OpenCode plugin that automatically syncs your authentication credentials to GitHub repositories as secrets whenever they change.
When using OpenCode with Claude Max, OpenAI, or other OAuth providers, your tokens refresh periodically. This plugin watches for those changes and automatically syncs the updated credentials to your GitHub repositories, keeping your CI/CD workflows authenticated.
```bash
bunx @activade/opencode-auth-sync
```

The interactive setup wizard will:
- Check prerequisites (GitHub CLI)
- List your repositories
- Let you select which repos to sync
- Configure the plugin automatically
Running the wizard again will merge your changes with the existing configuration, preserving any custom settings like debounceMs or credentialsPath that you've modified.
Add to `~/.config/opencode/opencode.json`:

```json
{
  "plugin": [
    "@activade/opencode-auth-sync"
  ]
}
```

Create `~/.config/opencode/opencode-auth-sync.json`:
```json
{
  "$schema": "https://raw.githubusercontent.com/activadee/opencode-auth-sync/main/schema.json",
  "enabled": true,
  "repositories": [
    "your-username/repo1",
    "your-org/private-repo"
  ]
}
```

| Option | Type | Default | Description |
|---|---|---|---|
| `enabled` | boolean | `true` | Enable/disable the plugin |
| `credentialsPath` | string | `~/.local/share/opencode/auth.json` | Path to OpenCode auth file |
| `secretName` | string | `OPENCODE_AUTH` | GitHub secret name |
| `repositories` | string[] | `[]` | Repositories to sync (owner/repo format) |
| `debounceMs` | number | `1000` | Debounce delay for file changes |
| `authFileHashes` | object | (auto-managed) | Per-repository SHA-256 hashes of last synced auth.json (managed by plugin) |
- GitHub CLI installed and authenticated (`gh auth login`)
- Write access to target repositories

- Plugin watches `~/.local/share/opencode/auth.json` for changes
- When tokens refresh, the file updates
- Plugin computes a SHA-256 hash of the file content and compares it against the stored hash
- If the hash differs (content actually changed), syncs to configured repositories via `gh secret set`
- Toast notifications show sync status
The hash-based change detection reduces unnecessary GitHub API calls when file metadata changes but content remains the same.
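The per-repository hash comparison described above, sketched as an added example (not the plugin's source). The function names, the `push` callback standing in for `gh secret set`, and the policy of recording a hash only after a successful push are assumptions; the token values are constructed.

```typescript
import { createHash } from "node:crypto";

type HashMap = Record<string, string>; // repo -> hex SHA-256 of last synced content
type PushSecret = (repo: string, value: string) => boolean; // true on success

// Hex SHA-256 of the file content; mtime and size play no part.
function hashAuth(content: string): string {
  return createHash("sha256").update(content, "utf8").digest("hex");
}

// Push only to repos whose recorded hash differs from the current content.
// Assumed policy: record the new hash only after a successful push, so a
// failed repo is retried on the next file event.
function syncChanged(content: string, repos: string[], stored: HashMap, push: PushSecret) {
  const current = hashAuth(content);
  const hashes: HashMap = { ...stored };
  const synced: string[] = [];
  const failed: string[] = [];
  for (const repo of repos) {
    if (hashes[repo] === current) continue; // repo already holds this content
    if (push(repo, content)) {
      hashes[repo] = current;
      synced.push(repo);
    } else {
      failed.push(repo); // old hash kept
    }
  }
  return { synced, failed, hashes };
}

// Constructed sample data: fake tokens, placeholder repository names.
const v1 = '{"anthropic":{"access":"constructed-token-1"}}';
const v2 = '{"anthropic":{"access":"constructed-token-2"}}';
const repos = ["your-username/repo1", "your-org/private-repo"];

// Hypothetical stand-ins for `gh secret set`. A real call should feed the
// value on stdin, not argv, so it never shows up in the process list.
const calls: string[] = [];
const flaky: PushSecret = (repo) => { calls.push(repo); return repo !== "your-org/private-repo"; };
const ok: PushSecret = (repo) => { calls.push(repo); return true; };

function demo() {
  const first = syncChanged(v1, repos, {}, flaky);         // one repo fails
  const retry = syncChanged(v1, repos, first.hashes, ok);  // only the failed repo is pushed
  const same = syncChanged(v1, repos, retry.hashes, ok);   // metadata-only change: no pushes
  const rotated = syncChanged(v2, repos, same.hashes, ok); // token refresh: both pushed
  return { first, retry, same, rotated, calls };
}
```

Keeping one hash per repository rather than one global hash is what lets a newly added or previously failed repository catch up without re-pushing to the others.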
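```yaml
# .github/workflows/example.yml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Setup OpenCode Auth
        env:
          # Pass the secret through the environment so it is never expanded into the script text
          OPENCODE_AUTH: ${{ secrets.OPENCODE_AUTH }}
        run: |
          mkdir -p ~/.local/share/opencode
          umask 077  # auth.json is created readable by the runner user only
          printf '%s' "$OPENCODE_AUTH" > ~/.local/share/opencode/auth.json
```

```yaml
      - name: Extract Anthropic Token
        env:
          OPENCODE_AUTH: ${{ secrets.OPENCODE_AUTH }}
        run: |
          ANTHROPIC_TOKEN=$(printf '%s' "$OPENCODE_AUTH" | jq -r '.anthropic.access')
          # Mask the derived value before it is exported to later steps
          echo "::add-mask::$ANTHROPIC_TOKEN"
          echo "ANTHROPIC_API_KEY=$ANTHROPIC_TOKEN" >> "$GITHUB_ENV"
```

The auth file contains credentials for all configured OpenCode providers: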
- `anthropic` - Claude Max (OAuth)
- `openai` - ChatGPT Plus/Pro (OAuth)
- `google` - Gemini (OAuth)
- API key providers
```bash
bun test
bun run type-check
bun run build
```

MIT