fix(config): modernize Codex approval policy defaults#2
Merged
tianheil3 merged 4 commits intoApr 29, 2026
Conversation
Summary: - Changed the default codex.approval_policy from legacy reject object form to the string value never. - Added GITHUB_TOKEN resolution fallback to GH_TOKEN when WORKFLOW.md references $GITHUB_TOKEN and that variable is not set. - Updated core test expectations and README docs to reflect the new default policy and GitHub token fallback behavior. Rationale: - Current Codex app-server versions reject the legacy reject approval policy object, which can break session startup. - Some shells expose GitHub auth only via GH_TOKEN; allowing fallback avoids startup failures when WORKFLOW.md uses $GITHUB_TOKEN. Tests: - mix test test/symphony_elixir/core_test.exs (fails locally: Elixir 1.18.3, project requires ~> 1.19) Co-authored-by: Codex <codex@openai.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughDefault Codex approval policy changed from a nested Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 60 minutes.Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
elixir/test/symphony_elixir/core_test.exs (1)
1633-1633: Add regression coverage forGH_TOKENfallback behaviorThese approval-policy assertions are correct, but this PR also changes GitHub token resolution. Please add tests for:
GH_TOKENis used whenGITHUB_TOKENis unset, andGITHUB_TOKENwins when both are present.Also applies to: 1660-1660
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@elixir/test/symphony_elixir/core_test.exs` at line 1633, Add two regression tests near the existing approval-policy assertions that verify token resolution: one that unsets GITHUB_TOKEN, sets GH_TOKEN to a known value, and asserts the token resolver (function get_github_token/0) returns the GH_TOKEN value; and a second that sets both GITHUB_TOKEN and GH_TOKEN to different values and asserts get_github_token/0 returns the GITHUB_TOKEN value. Ensure the tests manipulate System.put_env/2 and System.delete_env/1 around the assertions and clean up/reset env afterwards so other tests are unaffected.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@elixir/lib/symphony_elixir/config/schema.ex`:
- Around line 516-520: The tracker_env_value/2 path currently calls
System.get_env/1 directly which bypasses your GH_TOKEN fallback; change
tracker_env_value/2 to use the resolve_env_var/1 helper instead of
System.get_env/1 so GH_TOKEN is considered anywhere an env lookup for GitHub
token is needed (ensure any branches that handle unset or default token values
call resolve_env_var("GITHUB_TOKEN") or resolve_env_var(env_name) rather than
System.get_env(env_name)).
---
Nitpick comments:
In `@elixir/test/symphony_elixir/core_test.exs`:
- Line 1633: Add two regression tests near the existing approval-policy
assertions that verify token resolution: one that unsets GITHUB_TOKEN, sets
GH_TOKEN to a known value, and asserts the token resolver (function
get_github_token/0) returns the GH_TOKEN value; and a second that sets both
GITHUB_TOKEN and GH_TOKEN to different values and asserts get_github_token/0
returns the GITHUB_TOKEN value. Ensure the tests manipulate System.put_env/2 and
System.delete_env/1 around the assertions and clean up/reset env afterwards so
other tests are unaffected.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: f3d9fa23-a222-49b8-9845-6515c7979759
📒 Files selected for processing (3)
elixir/README.mdelixir/lib/symphony_elixir/config/schema.exelixir/test/symphony_elixir/core_test.exs
Summary: - Updated tracker env lookup to share the same GITHUB_TOKEN/GH_TOKEN fallback path used by token and path resolution helpers. - Added regression tests for GitHub token fallback behavior when GITHUB_TOKEN is missing and when both GITHUB_TOKEN and GH_TOKEN are set. Rationale: - This closes the consistency gap where tracker env fallback did not use the centralized resolver, which could bypass GH_TOKEN fallback. - Added explicit tests to guard precedence and fallback behavior. Tests: - mix test test/symphony_elixir/core_test.exs (fails locally: Elixir 1.18.3, project requires ~> 1.19) Co-authored-by: Codex <codex@openai.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@elixir/lib/symphony_elixir/config/schema.ex`:
- Around line 163-165: The formatter failure is caused by the multi-line
declaration of the approval_policy Ecto schema field; collapse and reformat the
field declaration for the :approval_policy field to a single,
mix-format-compliant line so it reads as a single field call (i.e., update the
field(:approval_policy, StringOrMap, default: "never") expression) ensuring
commas and spacing follow Elixir formatter expectations.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 167ded73-f875-498f-8986-4bfd4e48e1a1
📒 Files selected for processing (2)
elixir/lib/symphony_elixir/config/schema.exelixir/test/symphony_elixir/core_test.exs
Summary: - Reformat the `approval_policy` field declaration to single-line form so mix format --check-formatted passes. Rationale: - CI failed at fmt-check due to this exact style mismatch in config/schema.ex. Tests: - mix format --check-formatted Co-authored-by: Codex <codex@openai.com>
The branch changed the schema default to the app-server-compatible `"never"` value, but two CI assertions still exercised either the old fixture policy or the old default expectation. This narrows the startup test to the schema default path and updates the config default assertion without changing the shared safer-policy fixture used by other tests. Constraint: Newer Codex app-server rejects the legacy reject object default Rejected: Change the global test fixture default to `"never"` | it breaks tests that intentionally exercise safer explicit approval policies Confidence: high Scope-risk: narrow Tested: make -C elixir all Tested: mix test test/symphony_elixir/core_test.exs:1589 test/symphony_elixir/workspace_and_config_test.exs:722 test/symphony_elixir/app_server_test.exs:265 Co-authored-by: Codex <codex@openai.com>
Owner
Author
|
[codex] Pushed 7a2e4cf to fix CI by aligning approval-policy default tests while preserving explicit reject-map coverage. Local verification: make -C elixir all, plus targeted approval-policy regression tests. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
Newer Codex app-server versions reject the legacy
rejectapproval policy object at startup, and some environments expose GitHub auth asGH_TOKENinstead ofGITHUB_TOKEN.TL;DR
Use
"never"as the default Codex approval policy and acceptGH_TOKENas a GitHub token fallback.Summary
codex.approval_policynow uses"never"instead of the legacyrejectmap.GITHUB_TOKENresolution now falls back toGH_TOKENwhen needed.Alternatives
rejectmap by default; rejected because current Codex app-server rejects it.GITHUB_TOKEN; rejected becausegh-based environments commonly exposeGH_TOKEN.Test Plan
make -C elixir allmix test test/symphony_elixir/core_test.exs:1589 test/symphony_elixir/workspace_and_config_test.exs:722 test/symphony_elixir/app_server_test.exs:265