Skip to content

ci: add Codex review workflow#97

Merged
dialupdisaster merged 2 commits into
mainfrom
chore/add-codex-action
Jul 6, 2026
Merged

ci: add Codex review workflow#97
dialupdisaster merged 2 commits into
mainfrom
chore/add-codex-action

Conversation

@dialupdisaster

@dialupdisaster dialupdisaster commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Description

Adds a GitHub Actions workflow that runs openai/codex-action on pull requests and posts Codex review feedback as a PR comment.

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Chore (dependency updates, etc.)

Checklist

  • I have read the CONTRIBUTING.md document
  • My code follows the style guidelines of this project
  • bun run lint passes with no errors
  • bun run check:jsdoc-coverage passes with no errors
  • bun run typecheck passes with no errors
  • bun test passes with no errors
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly
  • My commits follow the Conventional Commits specification

Related issues

None.

Additional context

Uses OPENAI_API_KEY from repository secrets and permission-profile: ":workspace" per the Codex Action recommendations.

Summary by CodeRabbit

  • New Features
    • Added automated Codex review comments on pull requests.
    • Reviews run on new updates and reopened PRs, and only after a PR is ready for review.
    • When available, the review result is posted directly as a PR comment.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow file that triggers Codex-based automated review on pull requests, runs the review via openai/codex-action, and posts the resulting feedback as a PR comment through a separate follow-up job.

Changes

Codex Review Automation

Layer / File(s) Summary
Workflow trigger and permissions
.github/workflows/codex.yml
Defines the "Codex Review" workflow name, pull_request event triggers (opened, synchronize, reopened, ready_for_review), read-only contents permission, and jobs section.
Codex review job
.github/workflows/codex.yml
Adds the codex job that skips draft PRs, checks out the PR merge ref, fetches base/head refs, and runs openai/codex-action@v1 with the API key and a review prompt, outputting final_message.
Feedback posting job
.github/workflows/codex.yml
Adds the post_feedback job that runs after codex, and when final_message is non-empty, uses actions/github-script@v7 with issues/pull-requests write permissions to post the message as a PR comment.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHub as GitHub PR Event
  participant CodexJob as codex job
  participant CodexAction as openai/codex-action
  participant PostFeedback as post_feedback job
  participant PRComment as PR Comment

  GitHub->>CodexJob: pull_request event (not draft)
  CodexJob->>CodexAction: run with OPENAI_API_KEY and prompt
  CodexAction-->>CodexJob: final_message output
  CodexJob->>PostFeedback: job completes with final_message
  PostFeedback->>PRComment: create issue comment if final_message non-empty
Loading

Related Issues: None found
Related PRs: None found
Suggested labels: ci, github-actions
Suggested reviewers: None found

Poem:
A rabbit hops through workflow YAML,
Checking drafts, then off it runs to trail,
Codex whispers feedback in the night,
A comment blooms upon the PR in sight,
Hop, review, and merge — all's well in scale! 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding a Codex review GitHub Actions workflow.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/add-codex-action

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Findings

  • Medium: .github/workflows/codex.yml:37 uses secrets.OPENAI_API_KEY from a pull_request workflow, and line 62 expects write access to comment. For forked PRs and Dependabot PRs, GitHub does not pass non-GITHUB_TOKEN secrets and makes GITHUB_TOKEN read-only, so this workflow will not reliably run the Codex review or post feedback for those PRs. That contradicts the PR’s stated behavior for pull requests. Consider explicitly limiting this to trusted same-repo PRs, or redesigning with a safe privileged path such as pull_request_target/workflow_run without executing untrusted PR code. (docs.github.com)

No other actionable issues found in the introduced workflow.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/codex.yml (1)

56-77: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Avoid creating a new Codex comment on every PR update.

Every synchronize event posts another standalone comment. Consider adding a hidden marker and updating the existing Codex comment instead to keep PR discussions readable.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codex.yml around lines 56 - 77, The PR feedback step in
the codex workflow always creates a new comment, which causes duplicate Codex
comments on each update. Update the post_feedback logic in the github-script
step to look for an existing Codex comment using a hidden marker in the comment
body, then edit that comment instead of always calling createComment; keep the
marker in the message built from CODEX_FINAL_MESSAGE so the script can reliably
find and update the same comment.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/codex.yml:
- Around line 56-77: The PR feedback step in the codex workflow always creates a
new comment, which causes duplicate Codex comments on each update. Update the
post_feedback logic in the github-script step to look for an existing Codex
comment using a hidden marker in the comment body, then edit that comment
instead of always calling createComment; keep the marker in the message built
from CODEX_FINAL_MESSAGE so the script can reliably find and update the same
comment.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7e2d2f26-ce40-4d57-8e11-ce330e935c37

📥 Commits

Reviewing files that changed from the base of the PR and between f88839a and c68706b.

📒 Files selected for processing (1)
  • .github/workflows/codex.yml

@dialupdisaster

Copy link
Copy Markdown
Contributor Author

Updated in be29af6:

  • Limited the Codex review job to same-repository PRs so it only runs where repository secrets and write-token behavior are expected.
  • Explicitly skipped Dependabot-triggered runs because normal repository secrets are not available there.
  • Updated the feedback step to reuse a hidden-marker Codex comment instead of creating a new comment on every synchronize event.

Local validation passed: bun run typecheck and bun test.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Findings

  • .github/workflows/codex.yml:24 checks out the mutable refs/pull/<n>/merge ref, and lines 32-34 fetch mutable base/head refs, while the prompt tells Codex to diff the event SHAs. If the PR is updated or force-pushed while a run is queued, Codex can review a different checkout or fail because the event SHAs are not present. Use the event merge SHA/default checkout and fetch the exact base/head SHAs, or use fetch-depth: 0.

  • .github/workflows/codex.yml:79 only reads the first page of issue comments before deciding whether to update or create the Codex comment. GitHub’s issue-comments API defaults to 30 results per page and ascending order, so PRs with more than 30 comments can get duplicate Codex comments instead of updating the existing one. Use github.paginate(...) or otherwise request/search all pages. (docs.github.com)

  • .github/workflows/codex.yml:59 has no concurrency guard, so multiple synchronize runs for the same PR can finish out of order and an older Codex result can overwrite a newer review comment. Add a PR-scoped concurrency group with cancel-in-progress: true.

I did not run tests; this was a workflow-only review.

@dialupdisaster dialupdisaster merged commit 127f38a into main Jul 6, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant