From a56e8605c7843b5c412814c896fc65f19bb310e8 Mon Sep 17 00:00:00 2001 From: agent Date: Sun, 5 Jul 2026 05:25:24 +0000 Subject: [PATCH 1/6] Trigger opencode-bot on comments starting with /oc or /opencode Fixes #12 --- .github/workflows/opencode.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml index 64cda44..c761254 100644 --- a/.github/workflows/opencode.yml +++ b/.github/workflows/opencode.yml @@ -55,7 +55,12 @@ jobs: ( (github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) - && (contains(github.event.comment.body, ' /oc') || contains(github.event.comment.body, ' /opencode')) + && ( + startsWith(github.event.comment.body, '/oc') + || contains(github.event.comment.body, ' /oc') + || startsWith(github.event.comment.body, '/opencode') + || contains(github.event.comment.body, ' /opencode') + ) ) || ( github.event_name == 'pull_request_review' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) From 62c831e3b98ce70b7eb497d228c6b711948643ac Mon Sep 17 00:00:00 2001 From: agent Date: Sun, 5 Jul 2026 05:25:26 +0000 Subject: [PATCH 2/6] Run repo QA checks in CI and gate dependabot auto-merge on them Adds a repo-qa job that runs validate-opencode.sh, shellcheck on tracked scripts, and zizmor on action.yml, and makes it a dependency of dependabot-auto-merge. Suppresses the known low-confidence github-env finding on the fixed GITHUB_PATH append. Fixes #13 --- .github/workflows/ci.yml | 20 ++++++++++++++++++++ action.yml | 2 +- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c62ecd5..682ba4e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,11 +45,31 @@ jobs: permissions: contents: write uses: dceoy/gh-actions-for-devops/.github/workflows/github-major-version-tag.yml@main # zizmor: ignore[unpinned-uses] + repo-qa: + if: > + github.event_name == 'push' + || github.event_name == 'pull_request' + || github.event_name == 'workflow_dispatch' + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - name: Validate OpenCode agent frontmatter and review-pr references + run: ./.agents/skills/local-qa/scripts/validate-opencode.sh + - name: Shellcheck repository scripts + run: git ls-files -z -- '*.sh' '*.bash' '*.bats' | xargs -0 shellcheck + - name: Scan action.yml with zizmor + run: pipx run zizmor action.yml dependabot-auto-merge: if: > github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' needs: - github-actions-lint-and-scan + - repo-qa permissions: contents: write pull-requests: write diff --git a/action.yml b/action.yml index db25113..14c2cb2 100644 --- a/action.yml +++ b/action.yml @@ -88,7 +88,7 @@ runs: curl -fsSL https://opencode.ai/install | bash -s -- --version "${OPENCODE_VERSION}" - name: Add OpenCode to PATH shell: bash -euo pipefail {0} - run: > + run: > # zizmor: ignore[github-env] fixed path, not attacker-controlled echo "${HOME}/.opencode/bin" | tee -a "${GITHUB_PATH}" - name: Copy bundled OpenCode config if: inputs.enable-toolkit == 'true' From 7035c594d9533f7acfe17c41e65f90ae051a9bd7 Mon Sep 17 00:00:00 2001 From: agent Date: Sun, 5 Jul 2026 05:25:27 +0000 Subject: [PATCH 3/6] Describe what qa.sh actually checks Fixes #14 --- AGENTS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AGENTS.md b/AGENTS.md index 3193132..8c7c9a9 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -12,7 +12,7 @@ There is no build step. Validate local changes with the repository QA script: .agents/skills/local-qa/scripts/qa.sh ``` -The script checks core action metadata and README examples, including the composite action declaration, `opencode github run`, and documented usage. For end-to-end testing, run the action from a temporary workflow or push a branch and reference it from a test repository workflow. +The script formats and lints the repository and mutates files in place: it runs `prettier --write` on markdown files, `yamllint` on tracked YAML, `shellcheck` on tracked shell scripts, `zizmor --fix=safe` and `actionlint` on `.github/workflows`, `checkov` across the repo, and `.agents/skills/local-qa/scripts/validate-opencode.sh` (which validates `.opencode/` agent frontmatter and the agent references in `.opencode/commands/review-pr.md` and `.opencode/skills/review-pr/SKILL.md`). Review the diff it produces before committing. For end-to-end testing, run the action from a temporary workflow or push a branch and reference it from a test repository workflow. ## Coding Style & Naming Conventions From 4d32e718e30febaf7cd9f76b4a12359bf8e91fba Mon Sep 17 00:00:00 2001 From: agent Date: Sun, 5 Jul 2026 05:25:28 +0000 Subject: [PATCH 4/6] Pin README examples to the released v0 tag instead of main Fixes #15 --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 910ae8d..4843404 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ jobs: fetch-depth: 1 persist-credentials: false - name: Run OpenCode - uses: dceoy/opencode-action@main + uses: dceoy/opencode-action@v0 env: OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -45,6 +45,8 @@ jobs: Then comment `/opencode` or `/oc` on an issue, pull request, or pull request review comment. +`@v0` tracks the latest `v0.x.y` release. Pin to an exact release tag (e.g. `@v0.2.4`) or a full commit SHA for stricter supply-chain control. + ## Inputs | Input | Required | Default | Description | @@ -89,7 +91,7 @@ Example OpenCode step: ```yaml - name: Run OpenCode review - uses: dceoy/opencode-action@main + uses: dceoy/opencode-action@v0 env: OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }} GH_TOKEN: ${{ github.token }} From 365b664d3d4721d4ff3e9f80e48c94737b73ee21 Mon Sep 17 00:00:00 2001 From: agent Date: Sun, 5 Jul 2026 07:33:07 +0000 Subject: [PATCH 5/6] Remove pull_request_review trigger from opencode workflow --- .github/workflows/opencode.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml index c761254..f17092d 100644 --- a/.github/workflows/opencode.yml +++ b/.github/workflows/opencode.yml @@ -11,9 +11,6 @@ on: pull_request_review_comment: types: - created - pull_request_review: - types: - - submitted issues: types: - opened @@ -61,10 +58,6 @@ jobs: || startsWith(github.event.comment.body, '/opencode') || contains(github.event.comment.body, ' /opencode') ) - ) || ( - github.event_name == 'pull_request_review' - && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) - && (contains(github.event.review.body, '/oc') || contains(github.event.review.body, '/opencode')) ) || ( github.event_name == 'issues' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association) From 9ef42cf0e4ef88f8c6d37eef933aa0896d4e43f9 Mon Sep 17 00:00:00 2001 From: agent Date: Sun, 5 Jul 2026 07:34:16 +0000 Subject: [PATCH 6/6] Switch opencode-review model to minimax-m3 --- .github/workflows/opencode.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml index f17092d..3edee55 100644 --- a/.github/workflows/opencode.yml +++ b/.github/workflows/opencode.yml @@ -45,7 +45,7 @@ jobs: OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }} GH_TOKEN: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} with: - model: opencode-go/kimi-k2.7-code + model: opencode-go/minimax-m3 prompt: /review-pr opencode-bot: if: >