Add local Codex PR review script (ported from knowmarks) #54
Merged
scripts/codex_review.py runs a local Codex review of a PR ($0, on the ChatGPT/Codex subscription — no API key), posts a structured verdict as a PR comment, and optionally squash-merges when Codex APPROVEs with no P1/P2 findings. CI (the GitHub-hosted Check workflow) verifies build/tests; this owns the correctness/logic review + merge.

Ported from knowmarks with setlist-specific wiring (REPO, the Check/changes gateway, npm context) and all of the original hardening preserved: author == OWNER gate, untrusted-worktree instruction stripping, fail-closed CI-green gate, gate-self-modification guard, and head-SHA-pinned merge.

Usage: python3 scripts/codex_review.py <PR> [--dry-run] [--no-ci-check]

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014iR9LcchEebnoyt5GLRzev
48c2ae8 to f8b3452
Owner, Author

🤖 Codex review — APPROVE

Local Codex review of this PR's changes against
Reviewed the PR diff and surrounding gate/CI context. The new local Codex review script is fail-closed on CI/query/review errors, strips PR-controlled Codex instruction files before review, pins the merge to the reviewed head SHA, and refuses auto-merge for gate-modifying PRs unless explicitly overridden. No blocking correctness or security issue found.

No issues found.
spaceshipmike added a commit that referenced this pull request, Jun 25, 2026
Second /close. Covers the post-#53 work (#54 Codex script, RELEASING.md runbook, the notarized beta.22 release). INVARIANTS: filled the 'Release / propagation' placeholder with a PROSE invariant (CI-only notarized distribution; tag==versions+lockfile; tag/secrets clauses already ENFORCED by release.yml). lessons: +#desktop-app candidate (single-instance-lock-on-shared-userData trap; e2e tests out/ not the packaged artifact). Follow-up #57 (lockfile-sync gate). steward marker → 7b443be.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014iR9LcchEebnoyt5GLRzev
What

Ports knowmarks' local Codex PR-review tool to setlist as scripts/codex_review.py. It runs a local Codex review of a PR ($0, on the ChatGPT/Codex subscription — no API key), posts a structured verdict (APPROVE/REQUEST_CHANGES + severity-tagged findings) as a PR comment, and can squash-merge when Codex approves with no P1/P2 findings. The GitHub-hosted Check workflow verifies build/tests; this owns the correctness/logic review + merge.

Why this shape (setlist is public)

setlist is a public repo, so per ~/.claude/rules/self-hosted-ci-runner.md it intentionally stays GitHub-hosted for CI — knowmarks' self-hosted NAS runner and pr-pipeline.yml are deliberately not ported. This is the one piece that is safe and worth porting, because it runs on your Mac, never in CI.

All of knowmarks' hardening is preserved:

- author == OWNER gate — only ever reviews/merges your own PRs; a stranger's PR is rejected.
- Untrusted-worktree instruction stripping: AGENTS.md/codex.md/.codex from the reviewed worktree, so a PR can't instruct its own approver (the diff still shows them as changes to scrutinize). CLAUDE.md is left alone — Codex doesn't load it.
- Fail-closed CI-green gate: changes gateway present-and-passing, so a pipeline that never ran can't read as green.
- Gate-self-modification guard: .github/workflows/ is never auto-merged.

Usage

Requires gh (authenticated) and codex (logged in) on PATH. Stdlib only — no uv/venv.

Note: this PR adds a gate file, so by its own rules it will not auto-merge — it needs a human merge.
🤖 Generated with Claude Code
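The hardening gates the description enumerates (owner-only author, instruction-file stripping, fail-closed changes gateway, gate-file guard, head-SHA-pinned merge), written out as a standalone example with constructed inputs. This is added illustration, not the PR's scripts/codex_review.py: the file names, the changes check and the .github/workflows/ guard come from the description, while OWNER, every function name, and the use of gh's --match-head-commit flag as the pinning mechanism are assumptions.

```python
import shutil
from pathlib import Path

# Names taken from the PR description; OWNER is a placeholder (the commit author
# shown on the page) and every function name here is an assumption.
OWNER = "spaceshipmike"
INSTRUCTION_FILES = ("AGENTS.md", "codex.md", ".codex")  # PR-controlled Codex instructions
GATE_PATHS = (".github/workflows/", "scripts/codex_review.py")
GATEWAY_CHECK = "changes"  # CI job that must be present and green

def author_is_owner(pr_author: str) -> bool:
    """Only the owner's own PRs are ever reviewed or merged; anyone else is rejected."""
    return pr_author == OWNER

def strip_instruction_files(worktree: Path) -> list[str]:
    """Delete PR-controlled instruction files from the checked-out worktree so the diff
    cannot instruct its own reviewer. CLAUDE.md is left alone (Codex does not load it)."""
    removed = []
    for name in INSTRUCTION_FILES:
        target = worktree / name
        if not target.exists():
            continue
        shutil.rmtree(target) if target.is_dir() else target.unlink()
        removed.append(name)
    return removed

def ci_is_green(check_runs: dict[str, str]) -> bool:
    """Fail closed: the gateway check must be present *and* successful, so a pipeline
    that never ran (key missing) is not mistaken for a passing one."""
    return check_runs.get(GATEWAY_CHECK) == "success"

def modifies_gates(changed_files: list[str]) -> bool:
    """A PR touching the workflows or the review script itself is never auto-merged."""
    return any(f.startswith(GATE_PATHS) for f in changed_files)

def auto_merge_allowed(pr_author, check_runs, changed_files, verdict, findings) -> bool:
    """All gates together: owner, CI green, no gate edits, APPROVE, no P1/P2 findings."""
    if not (author_is_owner(pr_author) and ci_is_green(check_runs)):
        return False
    if modifies_gates(changed_files) or verdict != "APPROVE":
        return False
    return not any(severity in ("P1", "P2") for severity in findings)

def merge_command(pr_number: int, reviewed_head_sha: str) -> list[str]:
    """Squash-merge pinned to the reviewed commit (gh's --match-head-commit), so a push
    made after the review cannot ride the approval into main."""
    return ["gh", "pr", "merge", str(pr_number), "--squash",
            "--match-head-commit", reviewed_head_sha]
```

The command list is returned rather than executed so the decision logic can be exercised offline; a real caller would pass it to subprocess only after every gate returns True.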