Skip to content

fix(ci): add use_github_token to opencode workflows for Blacksmith runner#330

Merged
MichaelFisher1997 merged 1 commit intodevfrom
fix/ci-opencode-blacksmith-permissions
Mar 28, 2026
Merged

fix(ci): add use_github_token to opencode workflows for Blacksmith runner#330
MichaelFisher1997 merged 1 commit intodevfrom
fix/ci-opencode-blacksmith-permissions

Conversation

@MichaelFisher1997
Copy link
Copy Markdown
Collaborator

@MichaelFisher1997 MichaelFisher1997 commented Mar 28, 2026

Summary

Fixes the User blacksmith-sh[bot] does not have write permissions error in all opencode GitHub Action workflows.

Root cause: The anomalyco/opencode/github action defaults to OIDC app token exchange. On Blacksmith runners, this resolves to blacksmith-sh[bot] identity which lacks write permissions on the repo.

Fix: Add use_github_token: "true" to all three opencode action invocations. This tells the action to use the standard GITHUB_TOKEN (which has issues: write permission in the job config) and skip the collaborator permission check.

Files Changed

  • opencode-triage.yml — issue triage on issue open
  • opencode-audit.yml — scheduled audit scans
  • opencode.yml — comment-triggered /oc commands

Relates to #329 (failed triage run example).

@MichaelFisher1997
fix(ci): add use_github_token to opencode workflows for Blacksmith ru…
30f8e3f 
…nner compatibility

Blacksmith runners use blacksmith-sh[bot] identity which lacks write
permissions. Setting use_github_token: true tells the opencode action
to use the standard GITHUB_TOKEN (which has the correct permissions)
instead of attempting OIDC app token exchange.
@github-actions github-actions bot added documentation Improvements or additions to documentation ci labels Mar 28, 2026
@MichaelFisher1997 MichaelFisher1997 merged commit e1ba638 into dev Mar 28, 2026
6 checks passed
@opencode-agent
Copy link
Copy Markdown
Contributor

opencode-agent bot commented Mar 28, 2026

📋 Summary

This PR addresses issue #329 by fixing the "blacksmith-sh[bot] does not have write permissions" error in all three opencode GitHub Action workflows. The fix adds use_github_token: "true" to each workflow's opencode action invocation, directing the action to use the standard GITHUB_TOKEN (which has proper permissions per the workflow's permissions: block) instead of attempting OIDC token exchange that resolves to the blacksmith bot identity.

PR Quality: This is a minimal, surgical fix that directly addresses the root cause. The changes are consistent across all three affected workflows.

🔴 Critical Issues (Must Fix - Blocks Merge)

✅ All previously reported critical issues have been resolved. (No previous reviews found.)

None identified in current changes.

⚠️ High Priority Issues (Should Fix)

✅ All previously reported high priority issues have been resolved. (No previous reviews found.)

None identified in current changes.

💡 Medium Priority Issues (Nice to Fix)

✅ All previously reported medium priority issues have been resolved. (No previous reviews found.)

None identified in current changes.

ℹ️ Low Priority Suggestions (Optional)

✅ All previously reported low priority suggestions have been addressed. (No previous reviews found.)

[LOW] .github/workflows/opencode-audit.yml:90 - Version pinning inconsistency
Confidence: High
Description: The audit workflow pins the opencode action to v1.3.3 while opencode-triage.yml and opencode.yml use @latest. This inconsistency could lead to different behavior between workflows when new versions are released.
Impact: Minor maintenance burden; potential for version drift between workflows.
Suggested Fix: Consider using @latest consistently across all workflows, or pin all to the same version if reproducibility is preferred. If pinning is intentional for stability, document this decision in a comment.

📊 SOLID Principles Score

Principle Score Notes
Single Responsibility 9/10 Each workflow has a clear, focused purpose.
Open/Closed 8/10 The configuration addition is non-breaking and follows the action's API contract.
Liskov Substitution N/A No inheritance or polymorphism in YAML workflows.
Interface Segregation 9/10 Each workflow configures only the parameters it needs.
Dependency Inversion 8/10 Workflows depend on abstract action interfaces, not implementation details.
Average 8.5

🎯 Final Assessment

Overall Confidence Score: 95%

How to interpret: 81-100%: High confidence, ready to merge or with trivial fixes.

Confidence Breakdown:

  • Code Quality: 95% (Simple configuration change, follows YAML best practices)
  • Completeness: 100% (All three affected workflows are fixed consistently)
  • Risk Level: 95% (Minimal risk - only adds a boolean flag to action configuration)
  • Test Coverage: N/A (CI workflow changes cannot be unit tested, but the fix directly addresses the reported issue)

Merge Readiness:

  • All critical issues resolved
  • SOLID average score >= 6.0
  • Overall confidence >= 60%
  • No security concerns
  • Tests present and passing (if applicable)

Verdict:

MERGE

This PR successfully fixes the Blacksmith runner permission issue with a minimal, targeted change. The use_github_token: "true" parameter correctly instructs the opencode action to use the standard GITHUB_TOKEN, which has the necessary issues: write permission as configured in each workflow's permissions block.

New%20session%20-%202026-03-28T19%3A14%3A58.056Z
opencode session  |  github run

@MichaelFisher1997 MichaelFisher1997 mentioned this pull request Mar 28, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ci documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MichaelFisher1997