
Conversation

Collaborator

@ryderstorm ryderstorm commented Oct 16, 2025

Why?

To enable an additional autonomous coding agent to this repo for testing, similar to @claude

What Changed?

Added a GitHub Actions workflow config to enable the OpenCode agent. See https://opencode.ai/docs/github/#usage-examples for docs.

Additional Notes

Powered by a newly created GitHub-Workflows-OpenCode API key under the Innovation Team project on https://platform.openai.com/api-keys

Summary by CodeRabbit

  • New Features

    • Added an automated AI code-review workflow triggered by the /oc-codex command in issue comments, review comments/bodies, or issue titles when used by repository collaborators/owners/members.
  • Chores

    • Configured CI behavior: concurrency with cancel-in-progress, 30-minute job timeout, and necessary runner permissions.
    • Integrated an AI review action with secure API key usage and platform execution.

@ryderstorm ryderstorm self-assigned this Oct 16, 2025
Contributor

coderabbitai bot commented Oct 16, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/opencode-gpt-5-codex.yml that triggers on issue_comment, pull_request_review_comment, pull_request_review, and issues when bodies/titles contain /oc-codex; runs an opencode job invoking sst/opencode/github@latest with OPENAI_API_KEY_FOR_OPENCODE and model openai/gpt-5-codex, with dynamic concurrency and 30m timeout.

Changes

Cohort / File(s): New workflow (.github/workflows/opencode-gpt-5-codex.yml)
Summary: Adds opencode-gpt-5-codex workflow: triggers on issue_comment, pull_request_review_comment, pull_request_review, and issues; compound if requires comment/review/issue content to contain /oc-codex and author_association to be OWNER/MEMBER/COLLABORATOR; sets permissions (contents: read, id-token: write), dynamic concurrency group with cancel-in-progress, 30m job timeout-minutes, runs on ubuntu-latest; steps: checkout and run sst/opencode/github@latest using secret OPENAI_API_KEY_FOR_OPENCODE and model: openai/gpt-5-codex.

Sequence Diagram(s)

sequenceDiagram
  participant User as Actor (comment/review/issue)
  participant GitHub as GitHub Events
  participant Actions as GitHub Actions
  participant Repo as Checkout
  participant Opencode as sst/opencode/github@latest

  User->>GitHub: Create comment/review/issue containing `/oc-codex`
  GitHub->>Actions: Emit event (issue_comment / pr_review_comment / pr_review / issues)
  Note right of Actions #DDEBF7: Conditional check: content contains `/oc-codex`\nand author_association is OWNER/MEMBER/COLLABORATOR
  Actions-->>Repo: checkout repository
  Actions-->>Opencode: run action with secret `OPENAI_API_KEY_FOR_OPENCODE` and model `openai/gpt-5-codex`
  Opencode-->>Actions: action completes (success/failure)
  Actions-->>GitHub: post workflow status

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 A slash, a hokey trigger, and a hop,
The workflow wakes, the busy codex plop.
Secrets snug, the job begins to hum,
I twitch my nose — the actions run,
Small rabbit cheer, the CI won't stop.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Title Check: Passed. The PR title "feat: add opencode configuration" directly and clearly summarizes the primary change in the pull request, which is the addition of a new GitHub Actions workflow configuration file for OpenCode. The title uses standard conventional commit formatting, is concise and specific, avoids vague language or noise, and accurately reflects what a teammate would find when reviewing this changeset. The title is fully related to the main change and leaves no ambiguity about the purpose of the PR.
Description Check: Passed. The PR description covers all the primary required sections from the template: the "Why?" section explains the motivation (enabling an additional autonomous coding agent), the "What Changed?" section describes the key update (adding a GitHub Actions workflow configuration), and the "Additional Notes" section provides relevant context about the API key. While the checklist items at the end of the template are not included, the description is substantially complete with all the main descriptive content sections well-filled and informative, providing sufficient context for reviewers to understand the change and its purpose.
Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4b4232c and 67f005f.

📒 Files selected for processing (1)
  • .github/workflows/opencode-gpt-5-codex.yml (1 hunks)
🔇 Additional comments (3)
.github/workflows/opencode-gpt-5-codex.yml (3)

19-40: Security restrictions properly implemented.

The workflow now correctly restricts execution to repository members (OWNER, MEMBER, COLLABORATOR) across all trigger events, addressing the critical security issue previously flagged. The condition comprehensively guards:

  • issue_comment events (body contains /oc-codex)
  • pull_request_review_comment events (body contains /oc-codex)
  • pull_request_review events (body contains /oc-codex)
  • issues events (body or title contains /oc-codex)

Combined with timeout and concurrency controls (lines 15–18), this prevents unauthorized access, cost abuse, and uncontrolled API consumption.


15-18: Timeout and concurrency configuration looks good.

The 30-minute timeout accommodates extended Codex runs (as documented in the inline comment), and the dynamic concurrency grouping with cancel-in-progress prevents resource contention. Monitor the timeout in practice to ensure it balances between allowing sufficient compute time and preventing runaway executions.


52-53: No changes needed—implementation is correct.

The sst/opencode/github action expects provider API keys like OPENAI_API_KEY to be set in env, not passed via with parameters. The current implementation aligns with the action's documented expectations.


Comment @coderabbitai help to get the list of available commands and usage tips.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/opencode-gpt-5-codex.yml (3)

23-23: Pin the action to a specific version instead of @latest.

Using @latest on actions in production workflows introduces non-deterministic behavior and makes workflows harder to audit and test. If the sst/opencode action receives an update that introduces breaking changes or security issues, your workflow could break unexpectedly.

Apply this diff to pin to a specific version:

-        uses: sst/opencode/github@latest
+        uses: sst/opencode/github@v1  # Replace v1 with the latest stable version
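Review bot: the `+` line swaps one mutable reference for another; `@v1` is a tag that the upstream maintainers can move, so it narrows the drift the comment warns about but does not give the auditable, reproducible pin the comment is asking for. For that, reference the full commit SHA of the chosen release and keep the human-readable tag in a trailing comment, e.g. `uses: sst/opencode/github@<full-commit-sha>  # v1.x.y` (placeholder values), and let a dependency-update bot bump the SHA deliberately rather than having `latest` or `v1` resolve to new code on its own.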

Check the sst/opencode action releases to find the latest stable version number.


10-13: Consider refining the trigger condition to avoid false positives.

The contains() check will match comments like "I think /oc-gpt-5-codex is a bad idea" or "Check out /oc-gpt-5-codex documentation". This could lead to unintended workflow invocations.

Consider stricter patterns:

  • Require the token at the start of a line or after specific delimiters
  • Add a more explicit sentinel (e.g., require exact phrase like @oc-gpt-5-codex review or similar)
     if: |
-      contains(github.event.comment.body, ' /oc-gpt-5-codex') ||
-      startsWith(github.event.comment.body, '/oc-gpt-5-codex') ||
-      contains(github.event.comment.body, ' /opencode-gpt-5-codex') ||
-      startsWith(github.event.comment.body, '/opencode-gpt-5-codex')
+      (startsWith(github.event.comment.body, '/oc-gpt-5-codex') && !contains(github.event.comment.body, 'do not')) ||
+      (startsWith(github.event.comment.body, '/opencode-gpt-5-codex') && !contains(github.event.comment.body, 'do not'))
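Review bot: the `+` lines drop the two `contains(github.event.comment.body, ' /oc-...')` alternatives that the `-` lines had, so a command that follows any other text in the comment silently stops triggering, while the new `!contains(..., 'do not')` clause is a keyword heuristic that neither catches other negations ("don't", "never", "not") nor avoids suppressing a legitimate command in a comment that happens to contain that phrase. The false-positive examples in the comment ("I think /oc-gpt-5-codex is a bad idea") are only handled by a deliberate command grammar (token at the start of the body, or on its own line), and the `author_association` gate elsewhere in this file remains the control that actually bounds who can spend API budget.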

Or use regex if the action supports it.


1-27: Add concurrency control and documentation.

To prevent duplicate or conflicting autonomous code changes, consider adding:

  1. Concurrency group to serialize workflow runs
  2. Inline comments explaining the workflow's purpose and safety considerations
  3. Reference to OpenCode documentation (already noted in PR objectives, but could be in the file for maintainers)

Apply this diff to add concurrency and documentation:

 name: opencode-gpt-5-codex
+# This workflow enables autonomous code review and generation via OpenCode agent.
+# See: https://opencode.ai/docs/github/#usage-examples
+# WARNING: Ensure access control restrictions are in place (see 'if' condition below).

 on:
   issue_comment:
     types: [created]

+concurrency:
+  group: opencode-${{ github.issue.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
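Review bot: `github.issue.number` in the added `group:` key is not a valid path in the `github` context (there is no `issue` property on it), so that operand evaluates to null and the expression always falls through to `github.ref`; for `issue_comment` events `github.ref` is the default branch on every run, which would put every invocation across all issues and PRs into the same group and have them cancel one another. Use `github.event.issue.number` instead, which is populated for both issues and pull-request comments on `issue_comment`, so the group really is per issue/PR as the sentence after the diff intends.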

This ensures that only one OpenCode invocation runs per issue/PR, canceling any previous in-progress runs.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8333401 and 05de94e.

📒 Files selected for processing (1)
  • .github/workflows/opencode-gpt-5-codex.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/opencode-gpt-5-codex.yml (1)

24-27: Verify the model identifier and API key scope.

Confirm that:

  1. openai/gpt-5-codex is a valid model identifier (GPT-5 availability and naming should be verified against current OpenAI API documentation)
  2. The OPENAI_API_KEY_FOR_OPENCODE secret has appropriate scope and permissions (e.g., not full write access to all resources)
  3. The secret is rotated regularly and has usage limits in the OpenAI dashboard

Verify these details against the OpenAI API documentation and your platform.openai.com configuration.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/opencode-gpt-5-codex.yml (1)

15-15: Minor: Fix typo in inline comment.

"accomodate" should be "accommodate".

-    timeout-minutes: 30 # to accomodate Codex's ability to run for extended periods
+    timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9768154 and ade76ab.

📒 Files selected for processing (1)
  • .github/workflows/opencode-gpt-5-codex.yml (1 hunks)
🔇 Additional comments (4)
.github/workflows/opencode-gpt-5-codex.yml (4)

19-40: Security restrictions properly implemented.

The conditional logic correctly restricts workflow triggers to OWNER/MEMBER/COLLABORATOR contributors across all four event types (issue_comment, pull_request_review_comment, pull_request_review, and issues). Null checks are appropriately placed (lines 30, 36) to prevent runtime errors. This successfully addresses the critical security concern from the previous review.


3-11: Event triggers are appropriately specific.

Using typed event triggers (types: [created], types: [opened, edited], etc.) is safer than triggering on all events and filtering in the condition. The multi-event approach aligns with the flexible trigger goals.


15-18: Timeout and concurrency configuration is sound.

30-minute timeout accommodates Codex's extended processing needs. Concurrency grouping by event_name, issue/PR number, and run_id prevents parallel runs for the same context while allowing independent concurrent runs across different events and issues, which is appropriate.


42-44: Minimal permissions are correctly configured.

The workflow adheres to the principle of least privilege: contents: read for repository access and id-token: write for OIDC token signing if needed by the action.

@ryderstorm ryderstorm requested a review from a team October 17, 2025 20:36
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/opencode-gpt-5-codex.yml (1)

50-51: Monitor sst/opencode version for stability.

The decision to pin to @latest rather than a specific version acknowledges rapid release cycles. This is pragmatic but creates implicit dependency risk. Consider establishing a monitoring cadence (weekly/monthly) to review release notes and detect breaking changes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ade76ab and 4c5f541.

📒 Files selected for processing (1)
  • .github/workflows/opencode-gpt-5-codex.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/opencode-gpt-5-codex.yml (2)

19-40: ✓ Security restrictions properly implemented.

The access controls match the Claude workflow pattern from release 1.2.0:

  • Author association check restricts execution to OWNER, MEMBER, or COLLABORATOR across all trigger events
  • Defensive null checks for optional event fields (review.body, issue.body)
  • Event-specific trigger filtering prevents accidental execution

The concurrency group and timeout controls (lines 15-18) further enhance safety and cost management.


52-55: API key parameter handling is correct—no changes needed.

Per the sst/opencode action documentation, provider API keys like OPENAI_API_KEY should be supplied via environment variables, and the model parameter belongs in the "with" section. The current configuration correctly places the OPENAI_API_KEY in env and the model in with.


@jguice jguice left a comment


👍

@ryderstorm ryderstorm force-pushed the feat/setup-opencode-on-github branch from 4c5f541 to 4b4232c on October 18, 2025 00:20
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/opencode-gpt-5-codex.yml (1)

22-22: Consider adding word-boundary checks to trigger tokens to reduce false positives.

The current implementation uses contains(github.event.comment.body, '/oc-codex') and contains(..., '/oc-codex'), which may match unintended strings like "soc-codex" or "doc-codex" if they appear in comments or issue bodies.

To match the Claude workflow pattern from release 1.2.0 (as referenced in the past review), add word-boundary checks:

-        contains(github.event.comment.body, '/oc-codex') &&
+        (contains(github.event.comment.body, ' /oc-codex') || startsWith(github.event.comment.body, '/oc-codex')) &&
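Review bot: the `+` line still misses a command that begins a new line inside a multi-line comment, since the character before the token is then a newline rather than the space the `contains` branch requires, so a comment of the form "some context\n/oc-codex" would not trigger; the motivating examples "soc-codex" and "doc-codex" are not actually matched by the `-` line either, because `'/oc-codex'` includes the leading slash, so what this change really guards against is a path-like string such as `docs/oc-codex`. Worth keeping in mind when applying the same edit to the other event branches mentioned below: the token match only reduces accidental runs, while the `author_association` check in the same `if` is what bounds who can trigger the agent at all.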

Apply this pattern to lines 26, 31, and 36-37 for consistency across all event types.

Also applies to: 26-26, 31-31, 36-37

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c5f541 and 4b4232c.

📒 Files selected for processing (1)
  • .github/workflows/opencode-gpt-5-codex.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/opencode-gpt-5-codex.yml (2)

19-40: ✓ Security restrictions properly applied across all event types.

The compound if condition correctly enforces author_association checks (OWNER, MEMBER, COLLABORATOR) for all four event types: issue_comment, pull_request_review_comment, pull_request_review, and issues. This aligns with the security fixes applied to the Claude workflow and prevents unauthorized users from triggering the autonomous agent.


52-53: Clarify API key parameter location: env: vs. with:.

The OPENAI_API_KEY is currently passed via env: (lines 52-53). According to the past review feedback from the Claude bot, secrets should be passed via with: for better encapsulation. Verify whether the sst/opencode/github@latest action expects the API key in env: or with:, and adjust accordingly:

-        env:
-          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY_FOR_OPENCODE }}
         with:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY_FOR_OPENCODE }}
           model: openai/gpt-5-codex
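Review bot: the `-`/`+` swap should not be applied. A key listed under `with:` reaches the action as an input (exposed as `INPUT_OPENAI_API_KEY`, with a runner warning if the action does not declare that input), not as the `OPENAI_API_KEY` environment variable the provider lookup reads, so the move would break authentication rather than encapsulate the secret; the later reviews on this thread confirm that the sst/opencode action expects provider keys in `env` and only `model` in `with`, which is what the `-` lines already do.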

Please consult the sst/opencode action documentation or repository to confirm the correct parameter location for the API key.
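Pulling together the controls the reviews on this thread describe (the per-event author_association gate with null checks from the 19-40 comments, the space-or-start token match from the word-boundary nitpick above, the timeout, concurrency group and minimal permissions), the following is an assumed reconstruction written for this page as an example, not the repository's actual workflow file and not code from the opencode project. The exact `types:` lists, the `fromJSON` array form of the association check, `actions/checkout@v4` and the concurrency key are my assumptions; the secret name, model id and permission set are taken from the thread.

```yaml
# Assumed reconstruction for illustration; the repository's real file may differ.
name: opencode-gpt-5-codex

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
  issues:
    types: [opened, edited]

# Least privilege: the agent only needs to read the checkout; id-token lets the
# action obtain an OIDC token if it authenticates that way.
permissions:
  contents: read
  id-token: write

jobs:
  opencode:
    # Gate on BOTH who wrote the text and what it contains, per event type.
    # Fields that may be absent (review.body, issue.body) are null-checked first.
    # The token match accepts the command at the start of the body or after a
    # space, so path-like strings such as "docs/oc-codex" do not trigger it.
    if: |
      (
        github.event_name == 'issue_comment' &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
        (startsWith(github.event.comment.body, '/oc-codex') || contains(github.event.comment.body, ' /oc-codex'))
      ) || (
        github.event_name == 'pull_request_review_comment' &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
        (startsWith(github.event.comment.body, '/oc-codex') || contains(github.event.comment.body, ' /oc-codex'))
      ) || (
        github.event_name == 'pull_request_review' &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) &&
        github.event.review.body != null &&
        (startsWith(github.event.review.body, '/oc-codex') || contains(github.event.review.body, ' /oc-codex'))
      ) || (
        github.event_name == 'issues' &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association) &&
        (
          startsWith(github.event.issue.title, '/oc-codex') || contains(github.event.issue.title, ' /oc-codex') ||
          (github.event.issue.body != null &&
           (startsWith(github.event.issue.body, '/oc-codex') || contains(github.event.issue.body, ' /oc-codex')))
        )
      )
    runs-on: ubuntu-latest
    # Bound the cost of a single run; the agent can legitimately work for a while.
    timeout-minutes: 30
    # One run per issue/PR at a time; a fresh command supersedes a stale run.
    concurrency:
      group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v4
      # The thread keeps @latest; a full commit SHA is the auditable alternative.
      - uses: sst/opencode/github@latest
        env:
          # Provider key goes in env: the action reads OPENAI_API_KEY from there.
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY_FOR_OPENCODE }}
        with:
          model: openai/gpt-5-codex
```

Two details worth knowing when adapting this: `contains` and `startsWith` compare strings case-insensitively in workflow expressions, so `/OC-CODEX` triggers just like `/oc-codex`; and the concurrency key deliberately omits `run_id`, because adding it would give every run its own group and make `cancel-in-progress` a no-op. The association check is the control that bounds cost exposure; the token match only reduces accidental runs, so the API key behind `OPENAI_API_KEY_FOR_OPENCODE` should still carry a spending limit on the provider side as the thread's "usage limits" comment suggests.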

ryderstorm and others added 4 commits October 17, 2025 22:52
Add author association checks to ensure only repository owners, members,
and collaborators can trigger the opencode workflow. This prevents
unauthorized users from triggering potentially expensive operations.

Changes:
- Check comment.author_association before evaluating commands
- Require OWNER, MEMBER, or COLLABORATOR status
- Use consistent pattern with claude.yml workflow

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Expand opencode workflow to support multiple trigger events, add
timeout/concurrency controls, and simplify command syntax. This brings
the workflow to parity with the claude.yml pattern.

Changes:
- Add pull_request_review_comment, issues, and pull_request_review
  triggers
- Add 30-minute timeout to accommodate extended Codex runs
- Add concurrency grouping to prevent duplicate runs
- Expand authorization checks to handle all event types with null
  checks
- Simplify command from /oc-gpt-5-codex to /oc-codex
- Add version pinning documentation comment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
