
Stop /review-pr from posting duplicate PR reviews#11

Merged: dceoy merged 2 commits into main from fix/review-pr-duplicate-posting on Jul 2, 2026



@dceoy dceoy commented Jul 1, 2026

Owner

Problem

A /review-pr run produced two PR postings: an opencode-agent[bot] summary (from the opencode github run integration, which already posts the agent final response) and an additional github-actions[bot] review/comment, because the bundled command instructed the agent to call GitHub write APIs directly via gh api .../pulls/$PR_NUMBER/reviews (with a gh pr comment fallback).

Change

Make /review-pr output-only so a review run yields a single OpenCode posting from opencode-agent[bot].

  • .opencode/commands/review-pr.md — replace the posting section with an output-only policy: return one concise markdown review response; do not call gh api, gh pr review, or gh pr comment. The surrounding opencode github run integration posts the final response. Reword the anchoring step to validate file:line references against the diff. Kept finding normalization, deduplication, severity grouping, and diff validation; kept file:line references in the summary body so the single OpenCode comment stays actionable.
  • .opencode/skills/review-pr/SKILL.md — mirror the same policy; remove the Review API, inline-comment, and fallback posting sections; update workflow integration wording.
  • README.md — document that /review-pr produces one OpenCode PR comment via opencode-agent[bot], not a separate github-actions[bot] review; drop the issues: write fallback requirement.

Inputs / outputs / secrets

No action inputs, outputs, or secret requirements changed.

Verification

  • npx -y prettier --write ./**/*.md — clean
  • .agents/skills/local-qa/scripts/validate-opencode.sh — OK: agent frontmatter and review-pr references valid
  • Full repo QA (qa.sh: prettier, yamllint, shellcheck, zizmor, actionlint, checkov, validate-opencode) passed via the pre-push hook

Acceptance

  • /review-pr no longer instructs the agent to call GitHub write APIs directly.
  • The final review output is a single concise markdown response the OpenCode GitHub integration posts.
  • A PR review run produces one user-visible OpenCode posting from opencode-agent[bot], not both a github-actions[bot] review and an opencode-agent[bot] summary.
  • No unrelated behavior or large refactor introduced; the OpenCode GitHub runner implementation is unchanged.

The OpenCode GitHub integration (opencode github run) already posts the
agent's final response to the PR as opencode-agent[bot]. The bundled
/review-pr command was also instructing the agent to call GitHub write
APIs directly (gh api .../reviews, gh pr comment fallback), producing an
additional github-actions[bot] review/comment.

Make /review-pr output-only so a review run yields a single OpenCode
posting from opencode-agent[bot]:

- .opencode/commands/review-pr.md: replace the posting section with an
  output-only policy (return one concise markdown response; do not call
  gh api, gh pr review, or gh pr comment). Reword anchoring to validate
  file:line references; keep normalization, dedup, severity grouping,
  and diff validation. Keep file:line references in the summary body.
- .opencode/skills/review-pr/SKILL.md: mirror the same policy; remove
  Review API, inline-comment, and fallback posting sections; update
  workflow integration wording.
- README.md: document that /review-pr produces one OpenCode PR comment
  via opencode-agent[bot], not a separate github-actions[bot] review.
@dceoy dceoy self-assigned this Jul 1, 2026
@dceoy dceoy marked this pull request as ready for review July 1, 2026 12:49

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce9a329435

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread README.md
@dceoy dceoy marked this pull request as draft July 1, 2026 13:00

Include GITHUB_TOKEN in curl request when fetching the latest OpenCode
release from GitHub API. This improves API rate limit handling and allows
authenticated requests when the token is available.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

@dceoy dceoy marked this pull request as ready for review July 1, 2026 13:17

opencode-agent Bot commented Jul 2, 2026


Reviewed 4 changed files across documentation accuracy, project guideline compliance, and security.

Important (2)

  • README.md:85 — The permission requirements are incomplete for the token-backed path. The README now lists only GH_TOKEN/GITHUB_TOKEN for gh reads and omits pull-requests: write and issues: write. That is accurate when OpenCode posts via its App-token/OIDC path, but when the workflow sets use-github-token: true the integration posts the final response using the workflow GITHUB_TOKEN, which still requires pull-requests: write (and issues: write for issue-style comments). Restore a conditional note, e.g. "When using use-github-token: true, also grant pull-requests: write (and issues: write if the integration posts issue comments)."

  • action.yml:62 — Passing GITHUB_TOKEN: ${{ github.token }} unconditionally to the version-resolution step bypasses the existing use-github-token: false opt-out. Consumers who set use-github-token: false may reasonably expect the workflow token not to be used. Make the token conditional on the input, e.g. GITHUB_TOKEN: ${{ inputs.use-github-token == 'true' && github.token || '' }}, and gate the Authorization header on both the input being true and the token being non-empty.

Suggestions (1)

  • Same stale terminology in two files: .opencode/commands/review-pr.md:121 and .opencode/skills/review-pr/SKILL.md:107 both still tell the agent to "Leave line validation to the ... anchoring step", but the corresponding sections were renamed to "Validate file:line references against the diff" / "File:line Reference Validation". Update both references to the current terminology for consistency.

Verification note

npx prettier --write ran clean. The full .agents/skills/local-qa/scripts/qa.sh suite could not complete in this environment because uvx is not installed, so yamllint/shellcheck/zizmor/actionlint/checkov were not executed.

github run
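
The token gating that the opencode-agent review above recommends for the version-resolution step, sketched as an added example that is not the action's own code. The function names, the positional arguments and the OWNER/REPO placeholder URL are assumptions, and the block only builds curl arguments without making a request.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not taken from action.yml).
# $1 = value of the use-github-token input as the step received it
# $2 = token value placed in the step's environment (may be empty)

# Prints "yes" only when an Authorization header may be sent.
should_authenticate() {
  # Gate 1: the consumer must have opted in. Only the literal string
  # 'true' counts, matching the expression quoted in the review.
  [ "${1:-}" = "true" ] || { echo no; return 0; }
  # Gate 2: a token must actually be present, otherwise curl would
  # send an empty bearer credential.
  [ -n "${2:-}" ] || { echo no; return 0; }
  echo yes
}

# Prints the curl arguments for the release lookup, one per line.
# $3 = API URL to query.
release_curl_args() {
  printf '%s\n' --fail --silent --show-error --location
  printf '%s\n' --header 'Accept: application/vnd.github+json'
  if [ "$(should_authenticate "${1:-}" "${2:-}")" = yes ]; then
    printf '%s\n' --header "Authorization: Bearer ${2}"
  fi
  printf '%s\n' "${3:-}"
}

# Constructed demo values: placeholder repository and a fake token.
DEMO_URL='https://api.github.com/repos/OWNER/REPO/releases/latest'
DEMO_TOKEN='constructed-token-value'

for opt_in in true false; do
  echo "use-github-token=${opt_in}: auth=$(should_authenticate "$opt_in" "$DEMO_TOKEN")"
done
echo "use-github-token=true, empty token: auth=$(should_authenticate true '')"
```

With the opt-out honoured in both places (the workflow expression and the shell gate), a consumer who sets use-github-token: false gets an unauthenticated lookup even if a token leaks into the step's environment.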

@dceoy dceoy merged commit 3093e53 into main Jul 2, 2026
9 of 10 checks passed
@dceoy dceoy deleted the fix/review-pr-duplicate-posting branch July 2, 2026 03:02