feat: add OpenCode engine integration (re-apply PR #18403)#25830
Merged
feat: add OpenCode engine integration (re-apply PR #18403)#25830
Conversation
Add OpenCode as a new provider-agnostic agentic engine (BYOK). - Full API proxy support on port 10004 (default: Anthropic routing) - Full MCP Gateway integration with opencode.jsonc converter script - Dynamic domain allowlists based on model provider prefix - Headless CI mode via opencode run with auto-configured permissions - Smoke test workflow with 5 tests - 22 unit tests covering engine identity, secrets, installation, execution, firewall integration Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3e72b185-d3f9-489e-bd5f-fe95a7f4586e Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3e72b185-d3f9-489e-bd5f-fe95a7f4586e Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
pelikhan
April 11, 2026 16:04
View session
Collaborator
Contributor
There was a problem hiding this comment.
Pull request overview
Re-applies the OpenCode engine integration by adding a new built-in opencode agentic engine, wiring it into engine registration/catalog/schema/constants, and introducing an OpenCode-focused smoke workflow plus MCP gateway conversion support.
Changes:
- Added OpenCode engine implementation + MCP config rendering and comprehensive unit tests.
- Extended engine registry/catalog/constants/schema to recognize
opencodeas a built-in engine (now 5 total). - Added MCP gateway converter script for OpenCode and a dedicated smoke workflow + generated lock file.
Show a summary per file
| File | Description |
|---|---|
pkg/workflow/opencode_mcp.go |
Adds MCP JSON config rendering for OpenCode via shared renderer. |
pkg/workflow/opencode_engine.go |
Implements OpenCode engine install/execution/config writing and firewall integration. |
pkg/workflow/opencode_engine_test.go |
Adds unit tests for OpenCode identity, secrets, install, execution, firewall, and provider parsing. |
pkg/workflow/engine_definition.go |
Updates built-in engine count/comment to include opencode. |
pkg/workflow/engine_definition_test.go |
Extends built-in engine definition tests to cover opencode. |
pkg/workflow/engine_catalog_test.go |
Updates expected built-in engine IDs to include opencode. |
pkg/workflow/domains.go |
Adds OpenCode domain sets/provider parsing and registers OpenCode defaults in domain merging. |
pkg/workflow/data/engines/opencode.md |
Introduces embedded engine definition metadata for opencode. |
pkg/workflow/agentic_engine.go |
Registers NewOpenCodeEngine() in the engine registry. |
pkg/parser/schemas/main_workflow_schema.json |
Updates schema descriptions/examples to mention opencode. |
pkg/constants/version_constants.go |
Adds DefaultOpenCodeVersion constant. |
pkg/constants/engine_constants.go |
Adds OpenCodeEngine, updates AgenticEngines and EngineOptions, and introduces OpenCode model env var constant. |
pkg/constants/constants.go |
Adds OpenCodeLLMGatewayPort = 10004. |
pkg/constants/constants_test.go |
Updates tests for the expanded built-in engine list. |
actions/setup/sh/start_mcp_gateway.sh |
Adds opencode) branch to run the OpenCode gateway converter. |
actions/setup/sh/convert_gateway_config_opencode.sh |
Adds a converter from MCP gateway output to opencode.jsonc format. |
.github/workflows/smoke-opencode.md |
Adds a smoke workflow definition for OpenCode. |
.github/workflows/smoke-opencode.lock.yml |
Adds the compiled lock workflow for the OpenCode smoke test. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 18/18 changed files
- Comments generated: 4
Comment on lines
+129
to
+137
| // Prompt from file (positional argument to `opencode run`) | ||
| opencodeArgs = append(opencodeArgs, "\"$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"") | ||
|
|
||
| // Build command name | ||
| commandName := "opencode" | ||
| if workflowData.EngineConfig != nil && workflowData.EngineConfig.Command != "" { | ||
| commandName = workflowData.EngineConfig.Command | ||
| } | ||
| opencodeCommand := fmt.Sprintf("%s run %s", commandName, shellJoinArgs(opencodeArgs)) |
There was a problem hiding this comment.
The prompt argument is being built as an element of opencodeArgs and then passed through shellJoinArgs. shellJoinArgs will single-quote strings containing "$()", which prevents command substitution when the firewall is disabled (the prompt won’t be read from prompt.txt). Build the command like the Claude/Gemini engines: join the flags with shellJoinArgs, but append the prompt command ("$(cat …)") as a raw positional argument outside of shellJoinArgs so it expands at runtime.
Suggested change
| // Prompt from file (positional argument to `opencode run`) | |
| opencodeArgs = append(opencodeArgs, "\"$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"") | |
| // Build command name | |
| commandName := "opencode" | |
| if workflowData.EngineConfig != nil && workflowData.EngineConfig.Command != "" { | |
| commandName = workflowData.EngineConfig.Command | |
| } | |
| opencodeCommand := fmt.Sprintf("%s run %s", commandName, shellJoinArgs(opencodeArgs)) | |
| // Prompt from file (positional argument to `opencode run`). | |
| // Keep this outside shellJoinArgs so command substitution expands at runtime. | |
| promptArg := "\"$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"" | |
| // Build command name | |
| commandName := "opencode" | |
| if workflowData.EngineConfig != nil && workflowData.EngineConfig.Command != "" { | |
| commandName = workflowData.EngineConfig.Command | |
| } | |
| opencodeCommand := fmt.Sprintf("%s run %s %s", commandName, shellJoinArgs(opencodeArgs), promptArg) |
Comment on lines
613
to
621
| // engineDefaultDomains maps each engine to its default required domains. | ||
| // Add new engines here to avoid adding new engine-specific domain functions. | ||
| var engineDefaultDomains = map[constants.EngineName][]string{ | ||
| constants.CopilotEngine: CopilotDefaultDomains, | ||
| constants.ClaudeEngine: ClaudeDefaultDomains, | ||
| constants.CodexEngine: CodexDefaultDomains, | ||
| constants.GeminiEngine: GeminiDefaultDomains, | ||
| constants.CopilotEngine: CopilotDefaultDomains, | ||
| constants.ClaudeEngine: ClaudeDefaultDomains, | ||
| constants.CodexEngine: CodexDefaultDomains, | ||
| constants.GeminiEngine: GeminiDefaultDomains, | ||
| constants.OpenCodeEngine: OpenCodeDefaultDomains, | ||
| } |
There was a problem hiding this comment.
Allowed domains for OpenCode are currently sourced from OpenCodeDefaultDomains via engineDefaultDomains, which is a static list and does not use extractProviderFromModel/GetOpenCodeDefaultDomains. As a result, provider-specific domains like api.groq.com/api.mistral.ai/api.x.ai are never added automatically, despite the presence of openCodeProviderDomains. Either wire GetOpenCodeDefaultDomains(workflowData.EngineConfig.Model) into the OpenCode allowed-domain computation (AWF + sanitization), or remove the unused dynamic-provider helpers to avoid misleading behavior.
See below for a potential fix:
// engineDefaultDomains maps each engine to its static default required domains.
// Engines with model-specific defaults (for example, OpenCode) are resolved in
// getDefaultDomainsForEngine instead of being stored directly in this map.
var engineDefaultDomains = map[constants.EngineName][]string{
constants.CopilotEngine: CopilotDefaultDomains,
constants.ClaudeEngine: ClaudeDefaultDomains,
constants.CodexEngine: CodexDefaultDomains,
constants.GeminiEngine: GeminiDefaultDomains,
}
// getDefaultDomainsForEngine returns the engine's default required domains.
// OpenCode domains are model/provider-specific, so they must be resolved via
// GetOpenCodeDefaultDomains(model) rather than the static engineDefaultDomains map.
// Falls back to an empty default domain list for unknown engines.
func getDefaultDomainsForEngine(engine constants.EngineName, model string) []string {
if engine == constants.OpenCodeEngine {
return GetOpenCodeDefaultDomains(model)
}
return engineDefaultDomains[engine]
}
// GetAllowedDomainsForEngineWithModel merges the engine's default domains with
// NetworkPermissions, HTTP MCP server domains, and runtime ecosystem domains.
// For engines with model/provider-specific defaults (such as OpenCode), pass the
// selected model so the correct default domains are included.
// Returns a deduplicated, sorted, comma-separated string suitable for AWF's
// --allow-domains flag.
func GetAllowedDomainsForEngineWithModel(engine constants.EngineName, model string, network *NetworkPermissions, tools map[string]any, runtimes map[string]any) string {
return mergeDomainsWithNetworkToolsAndRuntimes(getDefaultDomainsForEngine(engine, model), network, tools, runtimes)
}
// GetAllowedDomainsForEngine merges the engine's default domains with NetworkPermissions,
// HTTP MCP server domains, and runtime ecosystem domains.
// Returns a deduplicated, sorted, comma-separated string suitable for AWF's --allow-domains flag.
// Falls back to an empty default domain list for unknown engines.
// For model/provider-specific engines such as OpenCode, prefer
// GetAllowedDomainsForEngineWithModel so provider domains are included.
func GetAllowedDomainsForEngine(engine constants.EngineName, network *NetworkPermissions, tools map[string]any, runtimes map[string]any) string {
return GetAllowedDomainsForEngineWithModel(engine, "", network, tools, runtimes)
Comment on lines
+224
to
+232
| command := fmt.Sprintf(`mkdir -p "$GITHUB_WORKSPACE" | ||
| CONFIG="$GITHUB_WORKSPACE/opencode.jsonc" | ||
| BASE_CONFIG='%s' | ||
| if [ -f "$CONFIG" ]; then | ||
| MERGED=$(jq -n --argjson base "$BASE_CONFIG" --argjson existing "$(cat "$CONFIG")" '$existing * $base') | ||
| echo "$MERGED" > "$CONFIG" | ||
| else | ||
| echo "$BASE_CONFIG" > "$CONFIG" | ||
| fi`, configJSON) |
There was a problem hiding this comment.
opencode.jsonc will contain MCP gateway headers/tokens after convert_gateway_config_opencode.sh merges MCP config. This step writes/merges the file without setting a restrictive umask or chmod, so it can end up world-readable (default umask 022). Match the other gateway/config scripts by using umask 077 and chmod 600 on the resulting opencode.jsonc.
Comment on lines
+12
to
+18
| set -e | ||
|
|
||
| # Required environment variables: | ||
| # - MCP_GATEWAY_OUTPUT: Path to gateway output configuration file | ||
| # - MCP_GATEWAY_DOMAIN: Domain to use for MCP server URLs (e.g., host.docker.internal) | ||
| # - MCP_GATEWAY_PORT: Port for MCP gateway (e.g., 80) | ||
| # - GITHUB_WORKSPACE: Workspace directory for project-level config |
There was a problem hiding this comment.
This converter writes ${GITHUB_WORKSPACE}/opencode.jsonc, which includes Authorization headers for MCP servers. Unlike convert_gateway_config_gemini.sh/start_mcp_gateway.sh, it doesn’t set a restrictive umask or chmod the output, so the config may be created with overly-permissive mode (e.g., 0644). Consider adding umask 077, set -euo pipefail, and chmod 600 on opencode.jsonc (and any temp files) after writing/merging.
Contributor
🧪 Test Quality Sentinel ReportTest Quality Score: 96/100✅ Excellent test quality
Test Classification Details📋 All 5 new test functions (click to expand)
Flagged Tests — Requires Review
|
| Component | Formula | Points |
|---|---|---|
| Behavioral Coverage | (5 design / 5 total) × 40 | 40/40 |
| Edge/Error Case Coverage | (5 with edge cases / 5 total) × 30 | 30/30 |
| Low Duplication | 0 duplicate clusters × 5 penalty | 20/20 |
| Proportional Growth | Ratio 1.46:1 (< 2:1 threshold) | 10/10 |
| Minor deduction | Missing assertion messages in TestExtractProviderFromModel |
−4 |
| Total | 96/100 |
Language Support
Tests analyzed:
- 🐹 Go (
*_test.go): 5 new top-level functions (unit,//go:build !integration) across 4 files. 3 additional files had minor modifications (adding"opencode"to expected-engine lists — correct maintenance of existing contracts).
Verdict
✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). The new
opencode_engine_test.gois well-structured with table-driven subtests, descriptive assertion messages (except inTestExtractProviderFromModel), proper build tags, zero mock usage, and solid behavioral coverage including negative/edge cases. Please add assertion messages to the bareassert.Equalcalls inTestExtractProviderFromModel.
📖 Understanding Test Classifications
Design Tests (High Value) verify what the system does:
- Assert on observable outputs, return values, or state changes
- Cover error paths and boundary conditions
- Would catch a behavioral regression if deleted
- Remain valid even after internal refactoring
Implementation Tests (Low Value) verify how the system does it:
- Assert on internal function calls (mocking internals)
- Only test the happy path with typical inputs
- Break during legitimate refactoring even when behavior is correct
- Give false assurance: they pass even when the system is wrong
Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.
🧪 Test quality analysis by Test Quality Sentinel · ● 717.5K · ◷
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
✅ Test Quality Sentinel: 96/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). One minor guideline issue: add assertion messages to the bare assert.Equal calls in TestExtractProviderFromModel (lines 331–345 of opencode_engine_test.go).
Generated by the Design Decision Gate workflow to document the architectural decision to integrate OpenCode as a provider-agnostic BYOK agentic engine with dynamic firewall domain allowlisting. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
|
Commit pushed:
|
Contributor
🏗️ Design Decision Gate — ADR RequiredThis PR makes significant changes to core business logic (713 new lines in AI has analyzed the PR diff and generated a draft ADR to help you get started: 📄 Draft ADR: The draft covers the following design decisions identified in the diff:
What to do next
Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision. Why ADRs Matter
ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you. 📋 Michael Nygard ADR Format ReferenceAn ADR must contain these four sections to be considered complete:
All ADRs are stored in
|
Contributor
There was a problem hiding this comment.
This PR requires an Architecture Decision Record (ADR) before it can merge. A draft ADR has been generated and committed to your branch at docs/adr/25830-opencode-engine-integration.md. Please review, complete, and link it in the PR body. See the comment above for instructions.
Closed
Collaborator
|
@copilot review all comments |
…issions - Move prompt arg outside shellJoinArgs so command substitution expands at runtime - Wire GetOpenCodeDefaultDomains(model) into domain computation via getDefaultDomainsForEngine/GetAllowedDomainsForEngineWithModel so provider-specific API domains (groq, mistral, xai, etc.) are included - Add umask 077 + chmod 600 to opencode.jsonc config step and converter script to protect credential-bearing files Agent-Logs-Url: https://github.com/github/gh-aw/sessions/61b6fd43-989c-43cc-a63a-9516327a7156 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Addressed all four review comments in ce0f3e8:
Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Collaborator
|
@copilot default to copilot routing |
Change the OpenCode engine to route through the Copilot API by default (OpenAI-compatible endpoint) instead of Anthropic: - ANTHROPIC_API_KEY → OPENAI_API_KEY as default secret - ANTHROPIC_BASE_URL → OPENAI_BASE_URL for LLM gateway proxy - Default provider in extractProviderFromModel() changed to "copilot" - Added "copilot" entry to openCodeProviderDomains with Copilot API domains - Updated OpenCodeDefaultDomains static list to include api.githubcopilot.com - Updated engine definition auth secret and engine options metadata - Updated all tests to match new Copilot-first defaults Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9e268586-d79a-426a-ab44-de1e618ff6fe Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9e268586-d79a-426a-ab44-de1e618ff6fe Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Switched to Copilot routing in 5eff362:
Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Contributor
|
Hey
This PR looks ready for maintainer review. 🚀 Contribution check: 🟢 Aligned · lgtm · 2,539 lines changed across 19 files
|
Contributor
Author
Reviewed all engine references against Gemini and updated 15 files in 403dba4: Code: Added Schema: Added Docs: Updated Other: Updated The only references that correctly omit OpenCode are the Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
…ous-pull-request-18403 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9f048657-6f8d-46f1-acad-714104424b9b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Merged main and recompiled all 193 workflows in 474111f. Build and fmt pass cleanly. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Contributor
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Contributor
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
Contributor
|
🎯 Smoke OpenCode MISSION COMPLETE! OpenCode has delivered. ⚡ |
Contributor
|
|
Contributor
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
Contributor
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
Contributor
|
💥 Smoke Test 24542828858 — Claude engine
Status: PARTIAL (15 pass, 1 fail, 3 skip)
|
Contributor
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal! This review is part of automated smoke testing (run 24542828858) to validate the PR review safe output pipeline for the Claude engine.
💥 [THE END] — Illustrated by Smoke Claude · ● 214.7K
|
|
||
| - **`engine:`** - AI processor configuration | ||
| - String format: `"copilot"` (default, recommended), `"claude"`, `"codex"`, or `"gemini"` | ||
| - String format: `"copilot"` (default, recommended), `"claude"`, `"codex"`, `"gemini"`, or `"opencode"` (experimental) |
Contributor
There was a problem hiding this comment.
🤖 Smoke Test Review Comment #1 — The OpenCode engine string format description looks good! The addition of "opencode" (experimental) to the list of supported engines is clear and consistent with other engine entries. Consider adding a brief note about the BYOK model requirement in the description for discoverability. — Automated smoke test run 24542828858
| - **Note**: The `version`, `model`, and `max-turns` fields have sensible defaults and can typically be omitted unless you need specific customization. | ||
| - **`gemini` engine**: Google Gemini CLI. Requires `GEMINI_API_KEY` secret. Does not support `max-turns`, `web-fetch`, or `web-search`. Supports AWF firewall and LLM gateway. | ||
| - **`opencode` engine** (experimental): Provider-agnostic, open-source AI coding agent (BYOK). Defaults to Copilot routing via `COPILOT_GITHUB_TOKEN` (or `${{ github.token }}` with `copilot-requests` feature). Supports 75+ models via `provider/model` format. Supports AWF firewall and LLM gateway. | ||
|
|
Contributor
There was a problem hiding this comment.
🤖 Smoke Test Review Comment #2 — The new OpenCode engine documentation note is well-written. The mention of COPILOT_GITHUB_TOKEN as the default routing mechanism and the 75+ models via provider/model format gives users a clear picture. One suggestion: add an example provider/model value (e.g., anthropic/claude-opus-4-5) to make it even more actionable. — Automated smoke test run 24542828858
Contributor
Smoke Test Results — Run §24542828848
Overall: ✅ PASS
|
Contributor
There was a problem hiding this comment.
Smoke test review of PR #25830 — OpenCode engine integration. The documentation changes are well-structured, clearly marking opencode as experimental. Two minor suggestions: clarify BYOK terminology and ensure auth requirements are as prominent as they are for other engines (gemini's GEMINI_API_KEY note).
📰 BREAKING: Report filed by Smoke Copilot · ● 1.3M
|
|
||
| - **`engine:`** - AI processor configuration | ||
| - String format: `"copilot"` (default, recommended), `"claude"`, `"codex"`, or `"gemini"` | ||
| - String format: `"copilot"` (default, recommended), `"claude"`, `"codex"`, `"gemini"`, or `"opencode"` (experimental) |
Contributor
There was a problem hiding this comment.
✅ Good addition of opencode as an experimental engine option. The documentation clearly marks it as experimental, which is appropriate for a new integration. Consider adding a note about the required COPILOT_GITHUB_TOKEN or github.token with copilot-requests feature, similar to how gemini mentions GEMINI_API_KEY.
|
|
||
| - **Note**: The `version`, `model`, and `max-turns` fields have sensible defaults and can typically be omitted unless you need specific customization. | ||
| - **`gemini` engine**: Google Gemini CLI. Requires `GEMINI_API_KEY` secret. Does not support `max-turns`, `web-fetch`, or `web-search`. Supports AWF firewall and LLM gateway. | ||
| - **`opencode` engine** (experimental): Provider-agnostic, open-source AI coding agent (BYOK). Defaults to Copilot routing via `COPILOT_GITHUB_TOKEN` (or `${{ github.token }}` with `copilot-requests` feature). Supports 75+ models via `provider/model` format. Supports AWF firewall and LLM gateway. |
Contributor
There was a problem hiding this comment.
The new opencode engine description is comprehensive. One suggestion: the parenthetical "(BYOK)" might not be familiar to all users — consider spelling out "Bring Your Own Key" or linking to documentation explaining the BYOK model.
Contributor
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
Collaborator
|
@copilot pp Mark open code as experimental. |
Copilot stopped work on behalf of
pelikhan due to an error
April 17, 2026 01:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Re-applies the OpenCode engine integration from #18403, adapted to current HEAD. OpenCode is a provider-agnostic, open-source AI coding agent supporting 75+ models via BYOK (Bring Your Own Key).
New engine (
pkg/workflow/opencode_engine.go,opencode_mcp.go)COPILOT_GITHUB_TOKEN(or${{ github.token }}whencopilot-requestsfeature is enabled)OPENAI_API_KEYenv var is sourced from the Copilot token for OpenAI-compatible API accessGetSecretValidationStepoverride skips validation whencopilot-requestsis enabled (matches Copilot engine pattern)copilot/,anthropic/,openai/,google/,groq/, etc.)opencode.jsoncwith all permissions set toallowto prevent CI hanging (umask 077+chmod 600for credential protection)convert_gateway_config_opencode.sh(gateway HTTP → OpenCoderemoteformat, withumask 077+chmod 600)opencode-ai@1.2.14)opencode.jsonc,AGENTS.md) and path prefixes (.opencode/) for fork PR injection protectionConstants & registration
OpenCodeLLMGatewayPort = 10004,OpenCodeCLIModelEnvVar = "OPENCODE_MODEL"data/engines/opencode.md, registered inNewEngineRegistry()AgenticEnginesupdated to 5 entries,EngineOptionsincludesCOPILOT_GITHUB_TOKENas primary secret withANTHROPIC_API_KEY/GOOGLE_API_KEYalternativesopencodeDomain allowlists (
domains.go)OpenCodeBaseDefaultDomains+openCodeProviderDomainsmap for dynamic per-provider domains (includingcopilot→api.githubcopilot.com)extractProviderFromModel()parsesprovider/modelformat, defaults tocopilotgetDefaultDomainsForEngine()/GetAllowedDomainsForEngineWithModel()wire dynamic provider-specific domains into AWF and sanitizationshellJoinArgsso$(cat ...)command substitution expands at runtimeSmoke test (
.github/workflows/smoke-opencode.md)make buildworkflow_dispatch,pull_request(labeled "smoke"), andreaction(no scheduled runs)Codebase-wide engine parity
"opencode"togetDefaultAgentModel()incompiler_yaml_lookups.go(returns"auto"like other built-in engines)--engineflag help text intokens_bootstrap.goand engine name completions testopencodeengines.md: available agents table, feature comparison, version pinning, custom API endpoints, tool timeout, summary tablesgithub-agentic-workflows.md: engine string format, config comments, engine notes, validation enumscli.md,faq.md,environment-variables.md: engine lists and model override variablesfrontmatter-full.mdfrom updated schemapkg/workflow/README.md,pkg/console/README.md,daily-rendering-scripts-verifier.mdworkflowAdaptations from original PR
SafeInputsreferences (not in current codebase)BuildStandardNpmEngineInstallSteps,collectCommonMCPSecrets,renderStandardJSONMCPConfigBaseEnginefields (supportsWebFetch,supportsPlugins)${RUNNER_TEMP}/gh-awconvention (not legacy/opt/gh-aw)Tests
engine_catalog_test.go,engine_definition_test.go,constants_test.gofor 5 built-in enginescompletions_test.gofor 5 engine names and wasm golden files✨ PR Review Safe Output Test - Run 24542828858