Allow PR review workflow OIDC for AiGateway#69
Co-Authored-By: Codex <noreply@openai.com>
🤖 Codex PR Review
Please ensure a human reviewer checks this PR before merging.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d27d8dbd4e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| ALLOWED_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES:-QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge}" | ||
| ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}" | ||
| ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main}" | ||
| ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}" |
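Review bot: the new default on this line packs four workflow refs into one unbroken string, so the next addition will again arrive as an unreadable one-line diff; consider assembling CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS from one entry per line (for example a bash array joined with a comma) so each ref is its own diff line, and add a comment stating which trigger each entry serves: `codex_pr_review.yml@refs/heads/main` only matches a run of that workflow from main itself, while the pull_request runs this PR is about present a workflow_ref ending in `@refs/pull/N/merge`, which is what the wildcard entry covers.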
Match reusable PR-review callers instead
For workflow_call PR reviews (the workflow advertises uses: QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@main from other repos), adding the called workflow to CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS does not authorize the token the service validates: GitHub's OIDC repository/workflow_ref describe the caller repo/workflow, while the called reusable workflow is exposed separately as job_workflow_ref. Since service/auth/__init__.py still checks only repository, workflow_ref, and ref, consumer repos will continue to receive the same 401 instead of reaching AiGateway unless the allowlist/auth logic admits the caller repos and validates the reusable workflow claim.
| ALLOWED_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES:-QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge}" | ||
| ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}" | ||
| ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main}" | ||
| ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}" |
Add PR review repos to the source allowlist
When this new PR-review OIDC allowlist lets the same-repo pull_request workflow submit a job, scripts/run_codex_pr_review.py sends source_repository as GITHUB_REPOSITORY, so a CodexAuditBridge PR submits QuantStrategyLab/CodexAuditBridge. The service then checks CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES, whose deploy default still contains only the four pipeline repos, so the request moves from the previous OIDC 401 to a source allowlist rejection before any review job is created.
| ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}" | ||
| ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main,refs/pull/*/merge}" |
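Review bot: `refs/pull/*/merge` on this line introduces a glob into CODEX_AUDIT_SERVICE_ALLOWED_REFS, but nothing in this change shows that the ref comparison in service/auth/__init__.py does pattern matching rather than exact string equality; if it compares literally, a real PR token carrying ref `refs/pull/69/merge` is still rejected after this deploy. Either confirm the matcher expands `*` (preferably to a single path segment, so the pattern cannot match a longer ref) or add a service-side test that submits a `refs/pull/N/merge` claim against the new default.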
Update explicit deploy overrides as well
When operators use the documented direct VPS deploy path, docs/async_service_deployment.md still exports explicit CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS and CODEX_AUDIT_SERVICE_ALLOWED_REFS values that override these new defaults with the old monthly-only allowlist. In that deployment path, a PR-review token on codex_pr_review.yml@refs/pull/.../merge is still rejected before reaching AiGateway, so the default change only works for deploys that omit those documented overrides.
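The two review points above (the caller's repository/workflow_ref versus the reusable workflow's job_workflow_ref, and the `*` wildcard in the new `refs/pull/*/merge` default) are easier to reason about against a small claim validator. The following is an added illustration, not the service's own auth code from service/auth/__init__.py: it assumes the token's signature, issuer and audience were already verified and takes only the decoded claims. The claim names (repository, workflow_ref, ref, job_workflow_ref) are GitHub's real OIDC claim names; the `Policy` dataclass, the `allowed_caller_repositories` / `allowed_job_workflow_refs` fields and the consumer repo `QuantStrategyLab/ExampleConsumer` are hypothetical, and the claim payloads are constructed. The before/after allowlists mirror the strings in the diff.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy shape; the real service reads these from env vars."""
    allowed_repositories: frozenset
    allowed_workflow_refs: frozenset
    allowed_refs: frozenset
    # Hypothetical extension: consumer repos admitted only when the job runs
    # the pinned reusable workflow named in job_workflow_ref.
    allowed_caller_repositories: frozenset = frozenset()
    allowed_job_workflow_refs: frozenset = frozenset()


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches exactly one path segment, so 'refs/pull/*/merge' admits
    'refs/pull/69/merge' but not a value with extra or empty segments."""
    regex = "".join("[^/]+" if p == "*" else re.escape(p)
                    for p in re.split(r"(\*)", pattern))
    return re.fullmatch(regex, value) is not None


def any_match(patterns, value: str) -> bool:
    return any(glob_match(p, value) for p in patterns)


def authorize(claims: dict, policy: Policy) -> tuple:
    """Return (allowed, reason) for an already-verified token payload."""
    repo = claims.get("repository", "")
    workflow_ref = claims.get("workflow_ref", "")
    ref = claims.get("ref", "")
    job_workflow_ref = claims.get("job_workflow_ref", "")

    if not any_match(policy.allowed_refs, ref):
        return False, f"ref not allowed: {ref}"

    # Direct path: the token's own repo and workflow are allowlisted.
    if (repo in policy.allowed_repositories
            and any_match(policy.allowed_workflow_refs, workflow_ref)):
        return True, "direct caller"

    # Reusable-workflow path: repository/workflow_ref describe the *caller*;
    # the reusable workflow actually running the job is job_workflow_ref.
    if (repo in policy.allowed_caller_repositories
            and any_match(policy.allowed_job_workflow_refs, job_workflow_ref)):
        return True, "reusable workflow caller"

    return False, f"repository/workflow not allowed: {repo} {workflow_ref}"


# Defaults before this PR (monthly audit on main only), mirrored from the diff.
BEFORE = Policy(
    allowed_repositories=frozenset({"QuantStrategyLab/CodexAuditBridge",
                                    "QuantStrategyLab/AIAuditBridge"}),
    allowed_workflow_refs=frozenset({
        "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main",
        "QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main",
    }),
    allowed_refs=frozenset({"refs/heads/main"}),
)

# Defaults after this PR, plus the hypothetical reusable-workflow fields.
AFTER = Policy(
    allowed_repositories=BEFORE.allowed_repositories,
    allowed_workflow_refs=BEFORE.allowed_workflow_refs | frozenset({
        "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main",
        "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge",
    }),
    allowed_refs=frozenset({"refs/heads/main", "refs/pull/*/merge"}),
    allowed_caller_repositories=frozenset({"QuantStrategyLab/ExampleConsumer"}),  # constructed
    allowed_job_workflow_refs=frozenset({
        "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main",
    }),
)

# Constructed claim payloads holding only the claims the policy inspects.
SAME_REPO_PR = {
    "repository": "QuantStrategyLab/CodexAuditBridge",
    "workflow_ref": "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/69/merge",
    "ref": "refs/pull/69/merge",
    "job_workflow_ref": "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/69/merge",
}
CONSUMER_PR = {
    "repository": "QuantStrategyLab/ExampleConsumer",
    "workflow_ref": "QuantStrategyLab/ExampleConsumer/.github/workflows/review.yml@refs/pull/12/merge",
    "ref": "refs/pull/12/merge",
    "job_workflow_ref": "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main",
}

if __name__ == "__main__":
    for name, claims in (("same-repo PR", SAME_REPO_PR), ("consumer PR", CONSUMER_PR)):
        print(name, "before:", authorize(claims, BEFORE), "after:", authorize(claims, AFTER))
```

The consumer case only passes because the policy checks `job_workflow_ref` against the pinned reusable workflow and separately admits the caller repo; adding the called workflow to the workflow_ref allowlist alone leaves the consumer rejected, because its workflow_ref names the consumer's own file. Binding `*` to a single path segment keeps `refs/pull/*/merge` from matching any ref that merely starts with `refs/pull/` and ends with `/merge`.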
Summary
Why
The live PR review workflow reached AiGateway but failed with `401 OIDC repository is not allowed` before any service job could be submitted. The deploy defaults only covered the monthly audit workflow on main, so PR review could not use the service path.
Validation
- bash -n scripts/deploy_codex_audit_service.sh
- python3 -m ruff check tests/test_run_monthly_codex_audit.py
- python3 -m pytest tests/test_run_monthly_codex_audit.py -q
- git diff --check