From bae6c05907c8b957ccc752e290eb711dd52b9246 Mon Sep 17 00:00:00 2001
From: Christophoros <bekos.christopher@gmail.com>
Date: Fri, 26 Jun 2026 03:04:38 +0300
Subject: [PATCH 1/3] support multiple releases separated by tag

---
 .github/workflows/build-on-tag.yml | 28 ++++++++++++++++++++++++++++
 .gitignore                         |  4 +++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/build-on-tag.yml

diff --git a/.github/workflows/build-on-tag.yml b/.github/workflows/build-on-tag.yml
new file mode 100644
index 0000000..a199e87
--- /dev/null
+++ b/.github/workflows/build-on-tag.yml
@@ -0,0 +1,28 @@
+name: Build and Release (Tag)
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Docker build
+        run: docker build --platform linux/amd64 --tag si-moko .
+
+      - name: Docker run
+        run: docker run --platform linux/amd64 --env "PUBLIC_KEY_HEX=${{ secrets.PUBLIC_KEY_HEX }}" --name firmware-container si-moko
+
+      - name: Copy firmware from container
+        run: docker cp firmware-container:/spaceinvader/dist/firmware.bin ${{ github.workspace }}/firmware.bin
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: ${{ github.workspace }}/firmware.bin
+          tag_name: ${{ github.ref_name }}
diff --git a/.gitignore b/.gitignore
index 7ad05b1..aef1ca4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -55,4 +55,6 @@ apps/firmware/build/_build/
 .DS_Store
 apps/firmware/dfu_images/private.key
 # apps/firmware/dfu_images/public_key.c
-_build/
\ No newline at end of file
+_build/
+
+.idea/
\ No newline at end of file

From 42e0a33d85783ac0692b37f95cf6ca8c23edfc61 Mon Sep 17 00:00:00 2001
From: Christophoros <bekos.christopher@gmail.com>
Date: Fri, 26 Jun 2026 03:22:18 +0300
Subject: [PATCH 2/3] minimize build size

---
 Dockerfile |  2 +-
 build.sh   | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 451e89f..6cdec00 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM debian:bookworm-slim as build-env
 
 # Install OS packages
 RUN apt-get update
-RUN apt-get install -y git build-essential wget
+RUN apt-get install -y git build-essential wget srecord
 
 # https://github.com/micropython/micropython/issues/8685
 RUN wget --no-verbose "https://developer.arm.com/-/media/Files/downloads/gnu/11.3.rel1/binrel/arm-gnu-toolchain-11.3.rel1-x86_64-arm-none-eabi.tar.xz?rev=95edb5e17b9d43f28c74ce824f9c6f10&hash=D5ACE3A6F75F603551D7702E00ED7B29" -O /tmp/arm-gnu-toolchain.tar.xz
diff --git a/build.sh b/build.sh
index cb36497..a1a8b9b 100755
--- a/build.sh
+++ b/build.sh
@@ -42,8 +42,15 @@ mergehex --merge bl_settings.hex secure_bootloader_moko.hex nrf52810_xxaa.hex s1
 # debug
 ls -alh firmware.hex
 
-# Convert the HEX file to a BIN file
-arm-none-eabi-objcopy --input-target=ihex --output-target=binary firmware.hex $WORKSPACE/dist/firmware.bin
+# Convert the HEX file to a BIN file.
+# Crop to the nRF52810 flash region (0x00000000 - 0x00030000, 192 KB) and fill
+# gaps with 0xFF (erased flash value) so the binary preserves the correct
+# offsets. Without cropping, records in the FICR/UICR region (~0x10000000)
+# would cause a 256 MB padded binary.
+srec_cat firmware.hex -Intel \
+    -crop 0x00000000 0x00030000 \
+    -fill 0xFF 0x00000000 0x00030000 \
+    -o $WORKSPACE/dist/firmware.bin -Binary
 
 # debug
 ls -alh $WORKSPACE/dist/firmware.bin

From fb968cbca14e14c9f26f4b3ac701f8c3efcb7946 Mon Sep 17 00:00:00 2001
From: Christophoros <bekos.christopher@gmail.com>
Date: Fri, 26 Jun 2026 03:31:29 +0300
Subject: [PATCH 3/3] fix build

---
 build.sh | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/build.sh b/build.sh
index a1a8b9b..027b60a 100755
--- a/build.sh
+++ b/build.sh
@@ -42,15 +42,22 @@ mergehex --merge bl_settings.hex secure_bootloader_moko.hex nrf52810_xxaa.hex s1
 # debug
 ls -alh firmware.hex
 
-# Convert the HEX file to a BIN file.
-# Crop to the nRF52810 flash region (0x00000000 - 0x00030000, 192 KB) and fill
-# gaps with 0xFF (erased flash value) so the binary preserves the correct
-# offsets. Without cropping, records in the FICR/UICR region (~0x10000000)
-# would cause a 256 MB padded binary.
-srec_cat firmware.hex -Intel \
-    -crop 0x00000000 0x00030000 \
-    -fill 0xFF 0x00000000 0x00030000 \
-    -o $WORKSPACE/dist/firmware.bin -Binary
+# Produce the DFU release artifact: the APPLICATION-ONLY binary.
+#
+# The backend's DFU pipeline (blu-transmogrifier) patches a per-device key into
+# this binary and packages it as a buttonless *application* DFU, so it expects
+# ONLY the application image (the same ~50 KB shape as the legacy
+# nrf52810_xxaa.bin) -- NOT the merged MBR+SoftDevice+bootloader+app image.
+#
+# nrf52810_xxaa.hex is the app-only build output (linked above the SoftDevice).
+# objcopy -O binary writes it starting at the app's first byte, so the file
+# begins with the application vector table. The app hex has no UICR/FICR record,
+# so the old 256 MB blow-up cannot happen here -- no crop/fill needed.
+arm-none-eabi-objcopy -I ihex -O binary nrf52810_xxaa.hex $WORKSPACE/dist/firmware.bin
+
+# Keep the full merged image (MBR + SoftDevice + bootloader + settings + app)
+# for first-time factory provisioning over SWD. Not used by the DFU pipeline.
+cp firmware.hex $WORKSPACE/dist/firmware.hex
 
 # debug
-ls -alh $WORKSPACE/dist/firmware.bin
+ls -alh $WORKSPACE/dist/firmware.bin $WORKSPACE/dist/firmware.hex