From 8d21ddb6849c19e525f1bb0eb285fa67d3a41182 Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Wed, 1 Apr 2026 20:55:01 +0100 Subject: [PATCH 1/6] fix(ci): restore opencode workflow GitHub interactions --- .github/workflows/opencode-audit.yml | 1 + .github/workflows/opencode-pr.yml | 6 +++++- .github/workflows/opencode-test-writer.yml | 1 + .github/workflows/opencode-triage.yml | 14 ++++++++++++++ .github/workflows/opencode.yml | 2 ++ 5 files changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/opencode-audit.yml b/.github/workflows/opencode-audit.yml index e897b12..e15c76d 100644 --- a/.github/workflows/opencode-audit.yml +++ b/.github/workflows/opencode-audit.yml @@ -93,6 +93,7 @@ jobs: XDG_CACHE_HOME: /tmp/opencode-cache with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | You are a senior Zig systems programming auditor performing a deep code audit. diff --git a/.github/workflows/opencode-pr.yml b/.github/workflows/opencode-pr.yml index 97edece..0758146 100644 --- a/.github/workflows/opencode-pr.yml +++ b/.github/workflows/opencode-pr.yml @@ -29,7 +29,7 @@ jobs: id-token: write contents: write pull-requests: write - issues: read + issues: write steps: - name: Resolve PR context @@ -102,15 +102,19 @@ jobs: uses: anomalyco/opencode/github@latest env: GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} + GH_TOKEN: ${{ secrets.OPENCODE_PAT }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | You are reviewing a pull request for the ZigCraft repository. **PR to review:** #${{ steps.resolve-pr.outputs.pr_number }} Use `gh pr diff ${{ steps.resolve-pr.outputs.pr_number }}` and `gh pr view ${{ steps.resolve-pr.outputs.pr_number }}` to examine the changes. + Give full review coverage to PRs created by the automated test writer, especially PRs labeled `automated-test`, and verify whether any linked issues are fully addressed. + ZigCraft is a high-performance Minecraft-style voxel engine built with Zig, SDL3, and Vulkan. It uses Nix for dependency management, a custom RHI (Render Hardware Interface) abstraction layer, and a multithreaded job system for world generation and meshing. **Tech Stack:** diff --git a/.github/workflows/opencode-test-writer.yml b/.github/workflows/opencode-test-writer.yml index 0041da8..1963f43 100644 --- a/.github/workflows/opencode-test-writer.yml +++ b/.github/workflows/opencode-test-writer.yml @@ -199,6 +199,7 @@ jobs: XDG_CACHE_HOME: /tmp/opencode-cache with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | You are a senior Zig systems programmer writing unit tests for a voxel engine. Your job is to find untested code, write thorough tests, and submit a pull request. diff --git a/.github/workflows/opencode-triage.yml b/.github/workflows/opencode-triage.yml index 08e5843..2b258b8 100644 --- a/.github/workflows/opencode-triage.yml +++ b/.github/workflows/opencode-triage.yml @@ -19,6 +19,16 @@ jobs: uses: actions/github-script@v7 with: script: | + const trustedBots = new Set([ + 'opencode-agent[bot]', + 'github-actions[bot]', + ]); + const labels = (context.payload.issue.labels || []).map(label => label.name); + + if (trustedBots.has(context.payload.issue.user.login) || labels.includes('automated-audit')) { + return true; + } + const user = await github.rest.users.getByUsername({ username: context.payload.issue.user.login }); @@ -42,13 +52,17 @@ jobs: if: steps.check.outputs.result == 'true' env: GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} + GH_TOKEN: ${{ secrets.OPENCODE_PAT }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | Analyze this issue. You have access to the codebase context. **CRITICAL: Your only allowed action is to post a COMMENT on the issue. DO NOT create branches, pull requests, or attempt to modify the codebase.