Allow PR review workflow OIDC for AiGateway#69

Merged
Pigbibi merged 1 commit into main from codex/allow-pr-review-service-oidc on Jul 3, 2026

Conversation

@Pigbibi Pigbibi commented Jul 3, 2026

Contributor

Summary

  • allow the Codex PR review workflow OIDC claims to call the AiGateway service
  • include PR merge refs in the deploy-time OIDC allowlist
  • add regression coverage to keep the deploy defaults aligned with the workflow

Why

The live PR review workflow reached AiGateway but failed with 401 OIDC repository is not allowed before any service job could be submitted. The deploy defaults only covered the monthly audit workflow on main, so PR review could not use the service path.

Validation

  • bash -n scripts/deploy_codex_audit_service.sh
  • python3 -m ruff check tests/test_run_monthly_codex_audit.py
  • python3 -m pytest tests/test_run_monthly_codex_audit.py -q
  • git diff --check

Co-Authored-By: Codex <noreply@openai.com>
github-actions Bot commented Jul 3, 2026


🤖 Codex PR Review

⚠️ Review skipped: The Codex review could not be completed.

Codex service request failed: 401 {"status": "error", "error": "OIDC repository is not allowed"}

Please ensure a human reviewer checks this PR before merging.

@Pigbibi Pigbibi merged commit b6a12c8 into main Jul 3, 2026
4 checks passed
@Pigbibi Pigbibi deleted the codex/allow-pr-review-service-oidc branch July 3, 2026 20:35

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d27d8dbd4e


ALLOWED_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES:-QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge}"
ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}"
ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main}"
ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}"
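Review bot: the new ALLOWED_WORKFLOW_REFS default on the last line mixes a glob entry, `QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge`, with literal entries, so the comparison in service/auth/__init__.py must be a pattern match rather than the exact string comparison that was enough while every entry ended in `@refs/heads/main`. The regression coverage named in the summary should include a case asserting that a token with workflow_ref `...codex_pr_review.yml@refs/pull/69/merge` is accepted and one with `...@refs/pull/69/head` is rejected, and a comment in the script should say that `*` is interpreted as a glob so operators overriding the variable know the syntax.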


P2: Match reusable PR-review callers instead

For workflow_call PR reviews (the workflow advertises uses: QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@main from other repos), adding the called workflow to CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS does not authorize the token the service validates: GitHub's OIDC repository/workflow_ref describe the caller repo/workflow, while the called reusable workflow is exposed separately as job_workflow_ref. Since service/auth/__init__.py still checks only repository, workflow_ref, and ref, consumer repos will continue to receive the same 401 instead of reaching AiGateway unless the allowlist/auth logic admits the caller repos and validates the reusable workflow claim.

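An added example, not code from the CodexAuditBridge service, showing how the allowlists in this diff behave under the repository/workflow_ref/ref check the comment above describes, and under a hypothetical variant that also consults job_workflow_ref for reusable-workflow callers; the consumer repository name and the claim dictionaries are constructed.

```python
from fnmatch import fnmatchcase

# Allowlists copied from the deploy defaults in this PR's diff, stored
# comma-separated exactly as the shell script keeps them.
ALLOWED_REPOSITORIES = "QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge"
ALLOWED_WORKFLOW_REFS = (
    "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,"
    "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,"
    "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,"
    "QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main"
)
ALLOWED_REFS = "refs/heads/main,refs/pull/*/merge"


def _split(csv: str) -> list[str]:
    return [item.strip() for item in csv.split(",") if item.strip()]


def _allowed(value: str, csv: str) -> bool:
    # fnmatchcase lets "refs/pull/*/merge" match "refs/pull/69/merge" while a
    # literal entry such as "refs/heads/main" still behaves as an exact comparison.
    return any(fnmatchcase(value, pattern) for pattern in _split(csv))


def check_claims(claims: dict, admit_reusable_callers: bool = False) -> tuple[bool, str]:
    """Validate the claims of an already signature-verified GitHub OIDC token.

    The default mode checks only repository, workflow_ref and ref, mirroring the
    behaviour the review comment attributes to service/auth/__init__.py.
    admit_reusable_callers=True is a hypothetical policy (not the service's):
    a token whose job_workflow_ref names an allowed reusable workflow is
    admitted even though repository and workflow_ref describe the caller.
    A real deployment would additionally pin the caller repositories.
    """
    job_ref = claims.get("job_workflow_ref", "")
    reusable_ok = admit_reusable_callers and _allowed(job_ref, ALLOWED_WORKFLOW_REFS)
    if not reusable_ok and not _allowed(claims.get("repository", ""), ALLOWED_REPOSITORIES):
        return False, "OIDC repository is not allowed"
    if not reusable_ok and not _allowed(claims.get("workflow_ref", ""), ALLOWED_WORKFLOW_REFS):
        return False, "OIDC workflow_ref is not allowed"
    if not _allowed(claims.get("ref", ""), ALLOWED_REFS):
        return False, "OIDC ref is not allowed"
    return True, "ok"
```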

ALLOWED_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES:-QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge}"
ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}"
ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main}"
ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}"


P2: Add PR review repos to the source allowlist

When this new PR-review OIDC allowlist lets the same-repo pull_request workflow submit a job, scripts/run_codex_pr_review.py sends source_repository as GITHUB_REPOSITORY, so a CodexAuditBridge PR submits QuantStrategyLab/CodexAuditBridge. The service then checks CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES, whose deploy default still contains only the four pipeline repos, so the request moves from the previous OIDC 401 to a source allowlist rejection before any review job is created.


Comment on lines +11 to +12
ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}"
ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main,refs/pull/*/merge}"
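Review bot: widening ALLOWED_REFS to `refs/pull/*/merge` alongside a workflow_ref entry pinned to `codex_pr_review.yml@refs/pull/*/merge` means the workflow definition a PR-review token vouches for is whatever codex_pr_review.yml contains in that PR's merge commit, not the copy on main, so for these tokens the allowlist no longer pins trusted workflow content. That trade-off should be recorded in a comment next to the default, and the service should grant a token whose ref matches `refs/pull/*/merge` only what a PR review needs (a review job for that PR) rather than the same access the monthly audit token from `refs/heads/main` receives.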


P2: Update explicit deploy overrides as well

When operators use the documented direct VPS deploy path, docs/async_service_deployment.md still exports explicit CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS and CODEX_AUDIT_SERVICE_ALLOWED_REFS values that override these new defaults with the old monthly-only allowlist. In that deployment path, a PR-review token on codex_pr_review.yml@refs/pull/.../merge is still rejected before reaching AiGateway, so the default change only works for deploys that omit those documented overrides.

