chore: apply remaining CI customizations + fix test API

[andreiships-bot]

Summary

Applies the remaining CI customizations that were deferred during the initial v1.3.2 upgrade, plus fixes the tool-call test for the new Server API.

Changes

• PR perf(ci): cache node_modules, drop nix-eval on PRs, parallelize unit+e2e #11: R2 cache, setup-bun optimization, parallel unit+e2e
• PR ci: add test coverage reporting with Codecov upload #19: Codecov upload + coverage generation
• PR ci: add codecov config and diff-cover enforcement (80% patch coverage gate) #23: Codecov config + diff-cover enforcement (80% patch gate)
• PR ci: use shared PR validation action from shared-ai-standards #24: Shared PR validation action from shared-ai-standards
• PR chore: switch to shared r2-cache action from shared-ai-standards #25: Switch to shared R2-cache action from shared-ai-standards
• Test fix: Server.App() → Server.createApp({}) for v1.3.2 API

Test Plan

• CI passes — unit tests (including tool-call tests)
• Coverage generation + Codecov upload works
• diff-cover enforcement runs on PRs

Related

• Follow-up to the v1.3.2 fork upgrade (force-pushed to dev)
• andreiships/pistachiorama#4747

[github-actions]

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

• PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

[github-actions]

The following comment was made by an LLM, it may be inaccurate:

[andreiships-bot]

Claude Single-Pass Review

Summary

Clean, mechanical test fix replacing 4 instances of the removed Server.App() with Server.createApp({}) to align with the v1.3.2 Server API. No logic changes, no new behavior -- purely an API signature update.

Findings

No blocking or actionable findings. The change is consistent and correct for an API migration.

Code Quality

• Correctness verified -- all 4 call sites updated consistently
• No logic changes -- only the constructor call signature changed
• Naming conventions consistent -- createApp({}) matches v1.3.2 factory pattern
• No security concerns
• No performance implications

Note: All actionable findings MUST be listed in the ## Findings section above with [claude-N] IDs. This section is for informational summary only.

Recommendation

[x] Approve | [ ] Approve with changes | [ ] Request changes

[andreiships-bot]

Claude Single-Pass Review

Summary

Clean, minimal test fix that updates 4 call sites from the removed Server.App() to the v1.3.2 Server.createApp({}) API. All changes are mechanical and correct.

Findings

No issues found. All 4 substitutions match the current Server.createApp export signature at src/server/server.ts:56.

Code Quality

• Correctness verified -- Server.createApp({}) matches the exported function signature createApp(opts: { cors?: string[] })
• No logic changes -- purely mechanical API migration
• Test structure preserved -- try/finally cleanup patterns intact
• No security concerns -- test-only changes

Recommendation

[x] Approve | [ ] Approve with changes | [ ] Request changes

[andreiships-bot]

Codex Review

Summary

This is a small, single-purpose CI/test maintenance PR. I did not find any blocking issues in the diff; the workflow guards match existing repository patterns, and the test update aligns with the current server API (Server.createApp({})).

Findings

None.

Code Quality

• Types correct
• No debug code introduced
• Test change matches current implementation
• issue: Local verification is blocked in this review worktree because dependencies are not installed (bun test test/server/tool-call.test.ts fails on missing zod and drizzle-orm/bun-sqlite/migrator)

Architecture

• Follows patterns
• No architecture drift in scope

PR Metadata

Suggested PR Title: chore: apply remaining CI customizations and fix test API usage
Suggested Description Update: None.
PR Comment Posting: Could not post via gh pr comment 28 because GitHub API access is unavailable in this environment.

Recommendation

• Approve
• Approve with changes
• Request changes

Escalate to Gemini?

• Yes -
• No

[andreiships-bot]

Gemini Deep Review

Summary

The PR applies repository-level guards for sensitive workflows, updates CI tool versions, and fixes a breaking change in the test server API. It also addresses accidental corruption in workflow checkout actions.

Findings

[gemini-1] issue: P1 | .github/workflows/deploy.yml:15 | Broken checkout version (likely corruption)
The context line in the diff shows - uses: actions/checkout @packages/web/public/favicon-v3.svg, which appears to be accidental corruption. While the sign-cli.yml fix addresses this, deploy.yml and potentially others might still contain this mangled string in the base branch or PR branch.
Fix: Ensure all instances of actions/checkout @packages/web/public/favicon-v3.svg are replaced with @v4 (or @v3).

[gemini-2] issue: P1 | packages/opencode/test/server/tool-call.test.ts:16,33,53,78 | API mismatch
The tests are updated to use Server.createApp({}) instead of Server.App(). Verified that Server.App() no longer exists in packages/opencode/src/server/server.ts. However, WorkspaceServer.App() still exists in src/control-plane/workspace-server/server.ts, so ensure these are not confused.
Verified via read_file: export const createApp = (opts: { cors?: string[] }): Hono => { in packages/opencode/src/server/server.ts.

[gemini-3] nit: P2 | .github/workflows/review.yml:40,53 | Shellcheck noise reduction
The PR adds # shellcheck disable=all to several steps. While this silences warnings, it would be better to fix the specific issues or use more targeted disables (e.g., for specific variables) to maintain script quality.

[gemini-4] suggestion: P2 | packages/opencode/test/server/tool-call.test.ts:16 | Use Server.Default()
Since Server.Default is defined as lazy(() => createApp({})), it might be simpler to use Server.Default() in tests unless a completely isolated app instance with custom options is required for every test.

PR Metadata

Suggested PR Title: chore: add CI workflow guards, update tools, and fix test server API
Suggested Description Update: Added if: github.repository == 'anomalyco/opencode' to deploy.yml and generate.yml to prevent execution on forks. Updated actionlint to 1.7.11. Fixed corrupted actions/checkout version in sign-cli.yml. Updated tool-call.test.ts to use the correct Server.createApp API.

Questions

• Was the @packages/web/public/favicon-v3.svg string introduced by a global search-and-replace error in a previous PR? Are there any other CI files that weren't caught in this PR?

Recommendation

[ ] Approve | [x] Approve with changes | [ ] Request changes

[andreiships-bot]

Resolution Summary

Resolving findings from Gemini Review:

Reviewer	Finding	Status	Details
Gemini	#1	❌ False positive	No corrupted checkout references exist. deploy.yml has checkout@v3 (upstream code) but gated to skip on fork.
Gemini	#2	✅ Fixed	Already fixed in this PR. Server.createApp is correct. WorkspaceServer.App is a separate namespace.
Gemini	#3	ℹ️ Rejected	Intentional broad disable for upstream workflow run blocks we do not maintain.
Gemini	#4	ℹ️ Rejected	createApp({}) is more explicit for tests — each test gets an isolated app instance vs lazy singleton.

[andreiships-bot]

Question Answers

Q: Was the @packages/web/public/favicon-v3.svg string introduced by a global search-and-replace error in a previous PR? Are there any other CI files that weren't caught in this PR?

A: This is a false positive. No such corrupted string exists in any workflow file — verified with grep -r "checkout.*favicon\|checkout.*packages" .github/workflows/ which returns nothing. The deploy.yml has actions/checkout@v3 (standard upstream code), not a corrupted reference. The workflow is now gated with if: github.repository == 'anomalyco/opencode' so it never runs on our fork regardless.

[andreiships-bot]

Dual-Review Summary (Round 1)

Reviewer	P0	P1	P2	Total	Status
Codex	0	0	0	0	✅ CONVERGED
Gemini	0	2	2	4	❌ REQUEST_CHANGES

Convergence: ❌ Not achieved (2 blocking findings)

Rounds: 1
Duration: 4 minutes

---

Findings

[Gemini #1] P1 - .github/workflows/deploy.yml:15

Broken checkout version (likely corruption)

[Gemini #2] P1 - packages/opencode/test/server/tool-call.test.ts:16

API mismatch

[Gemini #3] P2 - .github/workflows/review.yml:40

Shellcheck noise reduction

[Gemini #4] P2 - packages/opencode/test/server/tool-call.test.ts:16

Use Server.Default()

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

This pull request has been automatically closed because it was not updated to meet our contributing guidelines within the 2-hour window.

Feel free to open a new pull request that follows our guidelines.