From 8d4f30718390c5367469989c9750727a5106c55e Mon Sep 17 00:00:00 2001
From: Damien Storm
Date: Thu, 16 Oct 2025 16:52:47 -0400
Subject: [PATCH 1/4] feat: add opencode configuration
---
 .github/workflows/opencode-gpt-5-codex.yml | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/opencode-gpt-5-codex.yml
diff --git a/.github/workflows/opencode-gpt-5-codex.yml b/.github/workflows/opencode-gpt-5-codex.yml
new file mode 100644
index 0000000..b04a1d0
--- /dev/null
+++ b/.github/workflows/opencode-gpt-5-codex.yml
@@ -0,0 +1,27 @@
+name: opencode-gpt-5-codex
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ opencode:
+ if: |
+ contains(github.event.comment.body, ' /oc-gpt-5-codex') ||
+ startsWith(github.event.comment.body, '/oc-gpt-5-codex') ||
+ contains(github.event.comment.body, ' /opencode-gpt-5-codex') ||
+ startsWith(github.event.comment.body, '/opencode-gpt-5-codex')
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run opencode
+ uses: sst/opencode/github@latest
+ env:
+ OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY_FOR_OPENCODE }}
+ with:
+ model: openai/gpt-5-codex
From 1565056df1fca0424e3652fe2bec43c02fe0eedd Mon Sep 17 00:00:00 2001
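Review bot: `id-token: write` in the `permissions` block lets this job mint OIDC tokens that external providers may be configured to trust, yet nothing visible in the hunk exchanges one, so it should be dropped unless sst/opencode/github is documented to require it; `contents: read` on its own is the least-privilege baseline for a job that only checks out and calls an API. Both `uses:` references are floating tags (`actions/checkout@v4`, `sst/opencode/github@latest`), so every run executes whatever those tags point at that day with `OPENAI_API_KEY_FOR_OPENCODE` in its environment; pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full commit sha> # v4`, and let Dependabot propose bumps. A one-line comment above `permissions:` stating why each grant exists, e.g. `# contents: read for checkout; no write scopes, the action uses its own credentials`, would also make later widening reviewable.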
From: Damien Storm
Date: Thu, 16 Oct 2025 17:15:43 -0400
Subject: [PATCH 2/4] feat(ci): restrict opencode workflow to authorized users only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add author association checks to ensure only repository owners, members, and collaborators can trigger the opencode workflow. This prevents unauthorized users from triggering potentially expensive operations.
Changes:
- Check comment.author_association before evaluating commands
- Require OWNER, MEMBER, or COLLABORATOR status
- Use consistent pattern with claude.yml workflow
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/opencode-gpt-5-codex.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/opencode-gpt-5-codex.yml b/.github/workflows/opencode-gpt-5-codex.yml
index b04a1d0..020f349 100644
--- a/.github/workflows/opencode-gpt-5-codex.yml
+++ b/.github/workflows/opencode-gpt-5-codex.yml
@@ -7,10 +7,11 @@ on:
 jobs:
 opencode:
 if: |
- contains(github.event.comment.body, ' /oc-gpt-5-codex') ||
- startsWith(github.event.comment.body, '/oc-gpt-5-codex') ||
- contains(github.event.comment.body, ' /opencode-gpt-5-codex') ||
- startsWith(github.event.comment.body, '/opencode-gpt-5-codex')
+ contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
+ (contains(github.event.comment.body, ' /oc-gpt-5-codex') ||
+ startsWith(github.event.comment.body, '/oc-gpt-5-codex') ||
+ contains(github.event.comment.body, ' /opencode-gpt-5-codex') ||
+ startsWith(github.event.comment.body, '/opencode-gpt-5-codex'))
 runs-on: ubuntu-latest
 permissions:
 contents: read
From 62b629b30644eab2134d0ddde2f0ffc8780a38b5 Mon Sep 17 00:00:00 2001
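Review bot: The new `author_association` check gates on who wrote the triggering comment, but the text the agent presumably consumes — the issue or PR title, body and earlier comments the command replies to — can be written by anyone, so prompt injection from an untrusted reporter is still reachable the moment a collaborator types the command. That limit belongs in a comment above `if:`, e.g. `# Gates only the commenter; the issue/PR thread the agent reads is untrusted input.` `COLLABORATOR` also matches any invited collaborator, which as far as I recall includes read-only outside collaborators; if that is broader than intended for a job holding an OpenAI key, trim the list to `fromJson('["OWNER","MEMBER"]')`. The job's `steps:` that act on this gate are below the hunk.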
From: Damien Storm
Date: Fri, 17 Oct 2025 16:09:58 -0400
Subject: [PATCH 3/4] feat(ci): enhance opencode workflow with comprehensive triggers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Expand opencode workflow to support multiple trigger events, add timeout/concurrency controls, and simplify command syntax. This brings the workflow to parity with the claude.yml pattern.
Changes:
- Add pull_request_review_comment, issues, and pull_request_review triggers
- Add 30-minute timeout to accommodate extended Codex runs
- Add concurrency grouping to prevent duplicate runs
- Expand authorization checks to handle all event types with null checks
- Simplify command from /oc-gpt-5-codex to /oc-codex
- Add version pinning documentation comment
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/opencode-gpt-5-codex.yml | 37 +++++++++++++++++++---
 1 file changed, 32 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/opencode-gpt-5-codex.yml b/.github/workflows/opencode-gpt-5-codex.yml
index 020f349..d978d02 100644
--- a/.github/workflows/opencode-gpt-5-codex.yml
+++ b/.github/workflows/opencode-gpt-5-codex.yml
@@ -3,15 +3,41 @@ name: opencode-gpt-5-codex
 on:
 issue_comment:
 types: [created]
+ pull_request_review_comment:
+ types: [created]
+ issues:
+ types: [opened, edited]
+ pull_request_review:
+ types: [submitted]

 jobs:
 opencode:
+ timeout-minutes: 30 # to accomodate Codex's ability to run for extended periods
+ concurrency:
+ group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+ cancel-in-progress: true
 if: |
- contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
- (contains(github.event.comment.body, ' /oc-gpt-5-codex') ||
- startsWith(github.event.comment.body, '/oc-gpt-5-codex') ||
- contains(github.event.comment.body, ' /opencode-gpt-5-codex') ||
- startsWith(github.event.comment.body, '/opencode-gpt-5-codex'))
+ (
+ github.event_name == 'issue_comment' &&
+ contains(github.event.comment.body, '/oc-codex') &&
+ contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+ ) || (
+ github.event_name == 'pull_request_review_comment' &&
+ contains(github.event.comment.body, '/oc-codex') &&
+ contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+ ) || (
+ github.event_name == 'pull_request_review' &&
+ github.event.review.body != null &&
+ contains(github.event.review.body, '/oc-codex') &&
+ contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
+ ) || (
+ github.event_name == 'issues' &&
+ (
+ (github.event.issue.body != null && contains(github.event.issue.body, '/oc-codex')) ||
+ contains(github.event.issue.title, '/oc-codex')
+ ) &&
+ contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+ )
 runs-on: ubuntu-latest
 permissions:
 contents: read
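Review bot: The new `pull_request_review` and `pull_request_review_comment` branches of the `if:` check only the reviewer's `author_association` and never where the PR head lives, so a collaborator's `/oc-codex` on a pull request opened from a fork starts the agent against a thread — and, if the action checks out the PR head, code — controlled by the fork author, with `OPENAI_API_KEY_FOR_OPENCODE` in the job environment. Those two events carry the PR payload, so add a same-repository guard to each branch, e.g. `github.event.pull_request.head.repo.full_name == github.repository &&` on the line before the `contains(github.event.comment.body, '/oc-codex')` / `contains(github.event.review.body, '/oc-codex')` checks. If GitHub withholds secrets for these events on fork PRs the step merely fails today; if it does not, the key is exposed to an attacker-influenced run — the guard makes the intent explicit either way. The `issue_comment` branch has no head-repo field to test, which is worth noting in a comment above `if:` since that event also fires on PR comments. The `steps:` that run under this gate are below the hunk.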
@@ -21,6 +47,7 @@ jobs:
 uses: actions/checkout@v4

 - name: Run opencode
+ # They are moving fast at https://github.com/sst/opencode/releases, so pinning the version isn't practical yet. We'll keep it at `latest` for now and monitor the changes for a stable version. Latest version as of this writing is `v0.15.3`.
 uses: sst/opencode/github@latest
 env:
 OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY_FOR_OPENCODE }}
From 67f005f1ab66dd7b3f2e67d9d6b70844129e3f2e Mon Sep 17 00:00:00 2001
From: Damien Storm
Date: Fri, 17 Oct 2025 16:33:32 -0400
Subject: [PATCH 4/4] fix: correct typo
---
 .github/workflows/opencode-gpt-5-codex.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/opencode-gpt-5-codex.yml b/.github/workflows/opencode-gpt-5-codex.yml
index d978d02..7066901 100644
--- a/.github/workflows/opencode-gpt-5-codex.yml
+++ b/.github/workflows/opencode-gpt-5-codex.yml
@@ -12,7 +12,7 @@ on:

 jobs:
 opencode:
- timeout-minutes: 30 # to accomodate Codex's ability to run for extended periods
+ timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
 concurrency:
 group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
 cancel-in-progress: true
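Review bot: The added comment documents `uses: sst/opencode/github@latest` as a deliberate choice, but `latest` is a floating ref, so each run fetches and executes whatever upstream has published at that moment with `OPENAI_API_KEY_FOR_OPENCODE` in its environment, and a compromised or simply broken release lands here with no review step. The comment already names the release actually in use, so pin to that release's commit and let Dependabot or Renovate open the bumps the comment says you want to track, e.g. `uses: sst/opencode/github@<full commit sha of v0.15.3> # v0.15.3`. The comment line itself is several hundred characters; split it across a few `#` lines above the step so the rationale survives a linter. The step's `with:` block continues past the hunk.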