[codex] Use central Codex PR review workflow#85
Conversation
Co-Authored-By: Codex <noreply@openai.com>
ff9b86d to
5a86eca
Compare
Co-Authored-By: Codex <noreply@openai.com>
🤖 Codex PR ReviewPlease ensure a human reviewer checks this PR before merging. |
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
Co-Authored-By: Codex <noreply@openai.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 73ecd63a58
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| name: codex-pr-review-${{ github.event.pull_request.number }}-${{ github.run_id }} | ||
| path: data/output/codex_pr_review/ | ||
| if-no-files-found: warn | ||
| uses: QuantStrategyLab/AIAuditBridge/.github/workflows/codex_pr_review.yml@main |
There was a problem hiding this comment.
Point to a valid reusable workflow
This now sends every PR review job to QuantStrategyLab/AIAuditBridge/.github/workflows/codex_pr_review.yml@main, but the current raw workflow on main is not callable: its intended on: workflow_call block is commented onto a single line and the rest is malformed, so the file has no active reusable-workflow trigger. GitHub's reusable-workflow syntax requires the called workflow to define on.workflow_call, so PR review runs in this repo will fail during workflow resolution instead of producing the review check until the central workflow is fixed or this caller is pinned to a valid ref.
Useful? React with 👍 / 👎.
Co-Authored-By: Codex <noreply@openai.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c293037763
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| with: | ||
| caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }} | ||
| allow_unconfigured_backend: true | ||
| secrets: inherit |
There was a problem hiding this comment.
Restrict secrets passed to the reusable workflow
This switches the review job from explicitly exposing only the review credentials to secrets: inherit, which grants the called workflow in QuantStrategyLab/AIAuditBridge access to every repository/org secret available to this workflow. Because the reusable workflow is also referenced at mutable @main, any future or compromised change in that separate repo can read unrelated secrets from this repo; pass only the specific secrets the central review workflow needs instead.
Useful? React with 👍 / 👎.
Summary
QuantStrategyLab/AIAuditBridgeRollout note
QuantStrategyLab/AIAuditBridge#12being merged intomainCODEX_AUDIT_REUSABLE_WORKFLOW_TOKENwhen the caller repo cannot read AIAuditBridge with the default tokenValidation
actionlint -oneline .github/workflows/*.ymlgit diff --check