fix(github): auto-deny permissions and emit events in non-interactive mode#6832
Open
elithrar wants to merge 7 commits intoanomalyco:devfrom
Open
fix(github): auto-deny permissions and emit events in non-interactive mode#6832elithrar wants to merge 7 commits intoanomalyco:devfrom
elithrar wants to merge 7 commits intoanomalyco:devfrom
Conversation
rekram1-node
reviewed
Jan 4, 2026
Contributor
|
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details. |
elithrar
changed the title
- Add isInteractive() utility to detect CI/non-TTY environments - Auto-deny permission requests when running non-interactively - Emit permission.asked events before denying for visibility - Subscribe to permission events in github.ts and run.ts with actionable guidance - Add OPENCODE_EMIT_SUBAGENT_EVENTS flag for verbose subagent output - Add emit_subagent_events input to GitHub Action
GUI clients like the desktop app handle permissions through their own UI, so we should not auto-deny when OPENCODE_CLIENT is set to something other than 'cli'.
- Fix unsubscribeEvents shadowing bug in github.ts (cleanup was never called) - Make CI env var check case-insensitive (CI=TRUE now works) - Use bracket notation for env var access (codebase consistency) - Add unit tests for isInteractive() covering all code paths
elithrar
force-pushed
the
non-interactive-events-deny
branch
from
d6b2f38 to
1b409da
Compare
Contributor
Author
|
@rekram1-node wanted to bring this one back: getting more info in CI when 'headless' is hugely useful to us. right now any subagents are invisible, and any permissions errors just stall the workflows. also applies to sandbox environments - setting |
Contributor
Author
|
another example: https://github.com/ask-bonk/ask-bonk/actions/runs/22177421690/job/64129579673#step:3:281 (it’s hard to debug as it just stalls forever - it shouldn’t prompt for questions when non-interactive) |
Contributor
Author
|
updated and resolved conflicts |
…-deny # Conflicts: # github/action.yml
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes issues where permissions requests block indefinitely in CI/GitHub Actions, with no output indicating why. I keep running into this in CI runs, especially when the harness is trying to solve a problem or I'm testing/building plugins.
Since there's no way to prompt a user, it should just auto-deny by default + emit this to the logs so users can understand what happened.
Changes
isInteractive()utility - checksCIenv var,OPENCODE_CLIENT, and TTY state!isInteractive()(no one to approve)permission.askedevents before denying so they're visible in logsgithub.tsandrun.tswith actionable guidance on how to allowOPENCODE_EMIT_SUBAGENT_EVENTSflag for verbose subagent output in CIemit_subagent_eventsinput to GitHub Actionquestionpermission by default in GitHub Action sessions (merged from dev)isInteractive()LogicOnly auto-denies for the CLI client in non-TTY/CI environments:
OPENCODE_FORCE_INTERACTIVE=true→ interactive (for tests)CI=true→ non-interactive (auto-deny)OPENCODE_CLIENTis notcli(e.g.desktop) → interactive (GUI handles permissions)stdin.isTTY && stdout.isTTYcurrent possible
OPENCODE_CLIENTvalues:cli(default),desktopExample Output
When a permission is denied in CI: