Disable use of GITHUB_TOKEN in opencode GitHub Action

[Jordonbc]

Motivation

• Prevent the opencode action from using the repository GITHUB_TOKEN and enforce use of external API keys for security.

Description

• Remove the GITHUB_TOKEN environment variable and set use_github_token: false for both the primary and fallback opencode steps in .github/workflows/opencode.yml.

Testing

• No automated tests were run for this PR; validation will occur when the updated GitHub Actions workflow executes.

---

Codex Task

[github-actions]

Review Summary

PR: Disable use of GITHUB_TOKEN in opencode GitHub Action
Files Changed: .github/workflows/opencode.yml (+2/-1)

Assessment

Code Quality: ✓ The YAML is valid and well-formatted.

Security: ✓ The change correctly:

• Removes explicit GITHUB_TOKEN env var
• Sets use_github_token: false for both primary and fallback steps
• Enforces use of external API keys (OPENAI_API_KEY, OPENCODE_API_KEY) instead

No Issues Found:

• The change is minimal and focused on the stated security goal
• Both steps now consistently disable GITHUB_TOKEN usage
• The continue-on-error: true on primary with fallback on failure is correctly preserved

Minor Note: Since this workflow has contents: write and pull-requests: write permissions, with use_github_token: false, the action will rely entirely on external API keys for any GitHub API operations. Ensure this aligns with expected behavior (e.g., if the action needs to create commits/PRs, the external keys must have appropriate permissions).

Verdict: Safe to merge. No bugs or quality concerns.

opencode session  |  github run