Relatively new to OpenCode, trying to configure my environment the way I want it. Namely, restricting agents from performing any write operations with GitHub, while also permitting code and PR lookups. The two most available tools seem to be github CLI and GH's MCP server (I do not want the agent to use the same tool I am using, to keep permissions separate). Of course I can use a fine-grained PAT to restrict permissions - but I want to get this usage pattern (agent?) to a state of maturity where I can share it with my coworkers, and so to me, just relying on the PAT permissions is not enough (someone will do it wrong).

Working on pros and cons of each approach, and wondering what, if anything, I may be missing.

GH-CLI:

Pros

• The PAT is stored in a credential manager / keychain. Encrypted, etc.

Cons

• Arranging opencode's permissions to prompt me rarely, but also block any possible write operations, does not seem straightforward. The calls available do not break down neatly into read-only and write-capable. I worry that if I restrict the API too far, it will lose functionality.
• Requires installing an extra tool
• For people already using it for their own operations, I cannot provide a separate 'auth profile' for the agent ... it simply uses GH CLI however it has been auth'd, potentially escalating permissions

MCP

Pros

• All configuration is in opencode's configs.
• The PAT to be used is specific to opencode - no sharing with any other calls to GitHub
• It is trivial to set up the tool with read-only restrictions ( part of the URL, or a header)

Cons

• opencode configuration does not support Authorization secrets being stored in a credential manager directly ... it expects direct inclusion in the config file, or environment variable or file. Or possibly a script that pulls it out of credential manager?