Problem
The smoke-opencode.md workflow exists in .github/workflows/ but has not been compiled to a .lock.yml and is therefore not active in GitHub Actions. The file explicitly notes:
"Compilation is pending opencode engine support in gh-aw. Once the engine is supported, run gh-aw compile .github/workflows/smoke-opencode.md followed by npx tsx scripts/ci/postprocess-smoke-workflows.ts."
Additionally, the smoke-opencode.md only allows defaults + github network domains, which may not cover npm registry traffic needed for opencode-ai@1.2.14 installation, or provider-specific upstream domains (Anthropic, OpenAI, Google, Groq) depending on the OPENCODE_MODEL prefix used.
Context
gh-aw (pkg/workflow/opencode_engine.go)
The api-proxy sidecar already handles OpenCode on port 10004 (containers/api-proxy/server.js:1057–1138) via resolveOpenCodeRoute(), supporting credential priority: OPENAI_API_KEY → ANTHROPIC_API_KEY → COPILOT_GITHUB_TOKEN
Types and constants already reference API_PROXY_PORTS.OPENCODE = 10004 (src/types.ts:47)
Root Cause
The smoke-opencode.md was written in anticipation of the OpenCode engine landing in gh-aw, but the compilation step was intentionally deferred. The gh-aw PR #25830 (re-applying the original #18403) is the prerequisite; once it merges, the firewall side needs to compile the workflow and validate the full path.
A secondary gap: the network: allowed list in smoke-opencode.md does not account for all domains that OpenCode needs depending on the model provider prefix (e.g., anthropic/, openai/, google/, groq/). The gh-aw side computes dynamic OpenCodeBaseDefaultDomains + per-provider openCodeProviderDomains at engine invocation time; the smoke test should exercise at least the default Copilot path.
Proposed Solution
After gh-aw #25830 merges, compile and post-process the smoke workflow:
This generates smoke-opencode.lock.yml with the correct local-build substitutions.
Verify network: allowed domains in smoke-opencode.md cover:
registry.npmjs.org (npm install of opencode-ai)
For the default Copilot routing path: api.githubcopilot.com is already covered by defaults; no extra domains needed for the default smoke test
Consider adding npmjs.org if not already in the defaults allowlist
Validate api-proxy routing for OpenCode: confirm resolveOpenCodeRoute() in containers/api-proxy/server.js:305 correctly falls back through OPENAI_API_KEY → ANTHROPIC_API_KEY → Copilot token derivation for each model prefix, and that the proxy correctly handles the /health endpoint on port 10004.
Run the smoke test on a PR to verify the full end-to-end path: OpenCode installs → connects to api-proxy:10004 → Squid allows api.githubcopilot.com → model responds.
Files to Touch
.github/workflows/smoke-opencode.md — review/update network: allowed if needed
.github/workflows/smoke-opencode.lock.yml — generate via compile + postprocess
containers/api-proxy/server.js — no changes expected, but verify resolveOpenCodeRoute handles WebSocket upgrades (line 1118) which OpenCode may require for streaming
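
A pre-flight check that ties the two gaps above together: which credential wins under the stated priority decides which upstream domain the allowlist must contain. This is an added example, not code from containers/api-proxy/server.js; the function names, the OpenAI and Anthropic upstream hosts, the subdomain-matching rule and the sample allowlist are assumptions.

```javascript
// Added illustration; not the project's resolveOpenCodeRoute().
// Credential priority as stated in the issue. The upstream hosts for the
// OpenAI and Anthropic routes are assumptions; api.githubcopilot.com is
// the host the issue names for the default Copilot path.
const ROUTE_PRIORITY = [
  { envVar: 'OPENAI_API_KEY', upstream: 'api.openai.com' },
  { envVar: 'ANTHROPIC_API_KEY', upstream: 'api.anthropic.com' },
  { envVar: 'COPILOT_GITHUB_TOKEN', upstream: 'api.githubcopilot.com' },
];
const NPM_REGISTRY = 'registry.npmjs.org'; // needed to install opencode-ai

// First credential that is set and non-blank wins. Only the variable name
// is returned, never the secret value, so the result is safe to log.
function pickRoute(env) {
  const hit = ROUTE_PRIORITY.find(r => (env[r.envVar] || '').trim() !== '');
  return hit ? { envVar: hit.envVar, upstream: hit.upstream } : null;
}

// Allowlist match: exact host, or a subdomain of an entry (assumed rule).
// The leading-dot comparison keeps "evilnpmjs.org" from matching "npmjs.org".
function domainAllowed(host, allowlist) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return allowlist.some(entry => {
    const e = entry.toLowerCase().replace(/^\./, '');
    return h === e || h.endsWith('.' + e);
  });
}

// Returns the domains the run would need that the allowlist does not cover.
function preflight(env, allowlist) {
  const route = pickRoute(env);
  if (!route) return { route: null, blocked: [], error: 'no credential set' };
  const needed = [NPM_REGISTRY, route.upstream];
  const blocked = needed.filter(d => !domainAllowed(d, allowlist));
  return { route, blocked, error: null };
}

// Constructed inputs: a stand-in for a resolved allowlist, not the real
// contents of defaults + github.
const sampleAllowlist = ['api.githubcopilot.com', 'github.com'];
console.log(preflight({ COPILOT_GITHUB_TOKEN: 'x' }, sampleAllowlist));
console.log(preflight({ OPENAI_API_KEY: 'x', COPILOT_GITHUB_TOKEN: 'x' }, sampleAllowlist));
```

With the constructed allowlist, a stray OPENAI_API_KEY in the environment moves the run off the default Copilot path and adds a second blocked domain, which is the failure the smoke test would otherwise surface only at request time.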