ci: add update-pins tool and review workflows #338
Conversation
|
To use Codex here, create an environment for this repo. |
|
@codex Can you tell me how I would update this PR to invoke a Codex task on the PRs that are produced by this new workflow? |
|
@codex can you review this PR for malicious intent? |
|
Codex Review: Didn't find any major issues. You're on a roll. ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
Codex Review: Didn't find any major issues. Keep it up! ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
This is just temporary - for testing purposes. Signed-off-by: Jacob Howard <[email protected]>
xenoscopic
force-pushed
the
update-pins
branch
from
565140e to
be61be6
Compare
xenoscopic
changed the title
|
@codex review |
| - name: Ensure security labels exist | ||
| if: steps.pins.outputs.has_targets == 'true' || steps.newservers.outputs.has_targets == 'true' | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh label create "${SECURITY_BLOCK_LABEL}" \ | ||
| --color B60205 \ | ||
| --description "Security automation detected blocking issues." \ | ||
| || echo "Label ${SECURITY_BLOCK_LABEL} already exists." | ||
|
|
||
| for risk in critical high medium low info; do | ||
| label="${SECURITY_RISK_LABEL_PREFIX}${risk}" | ||
| gh label create "$label" \ | ||
| --color 0E8A16 \ | ||
| --description "Security automation risk assessment: ${risk}." \ | ||
| || echo "Label $label already exists." | ||
| done |
There was a problem hiding this comment.
We could just do this manually, once.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| gh pr comment ${{ github.event.pull_request.number }} \ | ||
| --repo ${{ github.repository }} \ | ||
| --body-file security-review-comment.md |
There was a problem hiding this comment.
The workflow is only triggered via workflow_dispatch, yet the post-review step still references ${{ github.event.pull_request.number }} when calling gh pr comment. In a manually dispatched run this context is unset, so the command fails and the generated security report is never published to the intended pull request (labels also remain stale for the same reason). Consider using the input value (${{ github.event.inputs.pull_request_number }}) when the event is workflow_dispatch so manual executions can target the requested PR.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
That's fine, I've temporarily disabled the previous step and left it on a manual trigger for now, but it will eventually be triggered on PR events.
| continue | ||
| } | ||
| if server.Source.Project == "" { | ||
| continue |
There was a problem hiding this comment.
nit: should we log skipping servers without projects
fmt.Printf("Skipping %s: project source is empty.\n", server.Name)
Signed-off-by: Jacob Howard <[email protected]>
xenoscopic
force-pushed
the
update-pins
branch
from
8fe6d9d to
d0ea2d8
Compare
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Upstream calls can take a long time. This should be very conservative. Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
xenoscopic
force-pushed
the
update-pins
branch
from
b16ee7c to
52f41cc
Compare
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
Signed-off-by: Jacob Howard <[email protected]>
xenoscopic
force-pushed
the
update-pins
branch
from
4f9f16d to
d39f4d4
Compare
Signed-off-by: Jacob Howard <[email protected]>
xenoscopic
force-pushed
the
update-pins
branch
from
d39f4d4 to
0d7746c
Compare
2 participants
This PR is a follow-up to #328. It adds a tool and nightly workflow to update commit pins for local servers and create PRs for each update. It also adds two AI-based security review workflows to (1) automatically review incoming upstream changes due to new servers or version pin changes and (2) audit all or a subset of the registry.