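---
# Reviews each pull request with the Codex CLI (Azure OpenAI backend) and posts
# the resulting Markdown table as a PR comment.
#
# The PR diff is untrusted, author-controlled text that is handed to an agent
# able to run commands in the checked-out workspace, so this job keeps the
# checkout credential-free and runs the agent in a read-only sandbox.
name: PR Codex Review

on:
  pull_request:
    types: [opened, reopened, ready_for_review, synchronize]

permissions:
  contents: read
  pull-requests: write

jobs:
  codex_pr_review:
    name: Codex PR Review
    runs-on: ubuntu-latest
    # On the pull_request event a PR from a fork gets no repository secrets and a
    # read-only GITHUB_TOKEN, so the review can neither run nor be posted for it.
    # Skip such PRs up front instead of failing on the missing API key.
    if: github.event.pull_request.head.repo.full_name == github.repository
    env:
      REVIEW_TABLE_FALLBACK: |
        | File | Concern | Recommendation | Severity |
        | --- | --- | --- | --- |
        | All files | No actionable feedback generated | None | info |
      AZURE_OPENAI_BASE_URL: ${{ secrets.AZURE_OPENAI_BASE_URL }}
      AZURE_OPENAI_MODEL: ${{ secrets.AZURE_OPENAI_MODEL || 'gpt-5-codex' }}
      AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }}

    steps:
      - name: Checkout code
        # NOTE: tag-pinned; pin to a commit SHA for a tamper-evident supply chain.
        uses: actions/checkout@v4
        with:
          # Full history so both the base and head SHAs are available to git diff.
          fetch-depth: 0
          # Do not leave GITHUB_TOKEN in .git/config: the Codex agent later runs
          # commands in this workspace while reading attacker-influenced input,
          # and nothing below needs git credentials (diffs are local, the
          # comment is posted with GH_TOKEN).
          persist-credentials: false

      - name: Compute diff and changed files
        id: diff
        # Pass event data through env rather than interpolating it into the
        # script, the standard guard against expression injection in run steps.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Three-dot diff = changes since the merge base, i.e. only what the PR
          # adds; a two-dot diff would also show commits that landed on the base
          # branch after the PR branched off.
          git diff --name-only "$BASE_SHA...$HEAD_SHA" > changed_files.txt
          git diff --unified=3 "$BASE_SHA...$HEAD_SHA" > diff.patch
          if [ ! -s changed_files.txt ]; then
            echo "no_changes=true" >> "$GITHUB_OUTPUT"
          else
            echo "no_changes=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Prepare fallback review
        if: steps.diff.outputs.no_changes == 'true'
        run: |
          printf '%s' "$REVIEW_TABLE_FALLBACK" > raw_review.md
          cp raw_review.md review_result.md

      - name: Install Codex CLI
        if: steps.diff.outputs.no_changes == 'false'
        run: |
          # Fail before installing anything if the provider is not configured;
          # an empty base URL would otherwise silently become "/openai/v1".
          if [ -z "$AZURE_OPENAI_API_KEY" ] || [ -z "$AZURE_OPENAI_BASE_URL" ]; then
            echo "AZURE_OPENAI_API_KEY and AZURE_OPENAI_BASE_URL secrets must be configured." >&2
            exit 1
          fi
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends curl ca-certificates git
          # NOTE: @latest is unpinned; pin an exact version for reproducible runs.
          npm install -g @openai/codex@latest
          mkdir -p ~/.codex
          # Unquoted heredoc on purpose: the shell expands the model name and base
          # URL here. The API key is referenced via env_key and never written to disk.
          cat <<EOF > ~/.codex/config.toml
          # Set the default model and provider
          model = "${AZURE_OPENAI_MODEL}"
          model_provider = "azure"
          preferred_auth_method = "apikey"
          # Configure the Azure provider
          [model_providers.azure]
          name = "Azure"
          # Make sure you set the appropriate subdomain for this URL.
          base_url = "${AZURE_OPENAI_BASE_URL}/openai/v1"
          env_key = "AZURE_OPENAI_API_KEY"
          wire_api = "responses"
          model_reasoning_effort = "high"
          EOF
          codex --version

      - name: Run Codex code review
        if: steps.diff.outputs.no_changes == 'false'
        run: |
          # Assemble the prompt with real line breaks: inside bash double quotes
          # "\n" is a literal backslash followed by n, not a newline, so the
          # previous single-string form sent the rules as one line.
          {
            printf '%s\n\n' "You are an expert software engineer performing a strict code review for the provided pull request diff."
            printf '%s\n' \
              "Rules:" \
              "- Output ONLY a GitHub-flavored Markdown table with exactly these columns: File | Concern | Recommendation | Severity." \
              "- Every row must reference a real file path from the Changed files list." \
              "- Severity must be one of: info, minor, major, critical." \
              "- If no issues are found, return a single table row with 'All files' in the File column and 'No issues found' in the Concern column." \
              "- Cite line numbers from the diff using the format L<line>." \
              "- Do not wrap the table in backticks or add any prose before or after the table." \
              "- Focus on actionable feedback specific to the diff."
            printf '\n%s\n' "Changed files:"
            cat changed_files.txt
            printf '\n%s\n' "Unified diff:"
            cat diff.patch
          } > codex_prompt.txt
          cat codex_prompt.txt
          # The diff is PR-author-controlled text and may contain injected
          # instructions. A read-only sandbox keeps the agent from modifying the
          # workspace or running side-effecting commands while it reviews.
          # A non-zero exit is deliberately not fatal: an empty or garbled result
          # falls through to the fallback table below.
          codex exec --sandbox read-only "$(cat codex_prompt.txt)" > codex_raw.txt \
            || echo "codex exec exited non-zero; continuing with captured output." >&2
          printf '\n\nRaw Codex Output:\n%s\n' "$(cat codex_raw.txt)"
          # Strip ANSI escape sequences and carriage returns from the CLI output.
          sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' codex_raw.txt | tr -d '\r' > raw_review.md
          if ! grep -q '|' raw_review.md; then
            printf '%s\n' "$REVIEW_TABLE_FALLBACK" > raw_review.md
          fi

      - name: Normalize review table with Azure OpenAI
        if: steps.diff.outputs.no_changes == 'false'
        run: |
          # Lower bound only; pin an exact version for reproducible runs.
          python3 -m pip install --quiet --upgrade pip 'openai>=1.45.0'
          python3 scripts/normalize_review_result.py

      - name: Post review as PR comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Prefer the normalized table, then the raw one, then the fallback.
          if [ -f review_result.md ]; then
            BODY_FILE=review_result.md
          elif [ -f raw_review.md ]; then
            BODY_FILE=raw_review.md
          else
            printf '%s' "$REVIEW_TABLE_FALLBACK" > review_result.md
            BODY_FILE=review_result.md
          fi
          # Append attribution footer to the comment body
          printf '\n\nReviewed by Codex\n' >> "$BODY_FILE"
          gh pr comment "$PR_NUMBER" --body-file "$BODY_FILE"

      - name: Upload Codex raw output
        if: steps.diff.outputs.no_changes == 'false'
        uses: actions/upload-artifact@v4
        with:
          name: codex-review-logs
          path: |
            codex_prompt.txt
            codex_raw.txt
            raw_review.md
            review_result.md
            diff.patch
            changed_files.txt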