Description
Problem
When opencode github run is triggered by a pull_request event where the actor is a GitHub App bot (e.g. my-bot[bot]), the assertPermissions() check fails with:
Asserting permissions for user my-bot[bot]...
permission: none
User my-bot[bot] does not have write permissions
This happens because GitHub's "Get repository permissions for a user" API always returns permission: none for GitHub App bot accounts. Apps authenticate via installation tokens and are not traditional collaborators — their permissions come from the App installation, not the collaborators model.
Context
The use_github_token: true input is set, so the workflow is already managing its own authentication via a GitHub App token. The permission check is redundant in this mode since the caller has explicitly opted into providing their own GITHUB_TOKEN with the appropriate scopes.
Relevant code
In packages/opencode/src/cli/cmd/github.ts, the permission check runs unconditionally for all user events:
```ts
if (isUserEvent) {
  await assertPermissions() // no bypass for useGithubToken mode
  await addReaction(commentType)
}
```
Suggested fix
Skip assertPermissions() when useGithubToken is true:
```ts
if (isUserEvent) {
  if (!useGithubToken) {
    await assertPermissions()
  }
  await addReaction(commentType)
}
```
When use_github_token: true, the caller is explicitly providing a GITHUB_TOKEN and taking responsibility for permissions. The collaborator-level permission check is both unnecessary and broken for bot actors in this mode.
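To make the failure mode and the proposed gate concrete, here is an added example (not opencode's own code) that models the permission check with an injectable lookup. The lookup, the `[bot]` suffix test, the sample actors and the `GateInput`/`GateResult` shapes are assumptions for illustration; the lookup stands in for the collaborators API and returns `none` for App bot actors, which is the behaviour the issue reports.

```typescript
// Added example, not code from the opencode repository. It models the
// permission gate described in the issue with an injectable permission
// lookup so the bot-actor case can be exercised offline.

type Permission = "admin" | "write" | "read" | "none"

// Stand-in for GitHub's "Get repository permissions for a user" endpoint.
type PermissionLookup = (actor: string) => Permission

interface GateInput {
  actor: string
  isUserEvent: boolean
  useGithubToken: boolean
}

interface GateResult {
  allowed: boolean
  checked: boolean // true when the collaborator lookup actually ran
  reason: string
}

// GitHub App bot accounts appear with a "[bot]" suffix on their login.
function isAppBotActor(actor: string): boolean {
  return actor.endsWith("[bot]")
}

// Constructed lookup (hypothetical): mirrors the reported API behaviour by
// returning "none" for any App bot; "alice" is a sample human with write.
const fakePermissionLookup: PermissionLookup = (actor) => {
  if (isAppBotActor(actor)) return "none"
  return actor === "alice" ? "write" : "read"
}

// The gate as it is on the page before the fix: the check always runs.
function gateUnconditional(input: GateInput, lookup: PermissionLookup): GateResult {
  if (!input.isUserEvent) {
    return { allowed: true, checked: false, reason: "not a user event" }
  }
  const perm = lookup(input.actor)
  const ok = perm === "write" || perm === "admin"
  return {
    allowed: ok,
    checked: true,
    reason: ok ? `permission: ${perm}` : `User ${input.actor} does not have write permissions`,
  }
}

// The gate with the suggested fix: when the caller opted into
// use_github_token: true, the supplied token carries the permissions and
// the collaborator lookup is skipped.
function gateWithTokenBypass(input: GateInput, lookup: PermissionLookup): GateResult {
  if (!input.isUserEvent) {
    return { allowed: true, checked: false, reason: "not a user event" }
  }
  if (input.useGithubToken) {
    return {
      allowed: true,
      checked: false,
      reason: "use_github_token: caller-provided token is trusted for permissions",
    }
  }
  return gateUnconditional(input, lookup)
}

// Usage: the bot actor from the issue is rejected by the unconditional gate
// and accepted once the bypass is in place; a human without write is still
// rejected because the bypass only applies when useGithubToken is set.
const botEvent: GateInput = { actor: "my-bot[bot]", isUserEvent: true, useGithubToken: true }
console.log(gateUnconditional(botEvent, fakePermissionLookup).reason)
console.log(gateWithTokenBypass(botEvent, fakePermissionLookup).reason)
```

The `checked` flag is there so a reviewer can see in logs whether the collaborator lookup was consulted at all: with the bypass, a bot actor is admitted solely because the workflow author chose to supply the token, which is the responsibility shift the issue describes.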
Reproduction
- Create a GitHub App that can open PRs on a repo
- Have the App open a PR (actor becomes <app-name>[bot])
- Configure an opencode review workflow with use_github_token: true triggered on pull_request events
- The review job fails with: User <app-name>[bot] does not have write permissions