fix(ci): gate Codex auto-resolve on completed review and post as a non-bot user#610
Conversation
… user The auto-resolve request never reached Codex because it was authored by github-actions[bot], whose @codex mentions the Codex connector ignores. It also fired on the first inline review comment, before a review completed. - Trigger the request off the Codex-authored `pull_request_review` (submitted) event instead of the first inline comment, so it runs only after a code review finishes. Skip approved/dismissed reviews and reviews with no inline findings — nothing to resolve. - Post the request with a fine-grained PAT (CODEX_TRIGGER_TOKEN) so it comes from a real user identity the Codex connector will act on. - Trust the dedup marker from the trigger-token account (resolved at runtime) rather than github-actions[bot]. - Split thread resolution into its own job that keeps `pull-requests: write` and acts only on trusted disposition-marker replies. - Update AGENTS.md to match the new trigger, token, and dedup behavior. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NrdqyvKzaovZUX9haKfgjM
|
Warning Review limit reached
Next review available in: 5 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThe Codex auto-resolve workflow now responds to submitted reviews, authenticates with a dedicated trigger token, validates trusted identities and review states, deduplicates using runtime token identity, and resolves only explicitly marked Codex review threads. ChangesCodex auto-resolve workflow
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant CodexConnectorBot
participant GitHubWorkflow
participant GitHubReviewsAPI
participant GitHubGraphQL
CodexConnectorBot->>GitHubWorkflow: submit review
GitHubWorkflow->>GitHubReviewsAPI: fetch review comments
GitHubReviewsAPI-->>GitHubWorkflow: actionable comments
GitHubWorkflow->>GitHubReviewsAPI: create authenticated resolve request
CodexConnectorBot->>GitHubWorkflow: reply with resolved marker
GitHubWorkflow->>GitHubGraphQL: find containing review thread
GitHubGraphQL-->>GitHubWorkflow: thread state
GitHubWorkflow->>GitHubGraphQL: resolve unresolved thread
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
Summary
Git / PR
Testing
|
CI triageCI failed on this PR. Automated classification of the 3 failed job(s):
Heuristic only — a main-side or flake label is a starting point, not a verdict. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a6f64938c8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/codex-autofix-review-comments.yml:
- Around line 184-186: Update the workflow’s concurrency group to include
github.event.comment.id alongside github.event.pull_request.number, giving each
resolved comment reply a distinct concurrency key while preserving
cancel-in-progress: false.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 660d4a56-d47e-4107-adb8-0ea73c98f0c9
📒 Files selected for processing (2)
.github/workflows/codex-autofix-review-comments.ymlAGENTS.md
…rency CI's Codex-autofix guard and its unit tests encoded the old single-job, issue_comment-forbidden design and blocked the new split-trigger workflow. - Update scripts/check-codex-autofix-workflow.mjs to the new contract: require the submitted-review trigger, event-name gates, review/comment identity checks for both jobs, the completed-review findings gate, the CODEX_TRIGGER_TOKEN / github.token bindings, and trigger-token-account dedup; keep forbidding issue_comment triggers, substring logins, loose marker trust, top-level concurrency, contents:write, and mutable pins. - Rewrite tests/codex-autofix-workflow.test.ts to extract and exercise both github-script blocks (request job on review payloads, thread job on comment payloads), covering identity, review-state/findings gating, dedup trust, single-pass, and visible permission failures. - Skip the request job gracefully (warning annotation) when CODEX_TRIGGER_TOKEN is unset, so the check is not permanently red before the secret is created. - Scope the thread-resolution concurrency group per comment id so a burst of disposition replies cannot evict queued thread resolutions. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NrdqyvKzaovZUX9haKfgjM
Summary
Testing
|
Summary
The Codex auto-resolve request never reached Codex, and it fired before a review completed. Two root causes in
.github/workflows/codex-autofix-review-comments.yml:@codex resolve …request was posted with the defaultGITHUB_TOKEN, so it was authored bygithub-actions[bot]. The Codex connector ignores@codexcommands from bot accounts, so the request was silently dropped.pull_request_review_comment: [created]— the first inline comment — so a resolve pass could be requested mid-review, before findings were complete. Asking Codex to "resolve findings" when none exist yet is pointless.Changes:
pull_request_review(submitted) event. It skipsapproved/dismissedreviews and reviews that carry zero inline comments, so it only runs when a real code review raised findings.CODEX_TRIGGER_TOKENsecret so the Codex connector will act on the mention.github-actions[bot].pull-requests: writeand acts only on trusted<!-- codex-thread-disposition:resolved -->replies; the request job runs read-only and relies on the trigger token's own scope.AGENTS.mdto match the new trigger, token, and dedup behavior.Verification
js-yaml); both jobs and bothon:triggers presentgithub-scriptbodies syntax-check cleannpm run verify:pr-local— N/A: change is limited to a GitHub Actions workflow andAGENTS.md; no app source, build, or runtime surface is touchednpm run verify:ui— N/A: no UI, routing, styling, or browser behavior changednpm run verify:release— N/A: no release/handoff claimClinical Governance Preflight
N/A — this change does not touch ingestion, answer generation, search/ranking, source rendering, document access, privacy, production env, or clinical output. It only changes CI automation and repo docs.
Notes
GITHUB_TOKEN) never triggered Codex. Now that a user identity posts the request, the existing per-PR marker + single-pass guards remain important to prevent re-trigger loops, and they are preserved.🤖 Generated with Claude Code
Generated by Claude Code
Summary by CodeRabbit
Workflow Improvements
Documentation