Seb/codex reviewer#143
| - name: Check out pull request merge ref | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| ref: refs/pull/${{ steps.prepare.outputs.pr_number }}/merge | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Load architecture docs |
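Review bot: The ref: refs/pull/.../merge checkout in this step has no path: input, so PR-authored files land in the workspace root and every later relative path in the job resolves to them. Check the merge ref out under its own path: (for example path: pr) and keep a separate default-branch checkout for anything the job executes or reads as trusted input.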
| - name: Pre-fetch base and head refs | ||
| run: | | ||
| git fetch --no-tags origin \ | ||
| "${{ steps.prepare.outputs.base_ref }}:refs/remotes/origin/${{ steps.prepare.outputs.base_ref }}" \ | ||
| "+refs/pull/${{ steps.prepare.outputs.pr_number }}/head:refs/remotes/pull/${{ steps.prepare.outputs.pr_number }}/head" | ||
|
|
||
| - name: Create runtime Codex prompt |
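Review bot: The ${{ steps.prepare.outputs.base_ref }} and ${{ steps.prepare.outputs.pr_number }} expressions in the git fetch arguments are substituted into the script text before the shell parses it, so a ref name containing $(...) or backticks would still be evaluated inside the double quotes. Pass both outputs through env: on the step and reference them as "$BASE_REF" and "$PR_NUMBER" in the refspecs.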
Found 4 material issues:
- .github/workflows/codex-review.yaml:182/:329 execute JavaScript from the checked-out PR after refs/pull/.../merge is checked out. On the manual @review path, that gives the PR a way to run repository-credentialed code by modifying scripts/ci/*.mjs.
- .github/workflows/codex-review.yaml:201 and :320 load the review prompt/schema from the PR checkout itself. That makes the reviewer self-modifiable: a PR can rewrite Codex's instructions or output contract and force a false lgtm.
- .github/workflows/codex-review.yaml:24 only excludes bots before honoring @review. Any account that can comment on the PR can repeatedly trigger a paid gpt-5.4/xhigh run.
- .github/workflows/codex-review.yaml:312 assumes OPENAI_API_KEY is available on every pull_request run. This repo already special-cases missing secrets for fork/Dependabot PRs in .github/workflows/architecture-docs-freshness.yml; without the same guard here, those PRs have no successful automatic review path.
Codex Reference Context
- NaradaAI/api-docs: not loaded (default-main; gh: Not Found (HTTP 404))
- NaradaAI/caddie: not loaded (default-main; gh: Not Found (HTTP 404))
- NaradaAI/desktop-automation-app: not loaded (default-main; gh: Not Found (HTTP 404))
- NaradaAI/frontend: not loaded (default-main; gh: Not Found (HTTP 404))
Automated review by Codex via GitHub Actions.
| ( | ||
| github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request != null && | ||
| (github.event.comment.user.type || '') != 'Bot' && |
This only filters bots. There is no collaborator/permission check, so any account that can comment on the PR can retrigger a paid Codex run with @review. If the manual trigger is meant to be maintainer-only, gate it on author_association or a repo-permission lookup.
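An added example (not part of the review or of this repository's code) of the author_association gate suggested in the comment above, written as a JavaScript function a workflow step could call. The trusted-association list, the rule for matching @review, and the sample payloads are assumptions constructed for illustration.

```javascript
// Added example: decide whether an issue_comment event may start a review run.
// TRUSTED_ASSOCIATIONS and the "@review" matching rule are assumptions.
const TRUSTED_ASSOCIATIONS = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);

function reviewGate(eventName, payload) {
  if (eventName !== 'issue_comment') {
    return { run: false, reason: 'not an issue_comment event' };
  }
  // Same checks the workflow condition already makes.
  if (!payload.issue || payload.issue.pull_request == null) {
    return { run: false, reason: 'comment is not on a pull request' };
  }
  const comment = payload.comment || {};
  if (((comment.user || {}).type || '') === 'Bot') {
    return { run: false, reason: 'bot comment' };
  }
  // Assumed trigger rule: "@review" as a whole token at the start of a line.
  if (!/^\s*@review(?![\w-])/m.test(comment.body || '')) {
    return { run: false, reason: 'no @review command' };
  }
  // The missing check: fail closed on absent or unknown association values.
  const assoc = comment.author_association;
  if (typeof assoc !== 'string' || !TRUSTED_ASSOCIATIONS.has(assoc)) {
    return { run: false, reason: `untrusted author_association: ${assoc}` };
  }
  return { run: true, reason: `trusted commenter (${assoc})` };
}

// Constructed sample payload, trimmed to the fields the gate reads.
function sampleEvent(overrides) {
  return {
    issue: { number: 1, pull_request: { url: 'https://example.invalid/pr/1' } },
    comment: { body: '@review', user: { type: 'User' },
      author_association: 'NONE', ...overrides },
  };
}

for (const [label, event] of [
  ['maintainer', sampleEvent({ author_association: 'MEMBER' })],
  ['drive-by account', sampleEvent({ author_association: 'NONE' })],
  ['prior contributor', sampleEvent({ author_association: 'CONTRIBUTOR' })],
  ['bot', sampleEvent({ user: { type: 'Bot' }, author_association: 'MEMBER' })],
]) {
  console.log(label, reviewGate('issue_comment', event));
}
```

CONTRIBUTOR is left out of the allow-list on purpose, since it only means the account has a previously merged commit; a repo-permission lookup, the other option the comment names, is the stricter check.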
| REVIEW_CONTEXT_FILE: ${{ steps.prepare.outputs.context_file }} | ||
| DEFAULT_REFERENCE_REPOS: caddie frontend api-docs desktop-automation-app | ||
| run: | | ||
| node ./scripts/ci/load-codex-reference-repos.mjs |
By this point the job has checked out refs/pull/.../merge, so this is executing PR-authored JS with GH_TOKEN in its environment (same problem later for post-codex-review.mjs with GITHUB_TOKEN). A malicious PR can replace these scripts and exfiltrate repo credentials when @review is used; the privileged path needs code pinned from the default branch or a fork skip.
| const fs = require('node:fs'); | ||
| const path = require('node:path'); | ||
|
|
||
| const template = fs.readFileSync('.github/codex/prompts/pr-review.md', 'utf8').trim(); |
This makes the reviewer self-modifiable: the PR can change .github/codex/prompts/pr-review.md here (and the schema passed on line 320) to force lgtm or suppress findings. If the review is supposed to be trustworthy, load these assets from the default branch or a pinned action artifact instead of the merge ref.
| - name: Run Codex review | ||
| uses: openai/codex-action@v1 | ||
| with: | ||
| openai-api-key: ${{ secrets.OPENAI_API_KEY }} |
This unconditionally requires OPENAI_API_KEY, but the repo already treats fork/Dependabot pull_request runs as missing normal secrets in architecture-docs-freshness.yml. Without the same guard here, those PRs cannot complete the automatic review path and will needlessly fail the workflow.
Adds codex reviewer for narada-python-sdk