congziqi77 · congziqi77 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
diff --git a/.github/workflows/release-s3.yml b/.github/workflows/release-s3.yml
@@ -0,0 +1,312 @@
+name: S3 Release Build
+
+permissions:
+  contents: read
+  id-token: write
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Internal release tag, e.g. v1.4.9-rebasefix-20260601'
+        required: true
+        type: string
+      s3_bucket:
+        description: 'S3 bucket name for release artifacts'
+        required: true
+        type: string
+      s3_prefix:
+        description: 'S3 prefix before the release tag'
+        required: false
+        default: 'git-ai/releases'
+        type: string
+      public_base_url:
+        description: 'Public HTTPS base URL before the release tag, e.g. https://downloads.example.com/git-ai/releases'
+        required: true
+        type: string
+      aws_region:
+        description: 'AWS region'
+        required: false
+        default: 'us-east-1'
+        type: string
+      dry_run:
+        description: 'Build artifacts but do not upload to S3'
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  build:
+    name: Build for ${{ matrix.target }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-22.04
+            target: x86_64-unknown-linux-musl
+            artifact_name: git-ai-linux-x64
+            use_docker: true
+            docker_image: ubuntu:22.04
+          - os: ubuntu-22.04-arm
+            target: aarch64-unknown-linux-musl
+            artifact_name: git-ai-linux-arm64
+            use_docker: true
+            docker_image: ubuntu:22.04
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            artifact_name: git-ai-windows-x64
+            use_docker: false
+          - os: windows-11-arm
+            target: aarch64-pc-windows-msvc
+            artifact_name: git-ai-windows-arm64
+            use_docker: false
+          - os: macos-latest
+            target: aarch64-apple-darwin
+            artifact_name: git-ai-macos-arm64
+            use_docker: false
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Build in Docker (Linux)
+        if: matrix.use_docker == true
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/workspace \
+            -w /workspace \
+            -e DEBIAN_FRONTEND=noninteractive \
+            -e SENTRY_OSS="${{ secrets.SENTRY_OSS }}" \
+            -e POSTHOG_API_KEY="${{ secrets.POSTHOG_API_KEY }}" \
+            -e OSS_BUILD="1" \
+            ${{ matrix.docker_image }} \
+            bash -c "
+              apt-get update && \
+              apt-get install -y curl build-essential pkg-config musl-tools && \
+              curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --target ${{ matrix.target }} && \
+              . \$HOME/.cargo/env && \
+              cargo build --release --target ${{ matrix.target }} && \
+              strip target/${{ matrix.target }}/release/git-ai
+            "
+
+      - name: Install Rust toolchain (non-Docker)
+        if: matrix.use_docker == false
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master
+        with:
+          toolchain: stable
+          targets: ${{ matrix.target }}
+
+      - name: Cache dependencies (non-Docker)
+        if: matrix.use_docker == false
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: ${{ runner.os }}-cargo-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-${{ matrix.target }}-
+
+      - name: Build release binary (non-Docker, non-Windows-ARM64)
+        if: matrix.use_docker == false && matrix.os != 'windows-11-arm'
+        run: cargo build --release --target ${{ matrix.target }}
+        env:
+          CARGO_INCREMENTAL: 0
+          SENTRY_OSS: ${{ secrets.SENTRY_OSS }}
+          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
+          OSS_BUILD: "1"
+
+      - name: Build release binary (Windows ARM64 with LLVM strip)
+        if: matrix.os == 'windows-11-arm'
+        run: cargo build --release --target ${{ matrix.target }}
+        env:
+          CARGO_INCREMENTAL: 0
+          SENTRY_OSS: ${{ secrets.SENTRY_OSS }}
+          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
+          OSS_BUILD: "1"
+          RUSTFLAGS: "-C strip=symbols"
+
+      - name: Verify binary architecture (Linux)
+        if: contains(matrix.os, 'ubuntu')
+        run: |
+          file target/${{ matrix.target }}/release/git-ai
