ci: ai reviewer #71
Conversation
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
| steps: | ||
| - uses: actions/github-script@v7 | ||
| with: | ||
| github-token: ${{ secrets.OWNER_PAT }} | ||
| script: | | ||
| github.rest.issues.createComment({ |
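Review bot: `actions/github-script@v7` in this step is pinned to a mutable major-version tag while being handed `secrets.OWNER_PAT`; pin the action to a full commit SHA (keeping the tag in a trailing comment) so the action code that receives the token cannot change without a visible diff to this workflow. The secret's name also suggests an owner-scoped classic PAT, which is far more than `createComment` needs; a fine-grained token restricted to this repository with Issues: write, or the job's own `GITHUB_TOKEN`, is the least-privilege choice.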
Guard against missing secrets on fork PRs
This workflow is configured for pull_request events, which execute in the context of the contributor’s fork. In that mode GitHub does not expose repository secrets, so secrets.OWNER_PAT is resolved to an empty string and the actions/github-script call will 401 and fail for any external PR. The result is that community pull requests will carry a failing CI job and never receive the intended @codex review comment. Consider switching the trigger to pull_request_target, skipping forked PRs with an if: guard, or otherwise avoiding the need for a repository secret in this context.
Useful? React with 👍 / 👎.
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
.github/workflows/pr-review.yml
Outdated
| - uses: actions/github-script@v7 | ||
| with: | ||
| github-token: ${{ secrets.OWNER_PAT }} |
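Review bot: nothing in this hunk records which account `OWNER_PAT` belongs to or what it is allowed to do, and the step carries no `name:`; add a step name and a comment above `github-token:` stating the token's owner and scope, since anyone reviewing a later change to this file needs that to judge what a modified step here could read or act as.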
Using pull_request with secrets breaks on fork PRs
The job is triggered by pull_request but the step authenticates with secrets.OWNER_PAT. Secrets are not exposed to pull_request workflows for contributions from forks, so the step will fail and no @codex review comment will be added on most community PRs. If forked PRs should be supported, switch to pull_request_target or use the default GITHUB_TOKEN with the necessary write permission.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
| with: | ||
| github-token: ${{ secrets.PR_REVIEW_TOKEN }} | ||
| script: | | ||
| github.rest.issues.createComment({ | ||
| issue_number: context.issue.number, |
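Review bot: `issue_number: context.issue.number` resolves correctly for `pull_request` events, but the hunk gives no reason for authenticating with a dedicated `PR_REVIEW_TOKEN` instead of the job's `GITHUB_TOKEN`; document that reason in a comment above `github-token:` (for example, if the reviewer app ignores comments authored by the Actions bot), because that justification is what decides whether a long-lived secret belongs in this workflow at all.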
Use pull_request_target when accessing secrets
This workflow posts @codex review using secrets.PR_REVIEW_TOKEN, but it is triggered on pull_request. Repository secrets are not exposed to workflows that run in the context of a forked PR, so any external contribution will cause this job to fail and no AI review comment will be created. If the intent is to handle community PRs, switch the trigger to pull_request_target or avoid using a secret so the workflow can run on forks.
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
| on: | ||
| pull_request: | ||
| types: [opened, synchronize] | ||
|
|
||
| jobs: | ||
| comment: | ||
| if: github.event.pull_request.head.repo.fork == false | ||
| permissions: | ||
| issues: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/github-script@v7 | ||
| with: | ||
| github-token: ${{ secrets.PR_REVIEW_TOKEN }} |
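Review bot: `permissions: issues: write` on the `comment` job has no effect as written, because the step authenticates with `secrets.PR_REVIEW_TOKEN` rather than the job's `GITHUB_TOKEN`; either drop the `github-token:` input so the declared permission is the one that actually governs `createComment`, or remove the `permissions:` block so the job does not appear more tightly scoped than the PAT makes it. Separately, `types: [opened, synchronize]` posts a fresh `@codex review` comment on every push to the PR; if one trigger per PR is intended, limit the trigger to `opened`.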
Avoid exposing PR_REVIEW_TOKEN to unreviewed PR code
The job executes on pull_request events and the workflow file itself comes from the PR branch, but it injects the high-privilege secrets.PR_REVIEW_TOKEN into actions/github-script. A contributor with push access can modify this workflow in their PR to log or exfiltrate the token before review, because the secret is available when the job runs. To keep the PAT private, run the comment step from a pull_request_target workflow (which uses the base branch workflow) or rely on the default GITHUB_TOKEN instead of exposing a custom PAT.
Checklist: