From 3aa98a75037b3903d68c2f62255e34415f78a124 Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 09:19:58 +0400
Subject: [PATCH 01/11] automatically add ""@codex review" comment to PRs
---
 .github/workflows/codex-review.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .github/workflows/codex-review.yml
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
new file mode 100644
index 000000000..19e98021b
--- /dev/null
+++ b/.github/workflows/codex-review.yml
@@ -0,0 +1,21 @@
+name: Codex auto review
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+jobs:
+ request-codex-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Comment to trigger Codex
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body: "@codex review"
+ })
From f2addc4d2d1a017f993761ba5c8dc2e1323ce2a0 Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 11:12:54 +0400
Subject: [PATCH 02/11] add more permissions to codex review job
---
 .github/workflows/codex-review.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 19e98021b..00b518c51 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -4,6 +4,11 @@ on:
 pull_request:
 types: [opened, reopened, synchronize]
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 request-codex-review:
 runs-on: ubuntu-latest
From 89d700561d7de185dbcdb8ea71e51bd12975cd0e Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 11:34:27 +0400
Subject: [PATCH 03/11] trigger automatic codex review only on specified gh users
---
 .github/workflows/codex-review.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
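Review bot: The `createComment` call under `script:` runs with `secrets.GITHUB_TOKEN` on a `pull_request` event, and for pull requests opened from forks that token is read-only, so the step fails with a 403 on exactly the external contributions an automatic review would help most; a job-level guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` makes that limitation explicit instead of a red check. Separately, `synchronize` in `types` posts a fresh `@codex review` comment on every push to the branch, so a busy PR accumulates one trigger per push; either restrict to `[opened, reopened]` or list existing comments and skip when a trigger is already present.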
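Review bot: The added `permissions:` block grants both `issues: write` and `pull-requests: write`, but the only API call in the workflow is a comment on a pull request, for which `pull-requests: write` alone is sufficient (the issue-comment endpoint accepts either scope for PR numbers); dropping `issues: write` keeps the token to the minimum the job uses. `contents: read` is fine to keep as an explicit floor since declaring `permissions` resets everything else to none.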
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 00b518c51..6a8d129f6 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -11,6 +11,25 @@ permissions:
 jobs:
 request-codex-review:
+ if: |
+ github.event.pull_request.user.login == 'EmelyanenkoK' ||
+ github.event.pull_request.user.login == 'tolya-yanot' ||
+ github.event.pull_request.user.login == 'SpyCheese' ||
+ github.event.pull_request.user.login == 'neodix42' ||
+ github.event.pull_request.user.login == 'dungeon-master-666' ||
+ github.event.pull_request.user.login == 'igroman787' ||
+ github.event.pull_request.user.login == 'kdimentionaltree' ||
+ github.event.pull_request.user.login == 'sonofmom' ||
+ github.event.pull_request.user.login == 'Trinketer22' ||
+ github.event.pull_request.user.login == 'xssnick' ||
+ github.event.pull_request.user.login == 'tolk-vm' ||
+ github.event.pull_request.user.login == 'DanShaders' ||
+ github.event.pull_request.user.login == 'birydrad' ||
+ github.event.pull_request.user.login == 'abacabadabacaba' ||
+ github.event.pull_request.user.login == 'Mustang98' ||
+ github.event.pull_request.user.login == 'avevad' ||
+ github.event.pull_request.user.login == 'tvorogme' ||
+ github.event.pull_request.user.login == 'krigga'
 runs-on: ubuntu-latest
 steps:
 - name: Comment to trigger Codex
From 446c70d24417ce2e88cb7ef79440b4af14487a8c Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 11:46:18 +0400
Subject: [PATCH 04/11] trigger automatic codex review when the review is submitted
---
 .github/workflows/codex-review.yml | 100 ++++++++++++++++++++++-------
 1 file changed, 77 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 6a8d129f6..88622158d 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
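Review bot: The eighteen-line `||` chain under `if: |` repeats `github.event.pull_request.user.login ==` once per login, which makes adding or removing a reviewer a multi-line diff and invites a typo in one copy; the same list is then duplicated in patch 04 (`codex-on-pr` and again as `github.event.review.user.login` in `codex-on-review`), re-sent in patches 06 and 07, and copied once more in patch 10. The allowlist is the right control for a workflow that later gains secrets, so it is worth keeping it in one place: `if: >-` / `contains(fromJSON('["EmelyanenkoK", "tolya-yanot", "SpyCheese", "neodix42", "dungeon-master-666", "igroman787", "kdimentionaltree", "sonofmom", "Trinketer22", "xssnick", "tolk-vm", "DanShaders", "birydrad", "abacabadabacaba", "Mustang98", "avevad", "tvorogme", "krigga"]'),` / `github.event.pull_request.user.login)` expresses the same gate in three lines, and moving the JSON into a repository variable (`fromJSON(vars.<ALLOWLIST_VARIABLE>)`, a placeholder name) would let the second job reuse it without another copy. Matching on `login` also means a renamed account silently drops out of the list, which is acceptable here but worth a one-line comment above the `if:`.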
@@ -3,6 +3,8 @@ name: Codex auto review
 on:
 pull_request:
 types: [opened, reopened, synchronize]
+ pull_request_review:
+ types: [submitted]
 permissions:
 contents: read
@@ -10,36 +12,88 @@ permissions:
 pull-requests: write
 jobs:
- request-codex-review:
- if: |
- github.event.pull_request.user.login == 'EmelyanenkoK' ||
- github.event.pull_request.user.login == 'tolya-yanot' ||
- github.event.pull_request.user.login == 'SpyCheese' ||
- github.event.pull_request.user.login == 'neodix42' ||
- github.event.pull_request.user.login == 'dungeon-master-666' ||
- github.event.pull_request.user.login == 'igroman787' ||
- github.event.pull_request.user.login == 'kdimentionaltree' ||
- github.event.pull_request.user.login == 'sonofmom' ||
- github.event.pull_request.user.login == 'Trinketer22' ||
- github.event.pull_request.user.login == 'xssnick' ||
- github.event.pull_request.user.login == 'tolk-vm' ||
- github.event.pull_request.user.login == 'DanShaders' ||
- github.event.pull_request.user.login == 'birydrad' ||
- github.event.pull_request.user.login == 'abacabadabacaba' ||
- github.event.pull_request.user.login == 'Mustang98' ||
- github.event.pull_request.user.login == 'avevad' ||
- github.event.pull_request.user.login == 'tvorogme' ||
- github.event.pull_request.user.login == 'krigga'
+ # 1) Auto-trigger Codex when PR is opened/reopened/synchronized
+ codex-on-pr:
+ if: >
+ github.event_name == 'pull_request' &&
+ (
+ github.event.pull_request.user.login == 'EmelyanenkoK' ||
+ github.event.pull_request.user.login == 'tolya-yanot' ||
+ github.event.pull_request.user.login == 'SpyCheese' ||
+ github.event.pull_request.user.login == 'neodix42' ||
+ github.event.pull_request.user.login == 'dungeon-master-666' ||
+ github.event.pull_request.user.login == 'igroman787' ||
+ github.event.pull_request.user.login == 'kdimentionaltree' ||
+ github.event.pull_request.user.login == 'sonofmom' ||
+ github.event.pull_request.user.login == 'Trinketer22' ||
+ github.event.pull_request.user.login == 'xssnick' ||
+ github.event.pull_request.user.login == 'tolk-vm' ||
+ github.event.pull_request.user.login == 'DanShaders' ||
+ github.event.pull_request.user.login == 'birydrad' ||
+ github.event.pull_request.user.login == 'abacabadabacaba' ||
+ github.event.pull_request.user.login == 'Mustang98' ||
+ github.event.pull_request.user.login == 'avevad' ||
+ github.event.pull_request.user.login == 'tvorogme' ||
+ github.event.pull_request.user.login == 'krigga'
+ )
 runs-on: ubuntu-latest
 steps:
- - name: Comment to trigger Codex
+ - name: Comment to trigger Codex (on PR event)
 uses: actions/github-script@v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
- github.rest.issues.createComment({
+ await github.rest.issues.createComment({
 owner: context.repo.owner,
 repo: context.repo.repo,
 issue_number: context.issue.number,
 body: "@codex review"
- })
+ });
+
+ # 2) Auto-trigger Codex when certain reviewers submit a review
+ codex-on-review:
+ if: >
+ github.event_name == 'pull_request_review' &&
+ (
+ github.event.review.user.login == 'EmelyanenkoK' ||
+ github.event.review.user.login == 'tolya-yanot' ||
+ github.event.review.user.login == 'SpyCheese' ||
+ github.event.review.user.login == 'neodix42' ||
+ github.event.review.user.login == 'dungeon-master-666' ||
+ github.event.review.user.login == 'igroman787' ||
+ github.event.review.user.login == 'kdimentionaltree' ||
+ github.event.review.user.login == 'sonofmom' ||
+ github.event.review.user.login == 'Trinketer22' ||
+ github.event.review.user.login == 'xssnick' ||
+ github.event.review.user.login == 'tolk-vm' ||
+ github.event.review.user.login == 'DanShaders' ||
+ github.event.review.user.login == 'birydrad' ||
+ github.event.review.user.login == 'abacabadabacaba' ||
+ github.event.review.user.login == 'Mustang98' ||
+ github.event.review.user.login == 'avevad' ||
+ github.event.review.user.login == 'tvorogme' ||
+ github.event.review.user.login == 'krigga'
+ )
+ runs-on: ubuntu-latest
+ steps:
+ - name: Comment to trigger Codex (on review)
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const reviewer = context.payload.review.user.login;
+ const state = context.payload.review.state; // approved | changes_requested | commented | dismissed
+ core.info(`Review by ${reviewer} with state: ${state}`);
+
+ // Optional: restrict to certain review states
+ if (state !== 'approved' && state !== 'changes_requested') {
+ core.info('Skipping Codex trigger – review state not allowed');
+ return;
+ }
+
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body: "@codex review"
+ });
From ae85e6e9dd2de1082bfbeee4fff75cc6eaa545fc Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 11:12:54 +0400
Subject: [PATCH 05/11] add more permissions to codex review job
---
 .github/workflows/codex-review.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 19e98021b..00b518c51 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -4,6 +4,11 @@ on:
 pull_request:
 types: [opened, reopened, synchronize]
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 request-codex-review:
 runs-on: ubuntu-latest
From 17a5e7d8b6bbbf666e76bb702055ff12daa31af9 Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 11:34:27 +0400
Subject: [PATCH 06/11] trigger automatic codex review only on specified gh users
---
 .github/workflows/codex-review.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 00b518c51..6a8d129f6 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
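Review bot: The `index 19e98021b..00b518c51` line of this hunk names the same pre-image blob as patch 02, yet by this point in the series patch 04 has already moved the file to `88622158d`, so patches 05, 06 and 07 (whose subjects, dates and hunks repeat 02, 03 and 04 byte for byte) cannot apply with `git am` and look like an artefact of a rebase or a twice-sent series. Patch 08 starts from `88622158d..4036a5a3e`, i.e. directly on top of patch 04, so dropping the three duplicates or regenerating the series with `git format-patch` from a clean branch reaches the same end state.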
@@ -11,6 +11,25 @@ permissions:
 jobs:
 request-codex-review:
+ if: |
+ github.event.pull_request.user.login == 'EmelyanenkoK' ||
+ github.event.pull_request.user.login == 'tolya-yanot' ||
+ github.event.pull_request.user.login == 'SpyCheese' ||
+ github.event.pull_request.user.login == 'neodix42' ||
+ github.event.pull_request.user.login == 'dungeon-master-666' ||
+ github.event.pull_request.user.login == 'igroman787' ||
+ github.event.pull_request.user.login == 'kdimentionaltree' ||
+ github.event.pull_request.user.login == 'sonofmom' ||
+ github.event.pull_request.user.login == 'Trinketer22' ||
+ github.event.pull_request.user.login == 'xssnick' ||
+ github.event.pull_request.user.login == 'tolk-vm' ||
+ github.event.pull_request.user.login == 'DanShaders' ||
+ github.event.pull_request.user.login == 'birydrad' ||
+ github.event.pull_request.user.login == 'abacabadabacaba' ||
+ github.event.pull_request.user.login == 'Mustang98' ||
+ github.event.pull_request.user.login == 'avevad' ||
+ github.event.pull_request.user.login == 'tvorogme' ||
+ github.event.pull_request.user.login == 'krigga'
 runs-on: ubuntu-latest
 steps:
 - name: Comment to trigger Codex
From a492c35d287972698985bebd1469130a3c246dd0 Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 11:46:18 +0400
Subject: [PATCH 07/11] trigger automatic codex review when the review is submitted
---
 .github/workflows/codex-review.yml | 100 ++++++++++++++++++++++-------
 1 file changed, 77 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 6a8d129f6..88622158d 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -3,6 +3,8 @@ name: Codex auto review
 on:
 pull_request:
 types: [opened, reopened, synchronize]
+ pull_request_review:
+ types: [submitted]
 permissions:
 contents: read
@@ -10,36 +12,88 @@ permissions:
 pull-requests: write
 jobs:
- request-codex-review:
- if: |
- github.event.pull_request.user.login == 'EmelyanenkoK' ||
- github.event.pull_request.user.login == 'tolya-yanot' ||
- github.event.pull_request.user.login == 'SpyCheese' ||
- github.event.pull_request.user.login == 'neodix42' ||
- github.event.pull_request.user.login == 'dungeon-master-666' ||
- github.event.pull_request.user.login == 'igroman787' ||
- github.event.pull_request.user.login == 'kdimentionaltree' ||
- github.event.pull_request.user.login == 'sonofmom' ||
- github.event.pull_request.user.login == 'Trinketer22' ||
- github.event.pull_request.user.login == 'xssnick' ||
- github.event.pull_request.user.login == 'tolk-vm' ||
- github.event.pull_request.user.login == 'DanShaders' ||
- github.event.pull_request.user.login == 'birydrad' ||
- github.event.pull_request.user.login == 'abacabadabacaba' ||
- github.event.pull_request.user.login == 'Mustang98' ||
- github.event.pull_request.user.login == 'avevad' ||
- github.event.pull_request.user.login == 'tvorogme' ||
- github.event.pull_request.user.login == 'krigga'
+ # 1) Auto-trigger Codex when PR is opened/reopened/synchronized
+ codex-on-pr:
+ if: >
+ github.event_name == 'pull_request' &&
+ (
+ github.event.pull_request.user.login == 'EmelyanenkoK' ||
+ github.event.pull_request.user.login == 'tolya-yanot' ||
+ github.event.pull_request.user.login == 'SpyCheese' ||
+ github.event.pull_request.user.login == 'neodix42' ||
+ github.event.pull_request.user.login == 'dungeon-master-666' ||
+ github.event.pull_request.user.login == 'igroman787' ||
+ github.event.pull_request.user.login == 'kdimentionaltree' ||
+ github.event.pull_request.user.login == 'sonofmom' ||
+ github.event.pull_request.user.login == 'Trinketer22' ||
+ github.event.pull_request.user.login == 'xssnick' ||
+ github.event.pull_request.user.login == 'tolk-vm' ||
+ github.event.pull_request.user.login == 'DanShaders' ||
+ github.event.pull_request.user.login == 'birydrad' ||
+ github.event.pull_request.user.login == 'abacabadabacaba' ||
+ github.event.pull_request.user.login == 'Mustang98' ||
+ github.event.pull_request.user.login == 'avevad' ||
+ github.event.pull_request.user.login == 'tvorogme' ||
+ github.event.pull_request.user.login == 'krigga'
+ )
 runs-on: ubuntu-latest
 steps:
- - name: Comment to trigger Codex
+ - name: Comment to trigger Codex (on PR event)
 uses: actions/github-script@v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
- github.rest.issues.createComment({
+ await github.rest.issues.createComment({
 owner: context.repo.owner,
 repo: context.repo.repo,
 issue_number: context.issue.number,
 body: "@codex review"
- })
+ });
+
+ # 2) Auto-trigger Codex when certain reviewers submit a review
+ codex-on-review:
+ if: >
+ github.event_name == 'pull_request_review' &&
+ (
+ github.event.review.user.login == 'EmelyanenkoK' ||
+ github.event.review.user.login == 'tolya-yanot' ||
+ github.event.review.user.login == 'SpyCheese' ||
+ github.event.review.user.login == 'neodix42' ||
+ github.event.review.user.login == 'dungeon-master-666' ||
+ github.event.review.user.login == 'igroman787' ||
+ github.event.review.user.login == 'kdimentionaltree' ||
+ github.event.review.user.login == 'sonofmom' ||
+ github.event.review.user.login == 'Trinketer22' ||
+ github.event.review.user.login == 'xssnick' ||
+ github.event.review.user.login == 'tolk-vm' ||
+ github.event.review.user.login == 'DanShaders' ||
+ github.event.review.user.login == 'birydrad' ||
+ github.event.review.user.login == 'abacabadabacaba' ||
+ github.event.review.user.login == 'Mustang98' ||
+ github.event.review.user.login == 'avevad' ||
+ github.event.review.user.login == 'tvorogme' ||
+ github.event.review.user.login == 'krigga'
+ )
+ runs-on: ubuntu-latest
+ steps:
+ - name: Comment to trigger Codex (on review)
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const reviewer = context.payload.review.user.login;
+ const state = context.payload.review.state; // approved | changes_requested | commented | dismissed
+ core.info(`Review by ${reviewer} with state: ${state}`);
+
+ // Optional: restrict to certain review states
+ if (state !== 'approved' && state !== 'changes_requested') {
+ core.info('Skipping Codex trigger – review state not allowed');
+ return;
+ }
+
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body: "@codex review"
+ });
From 4ba8fec1d9b52b04209f4da6dfa90680bfdbaedf Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 20:35:19 +0400
Subject: [PATCH 08/11] rework codex auto review
---
 .github/workflows/codex-review.yml | 133 +++++++++++------------------
 1 file changed, 51 insertions(+), 82 deletions(-)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 88622158d..4036a5a3e 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -1,99 +1,68 @@
-name: Codex auto review
-
+name: Codex PR auto review
 on:
 pull_request:
- types: [opened, reopened, synchronize]
- pull_request_review:
- types: [submitted]
-
-permissions:
- contents: read
- issues: write
- pull-requests: write
+ types: [opened]
 jobs:
- # 1) Auto-trigger Codex when PR is opened/reopened/synchronized
- codex-on-pr:
- if: >
- github.event_name == 'pull_request' &&
- (
- github.event.pull_request.user.login == 'EmelyanenkoK' ||
- github.event.pull_request.user.login == 'tolya-yanot' ||
- github.event.pull_request.user.login == 'SpyCheese' ||
- github.event.pull_request.user.login == 'neodix42' ||
- github.event.pull_request.user.login == 'dungeon-master-666' ||
- github.event.pull_request.user.login == 'igroman787' ||
- github.event.pull_request.user.login == 'kdimentionaltree' ||
- github.event.pull_request.user.login == 'sonofmom' ||
- github.event.pull_request.user.login == 'Trinketer22' ||
- github.event.pull_request.user.login == 'xssnick' ||
- github.event.pull_request.user.login == 'tolk-vm' ||
- github.event.pull_request.user.login == 'DanShaders' ||
- github.event.pull_request.user.login == 'birydrad' ||
- github.event.pull_request.user.login == 'abacabadabacaba' ||
- github.event.pull_request.user.login == 'Mustang98' ||
- github.event.pull_request.user.login == 'avevad' ||
- github.event.pull_request.user.login == 'tvorogme' ||
- github.event.pull_request.user.login == 'krigga'
- )
+ codex:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ outputs:
+ final_message: ${{ steps.run_codex.outputs.final-message }}
 steps:
- - name: Comment to trigger Codex (on PR event)
- uses: actions/github-script@v7
+ - uses: actions/checkout@v5
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- await github.rest.issues.createComment({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: context.issue.number,
- body: "@codex review"
- });
+ # Explicitly check out the PR's merge commit.
+ ref: refs/pull/${{ github.event.pull_request.number }}/merge
+
+ - name: Pre-fetch base and head refs for the PR
+ run: |
+ git fetch --no-tags origin \
+ ${{ github.event.pull_request.base.ref }} \
+ +refs/pull/${{ github.event.pull_request.number }}/head
- # 2) Auto-trigger Codex when certain reviewers submit a review
- codex-on-review:
- if: >
- github.event_name == 'pull_request_review' &&
- (
- github.event.review.user.login == 'EmelyanenkoK' ||
- github.event.review.user.login == 'tolya-yanot' ||
- github.event.review.user.login == 'SpyCheese' ||
- github.event.review.user.login == 'neodix42' ||
- github.event.review.user.login == 'dungeon-master-666' ||
- github.event.review.user.login == 'igroman787' ||
- github.event.review.user.login == 'kdimentionaltree' ||
- github.event.review.user.login == 'sonofmom' ||
- github.event.review.user.login == 'Trinketer22' ||
- github.event.review.user.login == 'xssnick' ||
- github.event.review.user.login == 'tolk-vm' ||
- github.event.review.user.login == 'DanShaders' ||
- github.event.review.user.login == 'birydrad' ||
- github.event.review.user.login == 'abacabadabacaba' ||
- github.event.review.user.login == 'Mustang98' ||
- github.event.review.user.login == 'avevad' ||
- github.event.review.user.login == 'tvorogme' ||
- github.event.review.user.login == 'krigga'
- )
+ # If you want Codex to build and run code, install any dependencies that
+ # need to be downloaded before the "Run Codex" step because Codex's
+ # default sandbox disables network access.
+
+ - name: Run Codex
+ id: run_codex
+ uses: openai/codex-action@v1
+ with:
+ openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+ prompt: |
+ This is PR #${{ github.event.pull_request.number }} for ${{ github.repository }}.
+
+ Review ONLY the changes introduced by the PR, so consider:
+ git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
+
+ Suggest any improvements, potential bugs, or issues.
+ Be concise and specific in your feedback.
+
+ Pull request title and body:
+ ----
+ ${{ github.event.pull_request.title }}
+ ${{ github.event.pull_request.body }}
+
+ post_feedback:
 runs-on: ubuntu-latest
+ needs: codex
+ if: needs.codex.outputs.final_message != ''
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
- - name: Comment to trigger Codex (on review)
+ - name: Report Codex feedback
 uses: actions/github-script@v7
+ env:
+ CODEX_FINAL_MESSAGE: ${{ needs.codex.outputs.final_message }}
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ github.token }}
 script: |
- const reviewer = context.payload.review.user.login;
- const state = context.payload.review.state; // approved | changes_requested | commented | dismissed
- core.info(`Review by ${reviewer} with state: ${state}`);
-
- // Optional: restrict to certain review states
- if (state !== 'approved' && state !== 'changes_requested') {
- core.info('Skipping Codex trigger – review state not allowed');
- return;
- }
-
 await github.rest.issues.createComment({
 owner: context.repo.owner,
 repo: context.repo.repo,
- issue_number: context.issue.number,
- body: "@codex review"
+ issue_number: context.payload.pull_request.number,
+ body: process.env.CODEX_FINAL_MESSAGE,
 });
From c281facaaf97262201627998682273c285fc606b Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 20:41:52 +0400
Subject: [PATCH 09/11] rework codex auto review
---
 .github/workflows/codex-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 4036a5a3e..46bc35c23 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -1,4 +1,4 @@
-name: Codex PR auto review
+name: Codex auto review
 on:
 pull_request:
 types: [opened]
From 7d33a6e9f85379dfadf9b488dc60821ffac86f1c Mon Sep 17 00:00:00 2001
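Review bot: `${{ github.event.pull_request.base.ref }}` is expanded straight into the shell of the `Pre-fetch base and head refs` step; base.ref is a branch name of the base repository, so only writers to this repository control it, but the conventional form keeps event data out of the script text: `env:` / `  BASE_REF: ${{ github.event.pull_request.base.ref }}` on the step and `git fetch --no-tags origin "$BASE_REF" "+refs/pull/${{ github.event.pull_request.number }}/head"` in `run:` (`number` is numeric and safe to interpolate). The `actions/checkout@v5` step keeps its default `persist-credentials`, so the job's `contents: read` token stays in `.git/config` while the Codex agent runs over the checkout; `persist-credentials: false` is the smaller footprint, and the later `git fetch` of a pull ref should not need the token on a public repository. Note also that `${{ github.event.pull_request.title }}` and `body` are copied verbatim into `prompt:`, so the PR text is an input the agent will act on as well as read, and `post_feedback` republishes the agent's output unmodified under `pull-requests: write`; a short comment above `prompt:` recording that assumption would help the next maintainer.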
From: neodix
Date: Wed, 19 Nov 2025 21:12:40 +0400
Subject: [PATCH 10/11] rework codex auto review for PRs from forks
---
 .github/workflows/codex-review.yml | 65 ++++++++++++++++++++++--------
 1 file changed, 48 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 46bc35c23..54b2710a9 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -1,44 +1,75 @@
 name: Codex auto review
+
 on:
- pull_request:
- types: [opened]
+ pull_request_target:
+ types: [opened, reopened, synchronize]
 jobs:
 codex:
+ # Only run Codex for PRs authored by allowed users
+ if: |
+ github.event.pull_request.user.login == 'EmelyanenkoK' ||
+ github.event.pull_request.user.login == 'tolya-yanot' ||
+ github.event.pull_request.user.login == 'SpyCheese' ||
+ github.event.pull_request.user.login == 'neodix42' ||
+ github.event.pull_request.user.login == 'dungeon-master-666' ||
+ github.event.pull_request.user.login == 'igroman787' ||
+ github.event.pull_request.user.login == 'kdimentionaltree' ||
+ github.event.pull_request.user.login == 'sonofmom' ||
+ github.event.pull_request.user.login == 'Trinketer22' ||
+ github.event.pull_request.user.login == 'xssnick' ||
+ github.event.pull_request.user.login == 'tolk-vm' ||
+ github.event.pull_request.user.login == 'DanShaders' ||
+ github.event.pull_request.user.login == 'birydrad' ||
+ github.event.pull_request.user.login == 'abacabadabacaba' ||
+ github.event.pull_request.user.login == 'Mustang98' ||
+ github.event.pull_request.user.login == 'avevad' ||
+ github.event.pull_request.user.login == 'tvorogme' ||
+ github.event.pull_request.user.login == 'krigga'
 runs-on: ubuntu-latest
 permissions:
 contents: read
+ pull-requests: write
 outputs:
 final_message: ${{ steps.run_codex.outputs.final-message }}
+
 steps:
- - uses: actions/checkout@v5
+ # 1. Checkout the trusted base commit
+ - name: Checkout base branch (trusted)
+ uses: actions/checkout@v5
 with:
- # Explicitly check out the PR's merge commit.
- ref: refs/pull/${{ github.event.pull_request.number }}/merge
+ ref: ${{ github.event.pull_request.base.sha }}
+ fetch-depth: 0
+ persist-credentials: false
- - name: Pre-fetch base and head refs for the PR
+ # 2. Fetch PR head as a separate local branch, without checking it out
+ - name: Fetch PR head
 run: |
- git fetch --no-tags origin \
- ${{ github.event.pull_request.base.ref }} \
- +refs/pull/${{ github.event.pull_request.number }}/head
+ git fetch origin \
+ pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }}
- # If you want Codex to build and run code, install any dependencies that
- # need to be downloaded before the "Run Codex" step because Codex's
- # default sandbox disables network access.
+ # Optional diagnostics
+ - name: Show diff summary
+ run: |
+ git diff --stat \
+ ${{ github.event.pull_request.base.sha }} pr-${{ github.event.pull_request.number }}
+ # 3. Run Codex safely
 - name: Run Codex
 id: run_codex
- uses: openai/codex-action@v1
+ uses: openai/codex-action@02e7b2943818fbac9f077c3d1249a198ab358352
 with:
+ # IMPORTANT: this is safe only because:
+ # - workflow file lives in base repo (attacker cannot change it)
+ # - we do not run arbitrary PR code, only git commands
 openai-api-key: ${{ secrets.OPENAI_API_KEY }}
 prompt: |
 This is PR #${{ github.event.pull_request.number }} for ${{ github.repository }}.
- Review ONLY the changes introduced by the PR, so consider:
- git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
+ Review ONLY the changes introduced by this PR.
- Suggest any improvements, potential bugs, or issues.
- Be concise and specific in your feedback.
+ Diff range:
+ ${{ github.event.pull_request.base.sha }}...pr-${{ github.event.pull_request.number }}
 Pull request title and body:
 ----
From 0781fc1af6d9c3487feb7d706005b1a71caedfa4 Mon Sep 17 00:00:00 2001
From: neodix
Date: Wed, 19 Nov 2025 21:40:13 +0400
Subject: [PATCH 11/11] fix based on a review
---
 .github/workflows/codex-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
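Review bot: The `# IMPORTANT` comment above `openai-api-key:` overstates the guarantee: `openai/codex-action` presumably runs an agent that executes commands inside its sandbox against the checkout (the earlier comment about the sandbox disabling network access points that way), and the prompt directs it at `pr-<N>`, the untrusted fork branch fetched in step 2, so the diff, title and body are instructions the agent may follow rather than inert data, while `pull_request_target` hands that same step `secrets.OPENAI_API_KEY` and a `github.token` carrying `pull-requests: write`. The author allowlist on the `codex` job is the real control, and it keys on `pull_request.user.login`, whereas `synchronize` fires on every push to the fork branch, so on later runs it is write access to the author's fork that is trusted, not the author alone. Two cheap tightenings: drop `pull-requests: write` from the `codex` job (only `post_feedback` comments, and it already holds that permission), and replace the three comment lines with what actually holds, e.g. `# Runs under pull_request_target with secrets: the PR branch is fetched for diffing but never checked out, and the job is gated to the author allowlist above.` `actions/checkout@v5` and `actions/github-script@v7` remain tag-pinned while codex-action is pinned to a commit; pinning all three the same way keeps the trust story consistent. The `codex` job's `prompt:` and the `post_feedback` job continue past the end of this hunk.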
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 54b2710a9..151d22acb 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -31,7 +31,7 @@ jobs:
 contents: read
 pull-requests: write
 outputs:
- final_message: ${{ steps.run_codex.outputs.final-message }}
+ final_message: ${{ steps.run_codex.outputs['final-message'] }}
 steps:
 # 1. Checkout the trusted base commit