From 7eb509db1486a65a198dd62683d6830e98476707 Mon Sep 17 00:00:00 2001
From: Aiden Cline <aidenpcline@gmail.com>
Date: Wed, 10 Dec 2025 21:45:46 -0600
Subject: [PATCH] ci: rm bash tool from opencode ci workflow, reduce risks

---
 .github/workflows/opencode.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml
index 44c8d4a58..4c75ad2e0 100644
--- a/.github/workflows/opencode.yml
+++ b/.github/workflows/opencode.yml
@@ -29,5 +29,6 @@ jobs:
         uses: sst/opencode/github@latest
         env:
           OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
+          OPENCODE_PERMISSION: '{"bash": "deny"}'
         with:
           model: opencode/claude-haiku-4-5