Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 30b640ee82
```javascript
const hasAutomergeLabel = labels.includes('automerge');
const isNotDraft = pr.draft === false;
const isCodexAuthor = pr.user && pr.user.login === 'chatgpt-codex-connector';
const isCodexBranch = typeof pr.head?.ref === 'string' && pr.head.ref.startsWith('codex/');
```
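Review bot: `isCodexBranch` on the last line gates on a branch name, which whoever opens the PR chooses, so it cannot serve as an identity signal on its own; either require it together with `isCodexAuthor` and a same-repository check on `pr.head.repo.full_name`, or drop it. Minor style point: the null-guarding is inconsistent (`pr.user && pr.user.login` on one line, `pr.head?.ref` on the next); `pr.user?.login === 'chatgpt-codex-connector'` would match the style of the following line.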
Restrict codex branch checks to trusted repositories
The automerge gate treats any PR whose head ref starts with `codex/` as trusted (`isCodexBranch`), but it never verifies that the head branch comes from this repository (for example via `pr.head.repo.full_name === repo.full_name`). In `pull_request_target` with write permissions, a fork can use a `codex/*` branch name and satisfy this check; if a maintainer adds `automerge`, this workflow can merge untrusted fork code under the elevated token.
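A hardened form of the gate discussed above, added here as an example rather than the PR's own workflow code; it assumes `pr` has the shape of the GitHub pull_request payload, `labels` is an array of label-name strings, and the sample objects are constructed for this illustration:

```javascript
// Added example (not the PR's own code): every trust signal must hold, and the
// decisive one is that the head branch lives in this repository, not in a fork.
const CODEX_LOGIN = 'chatgpt-codex-connector';

function isTrustedCodexPr(pr, repoFullName, labels) {
  const hasAutomergeLabel = labels.includes('automerge');
  const isNotDraft = pr.draft === false;
  // The bot's login is assigned by GitHub and cannot be chosen by a PR author.
  const isCodexAuthor = pr.user?.login === CODEX_LOGIN;
  // A branch name is chosen by whoever opens the PR: a hint, never sufficient alone.
  const isCodexBranch = typeof pr.head?.ref === 'string' && pr.head.ref.startsWith('codex/');
  // Head must come from this repository. A deleted fork leaves head.repo null,
  // which optional chaining turns into a mismatch (and therefore a rejection).
  const isSameRepo = pr.head?.repo?.full_name === repoFullName;
  return hasAutomergeLabel && isNotDraft && isCodexAuthor && isCodexBranch && isSameRepo;
}

// Constructed sample payloads (not real repositories or PRs).
const REPO = 'example-org/example-repo';
const codexPr = {
  draft: false,
  user: { login: CODEX_LOGIN },
  head: { ref: 'codex/fix-typo', repo: { full_name: REPO } },
};
const forkPr = {
  draft: false,
  user: { login: 'someone-else' },
  head: { ref: 'codex/looks-legit', repo: { full_name: 'someone-else/example-repo' } },
};

function runSamples() {
  return {
    codex: isTrustedCodexPr(codexPr, REPO, ['automerge']),                // true
    forkWithCodexBranch: isTrustedCodexPr(forkPr, REPO, ['automerge']),   // false
    codexUnlabeled: isTrustedCodexPr(codexPr, REPO, []),                  // false
  };
}
```

The fork case is the one the review comment describes: the `codex/` prefix alone passes, but the repository check rejects it.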
```javascript
'**/src/**/stripe*',
'**/src/**/payments*',
'**/src/**/auth*',
'**/src/**/sessions*',
```
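Review bot: each of these four globs ends in a bare `*`, which matches only a final path segment such as `src/auth.js`, so a file inside a matching directory is not denied; add a companion pattern per entry (e.g. `'**/src/**/auth*/**'`) and apply the same widening to the fallback regexes. All four are also anchored beneath a `src` directory, so a sensitive module kept anywhere else in the tree is not covered by the denylist at all.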
Match sensitive directory contents in denylist globs
The denylist patterns for `stripe*`, `payments*`, `auth*`, and `sessions*` only match final path segments, so edits inside those directories (for example `src/auth/login.js`) are not denied and can still be auto-merged. The fallback regexes on lines 72–75 have the same end-of-path limitation, so both matcher paths miss nested files in these sensitive areas.
Closing duplicate rollout PR to keep a single Codex automerge PR per repo.
Verification
- `.github/workflows/codex-automerge.yml`
- `docs/codex-workflow.md`

Notes
This PR adds a safe automerge workflow for Codex PRs using `pull_request_target`. It only applies when:
- `automerge` is present
- `chatgpt-codex-connector` or head ref starts with `codex/`

Do not label this PR as `automerge`.