+          if ldd target/${{ matrix.target }}/release/git-ai 2>&1 | grep -q 'not a dynamic executable\|statically linked'; then
+            echo "Binary is statically linked (musl) - no GLIBC dependency"
+          else
+            echo "::error::Binary is dynamically linked - expected static musl binary"
+            ldd target/${{ matrix.target }}/release/git-ai || true
+            exit 1
+          fi
+
+      - name: Verify binary architecture (Windows)
+        if: contains(matrix.os, 'windows')
+        shell: bash
+        run: file target/${{ matrix.target }}/release/git-ai.exe
+
+      - name: Strip binary (Windows x64)
+        if: matrix.os == 'windows-latest'
+        run: strip target/${{ matrix.target }}/release/git-ai.exe
+
+      - name: Strip binary (macOS)
+        if: matrix.os == 'macos-latest'
+        run: strip target/${{ matrix.target }}/release/git-ai
+
+      - name: Create release directory
+        run: mkdir -p release
+
+      - name: Copy binary to release directory (Windows)
+        if: contains(matrix.os, 'windows')
+        run: cp target/${{ matrix.target }}/release/git-ai.exe release/${{ matrix.artifact_name }}.exe
+
+      - name: Copy binary to release directory (non-Windows)
+        if: ${{ !contains(matrix.os, 'windows') }}
+        run: cp target/${{ matrix.target }}/release/git-ai release/${{ matrix.artifact_name }}
+
+      - name: Upload artifact (Windows)
+        if: contains(matrix.os, 'windows')
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: release/${{ matrix.artifact_name }}.exe
+          retention-days: 30
+
+      - name: Upload artifact (non-Windows)
+        if: ${{ !contains(matrix.os, 'windows') }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: release/${{ matrix.artifact_name }}
+          retention-days: 30
+
+  build-macos-intel:
+    name: Build for macOS Intel
+    runs-on: macos-15-intel
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master
+        with:
+          toolchain: stable
+          targets: x86_64-apple-darwin
+
+      - name: Cache dependencies
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: ${{ runner.os }}-cargo-x86_64-apple-darwin-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-x86_64-apple-darwin-
+
+      - name: Build release binary
+        run: cargo build --release --target x86_64-apple-darwin
+        env:
+          CARGO_INCREMENTAL: 0
+          SENTRY_OSS: ${{ secrets.SENTRY_OSS }}
+          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
+          OSS_BUILD: "1"
+
+      - name: Verify binary architecture
+        run: |
+          file target/x86_64-apple-darwin/release/git-ai
+          lipo -info target/x86_64-apple-darwin/release/git-ai
+
+      - name: Strip binary
+        run: strip target/x86_64-apple-darwin/release/git-ai
+
+      - name: Create release directory
+        run: mkdir -p release
+
+      - name: Copy binary to release directory
+        run: cp target/x86_64-apple-darwin/release/git-ai release/git-ai-macos-x64
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: git-ai-macos-x64
+          path: release/git-ai-macos-x64
+          retention-days: 30
+
+  publish-s3:
+    name: Publish S3 Release
+    needs: [build, build-macos-intel]
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code for install scripts
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7 # v8.0.1
+        with:
+          path: artifacts
+
+      - name: Create release directory
+        run: mkdir -p release
+
+      - name: Move artifacts to release directory
+        run: find artifacts -type f -name "git-ai-*" -exec cp {} release/ \;
+
+      - name: Create binary checksums
+        run: |
+          cd release
+          sha256sum git-ai-* > SHA256SUMS
+
+      - name: Generate S3 install scripts
+        run: |
+          set -euo pipefail
+          VERSION="${{ inputs.release_tag }}"
+          PUBLIC_BASE_URL="${{ inputs.public_base_url }}"
+          BASE_URL="${PUBLIC_BASE_URL%/}/${VERSION}"
+          CHECKSUMS=$(tr '\n' '|' < release/SHA256SUMS | sed 's/|$//')
+
+          awk -v version="$VERSION" -v base_url="$BASE_URL" -v checksums="$CHECKSUMS" '
+            /^PINNED_VERSION="__VERSION_PLACEHOLDER__"/ { sub(/__VERSION_PLACEHOLDER__/, version) }
+            /^BASE_URL="__BASE_URL_PLACEHOLDER__"/ { sub(/__BASE_URL_PLACEHOLDER__/, base_url) }
+            /^EMBEDDED_CHECKSUMS="__CHECKSUMS_PLACEHOLDER__"/ { sub(/__CHECKSUMS_PLACEHOLDER__/, checksums) }
+            { print }
+          ' install.sh > release/install.sh
+          chmod +x release/install.sh
+
+          awk -v version="$VERSION" -v base_url="$BASE_URL" -v checksums="$CHECKSUMS" '
+            /^[$]PinnedVersion = .__VERSION_PLACEHOLDER__/ { sub(/__VERSION_PLACEHOLDER__/, version) }
+            /^[$]BaseUrl = .__BASE_URL_PLACEHOLDER__/ { sub(/__BASE_URL_PLACEHOLDER__/, base_url) }
+            /^[$]EmbeddedChecksums = .__CHECKSUMS_PLACEHOLDER__/ { sub(/__CHECKSUMS_PLACEHOLDER__/, checksums) }
+            { print }
+          ' install.ps1 > release/install.ps1
+
+      - name: Add install scripts to checksums
+        run: |
+          cd release
+          sha256sum install.sh install.ps1 >> SHA256SUMS
+
+      - name: Upload generated release bundle as workflow artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: git-ai-s3-release-${{ inputs.release_tag }}
+          path: release/
+          retention-days: 30
+
+      - name: Configure AWS credentials
+        if: inputs.dry_run != true
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_S3_RELEASE_ROLE_ARN }}
+          aws-region: ${{ inputs.aws_region }}
+
+      - name: Upload release to S3
+        if: inputs.dry_run != true
+        run: |
+          set -euo pipefail
+          PREFIX="${{ inputs.s3_prefix }}"
+          PREFIX="${PREFIX#/}"
+          PREFIX="${PREFIX%/}"
+          DEST="s3://${{ inputs.s3_bucket }}/${PREFIX}/${{ inputs.release_tag }}/"
+          aws s3 sync release/ "$DEST" --delete
+          echo "Uploaded release to $DEST"
+          echo "Install with:"
+          echo "curl -fsSL ${{ inputs.public_base_url }}/${{ inputs.release_tag }}/install.sh | bash"
diff --git a/install.ps1 b/install.ps1
@@ -230,6 +230,10 @@ if ($Repo -eq '__REPO_PLACEHOLDER__') {
 # When set to __VERSION_PLACEHOLDER__, defaults to "latest"
 $PinnedVersion = '__VERSION_PLACEHOLDER__'
 
+# Base URL placeholder - replaced by internal/S3 release builds.
+# When set, binaries are downloaded from "$BaseUrl/$binaryName(.exe)" instead of GitHub Releases.
+$BaseUrl = '__BASE_URL_PLACEHOLDER__'
+
 # Embedded checksums - replaced during release builds with actual SHA256 checksums
 # Format: "hash  filename|hash  filename|..." (pipe-separated)
 # When set to __CHECKSUMS_PLACEHOLDER__, checksum verification is skipped
@@ -409,6 +413,13 @@ $binaryName = "git-ai-$os-$arch"
 # Priority: 1. Local binary override, 2. Pinned version (for release builds), 3. Environment variable, 4. "latest"
 if (-not [string]::IsNullOrWhiteSpace($env:GIT_AI_LOCAL_BINARY)) {
     $releaseTag = 'local'
+} elseif ($BaseUrl -ne '__BASE_URL_PLACEHOLDER__' -and -not [string]::IsNullOrWhiteSpace($BaseUrl)) {
+    $releaseTag = $PinnedVersion
+    if ($releaseTag -eq '__VERSION_PLACEHOLDER__') {
+        $releaseTag = 'custom'
+    }
+    $downloadUrlExe = "$($BaseUrl.TrimEnd('/'))/$binaryName.exe"
+    $downloadUrlNoExt = "$($BaseUrl.TrimEnd('/'))/$binaryName"
 } elseif ($PinnedVersion -ne '__VERSION_PLACEHOLDER__') {
     # Version-pinned install script from a release
     $releaseTag = $PinnedVersion

diff --git a/install.sh b/install.sh
@@ -59,6 +59,10 @@ fi
 # When set to __VERSION_PLACEHOLDER__, defaults to "latest"
 PINNED_VERSION="__VERSION_PLACEHOLDER__"
 
+# Base URL placeholder - replaced by internal/S3 release builds.
+# When set, binaries are downloaded from "${BASE_URL}/${BINARY_NAME}" instead of GitHub Releases.
+BASE_URL="__BASE_URL_PLACEHOLDER__"
+
 # Embedded checksums - replaced during release builds with actual SHA256 checksums
 # Format: "hash  filename|hash  filename|..." (pipe-separated)
 # When set to __CHECKSUMS_PLACEHOLDER__, checksum verification is skipped
@@ -259,6 +263,12 @@ BINARY_NAME="git-ai-${OS}-${ARCH}"
 if [ -n "${GIT_AI_LOCAL_BINARY:-}" ]; then
     RELEASE_TAG="local"
     DOWNLOAD_URL=""
+elif [ "$BASE_URL" != "__BASE_URL_PLACEHOLDER__" ] && [ -n "$BASE_URL" ]; then
+    RELEASE_TAG="$PINNED_VERSION"
+    if [ "$RELEASE_TAG" = "__VERSION_PLACEHOLDER__" ]; then
+        RELEASE_TAG="custom"
+    fi
+    DOWNLOAD_URL="${BASE_URL%/}/${BINARY_NAME}"
 elif [ "$PINNED_VERSION" != "__VERSION_PLACEHOLDER__" ]; then
     # Version-pinned install script from a release
     RELEASE_TAG="$PINNED_VERSION"