** + If this issue has the `automated-audit` label, treat it as a trusted machine-generated finding and focus on validating the report, checking for duplicates or related PRs, and suggesting the clearest next implementation steps. + 1. **Classify**: Determine if this is a Bug, Feature Request, or Question. 2. **Validate & Request Info**: - **Missing Data**: If critical information is needed to understand or reproduce the issue (e.g., reproduction steps, crash logs, version numbers, screenshots), explicitly ask the user to provide it. diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml index 9840a3c..db5bb0c 100644 --- a/.github/workflows/opencode.yml +++ b/.github/workflows/opencode.yml @@ -44,6 +44,8 @@ jobs: uses: anomalyco/opencode/github@latest env: GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} + GH_TOKEN: ${{ secrets.OPENCODE_PAT }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 + use_github_token: true From 28c7d8b849afe751b394139abb6bdbd5d8725daf Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Wed, 1 Apr 2026 20:59:42 +0100 Subject: [PATCH 2/6] fix(ci): use GitHub token for opencode review flows --- .github/workflows/opencode-pr.yml | 8 ++++---- .github/workflows/opencode-triage.yml | 6 +++--- .github/workflows/opencode.yml | 6 +++--- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/opencode-pr.yml b/.github/workflows/opencode-pr.yml index 0758146..7870cc2 100644 --- a/.github/workflows/opencode-pr.yml +++ b/.github/workflows/opencode-pr.yml @@ -48,7 +48,7 @@ jobs: with: ref: ${{ steps.resolve-pr.outputs.pr_head_sha }} fetch-depth: 0 - token: ${{ secrets.OPENCODE_PAT }} + token: ${{ github.token }} - name: Configure git run: | @@ -90,7 +90,7 @@ jobs: echo "Previous reviews fetched and formatted for context" env: - GH_TOKEN: ${{ secrets.OPENCODE_PAT }} + GH_TOKEN: ${{ github.token }} - name: Setup Nix uses: ./.github/actions/setup-nix @@ -101,8 +101,8 @@ jobs: - name: Run opencode uses: anomalyco/opencode/github@latest env: - GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} - GH_TOKEN: ${{ secrets.OPENCODE_PAT }} + GITHUB_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 diff --git a/.github/workflows/opencode-triage.yml b/.github/workflows/opencode-triage.yml index 2b258b8..7831ba1 100644 --- a/.github/workflows/opencode-triage.yml +++ b/.github/workflows/opencode-triage.yml @@ -40,7 +40,7 @@ jobs: - uses: actions/checkout@v4 if: steps.check.outputs.result == 'true' with: - token: ${{ secrets.OPENCODE_PAT }} + token: ${{ github.token }} - name: Configure git if: steps.check.outputs.result == 'true' @@ -51,8 +51,8 @@ jobs: - uses: anomalyco/opencode/github@latest if: steps.check.outputs.result == 'true' env: - GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} - GH_TOKEN: ${{ secrets.OPENCODE_PAT }} + GITHUB_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml index db5bb0c..4c33b9c 100644 --- a/.github/workflows/opencode.yml +++ b/.github/workflows/opencode.yml @@ -27,7 +27,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - token: ${{ secrets.OPENCODE_PAT }} + token: ${{ github.token }} - name: Configure git run: | @@ -43,8 +43,8 @@ jobs: - name: Run opencode uses: anomalyco/opencode/github@latest env: - GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} - GH_TOKEN: ${{ secrets.OPENCODE_PAT }} + GITHUB_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 From 4fc3c14a5b07114586fd11254d0146cdc15463c9 Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Wed, 1 Apr 2026 21:06:55 +0100 Subject: [PATCH 3/6] ci: scope build workflow and validate workflow changes --- .github/workflows/build.yml | 18 ++++++++++ .github/workflows/workflow-validation.yml | 43 +++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 .github/workflows/workflow-validation.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 27f3a5d..b37716b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,8 +3,26 @@ name: Build on: push: branches: [ main, dev ] + paths: + - 'src/**' + - 'libs/**' + - 'assets/shaders/**' + - 'build.zig' + - 'build.zig.zon' + - 'flake.nix' + - 'flake.lock' + - '.github/actions/setup-nix/**' pull_request: branches: [ main, dev ] + paths: + - 'src/**' + - 'libs/**' + - 'assets/shaders/**' + - 'build.zig' + - 'build.zig.zon' + - 'flake.nix' + - 'flake.lock' + - '.github/actions/setup-nix/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/workflow-validation.yml b/.github/workflows/workflow-validation.yml new file mode 100644 index 0000000..1a5d5f4 --- /dev/null +++ b/.github/workflows/workflow-validation.yml @@ -0,0 +1,43 @@ +name: Workflow Validation + +on: + push: + branches: [ main, dev ] + paths: + - '.github/workflows/**' + - '.github/actions/**' + pull_request: + branches: [ main, dev ] + paths: + - '.github/workflows/**' + - '.github/actions/**' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + actionlint: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + + - name: Run actionlint + uses: rhysd/actionlint@v1 + + yaml-parse: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + + - name: Parse workflow YAML + run: | + ruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "OK #{f}" }' + + - name: Parse composite action YAML + run: | + ruby -e 'require "yaml"; Dir[".github/actions/**/action.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "OK #{f}" }' From ff9aac38ff062b8c29ba09c26cd32f489a229a77 Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Wed, 1 Apr 2026 21:09:45 +0100 Subject: [PATCH 4/6] ci: report required checks while skipping irrelevant runs --- .github/workflows/build.yml | 73 ++++++++++++++++------- .github/workflows/workflow-validation.yml | 4 +- 2 files changed, 56 insertions(+), 21 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b37716b..f0d8a06 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,26 +3,8 @@ name: Build on: push: branches: [ main, dev ] - paths: - - 'src/**' - - 'libs/**' - - 'assets/shaders/**' - - 'build.zig' - - 'build.zig.zon' - - 'flake.nix' - - 'flake.lock' - - '.github/actions/setup-nix/**' pull_request: branches: [ main, dev ] - paths: - - 'src/**' - - 'libs/**' - - 'assets/shaders/**' - - 'build.zig' - - 'build.zig.zon' - - 'flake.nix' - - 'flake.lock' - - '.github/actions/setup-nix/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -34,27 +16,62 @@ env: GIT_CONFIG_VALUE_0: main jobs: + changes: + permissions: + contents: read + pull-requests: read + runs-on: ubuntu-latest + outputs: + code_changes: ${{ steps.filter.outputs.code_changes }} + steps: + - uses: actions/checkout@v4 + + - name: Detect build-relevant changes + id: filter + uses: dorny/paths-filter@v3 + with: + filters: | + code_changes: + - 'src/**' + - 'libs/**' + - 'assets/shaders/**' + - 'build.zig' + - 'build.zig.zon' + - 'flake.nix' + - 'flake.lock' + - '.github/actions/setup-nix/**' + build: permissions: contents: read id-token: write runs-on: blacksmith-2vcpu-ubuntu-2404 timeout-minutes: 30 + needs: changes steps: - uses: actions/checkout@v4 + - name: Skip build for workflow-only changes + if: needs.changes.outputs.code_changes != 'true' + run: | + echo "No build-relevant changes detected. Skipping binary build." + - name: Setup Nix + if: needs.changes.outputs.code_changes == 'true' uses: ./.github/actions/setup-nix - name: Build + if: needs.changes.outputs.code_changes == 'true' run: nix build -L - name: Prepare Artifact + if: needs.changes.outputs.code_changes == 'true' run: | mkdir -p dist cp -L result/bin/zigcraft dist/zigcraft-linux - name: Upload Artifact + if: needs.changes.outputs.code_changes == 'true' uses: actions/upload-artifact@v7 with: name: zigcraft @@ -67,14 +84,21 @@ jobs: id-token: write runs-on: blacksmith-2vcpu-ubuntu-2404 timeout-minutes: 15 - needs: build + needs: [changes, build] steps: - uses: actions/checkout@v4 + - name: Skip unit tests for workflow-only changes + if: needs.changes.outputs.code_changes != 'true' + run: | + echo "No build-relevant changes detected. Skipping unit tests." + - name: Setup Nix + if: needs.changes.outputs.code_changes == 'true' uses: ./.github/actions/setup-nix - name: Run unit tests + if: needs.changes.outputs.code_changes == 'true' run: nix develop --command zig build test env: ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global @@ -85,14 +109,21 @@ jobs: id-token: write runs-on: blacksmith-2vcpu-ubuntu-2404 timeout-minutes: 30 - needs: unit-test + needs: [changes, unit-test] steps: - uses: actions/checkout@v4 + - name: Skip integration tests for workflow-only changes + if: needs.changes.outputs.code_changes != 'true' + run: | + echo "No build-relevant changes detected. Skipping integration tests." + - name: Setup Nix + if: needs.changes.outputs.code_changes == 'true' uses: ./.github/actions/setup-nix - name: Start headless Wayland compositor + if: needs.changes.outputs.code_changes == 'true' run: | mkdir -p /tmp/runtime-runner chmod 700 /tmp/runtime-runner @@ -103,12 +134,14 @@ jobs: sleep 5 - name: Run integration smoke test + if: needs.changes.outputs.code_changes == 'true' env: ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global run: | nix develop --command zig build test-integration - name: Run world load smoke test (headless) + if: needs.changes.outputs.code_changes == 'true' env: ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global XDG_RUNTIME_DIR: /tmp/runtime-runner diff --git a/.github/workflows/workflow-validation.yml b/.github/workflows/workflow-validation.yml index 1a5d5f4..926dd6a 100644 --- a/.github/workflows/workflow-validation.yml +++ b/.github/workflows/workflow-validation.yml @@ -25,7 +25,9 @@ jobs: - uses: actions/checkout@v4 - name: Run actionlint - uses: rhysd/actionlint@v1 + uses: reviewdog/action-actionlint@v1 + with: + fail_level: error yaml-parse: runs-on: ubuntu-latest From b90d97f0b013d204c85166b1540224919c27f572 Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Wed, 1 Apr 2026 21:13:05 +0100 Subject: [PATCH 5/6] ci: configure actionlint for custom runners --- .github/workflows/opencode-pr.yml | 8 +++++--- actionlint.yaml | 3 +++ 2 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 actionlint.yaml diff --git a/.github/workflows/opencode-pr.yml b/.github/workflows/opencode-pr.yml index 7870cc2..ba07832 100644 --- a/.github/workflows/opencode-pr.yml +++ b/.github/workflows/opencode-pr.yml @@ -84,9 +84,11 @@ jobs: REVIEW_CONTENT="${REVIEW_CONTENT}No previous automated reviews found.\n" fi - echo "PREVIOUS_REVIEWS<> $GITHUB_ENV - printf '%s\n' "$REVIEW_CONTENT" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV + { + echo "PREVIOUS_REVIEWS<> "$GITHUB_ENV" echo "Previous reviews fetched and formatted for context" env: diff --git a/actionlint.yaml b/actionlint.yaml new file mode 100644 index 0000000..d953b67 --- /dev/null +++ b/actionlint.yaml @@ -0,0 +1,3 @@ +self-hosted-runner: + labels: + - blacksmith-2vcpu-ubuntu-2404 From 99fdba481e1264d2cb3a20d15ca1da3c998da872 Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Wed, 1 Apr 2026 21:16:16 +0100 Subject: [PATCH 6/6] ci: load actionlint config from github directory --- actionlint.yaml => .github/actionlint.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename actionlint.yaml => .github/actionlint.yaml (100%) diff --git a/actionlint.yaml b/.github/actionlint.yaml similarity index 100% rename from actionlint.yaml rename to .github/actionlint.yaml