Skip to content

ci(codex): bump public-workflows pin to v2.4.0#120

Merged
nsportsman merged 1 commit into
mainfrom
ci/bump-codex-pin-v2.4.0
Jun 1, 2026
Merged

ci(codex): bump public-workflows pin to v2.4.0#120
nsportsman merged 1 commit into
mainfrom
ci/bump-codex-pin-v2.4.0

Conversation

@nsportsman

Copy link
Copy Markdown
Contributor

Bumps the Codex PR reviewer pin to v2.4.0 (f7fb4810).

Why: this repo was pinned to a pre-fix public-workflows version (v2.1.0 / v2.3.1) where Harden-Runner's disable-sudo-and-containers pre-disables sudo on the codex job. openai/codex-action needs sudo to lock its proxy file before it irreversibly drops sudo, so the action exits 1 before any review runs — the Codex review silently fails on every real code PR. (Green checks on docs/release-only PRs are preflight-skips, which masked this.)

Fixed upstream in praetorian-inc/public-workflows#80, released in v2.4.0 (also carries the gpt-5.5 default + CVE-2025-32955 container-lockdown hardening).

🤖 Generated with Claude Code

@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown

Codex review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @codex on a review comment to force a review.

@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown

Claude review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @claude on a review comment to force a review.

@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown

Gemini review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @gemini on a review comment to force a review.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

This PR updates .github/workflows/codex-code.yml to invoke the centralized Codex PR Review reusable workflow at a newer commit hash. The change advances the pinned workflow reference from v2.1.0/v2.1.2 to v2.4.0. No other workflow configuration—triggers, permissions, model selection, or secret wiring—is modified.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/bump-codex-pin-v2.4.0

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codex-code.yml:
- Line 21: The reusable-workflow reference line using
praetorian-inc/public-workflows at commit
f7fb4810ccab4ab589499b632fb61983124ece79 is mismatched with the comment "#
v2.4.0"; update the pinned SHA in the uses declaration to the actual commit for
v2.4.0 (9e1d2193fa6773e70233e100190f4c09c7bdfda0) or alternatively change the
comment to reflect the pinned commit, and while editing verify the configured
model name (gpt-5.5) in the workflow action inputs is a supported model for that
provider and correct it if invalid.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1f1c6a22-fa62-4199-be1e-a26c195e459b

📥 Commits

Reviewing files that changed from the base of the PR and between 49f54f5 and 51c3e3d.

📒 Files selected for processing (1)
  • .github/workflows/codex-code.yml

jobs:
codex-review:
uses: praetorian-inc/public-workflows/.github/workflows/codex-code.yml@25c08fbd15a931e275f207ecee1758c931f89ea5 # v2.1.0 # v2.1.2 (private repo pre-fetch fix)
uses: praetorian-inc/public-workflows/.github/workflows/codex-code.yml@f7fb4810ccab4ab589499b632fb61983124ece79 # v2.4.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the commit hash matches the v2.4.0 tag

cd $(mktemp -d)
git clone --filter=blob:none --no-checkout https://github.com/praetorian-inc/public-workflows.git .
git fetch origin tag v2.4.0 --no-tags

echo "=== Commit hash for v2.4.0 tag ==="
git rev-parse v2.4.0

echo ""
echo "=== Expected hash from workflow ==="
echo "f7fb4810ccab4ab589499b632fb61983124ece79"

echo ""
echo "=== Verification ==="
if [ "$(git rev-parse v2.4.0)" = "f7fb4810ccab4ab589499b632fb61983124ece79" ]; then
  echo "✓ Commit hash matches v2.4.0 tag"
else
  echo "✗ Commit hash does NOT match v2.4.0 tag"
fi

Repository: praetorian-inc/brutus

Length of output: 381


Fix reusable-workflow pin/tag mismatch in codex-code.yml

  • ./.github/workflows/codex-code.yml:21 claims praetorian-inc/public-workflows @f7fb4810ccab4ab589499b632fb61983124ece79 is # v2.4.0, but v2.4.0 actually points to 9e1d2193fa6773e70233e100190f4c09c7bdfda0.
  • Update the pinned SHA to the real v2.4.0 commit (or correct the comment) so the workflow pins the intended release contents.
  • Also sanity-check that the workflow’s configured model gpt-5.5 is a supported/valid model for the referenced action/provider.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codex-code.yml at line 21, The reusable-workflow reference
line using praetorian-inc/public-workflows at commit
f7fb4810ccab4ab589499b632fb61983124ece79 is mismatched with the comment "#
v2.4.0"; update the pinned SHA in the uses declaration to the actual commit for
v2.4.0 (9e1d2193fa6773e70233e100190f4c09c7bdfda0) or alternatively change the
comment to reflect the pinned commit, and while editing verify the configured
model name (gpt-5.5) in the workflow action inputs is a supported model for that
provider and correct it if invalid.

@nsportsman nsportsman merged commit bb7c70a into main Jun 1, 2026
20 checks passed
@nsportsman nsportsman deleted the ci/bump-codex-pin-v2.4.0 branch June 1, 2026 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant