fix: harden Codex review auto-resolve flow#455
Conversation
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
📝 WalkthroughWalkthroughThe PR hardens Codex auto-resolve review-comment handling with exact bot checks, scoped deduplication, repair limits, explicit permission failures, immutable action validation, updated instructions, and end-to-end workflow tests. ChangesCodex auto-resolve hardening
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Reviewer
participant CodexAutofixWorkflow
participant GitHubAPI
Reviewer->>CodexAutofixWorkflow: post trusted review request
CodexAutofixWorkflow->>GitHubAPI: list PR comments
GitHubAPI-->>CodexAutofixWorkflow: comments or permission failure
CodexAutofixWorkflow->>CodexAutofixWorkflow: check head marker and repair limit
CodexAutofixWorkflow->>GitHubAPI: create scoped auto-resolve comment
Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 1 warning)
✅ Passed checks (9 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@AGENTS.md`:
- Line 394: Update the wording in the AGENTS.md bullet to hyphenate the compound
adjective, changing “Node 24 based” to “Node 24-based.”
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 2cc1b2f4-229b-439d-b6f8-69afe52f9b27
📒 Files selected for processing (6)
.github/workflows/codex-autofix-review-comments.ymlAGENTS.mddocs/branch-review-ledger.mdscripts/check-codex-autofix-workflow.mjsscripts/check-github-action-pins.mjstests/codex-autofix-workflow.test.ts
The sole finding was fixed in 859624f, its thread is resolved, and the refreshed CodeRabbit plus all required CI/security checks passed on the updated head.
Summary
actions/github-scriptv9.0.0 to its verified immutable commit.Why
The previous bridge could be triggered by substring-matching identities, suppressed by spoofed markers, displaced by unrelated workflow runs, and silently succeed when GitHub denied comment permissions. It also allowed only one repair request for the entire PR and used a mutable action tag.
Areas changed
.github/workflows/codex-autofix-review-comments.ymlscripts/check-codex-autofix-workflow.mjsscripts/check-github-action-pins.mjstests/codex-autofix-workflow.test.tsAGENTS.mddocs/branch-review-ledger.mdVerification
npm run verify:cheapgit diff --checkpassedgit ls-remoteverified the pinnedgithub-scriptv9.0.0 commit.Checks not run
npm run verify:releasewas not run because it includes provider-backed Supabase/OpenAI governance and evaluation gates; this change does not touch application, clinical, database, or provider behavior.Risk and limitations