Skip to content

fix: require scoped Codex auto-resolve command#447

Merged
BigSimmo merged 8 commits into
mainfrom
codex/scoped-autoresolve-command
Jul 9, 2026
Merged

fix: require scoped Codex auto-resolve command#447
BigSimmo merged 8 commits into
mainfrom
codex/scoped-autoresolve-command

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

  • Updates the Codex auto-resolve workflow to emit the scoped actionable-findings command required by AGENTS.md.
  • Tightens the CI guard so it rejects the old broad @codex resolve all review comments prompt and asserts the full scoped prompt.

Why

A Codex review found that the workflow and guard still allowed the old broad resolve command, which could ask Codex to address unrelated or stale review comments.

Verification

  • npm run check:codex-autofix-workflow passed.
  • git diff --check HEAD^ HEAD passed.

Notes

  • No dependency install, build, deployment, or provider/API workflow was run.

@supabase

supabase Bot commented Jul 9, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

An error occurred during the review process. Please try again later.

📝 Walkthrough

Walkthrough

The Codex auto-resolve workflow now uses a scoped actionable-findings resolve command and prompt instead of the broad resolve-all wording. The repository also adds GitHub Actions pin enforcement and updates workflows to pinned runner and action versions.

Changes

Scoped Codex resolve command update

Layer / File(s) Summary
Workflow trigger and prompt update
.github/workflows/codex-autofix-review-comments.yml
The auto-resolve workflow now treats the scoped actionable-findings trigger as an existing request, runs on Ubuntu 24.04, and emits the scoped Codex resolve prompt text.
Validation script updates
scripts/check-codex-autofix-workflow.mjs
Adds scoped resolve constants, forbids the broad resolve-all command, and requires both the scoped command check and scoped prompt text in the workflow source.

Workflow pinning checks

Layer / File(s) Summary
Pin check script and npm wiring
scripts/check-github-action-pins.mjs, package.json
Adds a workflow pin-check script that flags floating Ubuntu runners and unsupported action versions, and removes npm run sitemap:check from verify:cheap.
CI job pin check and runner updates
.github/workflows/ci.yml
Pins several CI jobs to Ubuntu 24.04, updates checkout to actions/checkout@v6, and adds a Workflow action pin check step to verify.
Other workflow pin updates
.github/workflows/docker-image.yml, .github/workflows/eval-canary.yml, .github/workflows/live-drift.yml, .github/workflows/sast.yml, .github/workflows/secret-scan.yml, .github/workflows/summary.yml
Updates the remaining workflows to Ubuntu 24.04, switches checkout steps to actions/checkout@v6, and changes the summary comment action to peter-evans/create-or-update-comment@v5.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change to the Codex auto-resolve command.
Description check ✅ Passed The description follows the template with Summary, Why, Verification, and Notes, and includes relevant checks and results.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Generated And Sensitive Files ✅ Passed No secrets or forbidden artifacts were committed; changes are source/docs plus an intentionally tracked schema manifest, with no raw credentials, dumps, caches, or build outputs.
Verification Claims ✅ Passed PR description names exact checks (npm run check:codex-autofix-workflow, git diff --check HEAD^ HEAD) and marks them passed; the 'not run' note gives a reason.
Risky Git Or Deployment Actions ✅ Passed No added lines in the PR recommend force-push/reset/branch deletion/destructive cleanup or deployment without confirmation; the workflow change only moves secret env usage.
Supabase Project And Schema Safety ✅ Passed PASS: Only workflow pins/guards and a Supabase drift manifest timestamp/replay update changed; the project ref and schema SHA stayed the same, with no DDL/RLS/policy changes.
Runtime And Package Manager Integrity ✅ Passed No package-manager/runtime changes were introduced; the only diffed workflow edit just moved a secret to step env, while npm ci and the Node 24/npm 11 pins remain unchanged.
Api Route Failure Handling ✅ Passed Touched RAG/ingestion paths either throw on bad input/env or catch and return deterministic fallbacks; no unsafe API/server-action change found.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/scoped-autoresolve-command
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch codex/scoped-autoresolve-command

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector

Copy link
Copy Markdown

Summary

Testing

  • npm run check:codex-autofix-workflow
  • git diff --check HEAD^ HEAD
  • git status --short --branch

View task →

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
scripts/check-codex-autofix-workflow.mjs (1)

49-54: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Verified guard strings match the workflow's embedded prompt exactly.

Cross-checked scopedResolveCommand/scopedResolvePrompt against the workflow's line 41 skip-check substring and line 78 prompt text — they match verbatim, so this guard correctly enforces the scoped phrasing.

Since this exact string is now duplicated in two files (the workflow's embedded script and this validator), consider extracting the shared prompt into a single source of truth (e.g., a small JSON/text fixture both files read) to prevent the kind of drift that motivated this PR.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/check-codex-autofix-workflow.mjs` around lines 49 - 54, The scoped
resolve command and prompt text are duplicated between the workflow script and
this validator, which risks drift. Extract the shared values used by
`scopedResolveCommand` and `scopedResolvePrompt` into a single source of truth
that both `scripts/check-codex-autofix-workflow.mjs` and the workflow’s embedded
prompt read from. Update the validator to compare against that shared
fixture/value instead of hardcoded string literals so the skip-check and prompt
check stay in sync.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/check-codex-autofix-workflow.mjs`:
- Around line 49-54: The scoped resolve command and prompt text are duplicated
between the workflow script and this validator, which risks drift. Extract the
shared values used by `scopedResolveCommand` and `scopedResolvePrompt` into a
single source of truth that both `scripts/check-codex-autofix-workflow.mjs` and
the workflow’s embedded prompt read from. Update the validator to compare
against that shared fixture/value instead of hardcoded string literals so the
skip-check and prompt check stay in sync.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3528f310-fb63-4883-b657-106dad506241

📥 Commits

Reviewing files that changed from the base of the PR and between 230ec3f and 99dce51.

📒 Files selected for processing (2)
  • .github/workflows/codex-autofix-review-comments.yml
  • scripts/check-codex-autofix-workflow.mjs

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 9, 2026
@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 12:49
auto-merge was automatically disabled July 9, 2026 13:18

Head branch was pushed to by a user without write access

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 9, 2026
@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 13:31
coderabbitai[bot]
coderabbitai Bot previously requested changes Jul 9, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
scripts/check-github-action-pins.mjs (1)

25-25: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Quoted uses: values silently bypass the check.

usesPattern requires the line to end immediately after the version digits (optionally followed by a comment); a quoted reference like uses: "actions/checkout@v6" won't match because of the trailing quote, so it would be silently skipped rather than validated.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/check-github-action-pins.mjs` at line 25, The usesPattern in
check-github-action-pins.mjs is too strict and misses quoted uses values, so
update the regex handling in that script to accept optional single or double
quotes around the action reference while still capturing the repository and vN
pin. Make sure the validation logic that reads uses: lines continues to flag
unpinned actions even when the value is quoted, rather than silently skipping
them.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/check-github-action-pins.mjs`:
- Around line 6-14: The supportedMajorRanges entry for actions/checkout has an
outdated v7 failure message; update the reason text in the checkGithubActionPins
logic to stop claiming v7 is unpublished and instead explain that the pin should
remain on v6 for security/documented support reasons. Keep the change localized
to the actions/checkout mapping so the emitted failure text matches the current
published major.

---

Nitpick comments:
In `@scripts/check-github-action-pins.mjs`:
- Line 25: The usesPattern in check-github-action-pins.mjs is too strict and
misses quoted uses values, so update the regex handling in that script to accept
optional single or double quotes around the action reference while still
capturing the repository and vN pin. Make sure the validation logic that reads
uses: lines continues to flag unpinned actions even when the value is quoted,
rather than silently skipping them.
🪄 Autofix (Beta)

✅ Autofix completed


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 290ff168-104f-443a-abaf-373c4ce3500f

📥 Commits

Reviewing files that changed from the base of the PR and between aa45064 and 5bd607f.

📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • .github/workflows/codex-autofix-review-comments.yml
  • .github/workflows/docker-image.yml
  • .github/workflows/eval-canary.yml
  • .github/workflows/live-drift.yml
  • .github/workflows/sast.yml
  • .github/workflows/secret-scan.yml
  • .github/workflows/summary.yml
  • package.json
  • scripts/check-github-action-pins.mjs
✅ Files skipped from review due to trivial changes (2)
  • .github/workflows/live-drift.yml
  • .github/workflows/secret-scan.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/codex-autofix-review-comments.yml

Comment thread scripts/check-github-action-pins.mjs
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 1 file(s) based on 1 unresolved review comment.

Files modified:

  • scripts/check-github-action-pins.mjs

Commit: ce6dc4c0c6c2673cb34332158c3a8ab45383149f

The changes have been pushed to the codex/scoped-autoresolve-command branch.

Time taken: 3m 17s

Fixed 1 file(s) based on 1 unresolved review comment.

Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 9, 2026
auto-merge was automatically disabled July 9, 2026 13:58

Head branch was pushed to by a user without write access

@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 13:59
@BigSimmo
BigSimmo merged commit 4ba3deb into main Jul 9, 2026
10 of 11 checks passed
@BigSimmo
BigSimmo deleted the codex/scoped-autoresolve-command branch July 9, 2026 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants