Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 10 additions & 35 deletions .github/workflows/codex_pr_review.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
name: Codex PR Review

# Always run on PRs to guarantee a check run exists for branch protection.
# The Python script handles skip logic internally for trivial changes.
on:
pull_request:
types: [opened, synchronize, reopened]
Expand All @@ -18,36 +16,13 @@ concurrency:

jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 30
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.11"

- name: Run Codex PR Review
id: review
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
ANTHROPIC_MODEL: ${{ vars.ANTHROPIC_MODEL || 'claude-sonnet-4-6' }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
OPENAI_MODEL: ${{ vars.OPENAI_MODEL || 'gpt-5.4-mini' }}
CODEX_AUDIT_SERVICE_URL: ${{ secrets.CODEX_AUDIT_SERVICE_URL }}
CODEX_AUDIT_SERVICE_AUDIENCE: ${{ vars.CODEX_AUDIT_SERVICE_AUDIENCE || 'quant-codex-audit' }}
run: python scripts/run_codex_pr_review.py

- name: Upload review diagnostics
if: always()
uses: actions/upload-artifact@v7
with:
name: codex-pr-review-${{ github.event.pull_request.number }}-${{ github.run_id }}
path: data/output/codex_pr_review/
if-no-files-found: warn
uses: QuantStrategyLab/AIAuditBridge/.github/workflows/codex_pr_review.yml@main
with:
caller_concurrency_key: pr-${{ github.event.pull_request.number || github.run_id }}
allow_unconfigured_backend: true
secrets: inherit

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Restrict inherited secrets to audit credentials

When this workflow runs on same-repository PRs where secrets are available, secrets: inherit makes every caller repository/org secret available to the reusable workflow, whereas the deleted local job only exposed the audit backend credentials it needed. Because the called workflow is loaded from QuantStrategyLab/AIAuditBridge, any future or compromised change there can read unrelated secrets from this repository; pass only the required audit secrets explicitly instead of inheriting all of them.

Useful? React with 👍 / 👎.

permissions:
contents: read
id-token: write
issues: write
pull-requests: write
Loading
Loading