From bac8233eaae5c2a19fef78ecb9bd85a2c3eba601 Mon Sep 17 00:00:00 2001
From: Alexandru Nedelcu
Date: Sat, 9 May 2026 10:25:59 +0300
Subject: [PATCH 1/3] Change permissions for opencode workflow to read-only
---
 .github/workflows/opencode-upgrades.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/opencode-upgrades.yml b/.github/workflows/opencode-upgrades.yml
index 29b4222..ab4038e 100644
--- a/.github/workflows/opencode-upgrades.yml
+++ b/.github/workflows/opencode-upgrades.yml
@@ -10,8 +10,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 id-token: write
- contents: write
- pull-requests: write
+ contents: read
+ pull-requests: read
 issues: write
 steps:
 - name: Checkout repository
From 380e70ab0f40457d0aba07fb27e7a5e650a39304 Mon Sep 17 00:00:00 2001
From: Alexandru Nedelcu
Date: Sat, 9 May 2026 10:28:45 +0300
Subject: [PATCH 2/3] Add GITHUB_TOKEN to opencode workflow
---
 .github/workflows/opencode.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml
index ce8284a..40fc47d 100644
--- a/.github/workflows/opencode.yml
+++ b/.github/workflows/opencode.yml
@@ -35,5 +35,7 @@ jobs:
 uses: anomalyco/opencode/github@latest
 env:
 OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 model: opencode-go/deepseek-v4-pro
+ use_github_token: true
From 9c781487110524d99c6a73eab5055a2e01d2b936 Mon Sep 17 00:00:00 2001
From: Alexandru Nedelcu
Date: Sat, 9 May 2026 10:30:25 +0300
Subject: [PATCH 3/3] Update issues permission in workflow
Change issues permission from write to read.
---
 .github/workflows/opencode-upgrades.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/opencode-upgrades.yml b/.github/workflows/opencode-upgrades.yml
index ab4038e..c7efccb 100644
--- a/.github/workflows/opencode-upgrades.yml
+++ b/.github/workflows/opencode-upgrades.yml
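Review bot: In patch 1/3 (`.github/workflows/opencode-upgrades.yml`), `id-token: write` stays in place beside the new `contents: read` and `pull-requests: read`, and this `permissions:` block only scopes the job's `GITHUB_TOKEN`. If a step later in the job (outside this hunk) exchanges the OIDC token for a different credential as opposed to using `GITHUB_TOKEN`, the read-only values here do not bound what that credential can do. It is worth confirming which credential the step actually uses, then either dropping `id-token: write` or documenting it with a comment such as `# id-token: write is needed for <reason>; GITHUB_TOKEN itself is read-only`.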
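Review bot: In patch 2/3 (`.github/workflows/opencode.yml`), the added `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is handed to `anomalyco/opencode/github@latest`, a mutable ref, so whatever code that ref resolves to at run time receives both the repository token and `OPENCODE_API_KEY`. Pinning the action to a reviewed commit, e.g. `uses: anomalyco/opencode/github@<full-commit-sha>  # <release tag>`, keeps an upstream retag from changing what runs with those secrets. The job's `permissions:` block and its trigger are outside this hunk, so the token's effective scope cannot be checked from here. It should be the minimum the action needs, since `use_github_token: true` presumably makes it the working credential.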
@@ -12,7 +12,7 @@ jobs:
 id-token: write
 contents: read
 pull-requests: read
- issues: write
+ issues: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
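Review bot: With the job token now read-only for `contents`, `pull-requests` and `issues` in patch 3/3, the `actions/checkout@v6` step in the trailing context still leaves that token available to later steps by default. The step's `with:` block is outside this hunk, so this may already be handled. If it is not, adding `persist-credentials: false` under the checkout step's `with:` fits the least-privilege intent of the series, provided no later step needs authenticated git access.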