Professional development workflows: CI/CD, CodeRabbit AI Review, Branch Protection, and automatic upstream monitoring
This setup implements the same professionalism standard as Warrior AI Solutions (Weston):
| Component | Status | Purpose |
|---|---|---|
| CI Workflow | ✅ Active | Lint, Typecheck, Secret Scan on every PR |
| CodeRabbit | ⚙️ Configured | AI Code Review on all PRs |
| OpenCode Action | ✅ Active | /opencode commands in Issues/PRs |
| Upstream Sync | ✅ Active | Daily monitoring of forks |
| Branch Protection | 🔧 Manual | To be activated in GitHub Settings |
- Go to https://app.coderabbit.ai
- Log in with your GitHub Account
- Install CodeRabbit on your GitHub Account
- Select the
Steffen025/pai-opencoderepository
CodeRabbit is now active — it automatically reviews all PRs based on .coderabbit.yaml.
Go to Settings → Secrets and variables → Actions and add:
| Secret | Value | Required for |
|---|---|---|
UPSTREAM_SYNC_TOKEN |
GitHub Personal Access Token | Upstream Sync Workflows |
Create Token:
- https://github.com/settings/tokens → Generate new token (classic)
- Scopes:
repo(full control) +issues(write) - Copy the token and save as
UPSTREAM_SYNC_TOKEN
Optional (for OpenCode Agent):
| Secret | Value | Required for |
|---|---|---|
OPENCODE_API_KEY |
Your OpenCode/Zen API Key | OpenCode Action |
Go to Settings → Branches → Branch protection rules:
☑️ Require a pull request before merging
☑️ Require status checks to pass
- Search for: "CI — Lint, Typecheck, Secrets"
☑️ Restrict pushes that create files larger than 100 MB
☐ Do not allow bypassing the above settings (leave unchecked for now)
☑️ Require a pull request before merging
☑️ Require approvals: 1 (or 0 if you work alone)
☑️ Require status checks to pass
- Search for: "CI — Lint, Typecheck, Secrets"
☑️ Dismiss stale PR approvals when new commits are pushed
☑️ Do not allow force pushes
☑️ Do not allow deletions
Trigger: PRs to dev/main, pushes to dev/main
Jobs:
- Bun Setup —
oven-sh/setup-bun@v2(⚠️ NOT npm!) - Dependencies —
bun install - Typecheck —
bunx tsc --noEmit(only iftsconfig.jsonexists) - Biome Check —
bunx @biomejs/biome check .(only ifbiome.jsonexists) - Secret Scan — grep for
sk-*, api_key, client_secret, password, token - Tests —
bun test(only if.test.tsfiles exist)
Constraint Check: No npm install, npm ci, or npm run in this workflow!
Configuration:
- Profile:
chill(not too aggressive for AI-generated code) - Language: English
- Auto-Review: On PRs targeting
devormain - Path Instructions: Specific rules for:
.opencode/skills/**— PAI Skills Format.opencode/agents/**— Agent DefinitionsTools/**— CLI Tools (Bun-only)skill-packs/**— Modular Skill Packsdocs/**— Documentation
Trigger: Comments containing /opencode or /oc
Usage:
# In an Issue or PR comment:
/opencode Update the README with new features
# Or short:
/oc Fix the broken link in docs
Schedule: Daily at 08:00 UTC
Monitors: danielmiessler/Personal_AI_Infrastructure
Actions:
- Compares your fork with upstream
- Creates issue when new commits available:
- Label:
upstream-sync,pai,automated - Contains: Commit list, links, action checkboxes
- Label:
- Creates issue when new release:
- Label:
upstream-sync,pai,release,automated - Contains: Release notes, links, breaking changes check
- Label:
Schedule: Daily at 08:30 UTC (30min after PAI)
Monitors: anomalyco/opencode
Actions: Same pattern as PAI Sync, but:
- Label:
upstream-sync,opencode - Additional hints for SDK/Action changes
# 1. Create feature branch (from dev)
git checkout -b feature/new-feature origin/dev
# 2. Make changes
# ... edit files ...
# 3. Commit (Conventional Commits)
git commit -m "feat(skills): Add new Cloudflare skill
- Add Cloudflare Workers deployment skill
- Include wrangler.toml templates
Closes #42"
# 4. Push
git push origin feature/new-feature
# 5. Create PR (target: dev)
# - CI runs automatically
# - CodeRabbit reviews automatically
# - When CI green → Merge to dev
# 6. Release (manual)
# When dev is stable: create PR dev→main
# - Self review + Approval
# - Merge triggers no deployment (PAI is a template, not a service)# In a PR comment:
/opencode Review this PR for PAI v3.0 compliance
# Or:
/oc Add error handling to the migration tool
| ❌ Anti-Pattern | ✅ Correct |
|---|---|
npm install in workflows |
bun install |
eslint or prettier |
biome check . |
Direct commits to main |
PR via dev branch |
| Force push to protected branches | Never allowed |
| Manual upstream checking | Automatic issues |
→ Normal if no TypeScript configured yet. Add tsconfig.json or workflow adapts.
→ Check:
- CodeRabbit App installed? (https://app.coderabbit.ai)
.coderabbit.yamlin root?- PR target is
devormain?
→ Check:
UPSTREAM_SYNC_TOKENsecret set?- Token has
repoandissuesscopes? - Manually trigger workflow (Actions Tab → workflow_dispatch)
→ If legitimate strings are matched (e.g., sk- in filenames):
- Comment with
# pragma: allowlist secret - Or: Adjust scan regex in CI
| Feature | Warrior AI (Weston) | PAI-OpenCode |
|---|---|---|
| CI | ✅ Lint, Typecheck, Test, Secrets | ✅ Same pattern |
| CodeRabbit | ✅ Pro Tier (2 seats) | ✅ Free Tier |
| OpenCode Action | ✅ Self-hosted runner | ✅ GitHub-hosted |
| Branch Protection | 2 approvers (dev+main) | 1 approver (personal) |
| Self-hosted Runner | ✅ Vultr | ❌ Not needed |
| Upstream Sync | ❌ Not implemented | ✅ Automatic |
Key Difference: Warrior AI has enterprise features (self-hosted, 2 approvers), PAI-OpenCode is optimized for personal/OSS usage.
- ✅ Install CodeRabbit
- ✅ Configure secrets
- ✅ Activate branch protection
- ⏳ Wait for first upstream sync (tomorrow 08:00/08:30 UTC)
- ⏳ Optional: Add
biome.jsonandtsconfig.jsonfor full CI usage
Documentation created: 2026-03-03 Based on Warrior AI Solutions patterns