feat: add OmniRoute vendored release workflow

.github/workflows/omniroute-artifacts.yaml

@@ -0,0 +1,242 @@
+name: Build OmniRoute artifacts
+
+on:
+  workflow_dispatch:
+    inputs:
+      publish_to_azure:
+        description: Publish built artifacts to Azure Storage after all builds succeed
+        required: false
+        type: boolean
+        default: false
+  schedule:
+    - cron: "23 3 * * *"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/omniroute-artifacts.yaml"
+      - ".gitmodules"
+      - "README.md"
+      - "scripts/**"
+      - "packages/omniroute/**"
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/omniroute-artifacts.yaml"
+      - ".gitmodules"
+      - "README.md"
+      - "scripts/**"
+      - "packages/omniroute/**"
+
+permissions:
+  contents: read
+
+jobs:
+  prepare_release:
+    name: prepare-release
+    runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      tag: ${{ steps.version.outputs.tag }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+
+      - name: Resolve release version
+        id: version
+        run: node ./scripts/versioning.mjs >> "$GITHUB_OUTPUT"
+
+  build:
+    name: ${{ matrix.name }}
+    needs: prepare_release
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: Linux x64
+            runner: ubuntu-22.04
+            artifact_name: omniroute-linux-amd64
+            platform: linux
+            arch: amd64
+          - name: macOS x64
+            runner: macos-13
+            artifact_name: omniroute-macos-amd64
+            platform: macos
+            arch: amd64
+          - name: macOS arm64
+            runner: macos-14
+            artifact_name: omniroute-macos-arm64
+            platform: macos
+            arch: arm64
+          - name: Windows x64
+            runner: windows-latest
+            artifact_name: omniroute-windows-amd64
+            platform: windows
+            arch: amd64
+
+    env:
+      CI: true
+      VERSION: ${{ needs.prepare_release.outputs.version }}
+      BUILD_ARTIFACTS_PLATFORM: ${{ matrix.platform }}
+      ARCH: ${{ matrix.arch }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: npm
+          cache-dependency-path: packages/omniroute/upstream/package-lock.json
+
+      - name: Build artifacts
+        run: node ./packages/omniroute/scripts/build-artifacts.mjs
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: artifacts/omniroute/*
+          if-no-files-found: error
+
+  verify:
+    name: ${{ format('verify-{0}', matrix.name) }}
+    needs: build
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: Linux x64
+            runner: ubuntu-22.04
+            artifact_name: omniroute-linux-amd64
+          - name: macOS x64
+            runner: macos-13
+            artifact_name: omniroute-macos-amd64
+          - name: macOS arm64
+            runner: macos-14
+            artifact_name: omniroute-macos-arm64
+          - name: Windows x64
+            runner: windows-latest
+            artifact_name: omniroute-windows-amd64
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: packages/omniroute/upstream/.node-version
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: downloaded/omniroute
+
+      - name: Verify downloaded release
+        run: node ./packages/omniroute/scripts/verify-startup.mjs
+
+  publish_azure:
+    name: publish-azure
+    needs:
+      - prepare_release
+      - build
+      - verify
+    if: >-
+      ${{
+        (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
+        (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_to_azure == 'true')
+      }}
+    runs-on: ubuntu-22.04
+    concurrency:
+      group: vendered-azure-publication
+      cancel-in-progress: false
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v5
+        with:
+          pattern: omniroute-*
+          path: downloaded
+
+      - name: Validate Azure SAS secret
+        shell: bash
+        env:
+          AZURE_STORAGE_CONTAINER_SAS_URL: ${{ secrets.VENDORED_AZURE_CONTAINER_SAS_URL }}
+        run: |
+          if [[ -z "${AZURE_STORAGE_CONTAINER_SAS_URL}" ]]; then
+            echo "Missing GitHub secret: VENDORED_AZURE_CONTAINER_SAS_URL" >&2
+            exit 1
+          fi
+
+      - name: Publish vendored artifacts to Azure Storage
+        env:
+          AZURE_STORAGE_CONTAINER_SAS_URL: ${{ secrets.VENDORED_AZURE_CONTAINER_SAS_URL }}
+        run: node ./scripts/publish-to-azure.mjs --artifacts-dir downloaded --publish-result artifacts/publish-result.json
+
+      - name: Update version index
+        env:
+          AZURE_STORAGE_CONTAINER_SAS_URL: ${{ secrets.VENDORED_AZURE_CONTAINER_SAS_URL }}
+        run: node ./scripts/update-version-index.mjs --publish-result artifacts/publish-result.json
+
+  publish_github_release:
+    name: publish-github-release
+    needs:
+      - prepare_release
+      - build
+      - verify
+    if: >-
+      ${{
+        (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
+        (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_to_azure == 'true')
+      }}
+    runs-on: ubuntu-22.04
+    concurrency:
+      group: ${{ format('vendered-github-release-{0}', needs.prepare_release.outputs.tag) }}
+      cancel-in-progress: false
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v5
+        with:
+          pattern: omniroute-*
+          path: downloaded
+
+      - name: Create GitHub release and upload build archives
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: >-
+          node ./scripts/github-release.mjs
+          --artifacts-dir downloaded
+          --tag "${{ needs.prepare_release.outputs.tag }}"
+          --name "${{ needs.prepare_release.outputs.version }}"
+          --target-commitish "${{ github.sha }}"

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "code-server"]
 	path = packages/code-server/upstream
 	url = https://github.com/coder/code-server.git
+[submodule "packages/omniroute/upstream"]
+	path = packages/omniroute/upstream
+	url = https://github.com/diegosouzapw/OmniRoute.git

README.md

@@ -4,13 +4,18 @@ This repository stores vendored build inputs and CI automation.
 
 - `packages/code-server/` contains the vendored code-server integration.
 - `packages/code-server/upstream/` is a Git submodule pointing to `https://github.com/coder/code-server.git`.
+- `packages/omniroute/` contains the vendored OmniRoute integration.
+- `packages/omniroute/upstream/` is a Git submodule pointing to `https://github.com/diegosouzapw/OmniRoute.git`.
 - `.github/workflows/code-server-artifacts.yaml` builds code-server artifacts on Linux, macOS, and Windows, validates startup on each runner, uploads the outputs to GitHub Actions artifacts, and publishes successful `main` branch pushes into Azure Storage and a GitHub Release in parallel.
+- `.github/workflows/omniroute-artifacts.yaml` builds OmniRoute artifacts on Linux x64, macOS x64, macOS arm64, and Windows x64, validates packaged entrypoints on each runner, and only publishes on `main` pushes or explicit manual dispatch.
 - `packages/code-server/scripts/build-artifacts.mjs` and `packages/code-server/scripts/verify-startup.mjs` are the Node entrypoints for the build and post-build verification flow.
+- `packages/omniroute/scripts/build-artifacts.mjs` and `packages/omniroute/scripts/verify-startup.mjs` are the OmniRoute package-local build and packaged-entry verification entrypoints.
 
 ## Azure publication
 
-The publication jobs in `.github/workflows/code-server-artifacts.yaml` run after the per-platform build and verification jobs succeed. They publish automatically on `push` to `main`, and they can also be triggered manually with `workflow_dispatch` by setting `publish_to_azure=true`.
-Because the SAS publication scripts only use repository files plus downloaded build artifacts, the publish job uses a standalone Node 22 runtime and does not need the `packages/code-server/upstream/` submodule checkout.
+The publication jobs in `.github/workflows/code-server-artifacts.yaml` and `.github/workflows/omniroute-artifacts.yaml` run after the per-platform build and verification jobs succeed. They publish automatically on `push` to `main`, and they can also be triggered manually with `workflow_dispatch` by setting `publish_to_azure=true`.
+The OmniRoute workflow also has a daily schedule, but scheduled runs stop after build and verification so publication remains explicit.
+Because the SAS publication scripts only use repository files plus downloaded build artifacts, the publish jobs use a standalone Node 22 runtime and do not need the package submodule checkout.
 
 ## Release versioning
 
@@ -55,7 +60,13 @@ For `code-server`, the initial contract is:
 - archive blob key: `packages/code-server/versions/<version>/<platform>-<arch>/code-server-<version>-<platform>-<arch>.<ext>`
 - metadata blob key: `packages/code-server/versions/<version>/<platform>-<arch>/metadata.json`
 
-`packages/code-server/scripts/build-artifacts.mjs` emits normalized `metadata.json` with:
+For `omniroute`, the vendored contract is:
+
+- `packageId`: `omniroute`
+- archive blob key: `packages/omniroute/versions/<version>/<platform>-<arch>/omniroute-<version>-<platform>-<arch>.<ext>`
+- metadata blob key: `packages/omniroute/versions/<version>/<platform>-<arch>/metadata.json`
+
+`packages/code-server/scripts/build-artifacts.mjs` and `packages/omniroute/scripts/build-artifacts.mjs` emit normalized `metadata.json` with:
 
 - `schemaVersion`
 - `packageId`
@@ -66,13 +77,15 @@ For `code-server`, the initial contract is:
 - `extra`
 - `artifacts[]` with `kind`, `fileName`, `blobKey`, and integrity fields when available
 
+OmniRoute uses `extra.standaloneBundle = true` and `extra.packagedEntrypoint = "bin/omniroute.mjs"` so downstream publication records can identify the packaged entrypoint contract.
+
 If required metadata is missing, or any declared artifact file does not exist, publication fails before `index.json` is updated.
 
 `scripts/publish-to-azure.mjs` and `scripts/update-version-index.mjs` both require `AZURE_STORAGE_CONTAINER_SAS_URL` in the environment. The GitHub workflow maps that from `secrets.VENDORED_AZURE_CONTAINER_SAS_URL`.
 
 ## GitHub Release publication
 
-When publication is enabled, the workflow also creates or updates a repository release tagged with `v<version>` and uploads the generated `.tar.gz` and `.zip` build archives. This runs in parallel with Azure publication and uses the workflow's built-in `GITHUB_TOKEN`, so no extra secret is required beyond the Azure SAS URL.
+When publication is enabled, each workflow creates or updates the same repository release tagged with `v<version>` and uploads its generated `.tar.gz` and `.zip` build archives. Asset names stay package-specific so OmniRoute and `code-server` can append to the same vendored release/tag without deleting one another's archives. This runs in parallel with Azure publication and uses the workflow's built-in `GITHUB_TOKEN`, so no extra secret is required beyond the Azure SAS URL.
 
 ### `index.json` semantics