trace_include_sensitive_data=False does not apply to agents as tools #565
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Codex | |
on: | |
issues: | |
types: [opened, labeled] | |
pull_request: | |
branches: [main] | |
types: [labeled] | |
jobs: | |
codex: | |
# This `if` check provides complex filtering logic to avoid running Codex | |
# on every PR. Admittedly, one thing this does not verify is whether the | |
# sender has write access to the repo: that must be done as part of a | |
# runtime step. | |
# | |
# Note the label values should match the ones in the .github/codex/labels | |
# folder. | |
if: | | |
(github.event_name == 'issues' && ( | |
(github.event.action == 'labeled' && (github.event.label.name == 'codex-attempt' || github.event.label.name == 'codex-triage')) | |
)) || | |
(github.event_name == 'pull_request' && github.event.action == 'labeled' && github.event.label.name == 'codex-review') | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write # can push or create branches | |
issues: write # for comments + labels on issues/PRs | |
pull-requests: write # for PR comments/labels | |
steps: | |
# TODO: Consider adding an optional mode (--dry-run?) to actions/codex | |
# that verifies whether Codex should actually be run for this event. | |
# (For example, it may be rejected because the sender does not have | |
# write access to the repo.) The benefit would be two-fold: | |
# 1. As the first step of this job, it gives us a chance to add a reaction | |
# or comment to the PR/issue ASAP to "ack" the request. | |
# 2. It saves resources by skipping the clone and setup steps below if | |
# Codex is not going to run. | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
# We install the dependencies like we would for an ordinary CI job, | |
# particularly because Codex will not have network access to install | |
# these dependencies. | |
- name: Setup uv | |
uses: astral-sh/setup-uv@v5 | |
with: | |
enable-cache: true | |
- name: Install dependencies | |
run: make sync | |
# Note it is possible that the `verify` step internal to Run Codex will | |
# fail, in which case the work to setup the repo was worthless :( | |
- name: Run Codex | |
uses: openai/codex/.github/actions/codex@main | |
with: | |
openai_api_key: ${{ secrets.PROD_OPENAI_API_KEY }} | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
codex_home: ./.github/codex/home |