[codex] Use central Codex PR review workflow#39
Conversation
Co-Authored-By: Codex <noreply@openai.com>
812b9f2 to
0f47583
Compare
Co-Authored-By: Codex <noreply@openai.com>
🤖 Codex PR ReviewPlease ensure a human reviewer checks this PR before merging. |
Co-Authored-By: Codex <noreply@openai.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
Co-Authored-By: Codex <noreply@openai.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f02be83211
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| with: | ||
| caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }} | ||
| allow_unconfigured_backend: true | ||
| secrets: inherit |
There was a problem hiding this comment.
Restrict inherited secrets to audit credentials
When this workflow runs on same-repository PRs where secrets are available, secrets: inherit makes every caller repository/org secret available to the reusable workflow, whereas the deleted local job only exposed the audit backend credentials it needed. Because the called workflow is loaded from QuantStrategyLab/AIAuditBridge, any future or compromised change there can read unrelated secrets from this repository; pass only the required audit secrets explicitly instead of inheriting all of them.
Useful? React with 👍 / 👎.
Co-Authored-By: Codex <noreply@openai.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
Summary
QuantStrategyLab/AIAuditBridgeRollout note
QuantStrategyLab/AIAuditBridge#12being merged intomainCODEX_AUDIT_REUSABLE_WORKFLOW_TOKENwhen the caller repo cannot read AIAuditBridge with the default tokenValidation
actionlint -oneline .github/workflows/*.ymlgit diff --check