From c68706bb7bebe7ab56b72bd4e1e1e3c75cf1c6d7 Mon Sep 17 00:00:00 2001 From: Marc Seiler Date: Sun, 5 Jul 2026 19:14:09 -0400 Subject: [PATCH 1/2] ci: add codex review workflow --- .github/workflows/codex.yml | 77 +++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/workflows/codex.yml diff --git a/.github/workflows/codex.yml b/.github/workflows/codex.yml new file mode 100644 index 0000000..81b6ab7 --- /dev/null +++ b/.github/workflows/codex.yml @@ -0,0 +1,77 @@ +name: Codex Review + +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + +permissions: + contents: read + +jobs: + codex: + name: Review Pull Request + if: github.event.pull_request.draft == false + runs-on: ubuntu-latest + outputs: + final_message: ${{ steps.run_codex.outputs.final-message }} + steps: + - name: Checkout pull request + uses: actions/checkout@v6 + with: + ref: refs/pull/${{ github.event.pull_request.number }}/merge + persist-credentials: false + + - name: Fetch pull request refs + env: + PR_BASE_REF: ${{ github.event.pull_request.base.ref }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + git fetch --no-tags origin \ + "$PR_BASE_REF" \ + "+refs/pull/$PR_NUMBER/head" + + - name: Run Codex review + id: run_codex + uses: openai/codex-action@v1 + with: + openai-api-key: ${{ secrets.OPENAI_API_KEY }} + permission-profile: ":workspace" + prompt: | + This is PR #${{ github.event.pull_request.number }} for ${{ github.repository }}. + + Review only the changes introduced by this pull request. Focus on bugs, + behavior regressions, security risks, and missing tests. Keep feedback + concise and specific, with file and line references where possible. + + Useful commands: + git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} + git diff --stat ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} + git diff ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} + + Pull request title and body: + ---- + ${{ github.event.pull_request.title }} + ${{ github.event.pull_request.body }} + + post_feedback: + name: Post Codex Feedback + needs: codex + if: needs.codex.outputs.final_message != '' + runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write + steps: + - name: Comment on pull request + uses: actions/github-script@v7 + env: + CODEX_FINAL_MESSAGE: ${{ needs.codex.outputs.final_message }} + with: + github-token: ${{ github.token }} + script: | + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body: process.env.CODEX_FINAL_MESSAGE, + }); From be29af6064760f2ecd7e489c1ff0481f1952402c Mon Sep 17 00:00:00 2001 From: Marc Seiler Date: Sun, 5 Jul 2026 19:24:11 -0400 Subject: [PATCH 2/2] ci: harden codex review workflow --- .github/workflows/codex.yml | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codex.yml b/.github/workflows/codex.yml index 81b6ab7..7105ecd 100644 --- a/.github/workflows/codex.yml +++ b/.github/workflows/codex.yml @@ -10,7 +10,10 @@ permissions: jobs: codex: name: Review Pull Request - if: github.event.pull_request.draft == false + if: | + github.event.pull_request.draft == false && + github.actor != 'dependabot[bot]' && + github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest outputs: final_message: ${{ steps.run_codex.outputs.final-message }} @@ -56,7 +59,9 @@ jobs: post_feedback: name: Post Codex Feedback needs: codex - if: needs.codex.outputs.final_message != '' + if: | + needs.codex.result == 'success' && + needs.codex.outputs.final_message != '' runs-on: ubuntu-latest permissions: issues: write @@ -69,9 +74,29 @@ jobs: with: github-token: ${{ github.token }} script: | - await github.rest.issues.createComment({ + const marker = ''; + const body = `${marker}\n${process.env.CODEX_FINAL_MESSAGE}`; + const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.payload.pull_request.number, - body: process.env.CODEX_FINAL_MESSAGE, }); + const existing = comments.find((comment) => + comment.user.type === 'Bot' && comment.body?.includes(marker) + ); + + if (existing) { + await github.rest.issues.updateComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: existing.id, + body, + }); + } else { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body, + }); + }