🔄 synced file(s) with dianlight/opencode-actions#11
Conversation
There was a problem hiding this comment.
🚨 3 · 🛠️ 1
✅ No existing threads resolved.
The || contains(..., 'opencode:awaiting-response') suffix in both new triage workflows (3 occurrences) short-circuits all preceding guard clauses (bot exclusion, author association, state check), allowing any comment — including from bots — to potentially trigger the implementation workflow without human verification.
| ) && | ||
| github.event.comment.body.length > 10 | ||
| ) || | ||
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Bot bypass via unguarded label check
The || at line 27 has lower precedence than &&, so the label check on line 28 bypasses ALL preceding guards (bot exclusion, author association, state check). Any comment on an issue with opencode:awaiting-response triggers the workflow, and if the comment body matches 'approved', 'lgtm', etc., implementation is dispatched without human review.
Fix: Wrap the label check with the same guard clauses.
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') | |
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') && | |
| github.event.issue.state == 'open' && | |
| github.event.comment.user.login != 'github-actions[bot]' && | |
| github.event.comment.user.login != 'opencode-agent[bot]' && | |
| github.event.comment.user.login != 'coderabbitai[bot]' |
| ) && | ||
| github.event.comment.body.length > 10 | ||
| ) || | ||
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Same bypass in triage-pr (review-comment branch)
Identical guard-clause bypass in the pull_request_review_comment branch.
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') | |
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') && | |
| github.event.pull_request.state == 'open' && | |
| github.event.comment.user.login != 'github-actions[bot]' && | |
| github.event.comment.user.login != 'opencode-agent[bot]' && | |
| github.event.comment.user.login != 'coderabbitai[bot]' |
| ) && | ||
| github.event.review.body.length > 10 | ||
| ) || | ||
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Same bypass in triage-pr (review branch)
Identical guard-clause bypass in the pull_request_review branch.
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') | |
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') && | |
| github.event.pull_request.state == 'open' && | |
| github.event.review.user.login != 'github-actions[bot]' && | |
| github.event.review.user.login != 'opencode-agent[bot]' && | |
| github.event.review.user.login != 'coderabbitai[bot]' |
| changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "") | ||
| if [ -z "$changed_files" ]; then | ||
| # Fallback: just check if any file changed at all | ||
| changed_files=$(git diff --name-only HEAD~1...HEAD 2>/dev/null || echo "") | ||
| fi |
There was a problem hiding this comment.
🛠️ [QUALITY] Fallback diff logic misses intermediate commits
When git diff --name-only "$base"...HEAD returns empty (edge case — e.g. invalid base SHA), the fallback HEAD~1...HEAD only captures the most recent commit's changes. For multi-commit PRs, intermediate changes are invisible. Since fetch-depth: 0 provides full history, compute the merge base explicitly and avoid the fallback entirely:
| changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "") | |
| if [ -z "$changed_files" ]; then | |
| # Fallback: just check if any file changed at all | |
| changed_files=$(git diff --name-only HEAD~1...HEAD 2>/dev/null || echo "") | |
| fi | |
| merge_base=$(git merge-base "$base" HEAD 2>/dev/null) || merge_base="$base" | |
| changed_files=$(git diff --name-only "$merge_base" HEAD 2>/dev/null || echo "") |
|
Review submitted. Verdict: REQUEST_CHANGES — 3 🚨 CRITICAL, 1 🛠️ QUALITY. Most critical finding: All three |
4c9ccd9 to
dd540f3
Compare
|
Caution Review failedAn error occurred during the review process. Please try again later. 📝 WalkthroughWalkthroughAdds ChangesOpencode automation
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Comment
participant auth.sh
participant Workflow
participant Opencode
Comment->>auth.sh: Parse /oc command
auth.sh->>Workflow: Return subcommand and arguments
Workflow->>Opencode: Run selected automation path
Opencode->>Workflow: Return outcome
Workflow->>Comment: Post reaction or result
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
dd540f3 to
8ead145
Compare
There was a problem hiding this comment.
🚨 4 · 🛠️ 1
✅ 0 threads resolved — all 4 previously flagged issues remain unaddressed in the current diff. A new 🚨 YAML indentation error is also found in the new opencode-triage-issue.yaml.
Most critical finding: opencode-triage-issue.yaml:12 — debug: at column 0 (same indent as jobs:) makes it a top-level key, not a child of jobs:. This invalid YAML structure will cause a GitHub Actions workflow validation error, preventing the triage job from ever running.
| debug: # ← NUOVO JOB | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Debug auth info | ||
| run: | | ||
| echo "Comment user: ${{ github.event.comment.user.login }}" | ||
| echo "Author association: ${{ github.event.comment.author_association }}" | ||
| echo "Issue state: ${{ github.event.issue.state }}" | ||
| echo "Comment body: ${{ github.event.comment.body }}" | ||
| echo "Trigger contains /oc: $(echo '${{ github.event.comment.body }}' | grep -c '/oc' || echo '0')" | ||
|
|
There was a problem hiding this comment.
🚨 [CRITICAL] debug: job YAML indentation breaks workflow validation
The debug: key is at column 0 (same indent as jobs:), making it a top-level key instead of a child of jobs:. This will cause a GitHub Actions workflow validation error — neither debug nor triage will run.
This is also leftover development scaffolding that should not be in production. Remove it:
| debug: # ← NUOVO JOB | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Debug auth info | |
| run: | | |
| echo "Comment user: ${{ github.event.comment.user.login }}" | |
| echo "Author association: ${{ github.event.comment.author_association }}" | |
| echo "Issue state: ${{ github.event.issue.state }}" | |
| echo "Comment body: ${{ github.event.comment.body }}" | |
| echo "Trigger contains /oc: $(echo '${{ github.event.comment.body }}' | grep -c '/oc' || echo '0')" | |
| ) && | ||
| github.event.comment.body.length > 10 | ||
| ) || | ||
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Bot bypass via unguarded || label check (previously flagged, still open)
|| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') has lower precedence than all preceding && operators, so the label check bypasses ALL guards (bot exclusion, author association, state check). Any comment (including from bots) on an issue with this label triggers the workflow.
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') | |
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') && | |
| github.event.issue.state == 'open' && | |
| github.event.comment.user.login != 'github-actions[bot]' && | |
| github.event.comment.user.login != 'opencode-agent[bot]' && | |
| github.event.comment.user.login != 'coderabbitai[bot]' |
| ) && | ||
| github.event.comment.body.length > 10 | ||
| ) || | ||
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Bot bypass in pull_request_review_comment branch (previously flagged, still open)
Same ||-over-&& precedence issue — the label check on this line bypasses all preceding guard clauses.
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') | |
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') && | |
| github.event.pull_request.state == 'open' && | |
| github.event.comment.user.login != 'github-actions[bot]' && | |
| github.event.comment.user.login != 'opencode-agent[bot]' && | |
| github.event.comment.user.login != 'coderabbitai[bot]' |
| ) && | ||
| github.event.review.body.length > 10 | ||
| ) || | ||
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Bot bypass in pull_request_review branch (previously flagged, still open)
Same ||-over-&& precedence issue for review events.
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') | |
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') && | |
| github.event.pull_request.state == 'open' && | |
| github.event.review.user.login != 'github-actions[bot]' && | |
| github.event.review.user.login != 'opencode-agent[bot]' && | |
| github.event.review.user.login != 'coderabbitai[bot]' |
| run: | | ||
| base="${{ github.event.pull_request.base.sha }}" | ||
| # Get list of changed files against the base | ||
| changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "") |
There was a problem hiding this comment.
🛠️ [QUALITY] Fallback diff logic misses intermediate commits (previously flagged, still open)
When git diff --name-only "$base"...HEAD returns empty, the fallback HEAD~1...HEAD only covers the most recent commit. For multi-commit PRs, intermediate changes are invisible. Since fetch-depth: 0 provides full history, compute the merge base explicitly:
| changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "") | |
| merge_base=$(git merge-base "$base" HEAD 2>/dev/null) || merge_base="$base" | |
| changed_files=$(git diff --name-only "$merge_base" HEAD 2>/dev/null || echo "") |
|
Review submitted — REQUEST_CHANGES. Step 1: No threads resolved — all 4 previously flagged issues persist in the current diff (3 🚨 bypass in triage-issue.yaml:39, triage-pr.yaml:32, triage-pr.yaml:50; 1 🛠️ fallback in review.yaml:34). Step 2: Submitted with 5 inline comments:
|
There was a problem hiding this comment.
🚨 3 · 🛠️ 2
✅ 0 threads resolved — all previously flagged issues remain unaddressed in the current diff.
Most critical finding: All three || contains(..., 'opencode:awaiting-response') guard-clause bypasses persist (triage-issue.yaml:39, triage-pr.yaml:32, triage-pr.yaml:50). Due to &&-over-|| operator precedence, the label check short-circuits all preceding guards (bot exclusion, author association, state check), allowing any comment — including from bots — to trigger the implementation workflow without human verification.
| cancel-in-progress: false | ||
|
|
||
| jobs: | ||
| debug: # ← NUOVO JOB |
There was a problem hiding this comment.
🛠️ [QUALITY] Debug job is leftover development scaffolding
The debug job (lines 12–21) prints variable values and serves no purpose in production. It runs on every issue_comment event, consuming CI minutes and cluttering logs. Remove it before shipping.
| debug: # ← NUOVO JOB | |
| triage: |
| ) && | ||
| github.event.comment.body.length > 10 | ||
| ) || | ||
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Guard-clause bypass via || operator precedence (previously flagged, still open)
|| has lower precedence than &&, so || contains(..., 'opencode:awaiting-response') on line 39 is evaluated as an alternative to ALL preceding &&-chained guards (bot exclusion at 25–27, author association at 28, state check at 29). Any commenter — including github-actions[bot], opencode-agent[bot], or coderabbitai[bot] — can bypass all checks simply by commenting on an issue with the opencode:awaiting-response label. If the comment body matches 'approved'/'lgtm', the implementation workflow is dispatched without human review.
Fix: Move the label check inside the guarded parentheses so it is subject to the same bot/author/state filters.
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') | |
| ( | |
| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') || | |
| ( | |
| ( | |
| contains(github.event.comment.body, ' /oc') || | |
| startsWith(github.event.comment.body, '/oc') || | |
| contains(github.event.comment.body, ' /opencode') || | |
| startsWith(github.event.comment.body, '/opencode') | |
| ) && | |
| github.event.comment.body.length > 10 | |
| ) | |
| ) |
| ) && | ||
| github.event.comment.body.length > 10 | ||
| ) || | ||
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Guard-clause bypass via || in pull_request_review_comment branch (previously flagged, still open)
Same ||-over-&& precedence issue. The label check on line 32 bypasses bot exclusion (lines 18–20), author association (line 21), and state check (line 22).
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') | |
| ( | |
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') || | |
| ( | |
| ( | |
| contains(github.event.comment.body, ' /oc') || | |
| startsWith(github.event.comment.body, '/oc') || | |
| contains(github.event.comment.body, ' /opencode') || | |
| startsWith(github.event.comment.body, '/opencode') | |
| ) && | |
| github.event.comment.body.length > 10 | |
| ) | |
| ) |
| ) && | ||
| github.event.review.body.length > 10 | ||
| ) || | ||
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') |
There was a problem hiding this comment.
🚨 [CRITICAL] Guard-clause bypass via || in pull_request_review branch (previously flagged, still open)
Same ||-over-&& precedence issue. The label check on line 50 bypasses bot exclusion (lines 36–38), author association (line 39), and state check (line 40).
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') | |
| ( | |
| contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') || | |
| ( | |
| ( | |
| contains(github.event.review.body, ' /oc') || | |
| startsWith(github.event.review.body, '/oc') || | |
| contains(github.event.review.body, ' /opencode') || | |
| startsWith(github.event.review.body, '/opencode') | |
| ) && | |
| github.event.review.body.length > 10 | |
| ) | |
| ) |
| run: | | ||
| base="${{ github.event.pull_request.base.sha }}" | ||
| # Get list of changed files against the base | ||
| changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "") |
There was a problem hiding this comment.
🛠️ [QUALITY] Fallback diff logic misses intermediate commits (previously flagged, still open)
When git diff --name-only "$base"...HEAD returns empty (edge case such as an invalid base SHA), the fallback HEAD~1...HEAD only captures the most recent commit's changes. For multi-commit PRs, intermediate changes are invisible. Since fetch-depth: 0 provides full history, compute the merge base explicitly and avoid the fallback entirely:
| changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "") | |
| merge_base=$(git merge-base "$base" HEAD 2>/dev/null) || merge_base="$base" | |
| changed_files=$(git diff --name-only "$merge_base" HEAD 2>/dev/null || echo "") |
|
Review submitted successfully — REQUEST_CHANGES with 5 inline comments:
|
8ead145 to
0e8cd54
Compare
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/scripts/auth.sh:
- Around line 50-59: Replace the fixed OCAUTH_EOF delimiter in the TASK_ARGS
output block with a cryptographically unpredictable, per-invocation delimiter,
and use that same generated value for both the opening and closing markers.
Preserve the existing empty TASK_ARGS behavior and GitHub output format while
ensuring comment content cannot terminate the heredoc early.
- Line 26: Update the /oc pattern in the TRIMMED matcher to require whitespace
or end-of-line immediately after the token, preventing prefixes such as /october
from matching while preserving valid /oc comments.
In @.github/workflows/opencode-pr-comment.yml:
- Around line 100-102: Update the workflow step containing the PARENT_AUTHOR and
in_reply_to_id lookups so GitHub event fields are passed through step-level env
variables rather than interpolated directly in run commands. Define env values
for the pull request review URL and in_reply_to_id, then reference them as
quoted shell variables in the gh api and related commands.
- Around line 354-397: Update the workflow instructions for
issue_comment-triggered steps to use github.event.issue.number instead of
github.event.pull_request.number when invoking gh pr checkout, gh pr edit, and
gh pr comment; preserve the existing task execution and checklist behavior.
- Around line 119-127: Update the LAST_COMMENT_AUTHOR lookup in the bot-thread
detection block to fetch the latest comments page explicitly before selecting
the comment immediately preceding the trigger. Preserve the existing
previous-author selection and bot comparisons, ensuring threads with more than
30 comments inspect the correct latest-page entry.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 94d2ca7b-3963-4318-a340-a71efea176f6
📒 Files selected for processing (10)
.github/scripts/auth.sh.github/workflows/opencode-implement.yaml.github/workflows/opencode-issue-handler.yml.github/workflows/opencode-pr-comment.yml.github/workflows/opencode-pr-review.yml.github/workflows/opencode-review.yaml.github/workflows/opencode-triage-issue.yaml.github/workflows/opencode-triage-pr.yaml.github/workflows/opencode-triage.yaml.github/workflows/opencode.yml
| SUBCOMMAND="none" | ||
| TASK_ARGS="" | ||
|
|
||
| if [[ "$TRIMMED" =~ ^/oc ]]; then |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Tighten the /oc matcher.
^/oc also matches prefixes like /october, so those comments can be routed as /oc. Anchor the token to whitespace or end-of-line.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/scripts/auth.sh at line 26, Update the /oc pattern in the TRIMMED
matcher to require whitespace or end-of-line immediately after the token,
preventing prefixes such as /october from matching while preserving valid /oc
comments.
| # Multi-line args via heredoc delimiter | ||
| if [[ -n "$TASK_ARGS" ]]; then | ||
| { | ||
| echo "TASK_ARGS<<OCAUTH_EOF" | ||
| echo "$TASK_ARGS" | ||
| echo "OCAUTH_EOF" | ||
| } >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "TASK_ARGS=" >> "$GITHUB_OUTPUT" | ||
| fi |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Static heredoc delimiter is vulnerable to output injection.
TASK_ARGS comes from the comment body. If a line equal to OCAUTH_EOF (or a crafted KEY=value after it) appears in the args, the heredoc terminates early and arbitrary step outputs can be injected. Use a random, per-invocation delimiter.
Proposed fix
-if [[ -n "$TASK_ARGS" ]]; then
+if [[ -n "$TASK_ARGS" ]]; then
+ EOF_DELIM="OCAUTH_EOF_$(openssl rand -hex 8 2>/dev/null || date +%s%N)"
{
- echo "TASK_ARGS<<OCAUTH_EOF"
+ echo "TASK_ARGS<<${EOF_DELIM}"
echo "$TASK_ARGS"
- echo "OCAUTH_EOF"
+ echo "${EOF_DELIM}"
} >> "$GITHUB_OUTPUT"
else📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Multi-line args via heredoc delimiter | |
| if [[ -n "$TASK_ARGS" ]]; then | |
| { | |
| echo "TASK_ARGS<<OCAUTH_EOF" | |
| echo "$TASK_ARGS" | |
| echo "OCAUTH_EOF" | |
| } >> "$GITHUB_OUTPUT" | |
| else | |
| echo "TASK_ARGS=" >> "$GITHUB_OUTPUT" | |
| fi | |
| # Multi-line args via heredoc delimiter | |
| if [[ -n "$TASK_ARGS" ]]; then | |
| EOF_DELIM="OCAUTH_EOF_$(openssl rand -hex 8 2>/dev/null || date +%s%N)" | |
| { | |
| echo "TASK_ARGS<<${EOF_DELIM}" | |
| echo "$TASK_ARGS" | |
| echo "${EOF_DELIM}" | |
| } >> "$GITHUB_OUTPUT" | |
| else | |
| echo "TASK_ARGS=" >> "$GITHUB_OUTPUT" | |
| fi |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/scripts/auth.sh around lines 50 - 59, Replace the fixed OCAUTH_EOF
delimiter in the TASK_ARGS output block with a cryptographically unpredictable,
per-invocation delimiter, and use that same generated value for both the opening
and closing markers. Preserve the existing empty TASK_ARGS behavior and GitHub
output format while ensuring comment content cannot terminate the heredoc early.
| LAST_COMMENT_AUTHOR=$(gh api \ | ||
| "/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments" \ | ||
| --jq '.[-2].user.login' 2>/dev/null || echo "") | ||
|
|
||
| if [[ "$LAST_COMMENT_AUTHOR" == "opencode-agent[bot]" ]] || \ | ||
| [[ "$LAST_COMMENT_AUTHOR" == "github-actions[bot]" ]]; then | ||
| IS_BOT_THREAD="true" | ||
| fi | ||
| fi |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow around the referenced lines
file=".github/workflows/opencode-pr-comment.yml"
wc -l "$file"
sed -n '90,150p' "$file"
# Check for any pagination / per_page handling in this workflow
rg -n --no-heading 'per_page|paginate|issues/.*/comments|LAST_COMMENT_AUTHOR|IS_BOT_THREAD' "$file"
# Gather the relevant gh api / jq behavior from local help if available
gh api --help 2>/dev/null | sed -n '1,220p' || true
gh help api 2>/dev/null | sed -n '1,220p' || trueRepository: dianlight/smartmontools-sdk
Length of output: 18761
🌐 Web query:
GitHub REST API list issue comments default order per_page 30 docs comments endpoint oldest first
💡 Result:
For the GitHub REST API "List issue comments" endpoints, the default behavior regarding pagination and ordering is as follows: Pagination: The default value for the per_page parameter is 30, with a maximum allowed value of 100 per page [1][2]. Ordering: By default, issue comments are ordered by ascending ID [3][4][5]. The API documentation explicitly states this default ordering [3][4], which typically results in the oldest comments appearing first. Some discussions within the community have noted that while ID-based ordering often corresponds to chronological creation order, the API behavior is officially documented as being based on the ID [3][4].
Citations:
- 1: https://docs.github.com/enterprise-server@3.10/rest/issues/comments
- 2: https://docs.github.com/en/rest/issues/comments?apiVersion=2022-11-28
- 3: https://docs.github.com/en/rest/issues/comments?apiVersion=--
- 4: https://docs.github.com/en/enterprise-server@3.17/rest/issues/comments
- 5: https://docs.github.com/en/enterprise-server@3.2/rest/issues/comments
Bot-thread detection only inspects the first comments page .github/workflows/opencode-pr-comment.yml:119-127
/repos/{owner}/{repo}/issues/{n}/comments returns comments oldest-first with 30 per page, so .[-2] reads from page 1 instead of the comment immediately before the trigger. On threads with more than 30 comments, IS_BOT_THREAD can be computed from the wrong comment. Fetch the latest page explicitly before selecting the previous author.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/opencode-pr-comment.yml around lines 119 - 127, Update the
LAST_COMMENT_AUTHOR lookup in the bot-thread detection block to fetch the latest
comments page explicitly before selecting the comment immediately preceding the
trigger. Preserve the existing previous-author selection and bot comparisons,
ensuring threads with more than 30 comments inspect the correct latest-page
entry.
| - Pull request: #${{ github.event.pull_request.number }} | ||
| - Task arguments from the user: env var `OPENCODE_TASK_ARGS` | ||
|
|
||
| ## Workflow | ||
|
|
||
| ### 1. Determine the task | ||
| - If `OPENCODE_TASK_ARGS` is non-empty, use that as the | ||
| task description. | ||
| - If `OPENCODE_TASK_ARGS` is empty, parse the PR body | ||
| markdown. Extract the first uncompleted task matching | ||
| `- [ ]` and treat it as the execution objective. | ||
|
|
||
| ### 2. Checkout the PR branch | ||
| ```bash | ||
| gh pr checkout ${{ github.event.pull_request.number }} | ||
| ``` | ||
|
|
||
| ### 3. Implement the task | ||
| - Read relevant files and understand the codebase context. | ||
| - Implement the requested feature or fix. | ||
| - Verify your code compiles / passes linting. | ||
| - Commit with a conventional commit message (e.g. | ||
| `feat(scope): implement task description`). | ||
|
|
||
| ### 4. Push | ||
| ```bash | ||
| git push origin HEAD | ||
| ``` | ||
|
|
||
| ### 5. Update the PR checklist | ||
| Update the PR body to flip the completed task checkbox: | ||
| - Change `- [ ] task description` to `- [x] task description` | ||
| for the task you just completed. | ||
|
|
||
| ```bash | ||
| gh pr edit ${{ github.event.pull_request.number }} \ | ||
| --body "<updated PR body with checked checkbox>" | ||
| ``` | ||
|
|
||
| ### 6. Post summary comment | ||
| ```bash | ||
| gh pr comment ${{ github.event.pull_request.number }} \ | ||
| --body "✅ Task completed: <description>\nCommit: <sha>" | ||
| ``` |
There was a problem hiding this comment.
🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win
Use github.event.issue.number for issue_comment workflow steps — github.event.pull_request.number is empty on this event, so gh pr checkout, gh pr edit, and gh pr comment will fail with a blank PR number.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/opencode-pr-comment.yml around lines 354 - 397, Update the
workflow instructions for issue_comment-triggered steps to use
github.event.issue.number instead of github.event.pull_request.number when
invoking gh pr checkout, gh pr edit, and gh pr comment; preserve the existing
task execution and checklist behavior.
0e8cd54 to
01484a8
Compare
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/opencode-issue-handler.yml:
- Around line 64-83: Update the Process 4 job permissions and opencode step:
remove id-token: write from permissions and set use_github_token: true in the
opencode action’s with configuration. Keep the existing read-only contents
permission and issue-writing behavior unchanged.
- Around line 118-124: Remove the manual gh issue comment instructions and
execution steps from the issue-handling workflow, including the corresponding
block around the later response section. Configure the workflow to return the
formatted response to the pinned anomalyco/opencode/github action instead,
relying on that action to create the issue comment once.
In @.github/workflows/opencode-pr-comment.yml:
- Around line 81-89: Add a repository checkout step at the beginning of the
process-2 job’s steps, before any Opencode execution, so the job has a local git
worktree available. Use the workflow’s existing checkout action configuration
and leave the job conditions and permissions unchanged.
- Around line 215-229: Update the process-3 workflow job around the opencode
step to grant contents: write permission and enable persisted checkout
credentials instead of setting persist-credentials to false. Apply the same
contents: write permission to the process-6 job while preserving its existing
checkout authentication configuration, so both jobs can push changes.
- Around line 175-181: Remove the gh api reply instructions and shell code
blocks from the prompt blocks in the workflow, including the ## Output section
shown and all equivalent prompt sections. Have each prompt request and return
only the Markdown reply content directly, without instructing the model to post
via GitHub API or reference github.event.comment.id.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: a5c51317-6d71-4180-aa44-6245b6846b8f
📒 Files selected for processing (10)
.github/scripts/auth.sh.github/workflows/opencode-implement.yaml.github/workflows/opencode-issue-handler.yml.github/workflows/opencode-pr-comment.yml.github/workflows/opencode-pr-review.yml.github/workflows/opencode-review.yaml.github/workflows/opencode-triage-issue.yaml.github/workflows/opencode-triage-pr.yaml.github/workflows/opencode-triage.yaml.github/workflows/opencode.yml
🚧 Files skipped from review as they are similar to previous changes (8)
- .github/workflows/opencode-triage-issue.yaml
- .github/workflows/opencode.yml
- .github/workflows/opencode-triage-pr.yaml
- .github/workflows/opencode-triage.yaml
- .github/workflows/opencode-review.yaml
- .github/workflows/opencode-implement.yaml
- .github/scripts/auth.sh
- .github/workflows/opencode-pr-review.yml
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| issues: write | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Run opencode (Process 4 — Issue Review & Refinement) | ||
| id: opencode | ||
| continue-on-error: true | ||
| uses: anomalyco/opencode/github@77fc88c8ade8e5a620ebbe1197f3a572d29ae91a # latest | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }} | ||
| OPENCODE_TRIGGER_BODY: ${{ github.event.comment.body }} | ||
| with: | ||
| model: opencode/deepseek-v4-flash-free |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
curl -fsSL \
https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/github/action.yml |
grep -n -A8 'use_github_token'Repository: dianlight/smartmontools-sdk
Length of output: 739
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '--- workflow ---'
cat -n .github/workflows/opencode-issue-handler.yml | sed -n '55,90p'
echo
echo '--- local references to use_github_token ---'
rg -n "use_github_token|USE_GITHUB_TOKEN|OIDC_BASE_URL|GITHUB_TOKEN" .github/workflows . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**'Repository: dianlight/smartmontools-sdk
Length of output: 4704
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '--- opencode-issue-handler around the other use_github_token occurrence ---'
cat -n .github/workflows/opencode-issue-handler.yml | sed -n '188,210p'
echo
echo '--- opencode-pr-review usage ---'
cat -n .github/workflows/opencode-pr-review.yml | sed -n '60,80p'
echo
echo '--- opencode-pr-comment usage ---'
cat -n .github/workflows/opencode-pr-comment.yml | sed -n '138,152p'Repository: dianlight/smartmontools-sdk
Length of output: 3373
Enforce Process 4’s read-only boundary with the job token. use_github_token is still at its default false, so this step uses the OIDC/App-token path instead of the job-scoped GITHUB_TOKEN. Set use_github_token: true here and remove id-token: write.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/opencode-issue-handler.yml around lines 64 - 83, Update
the Process 4 job permissions and opencode step: remove id-token: write from
permissions and set use_github_token: true in the opencode action’s with
configuration. Keep the existing read-only contents permission and issue-writing
behavior unchanged.
| ### 4. Post your response | ||
| Post a well-formatted comment on the issue timeline: | ||
|
|
||
| ```bash | ||
| gh issue comment ${{ github.event.issue.number }} \ | ||
| --body-file /tmp/response.md | ||
| ``` |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
curl -fsSL \
https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts |
grep -n 'createComment'Repository: dianlight/smartmontools-sdk
Length of output: 823
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow around the reported lines.
sed -n '100,140p' .github/workflows/opencode-issue-handler.yml
printf '\n---\n'
sed -n '300,325p' .github/workflows/opencode-issue-handler.yml
printf '\n=== external github.ts around createComment ===\n'
curl -fsSL https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts |
sed -n '600,720p'Repository: dianlight/smartmontools-sdk
Length of output: 8180
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Find any workflow references to the opencode issue handler and any explicit comment-posting steps.
rg -n --hidden --glob '.github/workflows/*.yml' -e 'gh issue comment|opencode|response.md|createComment|issue timeline' .github/workflows
printf '\n=== workflow file list ===\n'
git ls-files '.github/workflows/*'Repository: dianlight/smartmontools-sdk
Length of output: 7121
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Read the second issue-handler block around the reported lines for exact context.
sed -n '286,320p' .github/workflows/opencode-issue-handler.ymlRepository: dianlight/smartmontools-sdk
Length of output: 1254
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow inputs/output contract around the opencode step and the comment step.
sed -n '70,130p' .github/workflows/opencode-issue-handler.yml
printf '\n---\n'
sed -n '190,320p' .github/workflows/opencode-issue-handler.ymlRepository: dianlight/smartmontools-sdk
Length of output: 7582
Return the formatted response instead of posting it manually. The pinned anomalyco/opencode/github@77fc88c8ade8e5a620ebbe1197f3a572d29ae91a action already creates issue comments in the issue path, so these gh issue comment steps will duplicate the same response. Also applies to lines 310-315.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/opencode-issue-handler.yml around lines 118 - 124, Remove
the manual gh issue comment instructions and execution steps from the
issue-handling workflow, including the corresponding block around the later
response section. Configure the workflow to return the formatted response to the
pinned anomalyco/opencode/github action instead, relying on that action to
create the issue comment once.
| process-2: | ||
| if: needs.route.outputs.process == 'process-2' | ||
| needs: route | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| pull-requests: write | ||
| steps: |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '81,145p' .github/workflows/opencode-pr-comment.ymlRepository: dianlight/smartmontools-sdk
Length of output: 2902
Checkout the repository before Process 2. Opencode runs from the local git worktree here, but this job never checks the repo out first, so the step can fail before it processes the prompt.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/opencode-pr-comment.yml around lines 81 - 89, Add a
repository checkout step at the beginning of the process-2 job’s steps, before
any Opencode execution, so the job has a local git worktree available. Use the
workflow’s existing checkout action configuration and leave the job conditions
and permissions unchanged.
| ## Output | ||
| Reply to the thread via `gh api`: | ||
| ```bash | ||
| gh api --method POST \ | ||
| /repos/${{ github.repository }}/pulls/comments/${{ github.event.comment.id }}/replies \ | ||
| -f body="Your response here" | ||
| ``` |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
curl -fsSL \
https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts |
grep -n 'createComment'Repository: dianlight/smartmontools-sdk
Length of output: 823
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== workflow outline ==\n'
ast-grep outline .github/workflows/opencode-pr-comment.yml || true
printf '\n== workflow snippets ==\n'
sed -n '150,210p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '250,290p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '380,410p' .github/workflows/opencode-pr-comment.yml
printf '\n== github.ts around createComment ==\n'
tmp=$(mktemp)
curl -fsSL \
https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts \
-o "$tmp"
sed -n '1280,1335p' "$tmp"
rm -f "$tmp"Repository: dianlight/smartmontools-sdk
Length of output: 7764
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '150,210p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '250,290p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '380,410p' .github/workflows/opencode-pr-comment.ymlRepository: dianlight/smartmontools-sdk
Length of output: 5789
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n "opencode|final response|createComment|gh api|pulls/comments|issue_comment|review comment" .github/workflows/opencode-pr-comment.ymlRepository: dianlight/smartmontools-sdk
Length of output: 3780
🌐 Web query:
GitHub REST API reply to pull request review comment requires pull request review comment ID issue_comment payload comment.id review comment id
💡 Result:
To reply to a pull request review comment using the GitHub REST API, you should use the dedicated endpoint for pull request review comment replies rather than the generic issue comment endpoint [1][2][3][4]. The correct endpoint is: POST /repos/{owner}/{repo}/pulls/{pull_number}/comments/{comment_id}/replies In this path, the {comment_id} must be the unique identifier of an existing top-level pull request review comment [1][5]. The API does not support replies to replies; you cannot nest replies further than the initial response to a top-level comment [1][2][6]. Key requirements for the request: 1. Path Parameters: You must provide the correct owner, repository name, pull request number, and the ID of the top-level comment you are replying to [5][7]. 2. Body Payload: The request body must include a body field containing the text of your reply [1][6][7]. Example: {"body": "Your reply text here"}. 3. Distinction: Do not confuse this with the "issue comments" API, which manages comments on the pull request as a whole rather than specific review comments within the diff [3][4]. If you are programmatically identifying the comment to reply to, ensure you are referencing the id field of the pull request review comment object, not an issue_comment ID [1][5].
Citations:
- 1: https://docs.github.com/en/rest/pulls/comments
- 2: https://docs.github.com/en/rest/pulls/comments?apiVersion=2022-11-28
- 3: https://docs.github.com/en/rest/guides/working-with-comments?apiVersion=2022-11-28
- 4: https://docs.github.com/en/rest/issues/comments?apiVersion=--
- 5: https://www.withone.ai/knowledge/github/conn_mod_def%3A%3AGJ3Zv5BQNq8%3A%3ANXYCqjI3SIidnrv0RVX8XQ/md
- 6: https://docs.github.com/enterprise-server@3.10/rest/pulls/comments
- 7: https://docs.github.com/enterprise-server@3.7/rest/pulls/comments
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '1,85p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '220,310p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '330,440p' .github/workflows/opencode-pr-comment.ymlRepository: dianlight/smartmontools-sdk
Length of output: 11007
🌐 Web query:
anomalyco/opencode github action posts final response automatically gh api reply prompt
💡 Result:
The anomalyco/opencode GitHub Action is designed to integrate the OpenCode AI agent into your GitHub workflow [1][2]. It does not require you to manually use the GitHub API (gh api) to post responses, as the action handles this process automatically [1][3]. Key features and mechanisms: 1. Automatic Replying: When triggered by events like issue comments or pull request reviews, the OpenCode GitHub Action automatically processes the context (including existing comments) and posts its response as a comment on the corresponding GitHub issue or pull request [1][2][4]. 2. Triggering: You typically configure the action in a workflow file (e.g.,.github/workflows/opencode.yml) [1][4]. It can be configured to trigger on events such as issue_comment, pull_request_review_comment, issues, and pull_request [1][2][5]. 3. No Manual API Calls Needed: The action manages the interaction with the GitHub API internally [1][3]. It uses the provided GITHUB_TOKEN (typically supplied via secrets) to perform operations such as posting comments, creating branches, or opening pull requests [2][4][5]. 4. Advanced Automation: Recent updates have expanded the action's capabilities, allowing it to automatically extract prompts from issue titles, bodies, and labels (for example, on 'assigned' or 'opened' events), further reducing the need for manual prompt configuration or manual API interaction [3]. If you are looking to build a custom solution or need to interact with the GitHub API manually for other purposes, you can use the GitHub CLI (gh api) [6] or the actions/github-script action [7], but for standard OpenCode functionality, the anomalyco/opencode action handles these tasks for you [1][3].
Citations:
- 1: https://frank.dev.opencode.ai/docs/github/
- 2: https://github.com/anomalyco/opencode/tree/dev/github
- 3: feat(github): auto-extract issue prompt on assignment and opened events anomalyco/opencode#19934
- 4: https://github.com/anomalyco/opencode/blob/51e310c9/github/README.md
- 5: https://github.com/anomalyco/opencode/blob/dev/packages/web/src/content/docs/github.mdx
- 6: Can't seem to figure out how to use the `gh api` with POSTing objects cli/cli#3955
- 7: https://github.com/actions/github-script
🏁 Script executed:
#!/bin/bash
set -euo pipefail
tmp=$(mktemp)
curl -fsSL https://raw.githubusercontent.com/anomalyco/opencode/main/README.md -o "$tmp" || curl -fsSL https://raw.githubusercontent.com/anomalyco/opencode/master/README.md -o "$tmp"
printf '\n== README mentions GitHub action/comment behavior ==\n'
rg -n "GitHub Action|comment|reply|final response|post.*response|createComment|gh api" "$tmp" || true
printf '\n== nearby sections ==\n'
sed -n '1,260p' "$tmp" | rg -n -C 3 "GitHub Action|comment|reply|final response|post.*response|createComment|gh api" || true
rm -f "$tmp"Repository: dianlight/smartmontools-sdk
Length of output: 291
Remove the gh api reply instruction from these prompts
The action posts the model output itself, so the prompt should return the Markdown reply directly. github.event.comment.id is also wrong on issue_comment runs, where GitHub expects the top-level review-comment ID for /pulls/comments/{comment_id}/replies. Apply the same change to the other prompt blocks.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/opencode-pr-comment.yml around lines 175 - 181, Remove the
gh api reply instructions and shell code blocks from the prompt blocks in the
workflow, including the ## Output section shown and all equivalent prompt
sections. Have each prompt request and return only the Markdown reply content
directly, without instructing the model to post via GitHub API or reference
github.event.comment.id.
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| pull-requests: write | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 | ||
| with: | ||
| persist-credentials: false | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Run opencode (Process 3 — User-owned thread takeover) | ||
| id: opencode | ||
| continue-on-error: true | ||
| uses: anomalyco/opencode/github@77fc88c8ade8e5a620ebbe1197f3a572d29ae91a # latest |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '211,240p;304,342p' .github/workflows/opencode-pr-comment.ymlRepository: dianlight/smartmontools-sdk
Length of output: 2546
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the full workflow section around the two processes and any auth-related setup.
sed -n '200,345p' .github/workflows/opencode-pr-comment.yml
# Find all references to the opencode action and git/checkout auth settings in this workflow.
rg -n "use_github_token|persist-credentials|contents:|pull-requests:|git config|push|commit|checkout" .github/workflows/opencode-pr-comment.ymlRepository: dianlight/smartmontools-sdk
Length of output: 7716
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow jobs around all processes, including permissions and checkout auth.
cat -n .github/workflows/opencode-pr-comment.yml | sed -n '1,430p'
# Focus on the opencode action invocations and token-related inputs across the file.
rg -n "use_github_token|GITHUB_TOKEN|persist-credentials|contents: (read|write)|gh pr checkout|git push|commit with" .github/workflows/opencode-pr-comment.ymlRepository: dianlight/smartmontools-sdk
Length of output: 21452
🌐 Web query:
anomalyco/opencode/github use_github_token git authentication documentation
💡 Result:
In the context of the anomalyco/opencode project, the use_github_token mechanism refers to an authentication configuration for the OpenCode GitHub Action [1][2]. When utilizing the OpenCode GitHub Action, the agent requires authentication to perform tasks like committing changes, opening pull requests, and creating issue comments [1]. By default, the action uses an installation access token from the OpenCode GitHub App [1]. If you choose to use your own token—such as a personal access token (PAT) or the workflow's built-in GITHUB_TOKEN—you must set the use_github_token configuration [1][2]. According to the project's implementation and documentation: 1. Requirement: When use_github_token is enabled, you must provide a valid GITHUB_TOKEN via environment variables (typically ${{ secrets.GITHUB_TOKEN }}) [2][3]. 2. Git Configuration: Unlike the default mode, where OpenCode manages and configures Git credentials internally using an app-specific token [4][2], enabling use_github_token skips this automated configuration [2]. 3. Security: If you use the built-in GITHUB_TOKEN, ensure your workflow job has the necessary permissions granted (e.g., id-token, contents, pull-requests, and issues write permissions) [1]. For general Git authentication outside of this specific action, standard GitHub practices apply, such as using the GitHub CLI (gh auth login) or Git Credential Manager (GCM) to securely cache credentials [5][6].
Citations:
- 1: https://github.com/anomalyco/opencode/blob/dev/packages/web/src/content/docs/github.mdx
- 2: https://github.com/anomalyco/opencode/blob/ec3ae17e/packages/opencode/src/cli/cmd/github.ts
- 3: How to setup opencode github action with copilot provider? anomalyco/opencode#1341
- 4: https://github.com/anomalyco/opencode/blob/dev/github/index.ts
- 5: https://github.com/github/docs/blob/main/content/get-started/git-basics/caching-your-github-credentials-in-git.md
- 6: https://docs.github.com/en/enterprise-cloud@latest/get-started/git-basics/caching-your-github-credentials-in-git
Grant these jobs write access for git pushes (.github/workflows/opencode-pr-comment.yml:215-229, 304-334)
process-3disables persisted checkout credentials, anduse_github_token: truemakes Opencode rely on the job token instead of setting up its own Git auth.process-6keeps checkout auth, butcontents: readstill leaves the token read-only, sogit pushwill fail there too.- Set
contents: writefor both, and restore checkout credentials forprocess-3.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/opencode-pr-comment.yml around lines 215 - 229, Update the
process-3 workflow job around the opencode step to grant contents: write
permission and enable persisted checkout credentials instead of setting
persist-credentials to false. Apply the same contents: write permission to the
process-6 job while preserving its existing checkout authentication
configuration, so both jobs can push changes.
01484a8 to
603e384
Compare
…e '.github/workflows/opencode-pr-review.yml'
…te '.github/workflows/opencode-pr-comment.yml'
…emote '.github/workflows/opencode-issue-handler.yml'
…workflows/opencode.yml'
….github/workflows/opencode-triage.yaml'
…te '.github/workflows/opencode-triage-pr.yaml'
…emote '.github/workflows/opencode-triage-issue.yaml'
…e '.github/workflows/opencode-implement.yaml'
….github/workflows/opencode-review.yaml'
603e384 to
e25d4f6
Compare



synced local file(s) with dianlight/opencode-actions.
Changed files
.github/workflows/opencode-pr-review.ymlfrom remote.github/workflows/opencode-pr-review.yml.github/workflows/opencode-pr-comment.ymlfrom remote.github/workflows/opencode-pr-comment.yml.github/workflows/opencode-issue-handler.ymlfrom remote.github/workflows/opencode-issue-handler.yml.github/scripts/auth.shfrom remote.github/scripts/auth.sh.github/workflows/opencode.ymlwith remote.github/workflows/opencode.yml.github/workflows/opencode-triage.yamlwith remote.github/workflows/opencode-triage.yaml.github/workflows/opencode-triage-pr.yamlfrom remote.github/workflows/opencode-triage-pr.yaml.github/workflows/opencode-triage-issue.yamlfrom remote.github/workflows/opencode-triage-issue.yaml.github/workflows/opencode-implement.yamlwith remote.github/workflows/opencode-implement.yaml.github/workflows/opencode-review.yamlwith remote.github/workflows/opencode-review.yamlThis PR was created automatically by the repo-file-sync-action workflow run #29367107205