Skip to content

ci: add update-pins tool and review workflows #338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

ci: add update-pins tool and review workflows #338

wants to merge 5 commits into from
+1,834 −0

Conversation

@xenoscopic
Copy link
Collaborator

@xenoscopic xenoscopic commented Oct 17, 2025
edited
Loading

This PR is a follow-up to #328. It adds a tool and nightly workflow to update commit pins for local servers and create PRs for each update. It also adds two AI-based security review workflows to (1) automatically review incoming upstream changes due to new servers or version pin changes and (2) audit all or a subset of the registry.

@xenoscopic xenoscopic requested a review from a team as a code owner October 17, 2025 23:14
@chatgpt-codex-connector
Copy link

To use Codex here, create an environment for this repo.

@xenoscopic
Copy link
Collaborator Author

@codex Can you tell me how I would update this PR to invoke a Codex task on the PRs that are produced by this new workflow?

@xenoscopic
Copy link
Collaborator Author

@codex can you review this PR for malicious intent?

@chatgpt-codex-connector
Copy link

Codex Review: Didn't find any major issues. You're on a roll.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@chatgpt-codex-connector
Copy link

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@xenoscopic xenoscopic changed the title wip: ci: add update-pins tool and workflow ci: add update-pins tool and review workflows Oct 23, 2025
@xenoscopic
Copy link
Collaborator Author

@codex review

xenoscopic
xenoscopic commented Oct 23, 2025
View reviewed changes
.github/workflows/security-review-diff.yaml
Comment on lines +121 to +137
- name: Ensure security labels exist
if: steps.pins.outputs.has_targets == 'true' || steps.newservers.outputs.has_targets == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh label create "${SECURITY_BLOCK_LABEL}" \
--color B60205 \
--description "Security automation detected blocking issues." \
|| echo "Label ${SECURITY_BLOCK_LABEL} already exists."

for risk in critical high medium low info; do
label="${SECURITY_RISK_LABEL_PREFIX}${risk}"
gh label create "$label" \
--color 0E8A16 \
--description "Security automation risk assessment: ${risk}." \
|| echo "Label $label already exists."
done
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could just do this manually, once.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Oct 23, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

.github/workflows/security-review-diff.yaml
Comment on lines +231 to +233
gh pr comment ${{ github.event.pull_request.number }} \
--repo ${{ github.repository }} \
--body-file security-review-comment.md
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Handle workflow_dispatch PR number when posting review comment

The workflow is only triggered via workflow_dispatch, yet the post-review step still references ${{ github.event.pull_request.number }} when calling gh pr comment. In a manually dispatched run this context is unset, so the command fails and the generated security report is never published to the intended pull request (labels also remain stale for the same reason). Consider using the input value (${{ github.event.inputs.pull_request_number }}) when the event is workflow_dispatch so manual executions can target the requested PR.

Useful? React with 👍 / 👎.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fine, I've temporarily disabled the previous step and left it on a manual trigger for now, but it will eventually be triggered on PR events.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@xenoscopic