ci: improve opencode auth and workflow-only CI validation#400

Merged: MichaelFisher1997 merged 6 commits into dev from ci/workflow-validation-and-scope on Apr 1, 2026

Conversation

@MichaelFisher1997 (Collaborator)

Summary

  • restore opencode workflow issue and PR interactions by using the correct GitHub token mode and token source for scheduled versus interactive review flows
  • scope the heavy Zig build workflow to code and build-relevant paths so workflow-only PRs do not trigger expensive build, unit, and integration runs
  • add a dedicated workflow validation workflow that runs actionlint plus YAML parsing for workflow and composite action changes

github-actions bot added the labels documentation (Improvements or additions to documentation) and ci on Apr 1, 2026
github-actions bot (Contributor) commented Apr 1, 2026

📋 Summary

No linked issues found in the PR description.

This PR improves CI infrastructure by: (1) scoping the heavy Zig build workflow to code-relevant paths, preventing expensive builds on workflow-only changes, (2) fixing token authentication by replacing secrets.OPENCODE_PAT with github.token and adding use_github_token: true across all opencode workflows, (3) adding a new workflow validation workflow with actionlint and YAML parsing, and (4) enhancing the triage workflow with trusted bot detection and automated-audit label support. The changes are focused, well-scoped, and follow GitHub Actions best practices.


🔴 Critical Issues (Must Fix - Blocks Merge)

None identified.


⚠️ High Priority Issues (Should Fix)

None identified.


💡 Medium Priority Issues (Nice to Fix)

None identified.


ℹ️ Low Priority Suggestions (Optional)

None identified.


📊 SOLID Principles Score

This PR modifies CI workflows only (no application code), so SOLID principles apply to workflow architecture:

| Principle | Score | Notes |
|---|---|---|
| Single Responsibility | 9 | Each workflow has clear purpose; new validation workflow is dedicated to workflow checking |
| Open/Closed | 8 | Path filtering extends build workflow without modifying core logic; easy to add new paths |
| Liskov Substitution | N/A | Workflows are not inherited/substituted |
| Interface Segregation | 9 | Separate workflows for build, validation, audit, triage, PR review - good separation |
| Dependency Inversion | 8 | Uses github.token instead of hardcoded PAT secret, more flexible and secure |
| Average | 8.5 | |

🎯 Final Assessment

Overall Confidence Score: 95%

How to interpret: 81-100%: High confidence, ready to merge or with trivial fixes

Confidence Breakdown:

  • Code Quality: 95% (Clean, well-structured workflow changes with clear intent)
  • Completeness: 95% (Addresses all stated goals in PR description)
  • Risk Level: 90% (Low risk - CI-only changes, but token changes need verification)
  • Test Coverage: 95% (New workflow validation provides self-testing for workflow changes)

Merge Readiness:

  • All critical issues resolved
  • SOLID average score >= 6.0
  • Overall confidence >= 60%
  • No security concerns
  • Tests present and passing (if applicable)

Verdict:

MERGE

This is a well-crafted CI improvement PR that enhances security (token handling), efficiency (path filtering), and reliability (workflow validation). The changes are minimal, focused, and follow GitHub Actions best practices.

Session: New session - 2026-04-01T20:08:05.507Z (opencode session | github run)

github-actions bot (Contributor) commented Apr 1, 2026

📋 Summary

No linked issues found in the PR description.

This PR improves CI infrastructure with three main goals: (1) scopes the heavy Zig build workflow to code-relevant paths to prevent expensive builds on workflow-only changes, (2) fixes token authentication by replacing secrets.OPENCODE_PAT with github.token and adding use_github_token: true, and (3) adds a new workflow validation workflow with actionlint and YAML parsing. The changes are well-scoped and follow GitHub Actions best practices.


🔴 Critical Issues (Must Fix - Blocks Merge)

[CRITICAL] .github/workflows/opencode.yml:1 - Missing permissions block
Confidence: High
Description: The opencode.yml workflow file lacks a permissions declaration, which means it will inherit default permissions from the repository settings. Since this workflow uses github.token to checkout code and run opencode, it needs explicit permissions to function correctly.
Impact: The workflow may fail with permission denied errors when trying to checkout the repository or access GitHub API.
Suggested Fix: Add the following permissions block after the on: section:

```yaml
permissions:
  contents: read
  id-token: write
```

⚠️ High Priority Issues (Should Fix)

None identified.


💡 Medium Priority Issues (Nice to Fix)

[MEDIUM] .github/workflows/build.yml:23 - Permission pull-requests: read is unused
Confidence: Medium
Description: The changes job declares pull-requests: read permission, but the dorny/paths-filter action only needs contents: read to function. The extra permission is unnecessary.
Impact: Minor - unnecessarily broad permissions.
Suggested Fix: Remove pull-requests: read from the changes job permissions.


ℹ️ Low Priority Suggestions (Optional)

None identified.


📊 SOLID Principles Score

| Principle | Score | Notes |
|---|---|---|
| Single Responsibility | 9 | Each workflow has a clear, focused purpose |
| Open/Closed | 8 | Path filtering extends build workflow without modifying core build logic |
| Liskov Substitution | N/A | Workflows are not inherited/substituted |
| Interface Segregation | 9 | Separate workflows for build, validation, audit, triage, PR review |
| Dependency Inversion | 8 | Uses github.token instead of hardcoded PAT secret |
| Average | 8.5 | |

🎯 Final Assessment

Overall Confidence Score: 90%

Confidence Breakdown:

  • Code Quality: 90% (Clean workflow changes with clear intent, but missing permissions block)
  • Completeness: 95% (Addresses all stated goals in PR description)
  • Risk Level: 85% (Low risk CI changes, but token/permissions issues could break workflows)
  • Test Coverage: 95% (New workflow validation provides self-testing for workflow changes)

Merge Readiness:

  • All critical issues resolved
  • SOLID average score >= 6.0
  • Overall confidence >= 60%
  • No security concerns
  • Tests present and passing (if applicable)

Verdict:

MERGE WITH FIXES

Add the missing permissions block to .github/workflows/opencode.yml before merging. The PR is otherwise solid and well-crafted.

Session: New session - 2026-04-01T20:10:24.789Z (opencode session | github run)
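The two token-handling points raised so far (the PR description's move from `secrets.OPENCODE_PAT` to `github.token`, and the review's critical finding that `opencode.yml` had no `permissions` block and therefore inherited the repository's default token permissions) are both mechanically checkable. The following is an added example, not code from this pull request or from the repository's validation workflow: it takes workflows in the dict form that `yaml.safe_load` produces and reports jobs that inherit default permissions, references to non-builtin secrets where the built-in token might do, and `write-all` grants. The two sample workflows, the action reference `example/opencode-action@v1`, and the pattern list are constructed for the example; PyYAML is assumed available only if you call `load_workflow_file` on real files.

```python
"""Static checks over parsed GitHub Actions workflows (added example)."""
import re
from typing import Any, Iterator

# `${{ secrets.NAME }}` references; GITHUB_TOKEN is the built-in token, not a PAT.
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
BUILTIN_SECRETS = {"GITHUB_TOKEN"}


def _walk_strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted location, string) for every scalar string in the tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")


def jobs_without_permissions(workflow: dict) -> list[str]:
    """Job ids that inherit the repository's default token permissions.

    A job inherits the defaults when neither it nor the workflow declares
    `permissions`; an explicit top-level block covers every job.
    """
    if "permissions" in workflow:
        return []
    return [job_id for job_id, job in workflow.get("jobs", {}).items()
            if "permissions" not in job]


def pat_secret_references(workflow: dict) -> list[tuple[str, str]]:
    """(location, secret name) for every non-builtin secret reference.

    Each hit is a candidate for replacement by github.token, not automatically
    a defect: deployment keys and third-party API keys are legitimately secrets.
    """
    hits = []
    for path, text in _walk_strings(workflow):
        for name in SECRET_REF.findall(text):
            if name not in BUILTIN_SECRETS:
                hits.append((path, name))
    return hits


def write_all_permissions(workflow: dict) -> list[str]:
    """Locations ('workflow' or a job id) that grant `permissions: write-all`."""
    found = []
    if workflow.get("permissions") == "write-all":
        found.append("workflow")
    for job_id, job in workflow.get("jobs", {}).items():
        if job.get("permissions") == "write-all":
            found.append(job_id)
    return found


def review(workflow: dict) -> list[str]:
    """Render the three checks as human-readable findings."""
    findings = []
    for job_id in jobs_without_permissions(workflow):
        findings.append(f"job '{job_id}' has no permissions block; inherits repository defaults")
    for path, name in pat_secret_references(workflow):
        findings.append(f"{path} references secrets.{name}; consider github.token")
    for where in write_all_permissions(workflow):
        findings.append(f"{where} grants write-all")
    return findings


def load_workflow_file(path: str) -> dict:
    """Parse a workflow file with PyYAML (assumed installed; imported lazily)."""
    import yaml  # third-party; only needed for real files, not for the samples below
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


# Constructed sample: the shape the review flagged (no permissions, PAT secret).
BEFORE = {
    "name": "opencode",
    "on": {"issue_comment": {"types": ["created"]}},
    "jobs": {"opencode": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "example/opencode-action@v1",  # placeholder action reference
             "env": {"GITHUB_TOKEN": "${{ secrets.OPENCODE_PAT }}"}},
        ]}},
}

# Constructed sample: the corrected shape (explicit permissions, built-in token).
AFTER = {
    "name": "opencode",
    "on": {"issue_comment": {"types": ["created"]}},
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {"opencode": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "example/opencode-action@v1",  # placeholder action reference
             "with": {"use_github_token": True},
             "env": {"GITHUB_TOKEN": "${{ github.token }}"}},
        ]}},
}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, review(wf) or ["no findings"])
```

Run as a script it prints the findings for the constructed "before" workflow and none for the "after" one; pointed at real files through `load_workflow_file`, the same checks fit into a validation job alongside actionlint, which does not itself report a missing `permissions` block.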

github-actions bot (Contributor) commented Apr 1, 2026

📋 Summary

No linked issues found in the PR description.

This PR improves CI infrastructure with three main objectives: (1) adds path filtering to the heavy Zig build workflow to prevent expensive builds on workflow-only changes, (2) migrates from secrets.OPENCODE_PAT to github.token for better security and to restore workflow issue/PR interactions, and (3) introduces a new workflow validation workflow with actionlint and YAML parsing. The changes are well-structured and follow GitHub Actions best practices.

[FIXED] Previous critical issue: The opencode.yml workflow now has proper permissions declared (lines 21-25), resolving the missing permissions block issue from the previous review.


🔴 Critical Issues (Must Fix - Blocks Merge)

None identified. All previously reported critical issues have been resolved.


⚠️ High Priority Issues (Should Fix)

None identified.


💡 Medium Priority Issues (Nice to Fix)

None identified.


ℹ️ Low Priority Suggestions (Optional)

[LOW] .github/workflows/build.yml:22 - Unused pull-requests: read permission
Confidence: Medium
Description: The changes job declares pull-requests: read permission, but the dorny/paths-filter action only requires contents: read to function. This permission is unnecessary.
Impact: Minimal - unnecessarily broad permissions.
Suggested Fix: Remove pull-requests: read from the changes job permissions block.


📊 SOLID Principles Score

| Principle | Score | Notes |
|---|---|---|
| Single Responsibility | 9 | Each workflow has a clear, focused purpose; validation workflow is dedicated |
| Open/Closed | 8 | Path filtering extends build workflow without modifying core logic |
| Liskov Substitution | N/A | Workflows are not inherited/substituted |
| Interface Segregation | 9 | Separate workflows for build, validation, audit, triage, PR review |
| Dependency Inversion | 9 | Uses github.token instead of hardcoded PAT for most workflows |
| Average | 8.8 | |

🎯 Final Assessment

Overall Confidence Score: 95%

Confidence Breakdown:

  • Code Quality: 95% (Clean, well-structured workflow changes with clear intent)
  • Completeness: 95% (Addresses all stated goals in PR description)
  • Risk Level: 90% (Low risk - CI-only changes with proper permission scoping)
  • Test Coverage: 95% (New workflow validation provides self-testing)

Merge Readiness:

  • All critical issues resolved
  • SOLID average score >= 6.0
  • Overall confidence >= 60%
  • No security concerns
  • Tests present and passing (if applicable)

Verdict:

MERGE

This is a well-crafted CI improvement PR that enhances security (token handling), efficiency (path filtering), and reliability (workflow validation). The critical permissions issue from the previous review has been fixed. The only remaining suggestion is a minor cleanup of unused permissions.

Session: New session - 2026-04-01T20:13:43.910Z (opencode session | github run)

github-actions bot (Contributor) commented Apr 1, 2026

📋 Summary

No linked issues found in the PR description.

This PR improves CI infrastructure with three main objectives: (1) scopes the heavy Zig build workflow to code-relevant paths using dorny/paths-filter to prevent expensive builds on workflow-only changes, (2) migrates from secrets.OPENCODE_PAT to github.token for better security and restores workflow issue/PR interactions, and (3) introduces a new workflow validation workflow with actionlint and YAML parsing. The changes are well-structured and follow GitHub Actions best practices.

[FIXED] Previous critical issue: The opencode.yml workflow now has proper permissions declared, resolving the missing permissions block from earlier reviews.


🔴 Critical Issues (Must Fix - Blocks Merge)

None identified. All previously reported critical issues have been resolved.


⚠️ High Priority Issues (Should Fix)

None identified.


💡 Medium Priority Issues (Nice to Fix)

[MEDIUM] .github/workflows/build.yml:22 - Potentially redundant pull-requests: read permission
Confidence: Medium
Description: The changes job declares pull-requests: read permission. While the dorny/paths-filter action can use the GitHub API (which requires this permission), it can also detect changes using git commands which only require contents: read. Since the workflow runs on pull_request events, the git approach should work without the extra permission.
Impact: Minimal - unnecessarily broad permissions, though low risk.
Suggested Fix: Test if the workflow functions correctly without pull-requests: read. If so, remove it to follow the principle of least privilege:

```yaml
permissions:
  contents: read
```

ℹ️ Low Priority Suggestions (Optional)

[LOW] .github/workflows/build.yml:48-49 - Skip message could be more informative
Confidence: Low
Description: The skip messages for workflow-only changes are generic. They could include what paths were actually changed to help with debugging.
Impact: Negligible - only affects debuggability.
Suggested Fix: Consider logging the actual changed paths when skipping:

```yaml
run: |
  echo "No build-relevant changes detected in: src/**, libs/**, assets/shaders/**, build.zig, etc."
  echo "Changed files: ${{ steps.filter.outputs.changes }}"
```

📊 SOLID Principles Score

| Principle | Score | Notes |
|---|---|---|
| Single Responsibility | 9 | Each workflow has clear, focused purpose |
| Open/Closed | 8 | Path filtering extends build workflow without modifying core logic |
| Liskov Substitution | N/A | Workflows are not inherited/substituted |
| Interface Segregation | 9 | Separate workflows for build, validation, audit, triage, PR review |
| Dependency Inversion | 9 | Uses github.token instead of hardcoded PAT for most workflows |
| Average | 8.8 | |

🎯 Final Assessment

Overall Confidence Score: 95%

Confidence Breakdown:

  • Code Quality: 95% (Clean, well-structured workflow changes with clear intent)
  • Completeness: 95% (Addresses all stated goals in PR description)
  • Risk Level: 92% (Low risk - CI-only changes with proper permission scoping)
  • Test Coverage: 95% (New workflow validation provides self-testing)

Merge Readiness:

  • All critical issues resolved
  • SOLID average score >= 6.0
  • Overall confidence >= 60%
  • No security concerns
  • Tests present and passing (if applicable)

Verdict:

MERGE

This is a well-crafted CI improvement PR that enhances security (token handling), efficiency (path filtering), and reliability (workflow validation). The critical permissions issue from previous reviews has been fixed. The only remaining suggestion is a minor permission cleanup that can be addressed in a follow-up if desired.

Session: New session - 2026-04-01T20:16:55.559Z (opencode session | github run)
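The path scoping described in the PR summary, and discussed in the review above in terms of the `dorny/paths-filter` permissions and the skip message, comes down to one decision: given the files a pull request changed, does any of them match a build-relevant pattern? The block below is an added example, not the PR's workflow or the paths-filter action: it makes that decision in plain Python and names the file that triggered the build, or lists the changed files when skipping, which is the "more informative skip message" the review suggests. The pattern list and change sets are constructed for the example; in CI the changed list would come from `git diff --name-only` between the base and head commits.

```python
"""Path-scoped build trigger (added example, not the repository's workflow)."""
from fnmatch import fnmatchcase

# Constructed pattern list standing in for the PR's filter; not the real one.
BUILD_PATTERNS = ["src/**", "libs/**", "assets/shaders/**", "build.zig", "build.zig.zon"]


def _matches(path: str, pattern: str) -> bool:
    # fnmatch's '*' is not path-aware and already spans '/', so 'dir/**'
    # behaves like 'dir/*' and matches at any depth below dir.
    return fnmatchcase(path, pattern.replace("**", "*"))


def first_build_relevant(changed: list[str], patterns: list[str] = BUILD_PATTERNS):
    """Return the first changed path that matches a build pattern, or None."""
    for path in changed:
        for pattern in patterns:
            if _matches(path, pattern):
                return path
    return None


def decide(changed: list[str], patterns: list[str] = BUILD_PATTERNS) -> tuple[bool, str]:
    """Return (run_build, message) the way a gating job would report it."""
    hit = first_build_relevant(changed, patterns)
    if hit is not None:
        return True, f"build-relevant change: {hit}"
    return False, "no build-relevant changes; changed: " + ", ".join(changed)


if __name__ == "__main__":
    # Two constructed change sets: a workflow-only PR and a code PR.
    for changed in ([".github/workflows/opencode.yml", ".github/workflows/validate.yml"],
                    [".github/workflows/build.yml", "src/main.zig"]):
        run_build, message = decide(changed)
        print("build" if run_build else "skip", "-", message)
```

Because the decision runs on the checked-out diff only, a job built around it needs just `contents: read`, which is the point the review makes about the `pull-requests: read` grant; a filter that instead asks the pull-request API for the file list is the case where that extra permission is actually used.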

@MichaelFisher1997 MichaelFisher1997 merged commit 3063261 into dev Apr 1, 2026
9 checks passed

Labels

ci documentation Improvements or additions to documentation