Skip to content

fix(ci): gate Codex auto-resolve on completed review and post as a non-bot user#610

Merged
BigSimmo merged 2 commits into
mainfrom
claude/github-actions-codex-issue-f4t4s5
Jul 13, 2026
Merged

fix(ci): gate Codex auto-resolve on completed review and post as a non-bot user#610
BigSimmo merged 2 commits into
mainfrom
claude/github-actions-codex-issue-f4t4s5

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Summary

The Codex auto-resolve request never reached Codex, and it fired before a review completed. Two root causes in .github/workflows/codex-autofix-review-comments.yml:

  1. The @codex resolve … request was posted with the default GITHUB_TOKEN, so it was authored by github-actions[bot]. The Codex connector ignores @codex commands from bot accounts, so the request was silently dropped.
  2. The workflow triggered on pull_request_review_comment: [created] — the first inline comment — so a resolve pass could be requested mid-review, before findings were complete. Asking Codex to "resolve findings" when none exist yet is pointless.

Changes:

  • Trigger only after a completed review. The request now fires off the Codex-authored pull_request_review (submitted) event. It skips approved/dismissed reviews and reviews that carry zero inline comments, so it only runs when a real code review raised findings.
  • Post as a real user. The request is posted with a fine-grained PAT from the CODEX_TRIGGER_TOKEN secret so the Codex connector will act on the mention.
  • Dedup trusts the trigger-token account. The single-pass/duplicate guard now matches the identity that actually posts the request (resolved at runtime via the authenticated user) instead of hard-coding github-actions[bot].
  • Split thread resolution into its own job. The marker-driven thread-resolution logic is now a separate job that retains pull-requests: write and acts only on trusted <!-- codex-thread-disposition:resolved --> replies; the request job runs read-only and relies on the trigger token's own scope.
  • Updated AGENTS.md to match the new trigger, token, and dedup behavior.

⚠️ Requires a new repository secret before this works: CODEX_TRIGGER_TOKEN — a fine-grained PAT from an account with repo access and pull-requests: write (issue-comment) permission. Until it exists the request job will fail visibly rather than silently no-op.

Verification

  • Workflow YAML parses (js-yaml); both jobs and both on: triggers present
  • Both embedded github-script bodies syntax-check clean
  • npm run verify:pr-local — N/A: change is limited to a GitHub Actions workflow and AGENTS.md; no app source, build, or runtime surface is touched
  • npm run verify:ui — N/A: no UI, routing, styling, or browser behavior changed
  • npm run verify:release — N/A: no release/handoff claim

Clinical Governance Preflight

N/A — this change does not touch ingestion, answer generation, search/ranking, source rendering, document access, privacy, production env, or clinical output. It only changes CI automation and repo docs.

Notes

  • The Codex connector's bot-comment filtering is the reason the previous design (which the repo spec assumed would work with GITHUB_TOKEN) never triggered Codex. Now that a user identity posts the request, the existing per-PR marker + single-pass guards remain important to prevent re-trigger loops, and they are preserved.

🤖 Generated with Claude Code


Generated by Claude Code

Summary by CodeRabbit

  • Workflow Improvements

    • Codex auto-resolve requests now start when a review is submitted, rather than when individual comments are created.
    • Requests are limited to trusted Codex reviews and actionable review states.
    • Improved duplicate-request prevention and clearer reporting for permission or comment-creation failures.
    • Review threads are resolved only from explicitly marked, trusted responses.
  • Documentation

    • Updated workflow guidance with stricter security, permission, identity, and concurrency requirements.

… user

The auto-resolve request never reached Codex because it was authored by
github-actions[bot], whose @codex mentions the Codex connector ignores. It
also fired on the first inline review comment, before a review completed.

- Trigger the request off the Codex-authored `pull_request_review` (submitted)
  event instead of the first inline comment, so it runs only after a code
  review finishes. Skip approved/dismissed reviews and reviews with no inline
  findings — nothing to resolve.
- Post the request with a fine-grained PAT (CODEX_TRIGGER_TOKEN) so it comes
  from a real user identity the Codex connector will act on.
- Trust the dedup marker from the trigger-token account (resolved at runtime)
  rather than github-actions[bot].
- Split thread resolution into its own job that keeps `pull-requests: write`
  and acts only on trusted disposition-marker replies.
- Update AGENTS.md to match the new trigger, token, and dedup behavior.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NrdqyvKzaovZUX9haKfgjM
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@BigSimmo, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 5 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6315a07e-60b2-48c5-8c7f-91056a75fe93

📥 Commits

Reviewing files that changed from the base of the PR and between a6f6493 and 1f4cdd5.

📒 Files selected for processing (3)
  • .github/workflows/codex-autofix-review-comments.yml
  • scripts/check-codex-autofix-workflow.mjs
  • tests/codex-autofix-workflow.test.ts
📝 Walkthrough

Walkthrough

The Codex auto-resolve workflow now responds to submitted reviews, authenticates with a dedicated trigger token, validates trusted identities and review states, deduplicates using runtime token identity, and resolves only explicitly marked Codex review threads. AGENTS.md documents these requirements.

Changes

Codex auto-resolve workflow

Layer / File(s) Summary
Submitted review trigger and validation
.github/workflows/codex-autofix-review-comments.yml, AGENTS.md
The workflow processes submitted Codex reviews, skips approved or dismissed reviews and reviews without actionable comments, and retrieves comments by review ID.
Authenticated request and deduplication
.github/workflows/codex-autofix-review-comments.yml, AGENTS.md
The workflow uses CODEX_TRIGGER_TOKEN, verifies its authenticated account for deduplication, adds a review-based source marker, and reports permission failures when creating comments.
Marker-driven thread resolution
.github/workflows/codex-autofix-review-comments.yml, AGENTS.md
Trusted replies with the resolved marker identify the containing review thread, which is resolved through GraphQL when still unresolved.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CodexConnectorBot
  participant GitHubWorkflow
  participant GitHubReviewsAPI
  participant GitHubGraphQL

  CodexConnectorBot->>GitHubWorkflow: submit review
  GitHubWorkflow->>GitHubReviewsAPI: fetch review comments
  GitHubReviewsAPI-->>GitHubWorkflow: actionable comments
  GitHubWorkflow->>GitHubReviewsAPI: create authenticated resolve request
  CodexConnectorBot->>GitHubWorkflow: reply with resolved marker
  GitHubWorkflow->>GitHubGraphQL: find containing review thread
  GitHubGraphQL-->>GitHubWorkflow: thread state
  GitHubWorkflow->>GitHubGraphQL: resolve unresolved thread
Loading

Possibly related PRs

  • BigSimmo/Database#446: Updates the same workflow and aligns review-submission triggers, connector identity checks, and source markers.
  • BigSimmo/Database#445: Modifies the same workflow’s comment retrieval, deduplication, and 403 permission handling.
  • BigSimmo/Database#435: Changes the same Codex auto-resolve workflow’s event handling, markers, and request creation.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: gating Codex auto-resolve on completed reviews and posting the request as a non-bot user.
Description check ✅ Passed The description follows the template with Summary, Verification, Clinical Governance Preflight, and Notes, and the required details are mostly complete.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/github-actions-codex-issue-f4t4s5

Comment @coderabbitai help to get the list of available commands.

@supabase

supabase Bot commented Jul 13, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@chatgpt-codex-connector

Copy link
Copy Markdown

Summary

Git / PR

  • Created commit a12e534 with message test(ci): align Codex autofix workflow guard.
  • Created PR metadata via make_pr with title test(ci): align Codex autofix workflow guard.

Testing

  • node scripts/check-codex-autofix-workflow.mjs
  • node --check scripts/check-codex-autofix-workflow.mjs
  • npm run check:github-actions
  • ⚠️ npm run check:codex-autofix-workflow && node - <<'NODE' ... require('js-yaml') ... NODE — the guard passed, but the inline YAML parse could not run because js-yaml is not installed in this workspace.

View task →

@github-actions

Copy link
Copy Markdown

CI triage

CI failed on this PR. Automated classification of the 3 failed job(s):

  • Safety and config checksneeds investigation.
  • Static PR checksneeds investigation.
  • PR requiredpossible known flake: UI/Playwright job; check tests/flake-ledger.json (tests/ui-smoke.spec.ts, tests/ui-smoke.spec.ts, tests/ui-tools.spec.ts, tests/ui-tools.spec.ts) and re-run before bisecting.

Heuristic only — a main-side or flake label is a starting point, not a verdict.

@BigSimmo
BigSimmo marked this pull request as ready for review July 13, 2026 16:40
@BigSimmo
BigSimmo enabled auto-merge (squash) July 13, 2026 16:41

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a6f64938c8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/codex-autofix-review-comments.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codex-autofix-review-comments.yml:
- Around line 184-186: Update the workflow’s concurrency group to include
github.event.comment.id alongside github.event.pull_request.number, giving each
resolved comment reply a distinct concurrency key while preserving
cancel-in-progress: false.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 660d4a56-d47e-4107-adb8-0ea73c98f0c9

📥 Commits

Reviewing files that changed from the base of the PR and between b556f10 and a6f6493.

📒 Files selected for processing (2)
  • .github/workflows/codex-autofix-review-comments.yml
  • AGENTS.md

Comment thread .github/workflows/codex-autofix-review-comments.yml
…rency

CI's Codex-autofix guard and its unit tests encoded the old single-job,
issue_comment-forbidden design and blocked the new split-trigger workflow.

- Update scripts/check-codex-autofix-workflow.mjs to the new contract:
  require the submitted-review trigger, event-name gates, review/comment
  identity checks for both jobs, the completed-review findings gate, the
  CODEX_TRIGGER_TOKEN / github.token bindings, and trigger-token-account
  dedup; keep forbidding issue_comment triggers, substring logins, loose
  marker trust, top-level concurrency, contents:write, and mutable pins.
- Rewrite tests/codex-autofix-workflow.test.ts to extract and exercise both
  github-script blocks (request job on review payloads, thread job on
  comment payloads), covering identity, review-state/findings gating,
  dedup trust, single-pass, and visible permission failures.
- Skip the request job gracefully (warning annotation) when
  CODEX_TRIGGER_TOKEN is unset, so the check is not permanently red before
  the secret is created.
- Scope the thread-resolution concurrency group per comment id so a burst
  of disposition replies cannot evict queued thread resolutions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NrdqyvKzaovZUX9haKfgjM
@BigSimmo

BigSimmo commented Jul 13, 2026

Copy link
Copy Markdown
Owner Author

Resolved: CODEX_TRIGGER_TOKEN is now configured at repository Actions scope, required CI passed, and PR #610 merged into main as 8ce2908.

@chatgpt-codex-connector

Copy link
Copy Markdown

Summary

  • Extended the Codex auto-resolve workflow guard so it now requires the CODEX_TRIGGER_TOKEN missing-secret handling path: job env binding, empty-token warning branch, non-empty-token request branch, warning message, trigger-token binding, and thread-resolution token binding. scripts/check-codex-autofix-workflow.mjsL129-L138
  • Added a focused regression test that fails if the missing-token graceful-skip/warning behavior is removed from the workflow. tests/codex-autofix-workflow.test.tsL310-L338
  • Created commit 5220d6a with message test(ci): guard missing Codex trigger token handling.
  • Created PR metadata via make_pr with title test(ci): guard missing Codex trigger token handling.
  • Note: this does not provision or expose a token value; the repo still needs CODEX_TRIGGER_TOKEN configured as a GitHub Actions secret for auto-resolve requests to post as a non-bot user.

Testing

  • npm run check:codex-autofix-workflow
  • npm run test -- tests/codex-autofix-workflow.test.ts
  • npm run check:github-actions
  • git diff --check

View task →

@BigSimmo
BigSimmo merged commit 8ce2908 into main Jul 13, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants