Skip to content

Skip OpenCode review for non-write actors#47

Merged
KagamiChan merged 2 commits into
masterfrom
fix/opencode-nonwrite-skip
Jul 5, 2026
Merged

Skip OpenCode review for non-write actors#47
KagamiChan merged 2 commits into
masterfrom
fix/opencode-nonwrite-skip

Conversation

@KagamiChan

Copy link
Copy Markdown
Member

Summary

  • Add an OpenCode workflow preflight that checks the trigger user's repository permission.
  • Skip checkout and OpenCode review unless the trigger user has admin/write access, while logging permission lookup failures before treating them as no permission.

Checks

  • pnpm exec prettier --check .github/workflows/opencode-review.yml

KagamiChan and others added 2 commits July 5, 2026 14:28
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a preflight gate to the OpenCode PR Review workflow so it only performs checkout and runs the OpenCode review when the triggering actor has sufficient repository permissions, and it logs permission lookup failures before treating them as “no permission”.

Changes:

  • Add a “trigger user permissions” check step that queries the actor’s repository permission via the GitHub API (via gh api).
  • Conditionally skip actions/checkout and the OpenCode review action unless the actor has write/admin access (with a fallback to “none” on lookup failure).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +41 to +45
if [[ "$permission" == "admin" || "$permission" == "write" ]]; then
echo "can_review=true" >> "$GITHUB_OUTPUT"
else
echo "can_review=false" >> "$GITHUB_OUTPUT"
echo "Skipping OpenCode review because ${TRIGGER_USER} has ${permission} repository permission, not write/admin."
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

No findings to report for this PR.

The permission guard is correctly implemented:

  • Uses github.actor (the trigger user) to check repository permissions via the GitHub API.
  • Fails safely: API errors default to permission=none, which results in can_review=false and the review is skipped.
  • Properly cleans up the temp file and logs API errors for debugging.
  • Conditionally gates both checkout and the OpenCode review step on the can_review output.

No correctness, security, reliability, or maintenance risks identified in the change.

New%20session%20-%202026-07-05T06%3A29%3A22.676Z
opencode session  |  github run

@KagamiChan KagamiChan merged commit 00b23c4 into master Jul 5, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants