Contributor

@MH0386 MH0386 commented Oct 19, 2025

Summary by Sourcery

Integrate Opencode as a comment-triggered CI job and streamline trunk lint settings

New Features:

  • Add an Opencode GitHub Actions job triggered by issue comments containing '/oc' or '/opencode'

Enhancements:

  • Extend the CI Tools workflow with an issue_comment trigger for the Opencode job
  • Clean up trunk lint configuration by removing unused hooks and actions

CI:

  • Introduce an opencode job in the CI Tools workflow using sst/opencode/github@latest
  • Grant necessary permissions (id-token, contents, pull-requests, issues) for the Opencode job

Enables the `opencode` job to run on demand when an issue comment contains `/oc` or `/opencode`. This provides a convenient way to trigger the Opencode tool directly from GitHub issues, facilitating interactive code analysis or generation.
Removes `commitlint`, `uv-check`, and `trunk-check-pre-push` from the active list of enabled Trunk actions. This change streamlines the pre-commit workflow by deactivating checks that are not currently required or desired.
Contributor

sourcery-ai bot commented Oct 19, 2025

Reviewer's Guide

Adds an interactive 'opencode' GitHub Actions job triggered via issue comments in ci_tools.yaml and prunes obsolete linters and checks from the trunk.yaml configuration.

Sequence diagram for triggering the 'opencode' job via issue comment

sequenceDiagram
  actor User
  participant GitHub
  participant "CI Tools Workflow"
  participant "Opencode Job"
  User->>GitHub: Create issue comment with '/oc' or '/opencode'
  GitHub->>"CI Tools Workflow": Trigger workflow on issue_comment event
  "CI Tools Workflow"->>"Opencode Job": Start job if comment matches
  "Opencode Job"->>"Checkout Repository": Checkout code
  "Opencode Job"->>"sst/opencode/github Action": Run opencode with API key and model

Class diagram for updated trunk.yaml configuration

classDiagram
  class Lint {
    enabled: [email protected]
    enabled: [email protected]
    enabled: [email protected]
    enabled: [email protected]
    enabled: [email protected]
  }
  class Actions {
    enabled: commitizen
    enabled: trufflehog-pre-commit
    enabled: uv-lock
    enabled: uv-sync
    enabled: trunk-announce
    enabled: trunk-fmt-pre-commit
    enabled: trunk-upgrade-available
    enabled: trunk-check-pre-commit
  }
  %% Removed: [email protected] from Lint
  %% Removed: commented-out actions from Actions

File-Level Changes

Change: Add interactive 'opencode' CI job triggered by issue comments
Details:
  • Added issue_comment event to CI workflow triggers
  • Introduced 'opencode' job with id-token and contents permissions
  • Configured checkout and sst/opencode steps with API key and model
Files: .github/workflows/ci_tools.yaml

Change: Clean up trunk lint and action configurations
Details:
  • Removed pre-commit-hooks from enabled linters
  • Disabled commitlint and uv-check actions
  • Removed trunk-check-pre-push and its always variant
Files: .trunk/trunk.yaml

Contributor

coderabbitai bot commented Oct 19, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


@gemini-code-assist
Contributor

Summary of Changes

Hello @MH0386, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on refining the continuous integration setup by cleaning up the .trunk/trunk.yaml configuration file. It removes an unnecessary linting hook and several commented-out action entries, aiming to simplify and clarify the project's CI/CD pipeline, potentially in preparation for new integrations or standards.

Highlights

  • CI Configuration Refinement: The pull request streamlines the CI configuration by removing an explicit pre-commit-hooks entry from the lint section in .trunk/trunk.yaml.
  • Cleanup of Unused Actions: Several commented-out and seemingly unused actions, such as commitlint, uv-check, and trunk-check-pre-push configurations, have been removed from the actions section in .trunk/trunk.yaml.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/ci_tools.yaml


deepsource-io bot commented Oct 19, 2025

Here's the code health analysis summary for commits a1e8f52..331a8a5. View details on DeepSource ↗.

Analysis Summary

Analyzer   Status       Link
Shell      ✅ Success   View Check ↗
Python     ✅ Success   View Check ↗
Docker     ✅ Success   View Check ↗
Secrets    ✅ Success   View Check ↗

💡 If you’re a repository administrator, you can configure the quality gates from the settings.


@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

Blocking issues:

  • An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)

General comments:

  • Consider simplifying the issue_comment filter by using a single matches expression or regex so you don’t need separate contains and startsWith checks for /oc and /opencode.
  • If this runner is only meant for pull request contexts, narrow the trigger to PR comments or otherwise guard against running on every new issue comment.
  • You may want to clean up or remove the commented-out entries in .trunk/trunk.yaml to keep the config concise, or add a note explaining why they’re retained.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider simplifying the issue_comment filter by using a single `matches` expression or regex so you don’t need separate `contains` and `startsWith` checks for `/oc` and `/opencode`.
- If this runner is only meant for pull request contexts, narrow the trigger to PR comments or otherwise guard against running on every new issue comment.
- You may want to clean up or remove the commented-out entries in `.trunk/trunk.yaml` to keep the config concise, or add a note explaining why they’re retained.

## Individual Comments

### Comment 1
<location> `.github/workflows/ci_tools.yaml:64` </location>
<code_context>
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Run opencode
+        uses: sst/opencode/github@latest
+        env:
+          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
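Review bot: `uses: sst/opencode/github@latest` is a mutable ref, so the job will execute whatever the upstream repository next publishes under that tag; pin it to a full 40-character commit SHA with the resolved version in a trailing comment, and note that `actions/checkout@v4` in the same hunk is tag-pinned rather than SHA-pinned too. Because this step receives `secrets.OPENCODE_API_KEY` and the job is started by an `issue_comment` event, also gate the job with an `if:` on `github.event.comment.author_association` (and on `github.event.issue.pull_request` if it is meant for PR comments only), so the secret is only exposed to runs that trusted accounts trigger.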
</code_context>

<issue_to_address>
**suggestion:** Pin the opencode action to a specific version for reproducibility.

Referencing '@latest' can lead to unpredictable builds if the action changes upstream. Please use a specific version or commit hash for reliability.

Suggested implementation:

```
      - name: Run opencode
        uses: sst/opencode/github@v1.2.3
        env:
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
        with:
          model: opencode/grok-code

```

Replace `v1.2.3` with the actual version or commit hash you want to pin to, based on the opencode action's releases or tags.
</issue_to_address>

### Comment 2
<location> `.github/workflows/ci_tools.yaml:64` </location>
<code_context>
        uses: sst/opencode/github@latest
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
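The hardened shape of the job, combining the SHA-pinning and trigger-narrowing points raised above with the `opencode` job as the PR summary describes it, as an added example that is not the PR's own workflow file. The 40-zero SHAs are placeholders to be replaced with the commit each tag actually resolves to, `vX.Y.Z` for the opencode action is likewise a placeholder, and the `permissions` levels are an assumption about what the tool needs:

```yaml
name: CI Tools

on:
  issue_comment:
    types: [created]

jobs:
  opencode:
    # Every condition is evaluated before the job starts, so no secret is
    # handed to a runner unless all three hold:
    #   1. the comment is on a pull request, not a plain issue
    #   2. the commenter is an owner, member or collaborator of the repository
    #   3. the comment body is a slash command; startsWith(..., '/oc') already
    #      matches '/opencode', so one expression covers both triggers
    if: >-
      github.event.issue.pull_request &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
      startsWith(github.event.comment.body, '/oc')
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write        # assumption: only needed if opencode pushes commits; otherwise use read
      pull-requests: write
      issues: write
    steps:
      - name: Checkout repository
        # Pinned to a full commit SHA; the trailing comment records the tag the
        # SHA was resolved from. PLACEHOLDER SHA: replace with the real commit.
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - name: Run opencode
        # Same pattern for the third-party action. PLACEHOLDER SHA and version.
        uses: sst/opencode/github@0000000000000000000000000000000000000000 # vX.Y.Z
        env:
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
        with:
          model: opencode/grok-code
```

Resolve each tag to its commit with `git ls-remote` against the action repository (or `gh api`) and paste the full SHA; a tool such as Dependabot can then bump the SHA and the trailing version comment together. The `if:` expression is evaluated from the event payload before the job is scheduled, so a comment from an account outside the listed associations never starts a runner and never sees `OPENCODE_API_KEY`.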


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the .trunk/trunk.yaml configuration. It removes the pre-commit-hooks linter and cleans up several commented-out actions. While the cleanup is beneficial, removing pre-commit-hooks might have unintended side effects on code quality, as it provides several useful generic checks. I've added a comment to seek clarification on this change. Furthermore, the PR title 'ci: Add opencode' seems to conflict with the changes, which are primarily removals. I recommend updating the title and adding a description to accurately reflect the PR's intent.

Contributor

mergify bot commented Oct 19, 2025

🧪 CI Insights

Here's what we observed from your CI run for 331a8a5.

🟢 All jobs passed!

But CI Insights is watching 👀

Contributor Author

MH0386 commented Oct 19, 2025

🔍 Vulnerabilities of ghcr.io/alphaspheredotai/chattr:0cb471b-pr-421

📦 Image Reference: ghcr.io/alphaspheredotai/chattr:0cb471b-pr-421
Digest: sha256:295695feea192495eb31161833bf3093087bc0799f0707e2a16f209c50620ce2
Vulnerabilities: critical: 0 high: 2 medium: 1 low: 0
Platform: linux/amd64
Size: 325 MB
Packages: 500

pdfjs-dist 3.11.174 (npm): critical: 0 high: 1 medium: 0 low: 0

pkg:npm/pdfjs-dist@3.11.174

# Dockerfile (30:30)
COPY --from=builder --chown=nonroot:nonroot --chmod=555 /home/nonroot/.local/ /home/nonroot/.local/

high 8.8: CVE-2024-4367 Improper Check for Unusual or Exceptional Conditions

Affected range: <=4.1.392
Fixed version: 4.2.67
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 35.103%
EPSS Percentile: 97th percentile
Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

gradio 5.49.1 (pypi): critical: 0 high: 1 medium: 0 low: 0

pkg:pypi/gradio@5.49.1

# Dockerfile (30:30)
COPY --from=builder --chown=nonroot:nonroot --chmod=555 /home/nonroot/.local/ /home/nonroot/.local/

high 8.1: CVE-2023-6572 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: <2023-11-06
Fixed version: Not Fixed
CVSS Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 1.662%
EPSS Percentile: 81st percentile
Description

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.

pip 24.3.1 (pypi): critical: 0 high: 0 medium: 1 low: 0

pkg:pypi/pip@24.3.1

# Dockerfile (30:30)
COPY --from=builder --chown=nonroot:nonroot --chmod=555 /home/nonroot/.local/ /home/nonroot/.local/

medium 5.9: CVE-2025-8869 Improper Link Resolution Before File Access ('Link Following')

Affected range: <=25.2
Fixed version: Not Fixed
CVSS Score: 5.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.018%
EPSS Percentile: 3rd percentile
Description

Summary

In the fallback extraction path for source distributions, pip used Python’s tarfile module without verifying that symbolic/hard link targets resolve inside the intended extraction directory. A malicious sdist can include links that escape the target directory and overwrite arbitrary files on the invoking host during pip install.

Impact

Successful exploitation enables arbitrary file overwrite outside the build/extraction directory on the machine running pip. This can be leveraged to tamper with configuration or startup files and may lead to further code execution depending on the environment, but the direct, guaranteed impact is integrity compromise on the vulnerable system.

Conditions

The issue is triggered when installing an attacker-controlled sdist (e.g., from an index or URL) and the fallback extraction code path is used. No special privileges are required beyond running pip install; active user action is necessary.

Remediation

The fix, while available as a patch that can be manually applied, has not yet been put into a numbered version but is planned for 25.3. Using a Python interpreter that implements the safe-extraction behavior described by PEP 706 provides additional defense in depth for other tarfile issues but is not a substitute for upgrading pip for this specific flaw.

Extends the `issue_comment` trigger to include `edited` events, ensuring the workflow reacts to modifications of comments.

Removes the workflow-level concurrency group, preventing new runs from canceling existing ones. This allows multiple instances of the workflow to run concurrently without interruption.
@sonarqubecloud

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@MH0386 MH0386 merged commit 2e667e2 into enhance Oct 19, 2025
13 of 15 checks passed
@MH0386 MH0386 deleted the ci branch October 19, 2025 13:18
Contributor

mergify bot commented Oct 19, 2025

Thank you for your contribution @MH0386! Your pull request has been merged.
