ci(codex): bump public-workflows pin to v2.4.0#120
Conversation
|
Codex review skipped — non-code PR (only changed files matching |
|
Claude review skipped — non-code PR (only changed files matching |
|
Gemini review skipped — non-code PR (only changed files matching |
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
WalkthroughThis PR updates ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/codex-code.yml:
- Line 21: The reusable-workflow reference line using
praetorian-inc/public-workflows at commit
f7fb4810ccab4ab589499b632fb61983124ece79 is mismatched with the comment "#
v2.4.0"; update the pinned SHA in the uses declaration to the actual commit for
v2.4.0 (9e1d2193fa6773e70233e100190f4c09c7bdfda0) or alternatively change the
comment to reflect the pinned commit, and while editing verify the configured
model name (gpt-5.5) in the workflow action inputs is a supported model for that
provider and correct it if invalid.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 1f1c6a22-fa62-4199-be1e-a26c195e459b
📒 Files selected for processing (1)
.github/workflows/codex-code.yml
| jobs: | ||
| codex-review: | ||
| uses: praetorian-inc/public-workflows/.github/workflows/codex-code.yml@25c08fbd15a931e275f207ecee1758c931f89ea5 # v2.1.0 # v2.1.2 (private repo pre-fetch fix) | ||
| uses: praetorian-inc/public-workflows/.github/workflows/codex-code.yml@f7fb4810ccab4ab589499b632fb61983124ece79 # v2.4.0 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the commit hash matches the v2.4.0 tag
cd $(mktemp -d)
git clone --filter=blob:none --no-checkout https://github.com/praetorian-inc/public-workflows.git .
git fetch origin tag v2.4.0 --no-tags
echo "=== Commit hash for v2.4.0 tag ==="
git rev-parse v2.4.0
echo ""
echo "=== Expected hash from workflow ==="
echo "f7fb4810ccab4ab589499b632fb61983124ece79"
echo ""
echo "=== Verification ==="
if [ "$(git rev-parse v2.4.0)" = "f7fb4810ccab4ab589499b632fb61983124ece79" ]; then
echo "✓ Commit hash matches v2.4.0 tag"
else
echo "✗ Commit hash does NOT match v2.4.0 tag"
fiRepository: praetorian-inc/brutus
Length of output: 381
Fix reusable-workflow pin/tag mismatch in codex-code.yml
./.github/workflows/codex-code.yml:21claimspraetorian-inc/public-workflows@f7fb4810ccab4ab589499b632fb61983124ece79is# v2.4.0, butv2.4.0actually points to9e1d2193fa6773e70233e100190f4c09c7bdfda0.- Update the pinned SHA to the real
v2.4.0commit (or correct the comment) so the workflow pins the intended release contents. - Also sanity-check that the workflow’s configured model
gpt-5.5is a supported/valid model for the referenced action/provider.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/codex-code.yml at line 21, The reusable-workflow reference
line using praetorian-inc/public-workflows at commit
f7fb4810ccab4ab589499b632fb61983124ece79 is mismatched with the comment "#
v2.4.0"; update the pinned SHA in the uses declaration to the actual commit for
v2.4.0 (9e1d2193fa6773e70233e100190f4c09c7bdfda0) or alternatively change the
comment to reflect the pinned commit, and while editing verify the configured
model name (gpt-5.5) in the workflow action inputs is a supported model for that
provider and correct it if invalid.
Bumps the Codex PR reviewer pin to
v2.4.0(f7fb4810).Why: this repo was pinned to a pre-fix
public-workflowsversion (v2.1.0 / v2.3.1) where Harden-Runner'sdisable-sudo-and-containerspre-disables sudo on the codex job.openai/codex-actionneeds sudo to lock its proxy file before it irreversibly drops sudo, so the action exits 1 before any review runs — the Codex review silently fails on every real code PR. (Green checks on docs/release-only PRs are preflight-skips, which masked this.)Fixed upstream in praetorian-inc/public-workflows#80, released in v2.4.0 (also carries the gpt-5.5 default + CVE-2025-32955 container-lockdown hardening).
🤖 Generated with Claude Code