeout-minutes: 10
     steps:
       - name: Deploy to droplet
         uses: appleboy/ssh-action@v1
@@ -101,39 +115,11 @@ jobs:
           for i in 1 2 3 4 5 6; do
             HTTP_STATUS=$(curl -s -o /dev/null -w '%{http_code}' https://rixie.in/health)
             if [ "$HTTP_STATUS" = "200" ]; then
-              echo "✓ Deployment verified — health check returned $HTTP_STATUS"
+              echo "Deployment verified (HTTP $HTTP_STATUS)"
               exit 0
             fi
             echo "Attempt $i: got $HTTP_STATUS, retrying in 5s..."
             sleep 5
           done
-          echo "✗ Health check failed after 6 attempts"
+          echo "Health check failed after 6 attempts"
           exit 1
-
-  publish-npm:
-    name: Publish NPM Package
-    needs: checks
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: pnpm
-      - run: pnpm install --frozen-lockfile
-      - name: Upgrade npm for OIDC Trusted Publishers support
-        run: npm install -g npm@latest
-      - name: Publish @openlinear/core (openlinear)
-        run: |
-          cd packages/openlinear
-          LOCAL_VERSION=$(node -p "require('./package.json').version")
-          REMOTE_VERSION=$(npm view openlinear version 2>/dev/null || echo "0.0.0")
-          if [ "$LOCAL_VERSION" = "$REMOTE_VERSION" ]; then
-            echo "Version $LOCAL_VERSION already published, skipping"
-            exit 0
-          fi
-          npm publish --access public --provenance

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: release
+name: Release
 
 on:
   push:
@@ -9,9 +9,16 @@ permissions:
   contents: write
   packages: write
 
+concurrency:
+  group: release-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   build-release:
     runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    env:
+      TURBO_TELEMETRY_DISABLED: 1
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -22,12 +29,24 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - name: Setup Rust
         uses: dtolnay/rust-toolchain@stable
 
+      - name: Cache Rust build artifacts
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            apps/desktop/src-tauri/target/
+          key: rust-release-${{ runner.os }}-${{ hashFiles('apps/desktop/src-tauri/Cargo.lock') }}
+          restore-keys: |
+            rust-release-${{ runner.os }}-
+
       - name: Install Linux dependencies
         run: |
           sudo apt-get update
@@ -40,7 +59,7 @@ jobs:
             libfuse2
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Generate Prisma client
         run: pnpm --filter @openlinear/db db:generate
@@ -80,12 +99,14 @@ jobs:
       - name: Create GitHub release
         uses: softprops/action-gh-release@v2
         with:
+          generate_release_notes: true
           files: dist/release/*
 
   publish-npm:
     name: Publish NPM Package
     needs: build-release
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       id-token: write
       contents: read

docs/CICD.md

@@ -1,110 +1,129 @@
-# CI/CD Deployment Setup
+# CI/CD Pipeline
 
-This document describes the automated deployment setup for OpenLinear.
-
-## Overview
-
-The CI/CD pipeline automatically deploys the application to the DigitalOcean droplet whenever changes are pushed to the `main` or `dev` branches.
-
-## Architecture
+Two GitHub Actions workflows handle all automation. One deploys the API + frontend to the production droplet. The other builds desktop releases and publishes to npm.
 
 ```
-GitHub Push → GitHub Actions Workflow → SSH to Droplet → Deploy Script
+main push ──→ deploy.yml ──→ checks (typecheck, build, test) ──→ SSH deploy ──→ health check
+tag push  ──→ release.yml ──→ build desktop (Tauri + Rust) ──→ GitHub Release ──→ npm publish
 ```
 
-## GitHub Secrets
+## Workflows
 
-The following secrets must be configured in the GitHub repository:
+### `deploy.yml` — Deploy to Production
 
-| Secret | Value | Description |
-|--------|-------|-------------|
-| `DEPLOY_HOST` | `206.189.139.212` | IP address of the DigitalOcean droplet |
-| `DEPLOY_USER` | `root` | SSH username for the droplet |
-| `DEPLOY_SSH_KEY` | Private key content | SSH private key for authentication |
+**Trigger:** Push to `main` (ignores docs, landing, desktop, packaging changes).
 
-### SSH Key Setup
+**Concurrency:** Cancels in-progress deploys when a new push arrives.
 
-The SSH key used for deployment is located at `~/.ssh/droplet_key` on the local machine and has been added to the droplet's `~/.ssh/authorized_keys`.
+| Job | What it does | Timeout |
+|-----|-------------|---------|
+| **checks** | Install deps, generate Prisma, push test schema, typecheck API + desktop-ui, build API, run API tests | 10 min |
+| **deploy** | SSH into droplet, run `scripts/deploy.sh` | 10 min |
+| **verify** | POST to `https://rixie.in/health`, retry 6 times | — |
 
-**Public key fingerprint:**
-```
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzxe83rbgC3EG2VEIPvep7yc+9YdQcpw9+3UhLGcTxN opencode-agent
-```
+Path filters skip the workflow entirely for changes that don't affect the deployed services:
+- `docs/**`, `*.md`, `LICENSE`
+- `apps/landing/**` (deployed via Vercel separately)
+- `apps/desktop/**`, `apps/intro-video/**`
+- `packaging/**`
+
+### `release.yml` — Desktop Release + npm Publish
 
-## Workflow
+**Trigger:** Tag push matching `v*` (e.g. `v0.1.14`).
 
-The deployment workflow (`.github/workflows/deploy.yml`) consists of three jobs:
+**Concurrency:** Per-tag group, does not cancel (releases must complete).
 
-### 1. Checks
-- Runs tests and type checking
-- Builds the API
-- Ensures code quality before deployment
+| Job | What it does | Timeout |
+|-----|-------------|---------|
+| **build-release** | Build sidecar binary, build Tauri desktop (AppImage + deb), strip Wayland libs, create GitHub Release | 30 min |
+| **publish-npm** | Build + publish the `openlinear` npm package with provenance | 10 min |
 
-### 2. Deploy
-- SSHs into the droplet
-- Runs the deploy script at `/opt/openlinear/scripts/deploy.sh`
-- Performs diagnostics after deployment
-- Verifies health endpoint
+Caching:
+- **Rust build cache** — `~/.cargo` registry + `apps/desktop/src-tauri/target/`, keyed on `Cargo.lock` hash. Saves ~10 min on repeat builds.
+- **pnpm store** — via `actions/setup-node` `cache: pnpm`.
 
-### 3. Publish NPM Package
-- Builds and publishes the `openlinear` npm package
-- Uses trusted publishing with provenance
+## Deploy Script (`scripts/deploy.sh`)
 
-## Deploy Script Optimizations
+Runs on the droplet via SSH. Implements incremental deploys:
 
-The deploy script (`scripts/deploy.sh`) includes several optimizations:
+1. **Pull** — `git pull origin main --ff-only`
+2. **Diff detection** — compares `OLD_HEAD` vs `NEW_HEAD` to determine what changed:
+   - `apps/api/**` → rebuild API
+   - `apps/desktop-ui/**` or `packages/**` → rebuild frontend
+   - `packages/db/**` → regenerate Prisma + push schema
+3. **Install** — only runs `pnpm install` if `package.json` or `pnpm-lock.yaml` changed
+4. **Build** — only rebuilds changed components
+5. **Restart** — PM2 `reload` for zero-downtime restart (only for changed services)
 
-1. **Incremental builds**: Only rebuilds changed components (API, FE, DB)
-2. **PNPM cache**: Uses persistent store for faster installs
-3. **Zero-downtime reload**: Uses PM2 reload instead of restart
-4. **Removed Docker worker build**: Not needed in local-only mode
-5. **Timing**: Shows total deploy duration
+On manual trigger (`workflow_dispatch`) or first deploy, everything rebuilds.
 
-## Manual Deployment
+## Release Process
 
-If needed, manual deployment can be done via SSH:
+To cut a release:
 
 ```bash
-ssh -i ~/.ssh/droplet_key root@206.189.139.212
-cd /opt/openlinear
-./scripts/deploy.sh
+# 1. Bump version in these files:
+#    - apps/desktop/src-tauri/tauri.conf.json  (version field)
+#    - packages/openlinear/package.json        (version field)
+
+# 2. Commit and tag
+git add -A && git commit -m "release: vX.Y.Z"
+git tag vX.Y.Z
+git push origin main --tags
 ```
 
-## Troubleshooting
+This triggers:
+- `deploy.yml` — deploys the API/frontend commit to production
+- `release.yml` — builds desktop binaries and creates a GitHub Release
 
-### Deploy Job Fails
-1. Check GitHub secrets are correctly set
-2. Verify SSH key is in droplet's `authorized_keys`
-3. Check droplet is running: `curl https://rixie.in/health`
-
-### CORS Issues
-If desktop app can't connect to API, ensure `tauri://localhost` is in CORS allowed origins:
-```typescript
-// apps/api/src/app.ts
-const allowedOrigins = [
-  process.env.CORS_ORIGIN || 'http://localhost:3000',
-  'http://tauri.localhost',
-  'https://tauri.localhost',
-  'tauri://localhost',
-];
-```
+The npm publish step skips automatically if the version is already published.
+
+## Artifacts
+
+Each GitHub Release contains:
+- `openlinear-{version}-x86_64.AppImage` — Linux portable binary
+- `openlinear-{version}-x86_64.deb` — Debian/Ubuntu package
+- `openlinear-api-{version}-x86_64` — Standalone API server binary
+
+## Required GitHub Secrets
+
+| Secret | Description |
+|--------|-------------|
+| `DEPLOY_HOST` | Droplet IP address |
+| `DEPLOY_USER` | SSH username (root) |
+| `DEPLOY_SSH_KEY` | SSH private key for droplet access |
+
+npm publishing uses OIDC Trusted Publishers (no `NPM_TOKEN` needed).
+
+## Architecture Decisions
+
+**Why not deploy on `dev`?** Pushing to `dev` previously triggered production deploys. Removed to prevent accidental production deployments from development work.
+
+**Why `cancel-in-progress: true` on deploy?** If you push 3 commits in quick succession, only the latest one deploys. The earlier in-flight deploys are cancelled since they'd be immediately superseded.
+
+**Why `cancel-in-progress: false` on release?** Releases must complete — cancelling a half-uploaded GitHub Release corrupts it.
+
+**Why path filters?** Changes to docs, the landing page (Vercel), or the desktop app (release-only) don't need a production deploy. Saves CI minutes.
+
+**Why Rust caching?** The Tauri/Rust compilation is the slowest step (~15 min cold, ~3 min cached). Caching `target/` and `~/.cargo` dramatically reduces release build times.
+
+**Why is npm publish only in release.yml?** It was previously duplicated in both workflows. The deploy workflow would attempt to publish on every main push (wasteful, even with the version guard skip). npm publishes belong exclusively with tagged releases.
+
+## Troubleshooting
 
-### OAuth Redirect Issues
-Ensure the API has the desktop OAuth logic:
-- Detects `?source=desktop` parameter
-- Uses `desktop:` state prefix
-- Redirects to `openlinear://callback` for desktop apps
+**Deploy fails with SSH timeout:**
+- Verify secrets are set: Settings → Secrets → Actions
+- Test manually: `ssh -i ~/.ssh/droplet_key root@<DEPLOY_HOST>`
 
-## Verification
+**Health check fails after deploy:**
+- SSH in and check PM2: `pm2 status && pm2 logs openlinear-api --lines 50`
+- Check port binding: `ss -ltnp | grep 3001`
 
-After deployment, verify:
-- API health: `curl https://rixie.in/health`
-- GitHub Actions: Check workflow run status
-- PM2 status: `ssh root@206.189.139.212 "pm2 status"`
+**Release build fails on Rust compilation:**
+- Usually a cache corruption issue. Delete the `rust-release-*` cache from the Actions → Caches page and re-run.
 
-## Recent Changes
+**npm publish fails with 403:**
+- Check that OIDC Trusted Publishers is configured for the `openlinear` package on npmjs.com under Settings → Publishing access.
 
-- Fixed CORS to allow `tauri://localhost` for desktop app
-- Optimized deploy script for faster deployments (~54s)
-- Fixed GitHub Actions secrets for automatic deployment
-- Added desktop OAuth flow with deep-link callback
+**Two workflows running on same commit:**
+- Expected when you push a tag to `main`. `deploy.yml` deploys the API. `release.yml` builds the desktop. They don't conflict — different concurrency groups.