From 46237cd2d981f1d22a4bde9af2fd9b8a0b4f8100 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sun, 12 Apr 2026 14:20:16 +0100
Subject: [PATCH] =?UTF-8?q?fix(ci):=20resolve=20opencode=20workflow=20fail?= =?UTF-8?q?ures=20=E2=80=94=20PAT=20permissions,=20git=20identity,=20valid?= =?UTF-8?q?ation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Switch audit workflow checkout and GH_TOKEN from github.token to OPENCODE_PAT (github.token is read-only for scheduled runs, causing 403 on push and issue creation)
- Add git identity config (user.name/email) before opencode steps in both workflows (prevents 'empty ident name' / 'Author identity unknown' fatal errors)
- Add PAT push permission pre-check in test-writer (fails fast instead of 6+ min wasted)
- Add module directory validation step in audit workflow
- Document required PAT scopes in both workflow headers
---
 .github/workflows/opencode-audit.yml | 31 +++++++++++++++++++---
 .github/workflows/opencode-test-writer.yml | 23 ++++++++++++++++
 2 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/opencode-audit.yml b/.github/workflows/opencode-audit.yml
index c75f3b01..e73353e2 100644
--- a/.github/workflows/opencode-audit.yml
+++ b/.github/workflows/opencode-audit.yml
@@ -1,5 +1,11 @@
 name: opencode-audit
 
+# Required repository secrets:
+# - OPENCODE_PAT: Classic PAT with `repo` scope OR fine-grained PAT with:
+# Contents: Read, Issues: Read & Write, Pull requests: Read & Write
+# Without proper scopes, gh issue create and label operations will fail.
+# - MINIMAX_API_KEY: API key for the MiniMax M2.7 model
+
 on:
   schedule:
     - cron: '0 6 * * *'
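Review bot: The new header in opencode-audit.yml presents a classic PAT with `repo` scope as an equal alternative to a fine-grained token, but `repo` grants read/write on every repository the token owner can reach, whereas the fine-grained list right below it (Contents: Read, Issues: Read & Write, Pull requests: Read & Write) is bounded to this repository; the same wording is added in the opencode-test-writer.yml header hunk. Since this comment is the only place the scopes are documented, it should lead with the narrower option, e.g. `# - OPENCODE_PAT: fine-grained PAT scoped to this repository with Contents: Read, Issues: Read & Write, Pull requests: Read & Write` followed by `#   (a classic PAT with repo scope also works but grants access to every repository of its owner)`. It would also help readers planning a rotation to state in the header that the secret is used both as the checkout token and as GH_TOKEN in this workflow, as the later hunks show.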
@@ -65,7 +71,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ github.token }}
+          token: ${{ secrets.OPENCODE_PAT }}
+
+      - name: Configure git identity
+        run: |
+          git config user.name "opencode[bot]"
+          git config user.email "opencode[bot]@users.noreply.github.com"
 
       - name: Setup Nix
         uses: ./.github/actions/setup-nix
@@ -78,7 +89,21 @@ jobs:
               --color "1D76DB" || true
           fi
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.OPENCODE_PAT }}
+
+      - name: Validate module directory exists
+        run: |
+          MODULE_PATH="${{ steps.select-module.outputs.module_path }}"
+          if [ ! -d "$MODULE_PATH" ]; then
+            echo "::warning::Module directory '$MODULE_PATH' does not exist — audit may be limited to partial or no source files"
+            echo "Listing parent directory:"
+            PARENT=$(dirname "$MODULE_PATH")
+            ls -la "$PARENT" 2>/dev/null || echo "Parent directory '$PARENT' also missing"
+          else
+            echo "Module directory confirmed: $MODULE_PATH"
+            echo "Files in module:"
+            find "$MODULE_PATH" -name '*.zig' | head -20
+          fi
 
       - name: Ensure opencode cache dir exists
         run: |
@@ -323,4 +348,4 @@ jobs:
             echo "✅ No compliance violations detected."
           fi
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.OPENCODE_PAT }}
diff --git a/.github/workflows/opencode-test-writer.yml b/.github/workflows/opencode-test-writer.yml
index ed8124e4..91ec5c67 100644
--- a/.github/workflows/opencode-test-writer.yml
+++ b/.github/workflows/opencode-test-writer.yml
@@ -1,5 +1,11 @@
 name: opencode-test-writer
 
+# Required repository secrets:
+# - OPENCODE_PAT: Classic PAT with `repo` scope OR fine-grained PAT with:
+# Contents: Read & Write, Pull requests: Read & Write, Metadata: Read
+# Without `repo` scope, git push will fail with 403 permission denied.
+# - MINIMAX_API_KEY: API key for the MiniMax M2.7 model
+
 on:
   schedule:
     - cron: '0 4 * * *'
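Review bot: Passing OPENCODE_PAT as the checkout `token` stores it in the workspace's `.git/config` for every later step of the job (actions/checkout persists credentials unless `persist-credentials: false` is set), including the opencode agent steps, yet the header added in the same file says the audit token needs only Contents: Read; if nothing in this job pushes, the checkout can keep `token: ${{ github.token }}` with `persist-credentials: false` and the PAT can be exposed only as `GH_TOKEN` on the steps that create issues and labels. If the 403 on issue creation was the actual blocker, a job-level `permissions:` block with `issues: write` (plus `pull-requests: write` if the labelling needs it) would let github.token do that on scheduled runs without a long-lived PAT, unless the organisation locks the default token permissions; the job definition is outside this hunk, so that is worth confirming there. The `Configure git identity` step itself looks fine and matches the one added to opencode-test-writer.yml.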
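Review bot: In the `Validate module directory exists` step, `MODULE_PATH="${{ steps.select-module.outputs.module_path }}"` substitutes the step output into the script text before bash runs it, so a value containing a double quote or `$(...)` would be executed rather than treated as data; the same pattern is used for `base_branch` in the `Verify PAT push permissions` hunk of opencode-test-writer.yml. Even if select-module derives the path from a fixed case statement today (that step is outside this hunk, so I cannot confirm it), the robust form is to hand the value over through the environment: add `env:` and `  MODULE_PATH: ${{ steps.select-module.outputs.module_path }}` on the step and delete the assignment line, leaving every `"$MODULE_PATH"` reference unchanged. Separately, the step only emits `::warning::` and continues when the directory is missing, so a wrong module path still spends the full opencode run on an empty tree; if that is not the intent, end the missing-directory branch with `exit 1`.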
@@ -133,6 +139,9 @@ jobs:
           ;;
         esac
 
+      # OPENCODE_PAT must be a classic PAT with `repo` scope (full control of private repositories)
+      # or a fine-grained PAT with Contents: Read & Write on this repository.
+      # Without write permission, git push will fail with 403.
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
@@ -140,6 +149,11 @@ jobs:
           fetch-depth: 0
           token: ${{ secrets.OPENCODE_PAT }}
 
+      - name: Configure git identity
+        run: |
+          git config user.name "opencode[bot]"
+          git config user.email "opencode[bot]@users.noreply.github.com"
+
       - name: Ensure test label exists
         run: |
           if ! gh label list --json name --jq '.[].name' | grep -q '^automated-test$'; then
@@ -184,6 +198,15 @@ jobs:
             echo "::warning::$MISSING scan path(s) missing — the scan_paths case statement in this workflow may need updating"
           fi
 
+      - name: Verify PAT push permissions
+        if: steps.check-existing.outputs.skip != 'true'
+        run: |
+          if ! git push --dry-run origin HEAD:${{ steps.select-module.outputs.base_branch }} 2>/dev/null; then
+            echo "::error::OPENCODE_PAT cannot push to repository. Ensure the PAT has 'repo' scope (classic) or Contents: Read & Write (fine-grained)."
+            exit 1
+          fi
+          echo "PAT has push permissions."
+
       - name: Setup Nix
         if: steps.check-existing.outputs.skip != 'true'
         uses: ./.github/actions/setup-nix
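Review bot: `git push --dry-run ... 2>/dev/null` in the `Verify PAT push permissions` step throws away git's own diagnostic, which is the one line that tells a 403 apart from a branch-protection rejection, a wrong remote or a missing credential helper, so the `::error::` message can blame the PAT for a failure it did not cause; drop the redirect or use `2>&1` (git does not echo the token on failure). The dry run targets `HEAD:<base_branch>`, so a protection rule on the base branch can reject it even when the PAT is allowed to push the branch the workflow actually uses, or pass while a later real push fails for an unrelated reason; which applies depends on the push step, which is outside this hunk. The check also relies on the credential persisted by the earlier checkout step (`token: ${{ secrets.OPENCODE_PAT }}`, `fetch-depth: 0`) rather than on the secret directly, which is fine as long as that checkout keeps persist-credentials enabled; a comment on the step saying so would stop someone from later adding `persist-credentials: false` and silently breaking it.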