Skip to content

ci: improve opencode auth and workflow-only CI validation #400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MichaelFisher1997 merged 6 commits into from
Apr 1, 2026
Merged

ci: improve opencode auth and workflow-only CI validation #400

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8d21ddb
fix(ci): restore opencode workflow GitHub interactions
MichaelFisher1997 Apr 1, 2026
28c7d8b
fix(ci): use GitHub token for opencode review flows
MichaelFisher1997 Apr 1, 2026
4fc3c14
ci: scope build workflow and validate workflow changes
MichaelFisher1997 Apr 1, 2026
ff9aac3
ci: report required checks while skipping irrelevant runs
MichaelFisher1997 Apr 1, 2026
b90d97f
ci: configure actionlint for custom runners
MichaelFisher1997 Apr 1, 2026
99fdba4
ci: load actionlint config from github directory
MichaelFisher1997 Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/actionlint.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
self-hosted-runner:
labels:
- blacksmith-2vcpu-ubuntu-2404
55 changes: 53 additions & 2 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,27 +16,62 @@
GIT_CONFIG_VALUE_0: main

jobs:
changes:
permissions:
contents: read
pull-requests: read
runs-on: ubuntu-latest
outputs:
code_changes: ${{ steps.filter.outputs.code_changes }}
steps:
- uses: actions/checkout@v4

- name: Detect build-relevant changes
id: filter
uses: dorny/paths-filter@v3
with:
filters: |
code_changes:
- 'src/**'
- 'libs/**'
- 'assets/shaders/**'
- 'build.zig'
- 'build.zig.zon'
- 'flake.nix'
- 'flake.lock'
- '.github/actions/setup-nix/**'

build:
permissions:
contents: read
id-token: write
runs-on: blacksmith-2vcpu-ubuntu-2404
timeout-minutes: 30
needs: changes
steps:
- uses: actions/checkout@v4

- name: Skip build for workflow-only changes
if: needs.changes.outputs.code_changes != 'true'
run: |
echo "No build-relevant changes detected. Skipping binary build."

- name: Setup Nix
if: needs.changes.outputs.code_changes == 'true'
uses: ./.github/actions/setup-nix

- name: Build
if: needs.changes.outputs.code_changes == 'true'
run: nix build -L

- name: Prepare Artifact
if: needs.changes.outputs.code_changes == 'true'
run: |
mkdir -p dist
cp -L result/bin/zigcraft dist/zigcraft-linux

- name: Upload Artifact
if: needs.changes.outputs.code_changes == 'true'
uses: actions/upload-artifact@v7
with:
name: zigcraft
Expand All @@ -49,14 +84,21 @@
id-token: write
runs-on: blacksmith-2vcpu-ubuntu-2404
timeout-minutes: 15
needs: build
needs: [changes, build]
steps:
- uses: actions/checkout@v4

- name: Skip unit tests for workflow-only changes
if: needs.changes.outputs.code_changes != 'true'
run: |
echo "No build-relevant changes detected. Skipping unit tests."

- name: Setup Nix
if: needs.changes.outputs.code_changes == 'true'
uses: ./.github/actions/setup-nix

- name: Run unit tests
if: needs.changes.outputs.code_changes == 'true'
run: nix develop --command zig build test
env:
ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global
Expand All @@ -67,15 +109,22 @@
id-token: write
runs-on: blacksmith-2vcpu-ubuntu-2404
timeout-minutes: 30
needs: unit-test
needs: [changes, unit-test]
steps:
- uses: actions/checkout@v4

- name: Skip integration tests for workflow-only changes
if: needs.changes.outputs.code_changes != 'true'
run: |
echo "No build-relevant changes detected. Skipping integration tests."

- name: Setup Nix
if: needs.changes.outputs.code_changes == 'true'
uses: ./.github/actions/setup-nix

- name: Start headless Wayland compositor
if: needs.changes.outputs.code_changes == 'true'
run: |

Check warning on line 127 in .github/workflows/build.yml

View workflow job for this annotation

GitHub Actions / actionlint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:6:47: Double quote to prevent globbing and word splitting [shellcheck]

Raw Output:
i:.github/workflows/build.yml:127:7: shellcheck reported issue in this script: SC2086:info:6:47: Double quote to prevent globbing and word splitting [shellcheck]

Check warning on line 127 in .github/workflows/build.yml

View workflow job for this annotation

GitHub Actions / actionlint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting [shellcheck]

Raw Output:
i:.github/workflows/build.yml:127:7: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting [shellcheck]
mkdir -p /tmp/runtime-runner
chmod 700 /tmp/runtime-runner
export XDG_RUNTIME_DIR=/tmp/runtime-runner
Expand All @@ -85,12 +134,14 @@
sleep 5

- name: Run integration smoke test
if: needs.changes.outputs.code_changes == 'true'
env:
ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global
run: |
nix develop --command zig build test-integration

- name: Run world load smoke test (headless)
if: needs.changes.outputs.code_changes == 'true'
env:
ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global
XDG_RUNTIME_DIR: /tmp/runtime-runner
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/opencode-audit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ jobs:
XDG_CACHE_HOME: /tmp/opencode-cache
with:
model: kimi-for-coding/k2p5
use_github_token: true
prompt: |
You are a senior Zig systems programming auditor performing a deep code audit.

Expand Down
20 changes: 13 additions & 7 deletions .github/workflows/opencode-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
id-token: write
contents: write
pull-requests: write
issues: read
issues: write

steps:
- name: Resolve PR context
Expand All @@ -48,7 +48,7 @@
with:
ref: ${{ steps.resolve-pr.outputs.pr_head_sha }}
fetch-depth: 0
token: ${{ secrets.OPENCODE_PAT }}
token: ${{ github.token }}

- name: Configure git
run: |
Expand Down Expand Up @@ -84,33 +84,39 @@
REVIEW_CONTENT="${REVIEW_CONTENT}No previous automated reviews found.\n"
fi

echo "PREVIOUS_REVIEWS<<EOF" >> $GITHUB_ENV
printf '%s\n' "$REVIEW_CONTENT" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
{
echo "PREVIOUS_REVIEWS<<EOF"
printf '%s\n' "$REVIEW_CONTENT"
echo "EOF"
} >> "$GITHUB_ENV"

echo "Previous reviews fetched and formatted for context"
env:
GH_TOKEN: ${{ secrets.OPENCODE_PAT }}
GH_TOKEN: ${{ github.token }}

- name: Setup Nix
uses: ./.github/actions/setup-nix

- name: Prepare opencode cache
run: mkdir -p /tmp/opencode-cache && echo "XDG_CACHE_HOME=/tmp/opencode-cache" >> $GITHUB_ENV

Check warning on line 101 in .github/workflows/opencode-pr.yml

View workflow job for this annotation

GitHub Actions / actionlint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:78: Double quote to prevent globbing and word splitting [shellcheck]

Raw Output:
i:.github/workflows/opencode-pr.yml:101:9: shellcheck reported issue in this script: SC2086:info:1:78: Double quote to prevent globbing and word splitting [shellcheck]

- name: Run opencode
uses: anomalyco/opencode/github@latest
env:
GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }}
GITHUB_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
with:
model: kimi-for-coding/k2p5
use_github_token: true
prompt: |
You are reviewing a pull request for the ZigCraft repository.

**PR to review:** #${{ steps.resolve-pr.outputs.pr_number }}
Use `gh pr diff ${{ steps.resolve-pr.outputs.pr_number }}` and `gh pr view ${{ steps.resolve-pr.outputs.pr_number }}` to examine the changes.

Give full review coverage to PRs created by the automated test writer, especially PRs labeled `automated-test`, and verify whether any linked issues are fully addressed.

ZigCraft is a high-performance Minecraft-style voxel engine built with Zig, SDL3, and Vulkan. It uses Nix for dependency management, a custom RHI (Render Hardware Interface) abstraction layer, and a multithreaded job system for world generation and meshing.

**Tech Stack:**
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/opencode-test-writer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
id: select-module
env:
INPUT_MODULE: ${{ inputs.module }}
run: |

Check warning on line 29 in .github/workflows/opencode-test-writer.yml

View workflow job for this annotation

GitHub Actions / actionlint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2034:warning:33:3: TOTAL appears unused. Verify use (or export if used externally) [shellcheck]

Raw Output:
w:.github/workflows/opencode-test-writer.yml:29:9: shellcheck reported issue in this script: SC2034:warning:33:3: TOTAL appears unused. Verify use (or export if used externally) [shellcheck]
GRAPHICS_MODULES=(
"graphics/vulkan-device"
"graphics/vulkan-resources"
Expand Down Expand Up @@ -199,6 +199,7 @@
XDG_CACHE_HOME: /tmp/opencode-cache
with:
model: kimi-for-coding/k2p5
use_github_token: true
prompt: |
You are a senior Zig systems programmer writing unit tests for a voxel engine. Your job is to find untested code, write thorough tests, and submit a pull request.

Expand Down
18 changes: 16 additions & 2 deletions .github/workflows/opencode-triage.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,16 @@ jobs:
uses: actions/github-script@v7
with:
script: |
const trustedBots = new Set([
'opencode-agent[bot]',
'github-actions[bot]',
]);
const labels = (context.payload.issue.labels || []).map(label => label.name);

if (trustedBots.has(context.payload.issue.user.login) || labels.includes('automated-audit')) {
return true;
}

const user = await github.rest.users.getByUsername({
username: context.payload.issue.user.login
});
Expand All @@ -30,7 +40,7 @@ jobs:
- uses: actions/checkout@v4
if: steps.check.outputs.result == 'true'
with:
token: ${{ secrets.OPENCODE_PAT }}
token: ${{ github.token }}

- name: Configure git
if: steps.check.outputs.result == 'true'
Expand All @@ -41,14 +51,18 @@ jobs:
- uses: anomalyco/opencode/github@latest
if: steps.check.outputs.result == 'true'
env:
GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }}
GITHUB_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
with:
model: kimi-for-coding/k2p5
use_github_token: true
prompt: |
Analyze this issue. You have access to the codebase context.
**CRITICAL: Your only allowed action is to post a COMMENT on the issue. DO NOT create branches, pull requests, or attempt to modify the codebase.**

If this issue has the `automated-audit` label, treat it as a trusted machine-generated finding and focus on validating the report, checking for duplicates or related PRs, and suggesting the clearest next implementation steps.

1. **Classify**: Determine if this is a Bug, Feature Request, or Question.
2. **Validate & Request Info**:
- **Missing Data**: If critical information is needed to understand or reproduce the issue (e.g., reproduction steps, crash logs, version numbers, screenshots), explicitly ask the user to provide it.
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/opencode.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
- name: Checkout repository
uses: actions/checkout@v4
with:
token: ${{ secrets.OPENCODE_PAT }}
token: ${{ github.token }}

- name: Configure git
run: |
Expand All @@ -38,12 +38,14 @@
uses: ./.github/actions/setup-nix

- name: Prepare opencode cache
run: mkdir -p /tmp/opencode-cache && echo "XDG_CACHE_HOME=/tmp/opencode-cache" >> $GITHUB_ENV

Check warning on line 41 in .github/workflows/opencode.yml

View workflow job for this annotation

GitHub Actions / actionlint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2086:info:1:78: Double quote to prevent globbing and word splitting [shellcheck]

Raw Output:
i:.github/workflows/opencode.yml:41:9: shellcheck reported issue in this script: SC2086:info:1:78: Double quote to prevent globbing and word splitting [shellcheck]

- name: Run opencode
uses: anomalyco/opencode/github@latest
env:
GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }}
GITHUB_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
with:
model: kimi-for-coding/k2p5
use_github_token: true
45 changes: 45 additions & 0 deletions .github/workflows/workflow-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
name: Workflow Validation

on:
push:
branches: [ main, dev ]
paths:
- '.github/workflows/**'
- '.github/actions/**'
pull_request:
branches: [ main, dev ]
paths:
- '.github/workflows/**'
- '.github/actions/**'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
actionlint:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4

- name: Run actionlint
uses: reviewdog/action-actionlint@v1
with:
fail_level: error

yaml-parse:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4

- name: Parse workflow YAML
run: |
ruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "OK #{f}" }'

- name: Parse composite action YAML
run: |
ruby -e 'require "yaml"; Dir[".github/actions/**/action.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "OK #{f}" }'
Loading