
[OW-5] Refactor OpenCode Auth to Use opencode-auth-sync Plugin #10

@activadee

Description

The opencode-auth-sync plugin (https://github.com/activadee/opencode-auth-sync) enables automatic synchronization of OpenCode authentication from GitHub secrets, eliminating the need for a separate scheduled cache job. This refactoring simplifies the workflow setup and improves user experience by removing a required manual step.

Background

Currently, users opting for OAuth authentication must:

  1. Install the opencode-auth.yml workflow
  2. Manually run it to initialize the auth cache
  3. Rely on scheduled cache refresh (daily)

With opencode-auth-sync, the ~/.local/share/opencode/auth.json file is automatically synced from the OPENCODE_AUTH secret, removing operational overhead and the cache workflow entirely.

Goals

  • Simplify workflow setup by eliminating cache dependencies
  • Promote the opencode-auth-sync plugin as the standard approach for OAuth users
  • Maintain backward compatibility with API key authentication
  • Improve CLI user experience with plugin installation option
  • Reduce maintenance burden of the cache job workflow

Technical Changes

1. Update Workflow Templates

src/cli/templates/shared.ts

  • Remove or deprecate CACHE_RESTORE_STEP constant
  • Keep ENV_OPENCODE_AUTH and ENV_API_KEY as-is

src/cli/templates/pr-review.ts

  • Remove conditional cache restore step
  • Direct use of OPENCODE_AUTH secret without cache dependency
  • Remove import of CACHE_RESTORE_STEP

src/cli/templates/issue-label.ts

  • Remove conditional cache restore step
  • Direct use of OPENCODE_AUTH secret without cache dependency
  • Remove import of CACHE_RESTORE_STEP

src/cli/templates/doc-sync.ts

  • Remove conditional cache restore step
  • Direct use of OPENCODE_AUTH secret without cache dependency
  • Remove import of CACHE_RESTORE_STEP

2. Update CLI Prompts and Flow

src/cli/index.ts

Changes:

  • Remove automatic inclusion of opencode-auth workflow when OAuth is selected
  • Add new prompt option: "Install opencode-auth-sync plugin? (recommended)" after OAuth selection
  • Update next steps messaging for OAuth users:
    • Add step to install the plugin: bun install @activadee/opencode-auth-sync
    • Add step to configure the plugin in .github/workflows/ (if plugin provides setup automation)
    • Simplify secret setup: only requires OPENCODE_AUTH secret, no cache workflow
    • Remove instruction to manually run opencode-auth workflow
  • Update help text (lines 27-57) to reflect that opencode-auth.yml is no longer required
  • Show different next steps based on plugin installation choice

src/cli/installer.ts

Changes:

  • Keep opencode-auth in WORKFLOW_GENERATORS for backward compatibility
  • Optional: Add silent skip logic if opencode-auth is somehow requested without OAuth

3. Preserve Backward Compatibility

  • Users with existing opencode-auth.yml workflows are unaffected
  • API key authentication flow remains unchanged
  • OPENCODE_AUTH secret usage continues to work (plugin handles sync)

4. Documentation Updates

.github/workflows/opencode-auth.yml

  • Optional deprecation notice in file (not removed, for backward compatibility)
  • Consider moving to docs/ directory if users still reference it

README.md

  • Remove or de-emphasize the opencode-auth.yml cache job workflow
  • Update authentication section to mention opencode-auth-sync as primary approach for OAuth
  • Update quick start example to show plugin installation step (if automated by plugin)

Acceptance Criteria

  • All imports of CACHE_RESTORE_STEP removed from template files (pr-review.ts, issue-label.ts, doc-sync.ts)
  • Generated workflow templates for OAuth users do NOT include cache restore steps
  • CLI no longer automatically includes opencode-auth.yml when OAuth is selected
  • CLI prompts user for optional opencode-auth-sync plugin installation
  • OAuth next steps messaging guides users to install the plugin instead of running manual cache workflow
  • Help text (--help output) updated to remove reference to required opencode-auth.yml installation
  • API key authentication flow unchanged (still uses ANTHROPIC_API_KEY)
  • All existing tests pass
  • New tests cover:
    • OAuth workflow generation without cache steps
    • CLI prompt flow for plugin installation
    • Next steps messaging for both plugin install and API key paths
    • Backward compatibility verification (old secrets still work)

Implementation Notes

Workflow Generation Changes:

Before (OAuth):

- uses: actions/cache/restore@v4
  with:
    path: ~/.local/share/opencode/auth.json
    key: opencode-auth-
- uses: activadee/open-workflows/actions/pr-review@main
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    OPENCODE_AUTH: ${{ secrets.OPENCODE_AUTH }}

After (OAuth with plugin):

- uses: activadee/open-workflows/actions/pr-review@main
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    OPENCODE_AUTH: ${{ secrets.OPENCODE_AUTH }}

CLI Flow Updates:

  1. Multi-select workflows
  2. OAuth vs API key choice
  3. NEW: If OAuth selected, prompt: "Install opencode-auth-sync plugin?" (recommended)
  4. Check existing files + override confirmation
  5. Install workflows
  6. Show next steps (different for plugin vs no-plugin):
    • With plugin: Install plugin, set OPENCODE_AUTH secret
    • Without plugin: Set OPENCODE_AUTH secret, manually run opencode-auth workflow (backward compat message)
    • API key: Set ANTHROPIC_API_KEY secret

Naming Conventions Followed:

  • File naming: kebab-case (pr-review.ts, opencode-auth.ts) ✓
  • Constants: SCREAMING_SNAKE_CASE ✓
  • Functions: camelCase ✓
  • Environment variables: SCREAMING_SNAKE_CASE ✓

Testing Strategy:

  • Unit tests for template generation with/without cache steps
  • Integration tests for CLI prompts and workflow installation
  • Snapshot tests for generated workflow YAML
  • E2E test verifying complete setup flow
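
An added example (not part of this issue or of the open-workflows code base): a TypeScript check for the acceptance criterion that generated OAuth workflows carry no cache step for auth.json and take OPENCODE_AUTH only from the repository secret. The names `splitSteps` and `auditOAuthWorkflow` and the line-based parsing are assumptions for illustration; the sample input is the Before/After pair from Implementation Notes.

```typescript
// Added example: audits generated workflow YAML against the OAuth acceptance criteria.
// Line-based on purpose (no YAML dependency); assumes the step layout shown in this issue.
const AUTH_FILE = "~/.local/share/opencode/auth.json"; // path named in the issue
const SECRET_REF = /^\$\{\{\s*secrets\.OPENCODE_AUTH\s*\}\}$/;
interface Step { uses: string; body: string[] }

// A step starts at a "- " list item; the lines that follow belong to it.
function splitSteps(yaml: string): Step[] {
  const steps: Step[] = [];
  for (const raw of yaml.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    if (line.startsWith("- ")) steps.push({ uses: "", body: [] });
    const step = steps[steps.length - 1];
    if (step === undefined) continue; // keys before the first list item
    const text = line.replace(/^-\s+/, "");
    step.body.push(text);
    if (text.startsWith("uses:")) step.uses = text.slice(5).trim();
  }
  return steps;
}

function auditOAuthWorkflow(yaml: string): string[] {
  const problems: string[] = [];
  for (const step of splitSteps(yaml)) {
    const isCache = /^actions\/cache[\/@]/.test(step.uses);
    if (isCache && step.body.some((l) => l.includes(AUTH_FILE))) {
      problems.push(`cache step still handles auth.json: ${step.uses}`);
    }
    for (const l of step.body) {
      if (!l.startsWith("OPENCODE_AUTH:")) continue;
      const value = l.slice("OPENCODE_AUTH:".length).trim();
      if (!SECRET_REF.test(value)) {
        problems.push("OPENCODE_AUTH is not read from secrets.OPENCODE_AUTH");
      }
    }
  }
  return problems;
}

// Sample input: the Before/After snippets from Implementation Notes.
const AFTER = [
  "- uses: activadee/open-workflows/actions/pr-review@main",
  "  env:",
  "    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}",
  "    OPENCODE_AUTH: ${{ secrets.OPENCODE_AUTH }}",
].join("\n");
const BEFORE = "- uses: actions/cache/restore@v4\n  with:\n    path: " + AUTH_FILE + "\n    key: opencode-auth-\n" + AFTER;
console.log(auditOAuthWorkflow(BEFORE), auditOAuthWorkflow(AFTER));
```

The check is strict about the secret reference: a quoted or inline OPENCODE_AUTH value is reported, so a template that ever emits the credential literally fails the test.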

Labels: enhancement, github_actions, good first issue
