Skip to content

🔄 synced file(s) with dianlight/opencode-actions#11

Open
dianlight wants to merge 10 commits into
mainfrom
repo-sync/opencode-actions/default
Open

🔄 synced file(s) with dianlight/opencode-actions#11
dianlight wants to merge 10 commits into
mainfrom
repo-sync/opencode-actions/default

Conversation

@dianlight

@dianlight dianlight commented Jul 7, 2026

Copy link
Copy Markdown
Owner

synced local file(s) with dianlight/opencode-actions.

Changed files
  • created local .github/workflows/opencode-pr-review.yml from remote .github/workflows/opencode-pr-review.yml
  • created local .github/workflows/opencode-pr-comment.yml from remote .github/workflows/opencode-pr-comment.yml
  • created local .github/workflows/opencode-issue-handler.yml from remote .github/workflows/opencode-issue-handler.yml
  • created local .github/scripts/auth.sh from remote .github/scripts/auth.sh
  • synced local .github/workflows/opencode.yml with remote .github/workflows/opencode.yml
  • synced local .github/workflows/opencode-triage.yaml with remote .github/workflows/opencode-triage.yaml
  • created local .github/workflows/opencode-triage-pr.yaml from remote .github/workflows/opencode-triage-pr.yaml
  • created local .github/workflows/opencode-triage-issue.yaml from remote .github/workflows/opencode-triage-issue.yaml
  • synced local .github/workflows/opencode-implement.yaml with remote .github/workflows/opencode-implement.yaml
  • synced local .github/workflows/opencode-review.yaml with remote .github/workflows/opencode-review.yaml

This PR was created automatically by the repo-file-sync-action workflow run #29367107205

@dianlight dianlight added the sync label Jul 7, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 3 · 🛠️ 1

✅ No existing threads resolved.

The || contains(..., 'opencode:awaiting-response') suffix in both new triage workflows (3 occurrences) short-circuits all preceding guard clauses (bot exclusion, author association, state check), allowing any comment — including from bots — to potentially trigger the implementation workflow without human verification.

) &&
github.event.comment.body.length > 10
) ||
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Bot bypass via unguarded label check

The || at line 27 has lower precedence than &&, so the label check on line 28 bypasses ALL preceding guards (bot exclusion, author association, state check). Any comment on an issue with opencode:awaiting-response triggers the workflow, and if the comment body matches 'approved', 'lgtm', etc., implementation is dispatched without human review.

Fix: Wrap the label check with the same guard clauses.

Suggested change
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response')
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') &&
github.event.issue.state == 'open' &&
github.event.comment.user.login != 'github-actions[bot]' &&
github.event.comment.user.login != 'opencode-agent[bot]' &&
github.event.comment.user.login != 'coderabbitai[bot]'

) &&
github.event.comment.body.length > 10
) ||
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Same bypass in triage-pr (review-comment branch)

Identical guard-clause bypass in the pull_request_review_comment branch.

Suggested change
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') &&
github.event.pull_request.state == 'open' &&
github.event.comment.user.login != 'github-actions[bot]' &&
github.event.comment.user.login != 'opencode-agent[bot]' &&
github.event.comment.user.login != 'coderabbitai[bot]'

) &&
github.event.review.body.length > 10
) ||
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Same bypass in triage-pr (review branch)

Identical guard-clause bypass in the pull_request_review branch.

Suggested change
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') &&
github.event.pull_request.state == 'open' &&
github.event.review.user.login != 'github-actions[bot]' &&
github.event.review.user.login != 'opencode-agent[bot]' &&
github.event.review.user.login != 'coderabbitai[bot]'

Comment thread .github/workflows/opencode-review.yaml Outdated
Comment on lines +34 to +38
changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "")
if [ -z "$changed_files" ]; then
# Fallback: just check if any file changed at all
changed_files=$(git diff --name-only HEAD~1...HEAD 2>/dev/null || echo "")
fi

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ [QUALITY] Fallback diff logic misses intermediate commits

When git diff --name-only "$base"...HEAD returns empty (edge case — e.g. invalid base SHA), the fallback HEAD~1...HEAD only captures the most recent commit's changes. For multi-commit PRs, intermediate changes are invisible. Since fetch-depth: 0 provides full history, compute the merge base explicitly and avoid the fallback entirely:

Suggested change
changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "")
if [ -z "$changed_files" ]; then
# Fallback: just check if any file changed at all
changed_files=$(git diff --name-only HEAD~1...HEAD 2>/dev/null || echo "")
fi
merge_base=$(git merge-base "$base" HEAD 2>/dev/null) || merge_base="$base"
changed_files=$(git diff --name-only "$merge_base" HEAD 2>/dev/null || echo "")

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review submitted. Verdict: REQUEST_CHANGES — 3 🚨 CRITICAL, 1 🛠️ QUALITY.

Most critical finding: All three || contains(..., 'opencode:awaiting-response') guard-clause bypasses in the new triage workflows (triage-issue.yaml:28, triage-pr.yaml:32,50). Due to &&-over-|| precedence, the label check short-circuits bot exclusion, author association, and state-open checks, allowing any comment (including from bots) to potentially dispatch the implementation workflow.

New%20session%20-%202026-07-07T07%3A33%3A26.205Z
opencode session  |  github run

@dianlight dianlight force-pushed the repo-sync/opencode-actions/default branch from 4c9ccd9 to dd540f3 Compare July 7, 2026 08:27
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

An error occurred during the review process. Please try again later.

📝 Walkthrough

Walkthrough

Adds /oc command parsing and new issue/PR automation workflows for refinement, implementation, task execution, and review. Several existing Opencode workflows are replaced with manual no-op deprecation workflows.

Changes

Opencode automation

Layer / File(s) Summary
Command parsing contract
.github/scripts/auth.sh
Parses /oc comments and exports command status, subcommands, and task arguments through GITHUB_OUTPUT.
Issue command processing
.github/workflows/opencode-issue-handler.yml
Routes authorized issue commands to refinement or implementation jobs, then posts reactions and propagates agent failures.
PR comment routing and task execution
.github/workflows/opencode-pr-comment.yml
Routes bot-thread replies, user-thread takeovers, and /oc task requests to dedicated Opencode jobs.
PR review workflow
.github/workflows/opencode-pr-review.yml
Filters eligible comments, skips draft PRs, runs read-only reviews, submits feedback, and reports outcomes.
Deprecated workflow replacements
.github/workflows/opencode-implement.yaml, .github/workflows/opencode-review.yaml, .github/workflows/opencode-triage*.yaml, .github/workflows/opencode.yml
Replaces legacy automated workflows with manual no-op workflows and simplified deprecation notices.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Comment
  participant auth.sh
  participant Workflow
  participant Opencode
  Comment->>auth.sh: Parse /oc command
  auth.sh->>Workflow: Return subcommand and arguments
  Workflow->>Opencode: Run selected automation path
  Opencode->>Workflow: Return outcome
  Workflow->>Comment: Post reaction or result
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects that the PR syncs files from dianlight/opencode-actions.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch repo-sync/opencode-actions/default

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@dianlight dianlight force-pushed the repo-sync/opencode-actions/default branch from dd540f3 to 8ead145 Compare July 7, 2026 08:28

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 4 · 🛠️ 1

✅ 0 threads resolved — all 4 previously flagged issues remain unaddressed in the current diff. A new 🚨 YAML indentation error is also found in the new opencode-triage-issue.yaml.

Most critical finding: opencode-triage-issue.yaml:12debug: at column 0 (same indent as jobs:) makes it a top-level key, not a child of jobs:. This invalid YAML structure will cause a GitHub Actions workflow validation error, preventing the triage job from ever running.

Comment on lines +12 to +22
debug: # ← NUOVO JOB
runs-on: ubuntu-latest
steps:
- name: Debug auth info
run: |
echo "Comment user: ${{ github.event.comment.user.login }}"
echo "Author association: ${{ github.event.comment.author_association }}"
echo "Issue state: ${{ github.event.issue.state }}"
echo "Comment body: ${{ github.event.comment.body }}"
echo "Trigger contains /oc: $(echo '${{ github.event.comment.body }}' | grep -c '/oc' || echo '0')"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] debug: job YAML indentation breaks workflow validation

The debug: key is at column 0 (same indent as jobs:), making it a top-level key instead of a child of jobs:. This will cause a GitHub Actions workflow validation error — neither debug nor triage will run.

This is also leftover development scaffolding that should not be in production. Remove it:

Suggested change
debug: # ← NUOVO JOB
runs-on: ubuntu-latest
steps:
- name: Debug auth info
run: |
echo "Comment user: ${{ github.event.comment.user.login }}"
echo "Author association: ${{ github.event.comment.author_association }}"
echo "Issue state: ${{ github.event.issue.state }}"
echo "Comment body: ${{ github.event.comment.body }}"
echo "Trigger contains /oc: $(echo '${{ github.event.comment.body }}' | grep -c '/oc' || echo '0')"

) &&
github.event.comment.body.length > 10
) ||
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Bot bypass via unguarded || label check (previously flagged, still open)

|| contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') has lower precedence than all preceding && operators, so the label check bypasses ALL guards (bot exclusion, author association, state check). Any comment (including from bots) on an issue with this label triggers the workflow.

Suggested change
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response')
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') &&
github.event.issue.state == 'open' &&
github.event.comment.user.login != 'github-actions[bot]' &&
github.event.comment.user.login != 'opencode-agent[bot]' &&
github.event.comment.user.login != 'coderabbitai[bot]'

) &&
github.event.comment.body.length > 10
) ||
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Bot bypass in pull_request_review_comment branch (previously flagged, still open)

Same ||-over-&& precedence issue — the label check on this line bypasses all preceding guard clauses.

Suggested change
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') &&
github.event.pull_request.state == 'open' &&
github.event.comment.user.login != 'github-actions[bot]' &&
github.event.comment.user.login != 'opencode-agent[bot]' &&
github.event.comment.user.login != 'coderabbitai[bot]'

) &&
github.event.review.body.length > 10
) ||
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Bot bypass in pull_request_review branch (previously flagged, still open)

Same ||-over-&& precedence issue for review events.

Suggested change
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') &&
github.event.pull_request.state == 'open' &&
github.event.review.user.login != 'github-actions[bot]' &&
github.event.review.user.login != 'opencode-agent[bot]' &&
github.event.review.user.login != 'coderabbitai[bot]'

Comment thread .github/workflows/opencode-review.yaml Outdated
run: |
base="${{ github.event.pull_request.base.sha }}"
# Get list of changed files against the base
changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ [QUALITY] Fallback diff logic misses intermediate commits (previously flagged, still open)

When git diff --name-only "$base"...HEAD returns empty, the fallback HEAD~1...HEAD only covers the most recent commit. For multi-commit PRs, intermediate changes are invisible. Since fetch-depth: 0 provides full history, compute the merge base explicitly:

Suggested change
changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "")
merge_base=$(git merge-base "$base" HEAD 2>/dev/null) || merge_base="$base"
changed_files=$(git diff --name-only "$merge_base" HEAD 2>/dev/null || echo "")

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review submitted — REQUEST_CHANGES.

Step 1: No threads resolved — all 4 previously flagged issues persist in the current diff (3 🚨 bypass in triage-issue.yaml:39, triage-pr.yaml:32, triage-pr.yaml:50; 1 🛠️ fallback in review.yaml:34).

Step 2: Submitted with 5 inline comments:

  • 🚨 triage-issue.yaml:12 — New: debug: YAML indentation error (column 0, same as jobs:) breaks workflow validation
  • 🚨 triage-issue.yaml:39 — Previously flagged: || contains(...) bypasses all guard clauses
  • 🚨 triage-pr.yaml:32 — Previously flagged: same bypass in review-comment branch
  • 🚨 triage-pr.yaml:50 — Previously flagged: same bypass in review branch
  • 🛠️ review.yaml:34 — Previously flagged: fallback HEAD~1 misses intermediate commits

New%20session%20-%202026-07-07T08%3A28%3A10.743Z
opencode session  |  github run

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 3 · 🛠️ 2

✅ 0 threads resolved — all previously flagged issues remain unaddressed in the current diff.

Most critical finding: All three || contains(..., 'opencode:awaiting-response') guard-clause bypasses persist (triage-issue.yaml:39, triage-pr.yaml:32, triage-pr.yaml:50). Due to &&-over-|| operator precedence, the label check short-circuits all preceding guards (bot exclusion, author association, state check), allowing any comment — including from bots — to trigger the implementation workflow without human verification.

cancel-in-progress: false

jobs:
debug: # ← NUOVO JOB

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ [QUALITY] Debug job is leftover development scaffolding

The debug job (lines 12–21) prints variable values and serves no purpose in production. It runs on every issue_comment event, consuming CI minutes and cluttering logs. Remove it before shipping.

Suggested change
debug: # ← NUOVO JOB
triage:

) &&
github.event.comment.body.length > 10
) ||
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Guard-clause bypass via || operator precedence (previously flagged, still open)

|| has lower precedence than &&, so || contains(..., 'opencode:awaiting-response') on line 39 is evaluated as an alternative to ALL preceding &&-chained guards (bot exclusion at 25–27, author association at 28, state check at 29). Any commenter — including github-actions[bot], opencode-agent[bot], or coderabbitai[bot] — can bypass all checks simply by commenting on an issue with the opencode:awaiting-response label. If the comment body matches 'approved'/'lgtm', the implementation workflow is dispatched without human review.

Fix: Move the label check inside the guarded parentheses so it is subject to the same bot/author/state filters.

Suggested change
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response')
(
contains(github.event.issue.labels.*.name, 'opencode:awaiting-response') ||
(
(
contains(github.event.comment.body, ' /oc') ||
startsWith(github.event.comment.body, '/oc') ||
contains(github.event.comment.body, ' /opencode') ||
startsWith(github.event.comment.body, '/opencode')
) &&
github.event.comment.body.length > 10
)
)

) &&
github.event.comment.body.length > 10
) ||
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Guard-clause bypass via || in pull_request_review_comment branch (previously flagged, still open)

Same ||-over-&& precedence issue. The label check on line 32 bypasses bot exclusion (lines 18–20), author association (line 21), and state check (line 22).

Suggested change
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')
(
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') ||
(
(
contains(github.event.comment.body, ' /oc') ||
startsWith(github.event.comment.body, '/oc') ||
contains(github.event.comment.body, ' /opencode') ||
startsWith(github.event.comment.body, '/opencode')
) &&
github.event.comment.body.length > 10
)
)

) &&
github.event.review.body.length > 10
) ||
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [CRITICAL] Guard-clause bypass via || in pull_request_review branch (previously flagged, still open)

Same ||-over-&& precedence issue. The label check on line 50 bypasses bot exclusion (lines 36–38), author association (line 39), and state check (line 40).

Suggested change
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response')
(
contains(github.event.pull_request.labels.*.name, 'opencode:awaiting-response') ||
(
(
contains(github.event.review.body, ' /oc') ||
startsWith(github.event.review.body, '/oc') ||
contains(github.event.review.body, ' /opencode') ||
startsWith(github.event.review.body, '/opencode')
) &&
github.event.review.body.length > 10
)
)

Comment thread .github/workflows/opencode-review.yaml Outdated
run: |
base="${{ github.event.pull_request.base.sha }}"
# Get list of changed files against the base
changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ [QUALITY] Fallback diff logic misses intermediate commits (previously flagged, still open)

When git diff --name-only "$base"...HEAD returns empty (edge case such as an invalid base SHA), the fallback HEAD~1...HEAD only captures the most recent commit's changes. For multi-commit PRs, intermediate changes are invisible. Since fetch-depth: 0 provides full history, compute the merge base explicitly and avoid the fallback entirely:

Suggested change
changed_files=$(git diff --name-only "$base"...HEAD 2>/dev/null || echo "")
merge_base=$(git merge-base "$base" HEAD 2>/dev/null) || merge_base="$base"
changed_files=$(git diff --name-only "$merge_base" HEAD 2>/dev/null || echo "")

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review submitted successfully — REQUEST_CHANGES with 5 inline comments:

  • opencode-triage-issue.yaml:12 — 🛠️ Debug job is leftover scaffolding
  • opencode-triage-issue.yaml:39 — 🚨 Guard-clause bypass via || precedence (previously flagged)
  • opencode-triage-pr.yaml:32 — 🚨 Same bypass in pull_request_review_comment branch (previously flagged)
  • opencode-triage-pr.yaml:50 — 🚨 Same bypass in pull_request_review branch (previously flagged)
  • opencode-review.yaml:34 — 🛠️ Fallback diff logic misses intermediate commits (previously flagged)

New%20session%20-%202026-07-07T08%3A31%3A42.668Z
opencode session  |  github run

@dianlight dianlight force-pushed the repo-sync/opencode-actions/default branch from 8ead145 to 0e8cd54 Compare July 11, 2026 17:46

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/auth.sh:
- Around line 50-59: Replace the fixed OCAUTH_EOF delimiter in the TASK_ARGS
output block with a cryptographically unpredictable, per-invocation delimiter,
and use that same generated value for both the opening and closing markers.
Preserve the existing empty TASK_ARGS behavior and GitHub output format while
ensuring comment content cannot terminate the heredoc early.
- Line 26: Update the /oc pattern in the TRIMMED matcher to require whitespace
or end-of-line immediately after the token, preventing prefixes such as /october
from matching while preserving valid /oc comments.

In @.github/workflows/opencode-pr-comment.yml:
- Around line 100-102: Update the workflow step containing the PARENT_AUTHOR and
in_reply_to_id lookups so GitHub event fields are passed through step-level env
variables rather than interpolated directly in run commands. Define env values
for the pull request review URL and in_reply_to_id, then reference them as
quoted shell variables in the gh api and related commands.
- Around line 354-397: Update the workflow instructions for
issue_comment-triggered steps to use github.event.issue.number instead of
github.event.pull_request.number when invoking gh pr checkout, gh pr edit, and
gh pr comment; preserve the existing task execution and checklist behavior.
- Around line 119-127: Update the LAST_COMMENT_AUTHOR lookup in the bot-thread
detection block to fetch the latest comments page explicitly before selecting
the comment immediately preceding the trigger. Preserve the existing
previous-author selection and bot comparisons, ensuring threads with more than
30 comments inspect the correct latest-page entry.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 94d2ca7b-3963-4318-a340-a71efea176f6

📥 Commits

Reviewing files that changed from the base of the PR and between 08b5b38 and 0e8cd54.

📒 Files selected for processing (10)
  • .github/scripts/auth.sh
  • .github/workflows/opencode-implement.yaml
  • .github/workflows/opencode-issue-handler.yml
  • .github/workflows/opencode-pr-comment.yml
  • .github/workflows/opencode-pr-review.yml
  • .github/workflows/opencode-review.yaml
  • .github/workflows/opencode-triage-issue.yaml
  • .github/workflows/opencode-triage-pr.yaml
  • .github/workflows/opencode-triage.yaml
  • .github/workflows/opencode.yml

Comment thread .github/scripts/auth.sh
SUBCOMMAND="none"
TASK_ARGS=""

if [[ "$TRIMMED" =~ ^/oc ]]; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Tighten the /oc matcher.
^/oc also matches prefixes like /october, so those comments can be routed as /oc. Anchor the token to whitespace or end-of-line.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/auth.sh at line 26, Update the /oc pattern in the TRIMMED
matcher to require whitespace or end-of-line immediately after the token,
preventing prefixes such as /october from matching while preserving valid /oc
comments.

Comment thread .github/scripts/auth.sh
Comment on lines +50 to +59
# Multi-line args via heredoc delimiter
if [[ -n "$TASK_ARGS" ]]; then
{
echo "TASK_ARGS<<OCAUTH_EOF"
echo "$TASK_ARGS"
echo "OCAUTH_EOF"
} >> "$GITHUB_OUTPUT"
else
echo "TASK_ARGS=" >> "$GITHUB_OUTPUT"
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Static heredoc delimiter is vulnerable to output injection.

TASK_ARGS comes from the comment body. If a line equal to OCAUTH_EOF (or a crafted KEY=value after it) appears in the args, the heredoc terminates early and arbitrary step outputs can be injected. Use a random, per-invocation delimiter.

Proposed fix
-if [[ -n "$TASK_ARGS" ]]; then
+if [[ -n "$TASK_ARGS" ]]; then
+  EOF_DELIM="OCAUTH_EOF_$(openssl rand -hex 8 2>/dev/null || date +%s%N)"
   {
-    echo "TASK_ARGS<<OCAUTH_EOF"
+    echo "TASK_ARGS<<${EOF_DELIM}"
     echo "$TASK_ARGS"
-    echo "OCAUTH_EOF"
+    echo "${EOF_DELIM}"
   } >> "$GITHUB_OUTPUT"
 else
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Multi-line args via heredoc delimiter
if [[ -n "$TASK_ARGS" ]]; then
{
echo "TASK_ARGS<<OCAUTH_EOF"
echo "$TASK_ARGS"
echo "OCAUTH_EOF"
} >> "$GITHUB_OUTPUT"
else
echo "TASK_ARGS=" >> "$GITHUB_OUTPUT"
fi
# Multi-line args via heredoc delimiter
if [[ -n "$TASK_ARGS" ]]; then
EOF_DELIM="OCAUTH_EOF_$(openssl rand -hex 8 2>/dev/null || date +%s%N)"
{
echo "TASK_ARGS<<${EOF_DELIM}"
echo "$TASK_ARGS"
echo "${EOF_DELIM}"
} >> "$GITHUB_OUTPUT"
else
echo "TASK_ARGS=" >> "$GITHUB_OUTPUT"
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/auth.sh around lines 50 - 59, Replace the fixed OCAUTH_EOF
delimiter in the TASK_ARGS output block with a cryptographically unpredictable,
per-invocation delimiter, and use that same generated value for both the opening
and closing markers. Preserve the existing empty TASK_ARGS behavior and GitHub
output format while ensuring comment content cannot terminate the heredoc early.

Comment thread .github/workflows/opencode-pr-comment.yml
Comment on lines +119 to +127
LAST_COMMENT_AUTHOR=$(gh api \
"/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/comments" \
--jq '.[-2].user.login' 2>/dev/null || echo "")

if [[ "$LAST_COMMENT_AUTHOR" == "opencode-agent[bot]" ]] || \
[[ "$LAST_COMMENT_AUTHOR" == "github-actions[bot]" ]]; then
IS_BOT_THREAD="true"
fi
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow around the referenced lines
file=".github/workflows/opencode-pr-comment.yml"
wc -l "$file"
sed -n '90,150p' "$file"

# Check for any pagination / per_page handling in this workflow
rg -n --no-heading 'per_page|paginate|issues/.*/comments|LAST_COMMENT_AUTHOR|IS_BOT_THREAD' "$file"

# Gather the relevant gh api / jq behavior from local help if available
gh api --help 2>/dev/null | sed -n '1,220p' || true
gh help api 2>/dev/null | sed -n '1,220p' || true

Repository: dianlight/smartmontools-sdk

Length of output: 18761


🌐 Web query:

GitHub REST API list issue comments default order per_page 30 docs comments endpoint oldest first

💡 Result:

For the GitHub REST API "List issue comments" endpoints, the default behavior regarding pagination and ordering is as follows: Pagination: The default value for the per_page parameter is 30, with a maximum allowed value of 100 per page [1][2]. Ordering: By default, issue comments are ordered by ascending ID [3][4][5]. The API documentation explicitly states this default ordering [3][4], which typically results in the oldest comments appearing first. Some discussions within the community have noted that while ID-based ordering often corresponds to chronological creation order, the API behavior is officially documented as being based on the ID [3][4].

Citations:


Bot-thread detection only inspects the first comments page .github/workflows/opencode-pr-comment.yml:119-127

/repos/{owner}/{repo}/issues/{n}/comments returns comments oldest-first with 30 per page, so .[-2] reads from page 1 instead of the comment immediately before the trigger. On threads with more than 30 comments, IS_BOT_THREAD can be computed from the wrong comment. Fetch the latest page explicitly before selecting the previous author.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/opencode-pr-comment.yml around lines 119 - 127, Update the
LAST_COMMENT_AUTHOR lookup in the bot-thread detection block to fetch the latest
comments page explicitly before selecting the comment immediately preceding the
trigger. Preserve the existing previous-author selection and bot comparisons,
ensuring threads with more than 30 comments inspect the correct latest-page
entry.

Comment on lines +354 to +397
- Pull request: #${{ github.event.pull_request.number }}
- Task arguments from the user: env var `OPENCODE_TASK_ARGS`

## Workflow

### 1. Determine the task
- If `OPENCODE_TASK_ARGS` is non-empty, use that as the
task description.
- If `OPENCODE_TASK_ARGS` is empty, parse the PR body
markdown. Extract the first uncompleted task matching
`- [ ]` and treat it as the execution objective.

### 2. Checkout the PR branch
```bash
gh pr checkout ${{ github.event.pull_request.number }}
```

### 3. Implement the task
- Read relevant files and understand the codebase context.
- Implement the requested feature or fix.
- Verify your code compiles / passes linting.
- Commit with a conventional commit message (e.g.
`feat(scope): implement task description`).

### 4. Push
```bash
git push origin HEAD
```

### 5. Update the PR checklist
Update the PR body to flip the completed task checkbox:
- Change `- [ ] task description` to `- [x] task description`
for the task you just completed.

```bash
gh pr edit ${{ github.event.pull_request.number }} \
--body "<updated PR body with checked checkbox>"
```

### 6. Post summary comment
```bash
gh pr comment ${{ github.event.pull_request.number }} \
--body "✅ Task completed: <description>\nCommit: <sha>"
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Use github.event.issue.number for issue_comment workflow stepsgithub.event.pull_request.number is empty on this event, so gh pr checkout, gh pr edit, and gh pr comment will fail with a blank PR number.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/opencode-pr-comment.yml around lines 354 - 397, Update the
workflow instructions for issue_comment-triggered steps to use
github.event.issue.number instead of github.event.pull_request.number when
invoking gh pr checkout, gh pr edit, and gh pr comment; preserve the existing
task execution and checklist behavior.

@dianlight dianlight force-pushed the repo-sync/opencode-actions/default branch from 0e8cd54 to 01484a8 Compare July 12, 2026 14:23

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/opencode-issue-handler.yml:
- Around line 64-83: Update the Process 4 job permissions and opencode step:
remove id-token: write from permissions and set use_github_token: true in the
opencode action’s with configuration. Keep the existing read-only contents
permission and issue-writing behavior unchanged.
- Around line 118-124: Remove the manual gh issue comment instructions and
execution steps from the issue-handling workflow, including the corresponding
block around the later response section. Configure the workflow to return the
formatted response to the pinned anomalyco/opencode/github action instead,
relying on that action to create the issue comment once.

In @.github/workflows/opencode-pr-comment.yml:
- Around line 81-89: Add a repository checkout step at the beginning of the
process-2 job’s steps, before any Opencode execution, so the job has a local git
worktree available. Use the workflow’s existing checkout action configuration
and leave the job conditions and permissions unchanged.
- Around line 215-229: Update the process-3 workflow job around the opencode
step to grant contents: write permission and enable persisted checkout
credentials instead of setting persist-credentials to false. Apply the same
contents: write permission to the process-6 job while preserving its existing
checkout authentication configuration, so both jobs can push changes.
- Around line 175-181: Remove the gh api reply instructions and shell code
blocks from the prompt blocks in the workflow, including the ## Output section
shown and all equivalent prompt sections. Have each prompt request and return
only the Markdown reply content directly, without instructing the model to post
via GitHub API or reference github.event.comment.id.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a5c51317-6d71-4180-aa44-6245b6846b8f

📥 Commits

Reviewing files that changed from the base of the PR and between 0e8cd54 and 01484a8.

📒 Files selected for processing (10)
  • .github/scripts/auth.sh
  • .github/workflows/opencode-implement.yaml
  • .github/workflows/opencode-issue-handler.yml
  • .github/workflows/opencode-pr-comment.yml
  • .github/workflows/opencode-pr-review.yml
  • .github/workflows/opencode-review.yaml
  • .github/workflows/opencode-triage-issue.yaml
  • .github/workflows/opencode-triage-pr.yaml
  • .github/workflows/opencode-triage.yaml
  • .github/workflows/opencode.yml
🚧 Files skipped from review as they are similar to previous changes (8)
  • .github/workflows/opencode-triage-issue.yaml
  • .github/workflows/opencode.yml
  • .github/workflows/opencode-triage-pr.yaml
  • .github/workflows/opencode-triage.yaml
  • .github/workflows/opencode-review.yaml
  • .github/workflows/opencode-implement.yaml
  • .github/scripts/auth.sh
  • .github/workflows/opencode-pr-review.yml

Comment on lines +64 to +83
permissions:
id-token: write
contents: read
issues: write
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false

- name: Run opencode (Process 4 — Issue Review & Refinement)
id: opencode
continue-on-error: true
uses: anomalyco/opencode/github@77fc88c8ade8e5a620ebbe1197f3a572d29ae91a # latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
OPENCODE_TRIGGER_BODY: ${{ github.event.comment.body }}
with:
model: opencode/deepseek-v4-flash-free

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
curl -fsSL \
  https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/github/action.yml |
  grep -n -A8 'use_github_token'

Repository: dianlight/smartmontools-sdk

Length of output: 739


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- workflow ---'
cat -n .github/workflows/opencode-issue-handler.yml | sed -n '55,90p'

echo
echo '--- local references to use_github_token ---'
rg -n "use_github_token|USE_GITHUB_TOKEN|OIDC_BASE_URL|GITHUB_TOKEN" .github/workflows . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**'

Repository: dianlight/smartmontools-sdk

Length of output: 4704


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- opencode-issue-handler around the other use_github_token occurrence ---'
cat -n .github/workflows/opencode-issue-handler.yml | sed -n '188,210p'

echo
echo '--- opencode-pr-review usage ---'
cat -n .github/workflows/opencode-pr-review.yml | sed -n '60,80p'

echo
echo '--- opencode-pr-comment usage ---'
cat -n .github/workflows/opencode-pr-comment.yml | sed -n '138,152p'

Repository: dianlight/smartmontools-sdk

Length of output: 3373


Enforce Process 4’s read-only boundary with the job token. use_github_token is still at its default false, so this step uses the OIDC/App-token path instead of the job-scoped GITHUB_TOKEN. Set use_github_token: true here and remove id-token: write.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/opencode-issue-handler.yml around lines 64 - 83, Update
the Process 4 job permissions and opencode step: remove id-token: write from
permissions and set use_github_token: true in the opencode action’s with
configuration. Keep the existing read-only contents permission and issue-writing
behavior unchanged.

Comment on lines +118 to +124
### 4. Post your response
Post a well-formatted comment on the issue timeline:

```bash
gh issue comment ${{ github.event.issue.number }} \
--body-file /tmp/response.md
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
curl -fsSL \
  https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts |
  grep -n 'createComment'

Repository: dianlight/smartmontools-sdk

Length of output: 823


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow around the reported lines.
sed -n '100,140p' .github/workflows/opencode-issue-handler.yml
printf '\n---\n'
sed -n '300,325p' .github/workflows/opencode-issue-handler.yml

printf '\n=== external github.ts around createComment ===\n'
curl -fsSL https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts |
  sed -n '600,720p'

Repository: dianlight/smartmontools-sdk

Length of output: 8180


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find any workflow references to the opencode issue handler and any explicit comment-posting steps.
rg -n --hidden --glob '.github/workflows/*.yml' -e 'gh issue comment|opencode|response.md|createComment|issue timeline' .github/workflows

printf '\n=== workflow file list ===\n'
git ls-files '.github/workflows/*'

Repository: dianlight/smartmontools-sdk

Length of output: 7121


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Read the second issue-handler block around the reported lines for exact context.
sed -n '286,320p' .github/workflows/opencode-issue-handler.yml

Repository: dianlight/smartmontools-sdk

Length of output: 1254


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow inputs/output contract around the opencode step and the comment step.
sed -n '70,130p' .github/workflows/opencode-issue-handler.yml
printf '\n---\n'
sed -n '190,320p' .github/workflows/opencode-issue-handler.yml

Repository: dianlight/smartmontools-sdk

Length of output: 7582


Return the formatted response instead of posting it manually. The pinned anomalyco/opencode/github@77fc88c8ade8e5a620ebbe1197f3a572d29ae91a action already creates issue comments in the issue path, so these gh issue comment steps will duplicate the same response. Also applies to lines 310-315.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/opencode-issue-handler.yml around lines 118 - 124, Remove
the manual gh issue comment instructions and execution steps from the
issue-handling workflow, including the corresponding block around the later
response section. Configure the workflow to return the formatted response to the
pinned anomalyco/opencode/github action instead, relying on that action to
create the issue comment once.

Comment on lines +81 to +89
process-2:
if: needs.route.outputs.process == 'process-2'
needs: route
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
pull-requests: write
steps:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
sed -n '81,145p' .github/workflows/opencode-pr-comment.yml

Repository: dianlight/smartmontools-sdk

Length of output: 2902


Checkout the repository before Process 2. Opencode runs from the local git worktree here, but this job never checks the repo out first, so the step can fail before it processes the prompt.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/opencode-pr-comment.yml around lines 81 - 89, Add a
repository checkout step at the beginning of the process-2 job’s steps, before
any Opencode execution, so the job has a local git worktree available. Use the
workflow’s existing checkout action configuration and leave the job conditions
and permissions unchanged.

Comment on lines +175 to +181
## Output
Reply to the thread via `gh api`:
```bash
gh api --method POST \
/repos/${{ github.repository }}/pulls/comments/${{ github.event.comment.id }}/replies \
-f body="Your response here"
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
curl -fsSL \
  https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts |
  grep -n 'createComment'

Repository: dianlight/smartmontools-sdk

Length of output: 823


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== workflow outline ==\n'
ast-grep outline .github/workflows/opencode-pr-comment.yml || true

printf '\n== workflow snippets ==\n'
sed -n '150,210p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '250,290p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '380,410p' .github/workflows/opencode-pr-comment.yml

printf '\n== github.ts around createComment ==\n'
tmp=$(mktemp)
curl -fsSL \
  https://raw.githubusercontent.com/anomalyco/opencode/77fc88c8ade8e5a620ebbe1197f3a572d29ae91a/packages/opencode/src/cli/cmd/github.ts \
  -o "$tmp"
sed -n '1280,1335p' "$tmp"
rm -f "$tmp"

Repository: dianlight/smartmontools-sdk

Length of output: 7764


🏁 Script executed:

#!/bin/bash
set -euo pipefail
sed -n '150,210p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '250,290p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '380,410p' .github/workflows/opencode-pr-comment.yml

Repository: dianlight/smartmontools-sdk

Length of output: 5789


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "opencode|final response|createComment|gh api|pulls/comments|issue_comment|review comment" .github/workflows/opencode-pr-comment.yml

Repository: dianlight/smartmontools-sdk

Length of output: 3780


🌐 Web query:

GitHub REST API reply to pull request review comment requires pull request review comment ID issue_comment payload comment.id review comment id

💡 Result:

To reply to a pull request review comment using the GitHub REST API, you should use the dedicated endpoint for pull request review comment replies rather than the generic issue comment endpoint [1][2][3][4]. The correct endpoint is: POST /repos/{owner}/{repo}/pulls/{pull_number}/comments/{comment_id}/replies In this path, the {comment_id} must be the unique identifier of an existing top-level pull request review comment [1][5]. The API does not support replies to replies; you cannot nest replies further than the initial response to a top-level comment [1][2][6]. Key requirements for the request: 1. Path Parameters: You must provide the correct owner, repository name, pull request number, and the ID of the top-level comment you are replying to [5][7]. 2. Body Payload: The request body must include a body field containing the text of your reply [1][6][7]. Example: {"body": "Your reply text here"}. 3. Distinction: Do not confuse this with the "issue comments" API, which manages comments on the pull request as a whole rather than specific review comments within the diff [3][4]. If you are programmatically identifying the comment to reply to, ensure you are referencing the id field of the pull request review comment object, not an issue_comment ID [1][5].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,85p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '220,310p' .github/workflows/opencode-pr-comment.yml
printf '\n---\n'
sed -n '330,440p' .github/workflows/opencode-pr-comment.yml

Repository: dianlight/smartmontools-sdk

Length of output: 11007


🌐 Web query:

anomalyco/opencode github action posts final response automatically gh api reply prompt

💡 Result:

The anomalyco/opencode GitHub Action is designed to integrate the OpenCode AI agent into your GitHub workflow [1][2]. It does not require you to manually use the GitHub API (gh api) to post responses, as the action handles this process automatically [1][3]. Key features and mechanisms: 1. Automatic Replying: When triggered by events like issue comments or pull request reviews, the OpenCode GitHub Action automatically processes the context (including existing comments) and posts its response as a comment on the corresponding GitHub issue or pull request [1][2][4]. 2. Triggering: You typically configure the action in a workflow file (e.g.,.github/workflows/opencode.yml) [1][4]. It can be configured to trigger on events such as issue_comment, pull_request_review_comment, issues, and pull_request [1][2][5]. 3. No Manual API Calls Needed: The action manages the interaction with the GitHub API internally [1][3]. It uses the provided GITHUB_TOKEN (typically supplied via secrets) to perform operations such as posting comments, creating branches, or opening pull requests [2][4][5]. 4. Advanced Automation: Recent updates have expanded the action's capabilities, allowing it to automatically extract prompts from issue titles, bodies, and labels (for example, on 'assigned' or 'opened' events), further reducing the need for manual prompt configuration or manual API interaction [3]. If you are looking to build a custom solution or need to interact with the GitHub API manually for other purposes, you can use the GitHub CLI (gh api) [6] or the actions/github-script action [7], but for standard OpenCode functionality, the anomalyco/opencode action handles these tasks for you [1][3].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

tmp=$(mktemp)
curl -fsSL https://raw.githubusercontent.com/anomalyco/opencode/main/README.md -o "$tmp" || curl -fsSL https://raw.githubusercontent.com/anomalyco/opencode/master/README.md -o "$tmp"

printf '\n== README mentions GitHub action/comment behavior ==\n'
rg -n "GitHub Action|comment|reply|final response|post.*response|createComment|gh api" "$tmp" || true

printf '\n== nearby sections ==\n'
sed -n '1,260p' "$tmp" | rg -n -C 3 "GitHub Action|comment|reply|final response|post.*response|createComment|gh api" || true

rm -f "$tmp"

Repository: dianlight/smartmontools-sdk

Length of output: 291


Remove the gh api reply instruction from these prompts
The action posts the model output itself, so the prompt should return the Markdown reply directly. github.event.comment.id is also wrong on issue_comment runs, where GitHub expects the top-level review-comment ID for /pulls/comments/{comment_id}/replies. Apply the same change to the other prompt blocks.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/opencode-pr-comment.yml around lines 175 - 181, Remove the
gh api reply instructions and shell code blocks from the prompt blocks in the
workflow, including the ## Output section shown and all equivalent prompt
sections. Have each prompt request and return only the Markdown reply content
directly, without instructing the model to post via GitHub API or reference
github.event.comment.id.

Comment on lines +215 to +229
permissions:
id-token: write
contents: read
pull-requests: write
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
fetch-depth: 0

- name: Run opencode (Process 3 — User-owned thread takeover)
id: opencode
continue-on-error: true
uses: anomalyco/opencode/github@77fc88c8ade8e5a620ebbe1197f3a572d29ae91a # latest

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
sed -n '211,240p;304,342p' .github/workflows/opencode-pr-comment.yml

Repository: dianlight/smartmontools-sdk

Length of output: 2546


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the full workflow section around the two processes and any auth-related setup.
sed -n '200,345p' .github/workflows/opencode-pr-comment.yml

# Find all references to the opencode action and git/checkout auth settings in this workflow.
rg -n "use_github_token|persist-credentials|contents:|pull-requests:|git config|push|commit|checkout" .github/workflows/opencode-pr-comment.yml

Repository: dianlight/smartmontools-sdk

Length of output: 7716


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow jobs around all processes, including permissions and checkout auth.
cat -n .github/workflows/opencode-pr-comment.yml | sed -n '1,430p'

# Focus on the opencode action invocations and token-related inputs across the file.
rg -n "use_github_token|GITHUB_TOKEN|persist-credentials|contents: (read|write)|gh pr checkout|git push|commit with" .github/workflows/opencode-pr-comment.yml

Repository: dianlight/smartmontools-sdk

Length of output: 21452


🌐 Web query:

anomalyco/opencode/github use_github_token git authentication documentation

💡 Result:

In the context of the anomalyco/opencode project, the use_github_token mechanism refers to an authentication configuration for the OpenCode GitHub Action [1][2]. When utilizing the OpenCode GitHub Action, the agent requires authentication to perform tasks like committing changes, opening pull requests, and creating issue comments [1]. By default, the action uses an installation access token from the OpenCode GitHub App [1]. If you choose to use your own token—such as a personal access token (PAT) or the workflow's built-in GITHUB_TOKEN—you must set the use_github_token configuration [1][2]. According to the project's implementation and documentation: 1. Requirement: When use_github_token is enabled, you must provide a valid GITHUB_TOKEN via environment variables (typically ${{ secrets.GITHUB_TOKEN }}) [2][3]. 2. Git Configuration: Unlike the default mode, where OpenCode manages and configures Git credentials internally using an app-specific token [4][2], enabling use_github_token skips this automated configuration [2]. 3. Security: If you use the built-in GITHUB_TOKEN, ensure your workflow job has the necessary permissions granted (e.g., id-token, contents, pull-requests, and issues write permissions) [1]. For general Git authentication outside of this specific action, standard GitHub practices apply, such as using the GitHub CLI (gh auth login) or Git Credential Manager (GCM) to securely cache credentials [5][6].

Citations:


Grant these jobs write access for git pushes (.github/workflows/opencode-pr-comment.yml:215-229, 304-334)

  • process-3 disables persisted checkout credentials, and use_github_token: true makes Opencode rely on the job token instead of setting up its own Git auth.
  • process-6 keeps checkout auth, but contents: read still leaves the token read-only, so git push will fail there too.
  • Set contents: write for both, and restore checkout credentials for process-3.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/opencode-pr-comment.yml around lines 215 - 229, Update the
process-3 workflow job around the opencode step to grant contents: write
permission and enable persisted checkout credentials instead of setting
persist-credentials to false. Apply the same contents: write permission to the
process-6 job while preserving its existing checkout authentication
configuration, so both jobs can push changes.

@dianlight dianlight force-pushed the repo-sync/opencode-actions/default branch from 01484a8 to 603e384 Compare July 12, 2026 14:41
@dianlight dianlight force-pushed the repo-sync/opencode-actions/default branch from 603e384 to e25d4f6 Compare July 14, 2026 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant