From a1b22f52342a6761fb95ba62cede7d77be70774c Mon Sep 17 00:00:00 2001 From: Pigbibi <20649888+Pigbibi@users.noreply.github.com> Date: Fri, 10 Jul 2026 17:58:04 +0800 Subject: [PATCH 1/5] fix(review): run Codex review from trusted base Co-Authored-By: Codex --- .github/codex_auto_merge_policy.json | 2 +- .github/workflows/codex_pr_review.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/codex_auto_merge_policy.json b/.github/codex_auto_merge_policy.json index e1f0a35..e7c7292 100644 --- a/.github/codex_auto_merge_policy.json +++ b/.github/codex_auto_merge_policy.json @@ -45,6 +45,6 @@ "timeout_minutes": 20, "max_diff_lines": 2400, "auto_converge_after": 3, - "block_on_review_failure": false + "block_on_review_failure": true } } diff --git a/.github/workflows/codex_pr_review.yml b/.github/workflows/codex_pr_review.yml index 27351f6..49d2626 100644 --- a/.github/workflows/codex_pr_review.yml +++ b/.github/workflows/codex_pr_review.yml @@ -1,7 +1,7 @@ name: Codex PR Review on: - pull_request: + pull_request_target: types: [opened, synchronize, reopened] permissions: @@ -16,10 +16,11 @@ concurrency: jobs: review: + if: github.event.pull_request.head.repo.full_name == github.repository uses: QuantStrategyLab/AIAuditBridge/.github/workflows/codex_pr_review.yml@main with: caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }} - allow_unconfigured_backend: true + allow_unconfigured_backend: false api_fallback_enabled: "false" direct_api_primary_enabled: "false" secrets: inherit From c18f133823a98d19d321f446897d75a03847000b Mon Sep 17 00:00:00 2001 From: Pigbibi <20649888+Pigbibi@users.noreply.github.com> Date: Fri, 10 Jul 2026 18:03:49 +0800 Subject: [PATCH 2/5] fix(review): disable automatic review convergence Co-Authored-By: Codex --- .github/codex_auto_merge_policy.json | 2 +- .github/workflows/codex_pr_review.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/codex_auto_merge_policy.json b/.github/codex_auto_merge_policy.json index e7c7292..792c7b5 100644 --- a/.github/codex_auto_merge_policy.json +++ b/.github/codex_auto_merge_policy.json @@ -44,7 +44,7 @@ ], "timeout_minutes": 20, "max_diff_lines": 2400, - "auto_converge_after": 3, + "auto_converge_after": 0, "block_on_review_failure": true } } diff --git a/.github/workflows/codex_pr_review.yml b/.github/workflows/codex_pr_review.yml index 49d2626..f2a048c 100644 --- a/.github/workflows/codex_pr_review.yml +++ b/.github/workflows/codex_pr_review.yml @@ -21,8 +21,8 @@ jobs: with: caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }} allow_unconfigured_backend: false - api_fallback_enabled: "false" - direct_api_primary_enabled: "false" + api_fallback_enabled: false + direct_api_primary_enabled: false secrets: inherit permissions: contents: read From 50f9e591af8a07680900f06e92a45e662f169b6d Mon Sep 17 00:00:00 2001 From: Pigbibi <20649888+Pigbibi@users.noreply.github.com> Date: Fri, 10 Jul 2026 18:42:25 +0800 Subject: [PATCH 3/5] chore(review): remove bypass policy fields Co-Authored-By: Codex --- .github/codex_auto_merge_policy.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/codex_auto_merge_policy.json b/.github/codex_auto_merge_policy.json index 792c7b5..50d2bfd 100644 --- a/.github/codex_auto_merge_policy.json +++ b/.github/codex_auto_merge_policy.json @@ -43,8 +43,6 @@ "low" ], "timeout_minutes": 20, - "max_diff_lines": 2400, - "auto_converge_after": 0, - "block_on_review_failure": true + "max_diff_lines": 2400 } } From 4d454184941c28165c11ddb1760dacc4c7c9f2cc Mon Sep 17 00:00:00 2001 From: Pigbibi <20649888+Pigbibi@users.noreply.github.com> Date: Fri, 10 Jul 2026 19:18:49 +0800 Subject: [PATCH 4/5] fix(review): pass explicit string fallback flags Co-Authored-By: Codex --- .github/workflows/codex_pr_review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codex_pr_review.yml b/.github/workflows/codex_pr_review.yml index f2a048c..49d2626 100644 --- a/.github/workflows/codex_pr_review.yml +++ b/.github/workflows/codex_pr_review.yml @@ -21,8 +21,8 @@ jobs: with: caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }} allow_unconfigured_backend: false - api_fallback_enabled: false - direct_api_primary_enabled: false + api_fallback_enabled: "false" + direct_api_primary_enabled: "false" secrets: inherit permissions: contents: read From 87351d8af4c51fcdc47d428bcf8ba3a6ba7576bf Mon Sep 17 00:00:00 2001 From: Pigbibi <20649888+Pigbibi@users.noreply.github.com> Date: Fri, 10 Jul 2026 19:31:06 +0800 Subject: [PATCH 5/5] fix(review): fail closed for fork pull requests Co-Authored-By: Codex --- .github/workflows/codex_pr_review.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codex_pr_review.yml b/.github/workflows/codex_pr_review.yml index 49d2626..037717e 100644 --- a/.github/workflows/codex_pr_review.yml +++ b/.github/workflows/codex_pr_review.yml @@ -16,7 +16,6 @@ concurrency: jobs: review: - if: github.event.pull_request.head.repo.full_name == github.repository uses: QuantStrategyLab/AIAuditBridge/.github/workflows/codex_pr_review.yml@main with: caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }}