
Test Codex PR workflow with small typo fixes #13

Merged

LuaanNguyen merged 2 commits into main from test/codex-action-workflow on Mar 11, 2026

Conversation

@LuaanNguyen (Owner)

This is a small, low-risk PR to trigger and validate the Codex GitHub Action on pull_request events.

Changes:
- Fix PostgreSQL typo in skills labels
- Correct MySQL icon label/name

If the Codex action is configured correctly, it should post automated review feedback on this PR.

@vercel (Bot, Contributor) commented Mar 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| luannguyen-portfolio | Ready | Preview, Comment | Mar 11, 2026 6:52pm |

@github-actions (Bot)
Findings (ordered by severity)

1. Medium - permission change is misplaced and over-privileged: codex-pr-review.yml:12 adds `issues: write` to the `codex` job, but PR comments are posted in `post_feedback` via codex-pr-review.yml:43.
   Impact: this may not fix comment-post failures (if default token perms are read-only in `post_feedback`) and unnecessarily broadens token scope in `codex`.

2. Low - missing test coverage for corrected skill mappings: Skills.tsx fixes data correctness (PostgreSQL and MySQL labels/alts), but there is no test coverage to prevent future icon/label mismatches. The repo also has no test runner configured in package.json.

Suggested fixes

1. Move/define permissions on `post_feedback` (where `createComment` runs), e.g.:
   - `permissions: { issues: write }` on `post_feedback`.
2. Reduce `codex` job permissions to least privilege (remove `issues: write` there unless truly needed by that job).
3. Add lightweight UI data checks for `skillItems` (at minimum asserting each item's name matches its alt text) once a test framework is introduced.

Risk summary

- Overall risk: Low to Medium.
- UI changes are safe and corrective.
- Main risk is CI security/behavioral: permission scope is broadened in the wrong job, which can leave comment posting brittle while increasing blast radius.
- I could not run lint/tests locally because dependencies are not installed (`next: not found`).
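To make the review's first finding concrete, here is an added illustration of the job-level `permissions` layout it recommends. This is not the repository's actual codex-pr-review.yml (that file is not shown on this page) and not code from the Codex action or its authors. The job names `codex` and `post_feedback`, the `issues: write` scope and the `createComment` call are taken from the review comment; the trigger, the `needs` edge, the `actions/github-script` step and the placeholder run step are assumptions made for the example.

```yaml
# Assumed reconstruction for illustration, not the repository's real workflow file.
name: Codex PR review
on:
  pull_request:

# Workflow-level default for every job: read-only.
# A job-level `permissions:` block REPLACES this for that job (every scope not
# listed in the job block becomes none), so a scope granted on `codex` does
# nothing for `post_feedback`. That is the misplacement the review describes.
permissions:
  contents: read

jobs:
  codex:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Before the fix, `issues: write` sat here. This job never calls
      # createComment, so the scope only widened the token it never needed.
    steps:
      - uses: actions/checkout@v4
      - run: echo "run the review and save its output here"   # placeholder step

  post_feedback:
    needs: codex            # assumed: runs after the review job finishes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write         # the scope the review suggests, on the job that posts
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // createComment is what the review says posts the PR comment.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Automated review feedback (placeholder body)',
            });
```

Two checks worth doing when applying this: first, confirm which scope the token actually needs for the comment target, since pull requests are commented on through the issues endpoint but GitHub's fine-grained permission model associates comments on pull requests with `pull-requests: write`; test with the narrower scope and widen only on a real "Resource not accessible by integration" error. Second, keep every job without a `permissions:` block at the workflow-level `contents: read` default so the review bot's token cannot write anywhere except from the single job that must post.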

LuaanNguyen merged commit 41fb2d0 into main on Mar 11, 2026
5 of 6 checks passed
LuaanNguyen deleted the test/codex-action-workflow branch on March 11, 2026 at 18:55