GitHub
Use OpenSploit in GitHub issues and pull requests.
OpenSploit integrates with your GitHub workflow. Mention /opensploit or /oc in your comment, and OpenSploit will execute tasks within your GitHub Actions runner.
Features
- Triage issues: Ask OpenSploit to look into an issue and explain it to you.
- Fix and implement: Ask OpenSploit to fix an issue or implement a feature. It will work in a new branch and submit a PR with all the changes.
- Secure: OpenSploit runs inside your own GitHub Actions runners.
Installation
Run the following command in a project that is in a GitHub repo:
```
opensploit github install
```

This will walk you through installing the GitHub app, creating the workflow, and setting up secrets.
Manual Setup
Or you can set it up manually.
- Install the GitHub app

  Head over to github.com/apps/opensploit-agent. Make sure it’s installed on the target repository.

- Add the workflow

  Add the following workflow file to `.github/workflows/opensploit.yml` in your repo. Make sure to set the appropriate `model` and the required API keys in `env`.

  `.github/workflows/opensploit.yml`

  ```yaml
  name: opensploit

  on:
    issue_comment:
      types: [created]
    pull_request_review_comment:
      types: [created]

  jobs:
    opensploit:
      if: |
        contains(github.event.comment.body, '/oc') ||
        contains(github.event.comment.body, '/opensploit')
      runs-on: ubuntu-latest
      permissions:
        id-token: write
      steps:
        - name: Checkout repository
          uses: actions/checkout@v6
          with:
            fetch-depth: 1
            persist-credentials: false

        - name: Run OpenSploit
          uses: silicon-works/opensploit/github@latest
          env:
            ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          with:
            model: anthropic/claude-sonnet-4-20250514
            # share: true
            # github_token: xxxx
  ```

- Store the API keys in secrets

  In your organization or project settings, expand Secrets and variables on the left and select Actions, then add the required API keys.
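The `if:` condition in the workflow above uses `contains()`, which in GitHub Actions expressions is a case-insensitive substring test: any comment whose body happens to contain `/oc` (for example inside a URL path such as `example.com/ocean`) starts the job, and any account that is able to comment on the repository can start it. The following added example, which is not part of OpenSploit or its action, shows a stricter gate that a workflow could run in an `actions/github-script` step ahead of the OpenSploit step. It accepts the command only as a whole word and only from authors whose `author_association` is on an allow-list. `parseTrigger`, `shouldRun` and the `TRUSTED_ASSOCIATIONS` list are this example's own names and policy choices, and the sample comment payloads are constructed.

```javascript
// Added example, not OpenSploit code: a stricter trigger gate for
// issue_comment / pull_request_review_comment events.

// Command words recognised by the workflow on this page.
const TRIGGER_WORDS = ["/opensploit", "/oc"];

// Author associations allowed to start the agent. These are values GitHub
// puts in comment.author_association; which ones to trust is a per-repo
// policy decision, and this particular allow-list is an assumption.
const TRUSTED_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

// Find a trigger word as a whole token: preceded by start of text or
// whitespace, followed by whitespace, punctuation or end of text. The longer
// word is tried first so "/opensploit" is never read as "/oc" + rest.
// Returns { command, instruction } or null when no command is present.
function parseTrigger(body) {
  if (typeof body !== "string") return null;
  const re = /(?:^|\s)(\/opensploit|\/oc)(?=[\s.,;:!?)]|$)/i;
  const m = re.exec(body);
  if (!m) return null;
  const command = m[1].toLowerCase();
  // The instruction is the comment with the command word cut out.
  const idx = m.index + m[0].indexOf(m[1]);
  const instruction = (body.slice(0, idx) + body.slice(idx + command.length)).trim();
  return { command, instruction };
}

// Decide whether the agent should run for one comment payload. Fails closed:
// a missing body, no command, or an untrusted author all yield run: false.
function shouldRun(comment) {
  const parsed = parseTrigger(comment && comment.body);
  if (!parsed) return { run: false, reason: "no trigger command" };
  const assoc = comment.author_association;
  if (!TRUSTED_ASSOCIATIONS.has(assoc)) {
    return { run: false, reason: `author association ${assoc} is not trusted` };
  }
  return { run: true, reason: "ok", instruction: parsed.instruction };
}

// Constructed sample payloads (shape follows the fields used above).
const SAMPLE_COMMENTS = [
  { body: "/opensploit explain this issue", author_association: "OWNER" },
  { body: "Delete the attachment from S3 when the note is removed /oc", author_association: "MEMBER" },
  { body: "see https://example.com/ocean for details", author_association: "OWNER" },
  { body: "/oc add error handling here", author_association: "NONE" },
];

// Evaluate every sample and return the decisions (also printed when run directly).
function evaluateAll(comments) {
  return comments.map((c) => ({ body: c.body, ...shouldRun(c) }));
}

for (const d of evaluateAll(SAMPLE_COMMENTS)) {
  console.log(`${d.run ? "RUN " : "SKIP"} ${d.reason.padEnd(40)} ${d.body}`);
}
```

In a `github-script` step the script would end with `return shouldRun(context.payload.comment).run;` and the OpenSploit step would carry `if: steps.gate.outputs.result == 'true'`. The author gate alone can also be written straight into the workflow's `if:` expression by testing `github.event.comment.author_association`.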
Configuration
- `model`: The model to use with OpenSploit. Takes the format `provider/model`. This is required.
- `agent`: The agent to use. Must be a primary agent. Falls back to `default_agent` from config, or to `"build"` if not found.
- `share`: Whether to share the OpenSploit session. Defaults to true for public repositories.
- `prompt`: Optional custom prompt to override the default behavior. Use this to customize how OpenSploit processes requests.
- `token`: Optional GitHub access token for performing operations such as creating comments, committing changes, and opening pull requests. By default, OpenSploit uses the installation access token from the OpenSploit GitHub App, so commits, comments, and pull requests appear as coming from the app.

  Alternatively, you can use the GitHub Actions runner’s built-in `GITHUB_TOKEN` without installing the OpenSploit GitHub App. Just make sure to grant the required permissions in your workflow:

  ```yaml
  permissions:
    id-token: write
    contents: write
    pull-requests: write
    issues: write
  ```

  You can also use a personal access token (PAT) if preferred.
Supported Events
OpenSploit can be triggered by the following GitHub events:
| Event Type | Triggered By | Details |
|---|---|---|
| issue_comment | Comment on an issue or PR | Mention /opensploit or /oc in your comment. OpenSploit reads context and can create branches, open PRs, or reply. |
| pull_request_review_comment | Comment on specific code lines in a PR | Mention /opensploit or /oc while reviewing code. OpenSploit receives file path, line numbers, and diff context. |
| issues | Issue opened or edited | Automatically trigger OpenSploit when issues are created or modified. Requires prompt input. |
| pull_request | PR opened or updated | Automatically trigger OpenSploit when PRs are opened, synchronized, or reopened. Useful for automated reviews. |
| schedule | Cron-based schedule | Run OpenSploit on a schedule. Requires prompt input. Output goes to logs and PRs (no issue to comment on). |
| workflow_dispatch | Manual trigger from GitHub UI | Trigger OpenSploit on demand via the Actions tab. Requires prompt input. Output goes to logs and PRs. |
Schedule Example
Run OpenSploit on a schedule to perform automated tasks:
```yaml
name: Scheduled OpenSploit Task

on:
  schedule:
    - cron: "0 9 * * 1" # Every Monday at 9am UTC

jobs:
  opensploit:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      pull-requests: write
      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Run OpenSploit
        uses: silicon-works/opensploit/github@latest
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        with:
          model: anthropic/claude-sonnet-4-20250514
          prompt: |
            Review the codebase for any TODO comments and create a summary.
            If you find issues worth addressing, open an issue to track them.
```

For scheduled events, the `prompt` input is required since there’s no comment to extract instructions from. Scheduled workflows run without a user context to permission-check, so the workflow must grant `contents: write` and `pull-requests: write` if you expect OpenSploit to create branches or PRs.
Pull Request Example
Automatically review PRs when they are opened or updated:
```yaml
name: opensploit-review

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      pull-requests: read
      issues: read
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false

      - uses: silicon-works/opensploit/github@latest
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          model: anthropic/claude-sonnet-4-20250514
          use_github_token: true
          prompt: |
            Review this pull request:
            - Check for code quality issues
            - Look for potential bugs
            - Suggest improvements
```

For `pull_request` events, if no `prompt` is provided, OpenSploit defaults to reviewing the pull request.
Issues Triage Example
Automatically triage new issues. This example filters to accounts older than 30 days to reduce spam:
```yaml
name: Issue Triage

on:
  issues:
    types: [opened]

jobs:
  triage:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      pull-requests: write
      issues: write
    steps:
      - name: Check account age
        id: check
        uses: actions/github-script@v7
        with:
          script: |
            const user = await github.rest.users.getByUsername({
              username: context.payload.issue.user.login
            });
            const created = new Date(user.data.created_at);
            const days = (Date.now() - created) / (1000 * 60 * 60 * 24);
            return days >= 30;
          result-encoding: string

      - uses: actions/checkout@v6
        if: steps.check.outputs.result == 'true'
        with:
          persist-credentials: false

      - uses: silicon-works/opensploit/github@latest
        if: steps.check.outputs.result == 'true'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        with:
          model: anthropic/claude-sonnet-4-20250514
          prompt: |
            Review this issue. If there's a clear fix or relevant docs:
            - Provide documentation links
            - Add error handling guidance for code examples
            Otherwise, do not comment.
```

For `issues` events, the `prompt` input is required since there’s no comment to extract instructions from.
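The inline `github-script` step above returns `days >= 30` and nothing else, so an unparsable or missing `created_at` yields `NaN`, and a comparison against `NaN` is `false`, which happens to fail closed but only by accident. The following added example, which is not OpenSploit's code, is a fail-closed version of the same account-age gate that a workflow could use in place of the inline script: it treats a missing or unparsable timestamp and a creation date in the future as "not old enough", and it takes the clock and threshold as parameters so the decision can be tested offline. `accountAgeDays`, `isAccountOldEnough` and `gateOutput` are names chosen for this example; the user objects fed to it are constructed.

```javascript
// Added example, not OpenSploit code: a testable, fail-closed account-age gate.

const MS_PER_DAY = 1000 * 60 * 60 * 24;

// Whole days between createdAt (an ISO-8601 string, as the GitHub users API
// returns in created_at) and now (milliseconds since the epoch).
// Returns null when the timestamp is absent or cannot be parsed.
function accountAgeDays(createdAt, now = Date.now()) {
  if (typeof createdAt !== "string") return null;
  const t = Date.parse(createdAt);
  if (Number.isNaN(t)) return null;
  return Math.floor((now - t) / MS_PER_DAY);
}

// Gate decision. Fails closed: unknown age, or a creation date in the
// future (clock skew or a malformed payload), is treated as "too young".
function isAccountOldEnough(createdAt, minDays = 30, now = Date.now()) {
  const days = accountAgeDays(createdAt, now);
  return days !== null && days >= 0 && days >= minDays;
}

// What a github-script step would return for a users API response object;
// with result-encoding: string the boolean becomes "true" / "false".
function gateOutput(user, minDays = 30, now = Date.now()) {
  const createdAt = user && user.created_at;
  return String(isAccountOldEnough(createdAt, minDays, now));
}

// Constructed sample users evaluated against a fixed clock when run directly.
const DEMO_NOW = Date.parse("2025-03-01T00:00:00Z");
const DEMO_USERS = [
  { login: "longtime-user", created_at: "2025-01-01T00:00:00Z" },
  { login: "fresh-account", created_at: "2025-02-15T00:00:00Z" },
  { login: "broken-payload", created_at: "not-a-date" },
  { login: "future-dated", created_at: "2025-04-01T00:00:00Z" },
  { login: "no-timestamp" },
];
for (const u of DEMO_USERS) {
  console.log(`${u.login.padEnd(16)} age=${String(accountAgeDays(u.created_at, DEMO_NOW)).padEnd(5)} triage=${gateOutput(u, 30, DEMO_NOW)}`);
}
```

In the workflow, the script body would become `return gateOutput(user.data);` after the `getByUsername` call, leaving the `if: steps.check.outputs.result == 'true'` conditions on the later steps unchanged.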
Custom prompts
Override the default prompt to customize OpenSploit’s behavior for your workflow.
```yaml
- uses: silicon-works/opensploit/github@latest
  with:
    model: anthropic/claude-sonnet-4-5
    prompt: |
      Review this pull request:
      - Check for code quality issues
      - Look for potential bugs
      - Suggest improvements
```

This is useful for enforcing specific review criteria, coding standards, or focus areas relevant to your project.
Examples
Here are some examples of how you can use OpenSploit in GitHub.
- Explain an issue

  Add this comment in a GitHub issue.

  ```
  /opensploit explain this issue
  ```

  OpenSploit will read the entire thread, including all comments, and reply with a clear explanation.

- Fix an issue

  In a GitHub issue, say:

  ```
  /opensploit fix this
  ```

  OpenSploit will create a new branch, implement the changes, and open a PR with the changes.

- Review PRs and make changes

  Leave the following comment on a GitHub PR.

  ```
  Delete the attachment from S3 when the note is removed /oc
  ```

  OpenSploit will implement the requested change and commit it to the same PR.

- Review specific code lines

  Leave a comment directly on code lines in the PR’s “Files” tab. OpenSploit automatically detects the file, line numbers, and diff context to provide precise responses.

  ```
  [Comment on specific lines in Files tab]
  /oc add error handling here
  ```

  When commenting on specific lines, OpenSploit receives:

  - The exact file being reviewed
  - The specific lines of code
  - The surrounding diff context
  - Line number information

  This allows for more targeted requests without needing to specify file paths or line numbers manually.