This repository was archived by the owner on Jul 3, 2026. It is now read-only.
Merged
4 changes: 2 additions & 2 deletions scripts/deploy_codex_audit_service.sh
Expand Up @@ -8,8 +8,8 @@ DEPLOY_DIR="${CODEX_AUDIT_SERVICE_DEPLOY_DIR:-/opt/codex-audit-bridge}"
AUDIT_PORT="${CODEX_AUDIT_SERVICE_PORT:-8797}"
AUDIENCE="${CODEX_AUDIT_SERVICE_AUDIENCE:-quant-codex-audit}"
ALLOWED_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES:-QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge}"
ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}"
ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main}"
ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}"

P2: Match reusable PR-review callers instead

For workflow_call PR reviews (the workflow advertises uses: QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@main from other repos), adding the called workflow to CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS does not authorize the token the service validates: GitHub's OIDC repository/workflow_ref describe the caller repo/workflow, while the called reusable workflow is exposed separately as job_workflow_ref. Since service/auth/__init__.py still checks only repository, workflow_ref, and ref, consumer repos will continue to receive the same 401 instead of reaching AiGateway unless the allowlist/auth logic admits the caller repos and validates the reusable workflow claim.

P2: Add PR review repos to the source allowlist

When this new PR-review OIDC allowlist lets the same-repo pull_request workflow submit a job, scripts/run_codex_pr_review.py sends source_repository as GITHUB_REPOSITORY, so a CodexAuditBridge PR submits QuantStrategyLab/CodexAuditBridge. The service then checks CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES, whose deploy default still contains only the four pipeline repos, so the request moves from the previous OIDC 401 to a source allowlist rejection before any review job is created.

ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main,refs/pull/*/merge}"
P2: Update explicit deploy overrides as well

When operators use the documented direct VPS deploy path, docs/async_service_deployment.md still exports explicit CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS and CODEX_AUDIT_SERVICE_ALLOWED_REFS values that override these new defaults with the old monthly-only allowlist. In that deployment path, a PR-review token on codex_pr_review.yml@refs/pull/.../merge is still rejected before reaching AiGateway, so the default change only works for deploys that omit those documented overrides.

ALLOWED_REPOSITORY_VISIBILITIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORY_VISIBILITIES:-public}"
ALLOWED_SOURCE_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES:-QuantStrategyLab/CryptoLivePoolPipelines,QuantStrategyLab/HkEquitySnapshotPipelines,QuantStrategyLab/UsEquitySnapshotPipelines,QuantStrategyLab/ResearchSignalContextPipelines}"
JOB_DIR="${CODEX_AUDIT_SERVICE_JOB_DIR:-/var/lib/codex-audit-bridge/jobs}"
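Review bot: The new `refs/pull/*/merge` entries in ALLOWED_WORKFLOW_REFS and ALLOWED_REFS only work if the service compares the token's `ref` and `workflow_ref` claims as patterns rather than as literal strings; a real token carries `refs/pull/123/merge`, which never equals the literal `refs/pull/*/merge`, so please confirm the matching in service/auth/__init__.py treats `*` as a wildcard (and constrain it to a single path segment so it cannot match `refs/pull/../heads/x/merge` style values) before relying on this default. Worth noting in a comment next to these two lines that the trusted ref set has widened from one protected branch to every pull request merge ref, and that the unchanged `ALLOWED_REPOSITORY_VISIBILITIES` default of `public` and the `ALLOWED_SOURCE_REPOSITORIES` list are now the remaining controls on who can submit a review job.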
2 changes: 2 additions & 0 deletions tests/test_run_monthly_codex_audit.py
Expand Up @@ -2263,6 +2263,8 @@ def test_vps_deploy_adds_nginx_audit_route_without_router_service(self) -> None:
self.assertIn("location = /v1/codex-audit", deploy_script)
self.assertIn("location ^~ /v1/codex-audit/", deploy_script)
self.assertIn("CODEX_AUDIT_SERVICE_JOB_DIR", deploy_script)
self.assertIn("codex_pr_review.yml@refs/pull/*/merge", deploy_script)
self.assertIn("refs/pull/*/merge", deploy_script)
self.assertIn("proxy_pass http://127.0.0.1:{port}", deploy_script)
self.assertIn('"# CodexAuditBridge route start" not in block', deploy_script)
self.assertIn("audit service did not become healthy", deploy_script)
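Review bot: The second new assertion, `self.assertIn("refs/pull/*/merge", deploy_script)`, is already implied by the first one (`"codex_pr_review.yml@refs/pull/*/merge"` contains that substring), so it adds no coverage and would still pass if the ref were dropped from ALLOWED_REFS but kept in ALLOWED_WORKFLOW_REFS. Assert on the full default instead, e.g. `self.assertIn("ALLOWED_REFS:-refs/heads/main,refs/pull/*/merge", deploy_script)`, so the test actually pins the ALLOWED_REFS change.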