Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 10 additions & 35 deletions .github/workflows/codex_pr_review.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
name: Codex PR Review

# Always run on PRs to guarantee a check run exists for branch protection.
# The Python script handles skip logic internally for trivial changes.
on:
pull_request:
types: [opened, synchronize, reopened]
Expand All @@ -18,36 +16,13 @@ concurrency:

jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 30
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.11"

- name: Run Codex PR Review
id: review
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
ANTHROPIC_MODEL: ${{ vars.ANTHROPIC_MODEL || 'claude-sonnet-4-6' }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
OPENAI_MODEL: ${{ vars.OPENAI_MODEL || 'gpt-5.4-mini' }}
CODEX_AUDIT_SERVICE_URL: ${{ secrets.CODEX_AUDIT_SERVICE_URL }}
CODEX_AUDIT_SERVICE_AUDIENCE: ${{ vars.CODEX_AUDIT_SERVICE_AUDIENCE || 'quant-codex-audit' }}
run: python scripts/run_codex_pr_review.py

- name: Upload review diagnostics
if: always()
uses: actions/upload-artifact@v7
with:
name: codex-pr-review-${{ github.event.pull_request.number }}-${{ github.run_id }}
path: data/output/codex_pr_review/
if-no-files-found: warn
uses: QuantStrategyLab/AIAuditBridge/.github/workflows/codex_pr_review.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Point to a valid reusable workflow

This now sends every PR review job to QuantStrategyLab/AIAuditBridge/.github/workflows/codex_pr_review.yml@main, but the current raw workflow on main is not callable: its intended on: workflow_call block is commented onto a single line and the rest is malformed, so the file has no active reusable-workflow trigger. GitHub's reusable-workflow syntax requires the called workflow to define on.workflow_call, so PR review runs in this repo will fail during workflow resolution instead of producing the review check until the central workflow is fixed or this caller is pinned to a valid ref.

Useful? React with 👍 / 👎.

with:
caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }}
allow_unconfigured_backend: true
secrets: inherit

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restrict secrets passed to the reusable workflow

This switches the review job from explicitly exposing only the review credentials to secrets: inherit, which grants the called workflow in QuantStrategyLab/AIAuditBridge access to every repository/org secret available to this workflow. Because the reusable workflow is also referenced at mutable @main, any future or compromised change in that separate repo can read unrelated secrets from this repo; pass only the specific secrets the central review workflow needs instead.

Useful? React with 👍 / 👎.

permissions:
contents: read
id-token: write
issues: write
pull-requests: write
Loading
Loading