ci(bonk): resolve opencode permission defaults that ask interactively

[ascorbic]

What does this PR do?

Resolves the two opencode permission defaults that ask for approval (rather than allowing or denying outright):

• external_directory — any tool touching paths outside the project cwd
• doom_loop — same tool call repeating 3x with identical input

CI runs have no TTY, so when either of these prompts fires the run deadlocks until the workflow timeout. #769 dropped that timeout from 45 to 30 min, but the underlying hang is still there. Last week the triggering case was a bash redirect (git show ... > /tmp/foo) — /tmp/ is outside the project cwd, so it tripped external_directory → ask → 30-minute hang.

Sets both explicitly in OPENCODE_CONFIG_CONTENT for all four bonk-family workflows:

{
  "permission": {
    "external_directory": {
      "*": "deny",
      "/tmp/**": "allow",
      "~/**": "allow"
    },
    "doom_loop": "deny"
  }
}

/tmp/** and ~/** cover the legitimate external paths a CI agent needs (scratch files, home-dir caches like ~/.config/...). Everything else outside cwd is denied. doom_loop denies so a stuck loop aborts the run instead of waiting forever.

read defaults stay as opencode ships them (allow with .env* files denied) — that baseline is sensible.

Type of change

• Bug fix
• Feature
• Refactor
• Translation
• Documentation
• Performance improvement
• Tests
• Chore (dependencies, CI, tooling)

Checklist

• I have read CONTRIBUTING.md
• pnpm typecheck passes (no TS files touched)
• pnpm lint passes (pnpm --silent lint:json | jq '.diagnostics | length' → 0)
• pnpm test passes (or targeted tests for my change) — N/A, CI workflow only
• pnpm format has been run
• I have added/updated tests for my changes (if applicable) — N/A
• User-visible strings in the admin UI are wrapped for translation — N/A
• I have added a changeset — N/A, CI only
• New features link to an approved Discussion — N/A, bug fix

AI-generated code disclosure

• This PR includes AI-generated code

JSON content drafted with Claude Opus, validated against the live opencode config schema (https://opencode.ai/config.json + the embedded models.dev schema). Reviewed line by line.

Screenshots / test output

Validated each workflow's OPENCODE_CONFIG_CONTENT JSON parses and contains the expected permission rules:

=== bonk.yml ===
"deny"
=== ultrabonk.yml ===
"deny"
=== review.yml ===
"deny"
=== ultrareview.yml ===
"deny"

Repro from PR #769 logs: the run stalled exactly when the model issued git show origin/main:packages/core/src/search/fts-manager.ts > /tmp/fts-main.ts. The > /tmp/... redirect crosses out of cwd, triggers external_directory: ask, and CI has no one to answer.

Related: PR #769 (concurrency + auto-PR template + workflow timeout drop) — same workflow set, complementary fix.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 48e6aaf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	emdash-i18n	48e6aaf	Apr 25 2026, 10:18 AM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	emdash-demo-cache	48e6aaf	Apr 25 2026, 10:19 AM