Skip to content

Pin VPS OIDC allowlist in workflow#70

Merged
Pigbibi merged 1 commit into
mainfrom
codex/pin-vps-oidc-allowlist
Jul 3, 2026
Merged

Pin VPS OIDC allowlist in workflow#70
Pigbibi merged 1 commit into
mainfrom
codex/pin-vps-oidc-allowlist

Conversation

@Pigbibi

@Pigbibi Pigbibi commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • explicitly pass the AiGateway OIDC allowlists from the VPS deploy workflow
  • keep PR review workflow refs and PR merge refs in the deployed service unit

Why

The live PR review workflow still failed with OIDC repository is not allowed, which means the VPS deploy was likely inheriting an old runner/environment allowlist instead of the script default. Pinning the values in the workflow makes deployment deterministic.

Validation

  • bash -n scripts/deploy_codex_audit_service.sh
  • python3 -m ruff check tests/test_run_monthly_codex_audit.py
  • python3 -m pytest tests/test_run_monthly_codex_audit.py -q
  • git diff --check

Co-Authored-By: Codex <noreply@openai.com>
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 Codex PR Review

⚠️ Review skipped: The Codex review could not be completed.

Codex service request failed: 401 {"status": "error", "error": "OIDC repository is not allowed"}

Please ensure a human reviewer checks this PR before merging.

@Pigbibi Pigbibi merged commit 385af65 into main Jul 3, 2026
4 checks passed
@Pigbibi Pigbibi deleted the codex/pin-vps-oidc-allowlist branch July 3, 2026 20:45

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e417c8baec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

CODEX_AUDIT_SSH_UNBAN_IP: ${{ inputs.ssh_unban_ip }}
CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES: QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge
CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS: QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main
CODEX_AUDIT_SERVICE_ALLOWED_REFS: refs/heads/main,refs/pull/*/merge

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restrict service access from PR merge refs

For same-repository PRs, the PR review workflow checks out the PR merge ref before running scripts/run_codex_pr_review.py, and this new refs/pull/*/merge allowlist gives that unmerged code a valid service OIDC identity plus the injected service URL. A PR can therefore change the review script and submit arbitrary Codex service jobs before the change is merged; if PR reviews need the service, run the service-calling code from a trusted base checkout instead of authorizing all PR merge refs.

Useful? React with 👍 / 👎.

Comment on lines +42 to +43
CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES: QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge
CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS: QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Allow the actual reusable-workflow callers

For workflow_call PR-review consumers, the OIDC repository and workflow_ref claims describe the calling repository/workflow, while the reusable workflow is exposed separately; service/auth.verify_github_oidc only validates repository, workflow_ref, and ref. Pinning the allowlist to only the bridge repositories means documented source-repo PR review callers will still be rejected with OIDC repository is not allowed; add the caller repos/workflow refs here or validate the reusable-workflow claim explicitly.

Useful? React with 👍 / 👎.

env:
CODEX_AUDIT_SSH_UNBAN_IP: ${{ inputs.ssh_unban_ip }}
CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES: QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge
CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS: QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Include PR review repos in source allowlist

When this newly authorized codex_pr_review path submits a job, scripts/run_codex_pr_review.py sends source_repository=GITHUB_REPOSITORY, but the deployed service still gets CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES from the deploy-script default, which excludes QuantStrategyLab/CodexAuditBridge and QuantStrategyLab/AIAuditBridge. After OIDC succeeds, _handle_execute_async will reject these PR review jobs in _validate_source_repo, so pin the matching source allowlist here as well instead of leaving the workflow with a second authorization failure.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant