From b52ccf21705903f94e908eb2138e46d2df9df38c Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Wed, 17 Dec 2025 08:00:45 +0000 Subject: [PATCH 01/14] extend to have option for codex action --- .../reusable-workflow-ci-ai-agents.yaml | 83 ++++++++++++++++++- workflow-templates/call-ci-ai-agents.yml | 8 +- 2 files changed, 85 insertions(+), 6 deletions(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 2de8a8e..4c04e4c 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml 
@@ -48,15 +48,48 @@ on: description: "LLM model to use for general purpose tasks" required: false type: string + codex_model: + description: "OpenAI model to use for Codex agent" + required: false + type: string + default: "o3" jobs: - run-ci-ai-agent: + detect-agent: if: | inputs.event_name == 'issues' || inputs.event_name == 'issue_comment' || inputs.event_name == 'pull_request_review_comment' || inputs.event_name == 'pull_request_review' runs-on: gha-production-medium + outputs: + agent: ${{ steps.parse.outputs.agent }} + codex_prompt: ${{ steps.parse.outputs.codex_prompt }} + steps: + - name: Parse agent from comment + id: parse + shell: bash + env: + EVENT_PAYLOAD: ${{ inputs.event_payload }} + run: | + comment=$(echo "$EVENT_PAYLOAD" | jq -r '.comment.body // .review.body // .issue.body // ""') + + if echo "$comment" | grep -q '/codex-'; then + echo "agent=codex" >> $GITHUB_OUTPUT + # Extract the command after /codex- (e.g., "review-pr" from "/codex-review-pr") + codex_cmd=$(echo "$comment" | grep -oE '/codex-[^ ]+' | head -1 | sed 's|/codex-||') + # Extract any additional context after the command on the same line or following lines + full_prompt=$(echo "$comment" | sed -n '/\/codex-/,$p' | sed '1s|.*/codex-[^ ]*||') + echo "codex_prompt=${codex_cmd}${full_prompt}" >> $GITHUB_OUTPUT + else + echo "agent=claude" >> $GITHUB_OUTPUT + echo "codex_prompt=" >> $GITHUB_OUTPUT + fi + + run-claude-agent: + needs: detect-agent + if: needs.detect-agent.outputs.agent == 'claude' + runs-on: gha-production-medium container: ci-images-release.arti.tw.ee/actions_java_17_and_21 permissions: contents: write 
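Review bot: `echo "codex_prompt=${codex_cmd}${full_prompt}" >> $GITHUB_OUTPUT` writes a value that can span several lines — `sed -n '/\/codex-/,$p'` deliberately keeps everything after the trigger line — using the single-line `key=value` form, so every later line of the comment is parsed as its own `key=value` output and a commenter can set `agent` or `codex_prompt` to whatever they like (output injection). Multi-line values must use the delimiter form, shown below. The parse step also accepts the trigger from any author and hands the extracted text to the agent verbatim as its prompt; nothing in this job checks who wrote the comment, so the authorization gate has to live in the caller or in the consuming job. `detect-agent` is complete within this hunk; `run-claude-agent` continues past it.

```yaml
            # … unchanged: codex_cmd / full_prompt extraction …
            # Delimiter form: the value spans lines, and key=value would let each
            # extra comment line register as its own output (output injection).
            delim="codex_prompt_$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
            {
              echo "codex_prompt<<${delim}"
              printf '%s\n' "${codex_cmd}${full_prompt}"
              echo "${delim}"
            } >> "$GITHUB_OUTPUT"
```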
@@ -107,4 +140,50 @@ jobs: ${{ secrets.ANTHROPIC_BEDROCK_BASE_URL }} claude_args: | --allowedTools "mcp__github_inline_comment__create_inline_comment,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_files" - --model ${{ inputs.generic_model != '' && inputs.generic_model || vars.ANTHROPIC_DEFAULT_HAIKU_MODEL }} \ No newline at end of file + --model ${{ inputs.generic_model != '' && inputs.generic_model || vars.ANTHROPIC_DEFAULT_HAIKU_MODEL }} + + run-codex-agent: + needs: detect-agent + if: needs.detect-agent.outputs.agent == 'codex' + runs-on: gha-production-medium + container: ci-images-release.arti.tw.ee/actions_java_17_and_21 + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v5 + with: + fetch-depth: 1 + + - name: "Add repo as safe directory" + run: | + git config --global --add safe.directory "$GITHUB_WORKSPACE" + + - name: Sync caller event context + shell: bash + env: + CALLER_EVENT_PAYLOAD: ${{ inputs.event_payload }} + run: | + event_file="$RUNNER_TEMP/original_event.json" + printf '%s' "$CALLER_EVENT_PAYLOAD" > "$event_file" + { + echo "GITHUB_EVENT_PATH=$event_file" + echo "GITHUB_EVENT_NAME=${{ inputs.event_name }}" + echo "GITHUB_REPOSITORY=${{ inputs.repository }}" + echo "GITHUB_REF=${{ inputs.ref }}" + echo "GITHUB_SHA=${{ inputs.sha }}" + echo "GITHUB_ACTOR=${{ inputs.actor }}" + } >> "$GITHUB_ENV" + + - name: Run Codex Agent + uses: transferwise/codex-action@main + with: + prompt: ${{ needs.detect-agent.outputs.codex_prompt }} + openai-api-key: ${{ secrets.OPENAI_API_KEY }} + model: ${{ inputs.codex_model }} + sandbox: "workspace-write" + allow-users: "*" \ No newline at end of file diff --git a/workflow-templates/call-ci-ai-agents.yml b/workflow-templates/call-ci-ai-agents.yml index 93c7a47..3e63b52 100644 --- a/workflow-templates/call-ci-ai-agents.yml +++ b/workflow-templates/call-ci-ai-agents.yml 
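Review bot: `allow-users: "*"` on the Codex step lets whoever can produce a matching comment drive the agent, while the job holds `contents: write`, `pull-requests: write`, `issues: write` and `id-token: write`, and the prompt is the comment text itself — untrusted input steering a write-capable agent (on a public repository that is any GitHub account; I cannot see the repository's visibility). Replace `"*"` with an explicit allow-list or gate on author association before this job runs. Two smaller points in the same hunk: `uses: transferwise/codex-action@main` tracks a mutable branch and should be pinned to a commit SHA, and the 'Sync caller event context' step expands `${{ inputs.event_name }}`, `${{ inputs.repository }}`, `${{ inputs.ref }}`, `${{ inputs.sha }}` and `${{ inputs.actor }}` directly inside `run:`, so a caller-supplied value containing shell metacharacters becomes code — pass them through `env:` the way `CALLER_EVENT_PAYLOAD` already is.

```yaml
      # … unchanged: checkout, safe.directory …
      - name: Sync caller event context
        shell: bash
        env:
          CALLER_EVENT_PAYLOAD: ${{ inputs.event_payload }}
          CALLER_EVENT_NAME: ${{ inputs.event_name }}
          CALLER_REPOSITORY: ${{ inputs.repository }}
          CALLER_REF: ${{ inputs.ref }}
          CALLER_SHA: ${{ inputs.sha }}
          CALLER_ACTOR: ${{ inputs.actor }}
        run: |
          event_file="$RUNNER_TEMP/original_event.json"
          printf '%s' "$CALLER_EVENT_PAYLOAD" > "$event_file"
          # Values come from env, never from ${{ }} expansion inside the script.
          {
            echo "GITHUB_EVENT_PATH=$event_file"
            echo "GITHUB_EVENT_NAME=$CALLER_EVENT_NAME"
            echo "GITHUB_REPOSITORY=$CALLER_REPOSITORY"
            echo "GITHUB_REF=$CALLER_REF"
            echo "GITHUB_SHA=$CALLER_SHA"
            echo "GITHUB_ACTOR=$CALLER_ACTOR"
          } >> "$GITHUB_ENV"
      # … unchanged: Run Codex Agent step …
```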
@@ -13,10 +13,10 @@ on: jobs: call-ci-ai-agents: if: | - (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/run-ci-ai-agents')) || - (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/run-ci-ai-agents')) || - (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/run-ci-ai-agents')) || - (github.event_name == 'issues' && (contains(github.event.issue.body, '/run-ci-ai-agents') || contains(github.event.issue.title, '/run-ci-ai-agents'))) + (github.event_name == 'issue_comment' && (contains(github.event.comment.body, '/run-ci-ai-agents') || contains(github.event.comment.body, '/codex-'))) || + (github.event_name == 'pull_request_review_comment' && (contains(github.event.comment.body, '/run-ci-ai-agents') || contains(github.event.comment.body, '/codex-'))) || + (github.event_name == 'pull_request_review' && (contains(github.event.review.body, '/run-ci-ai-agents') || contains(github.event.review.body, '/codex-'))) || + (github.event_name == 'issues' && (contains(github.event.issue.body, '/run-ci-ai-agents') || contains(github.event.issue.title, '/run-ci-ai-agents') || contains(github.event.issue.body, '/codex-') || contains(github.event.issue.title, '/codex-'))) uses: transferwise/.github/.github/workflows/reusable-workflow-ci-ai-agents.yaml@master secrets: inherit with: From 3b1cc3836bd78d82d0e6422fd5699173ab4f6465 Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Wed, 17 Dec 2025 17:26:52 +0000 Subject: [PATCH 02/14] update brancht o use v1test release --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 4c04e4c..b48ab49 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml 
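Review bot: The new `contains(..., '/codex-')` conditions fire on the substring anywhere in the body — a URL path, a quoted reply or a code snippet containing `/codex-` is enough — and, like the existing `/run-ci-ai-agents` branches, none of them look at who wrote the text, so the reusable workflow this calls is reachable by anyone who can comment on the repository. Add an author gate to each branch, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` for the two comment events, with `github.event.review.author_association` and `github.event.issue.author_association` for the review and issue events. Anchoring the trigger to the start of the body (`startsWith(github.event.comment.body, '/codex-')`) would also stop incidental matches.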
@@ -180,7 +180,7 @@ jobs: } >> "$GITHUB_ENV" - name: Run Codex Agent - uses: transferwise/codex-action@main + uses: transferwise/codex-action@v1test with: prompt: ${{ needs.detect-agent.outputs.codex_prompt }} openai-api-key: ${{ secrets.OPENAI_API_KEY }} From dbcd47f58dd3df6582d7d677d05a51575dd383e2 Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Thu, 18 Dec 2025 08:32:41 +0000 Subject: [PATCH 03/14] use main again --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index b48ab49..4c04e4c 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -180,7 +180,7 @@ jobs: } >> "$GITHUB_ENV" - name: Run Codex Agent - uses: transferwise/codex-action@v1test + uses: transferwise/codex-action@main with: prompt: ${{ needs.detect-agent.outputs.codex_prompt }} openai-api-key: ${{ secrets.OPENAI_API_KEY }} From d31dbbaa6fa5df9427befb88f548f3c2273b44e7 Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Thu, 18 Dec 2025 08:41:11 +0000 Subject: [PATCH 04/14] use v1.4 --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 4c04e4c..03bee8b 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -180,7 +180,7 @@ jobs: } >> "$GITHUB_ENV" - name: Run Codex Agent - uses: transferwise/codex-action@main + uses: transferwise/codex-action@v1.4 with: prompt: ${{ needs.detect-agent.outputs.codex_prompt }} openai-api-key: ${{ secrets.OPENAI_API_KEY }} From c739f57a701bf6353a8f6a776265531a25a5c9b3 Mon Sep 17 00:00:00 2001 
From: ltang-wise Date: Thu, 18 Dec 2025 08:55:51 +0000 Subject: [PATCH 05/14] use main again --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 03bee8b..4c04e4c 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -180,7 +180,7 @@ jobs: } >> "$GITHUB_ENV" - name: Run Codex Agent - uses: transferwise/codex-action@v1.4 + uses: transferwise/codex-action@main with: prompt: ${{ needs.detect-agent.outputs.codex_prompt }} openai-api-key: ${{ secrets.OPENAI_API_KEY }} From 1a270e8be06e42a8aceb15fcb0f7df9024ecc0e1 Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Thu, 18 Dec 2025 10:57:25 +0000 Subject: [PATCH 06/14] use v1.4-test --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 4c04e4c..d818db2 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -180,7 +180,7 @@ jobs: } >> "$GITHUB_ENV" - name: Run Codex Agent - uses: transferwise/codex-action@main + uses: transferwise/codex-action@v1.4-test with: prompt: ${{ needs.detect-agent.outputs.codex_prompt }} openai-api-key: ${{ secrets.OPENAI_API_KEY }} From fb2e064c32a3f552f8ceff412882b13e79290bfc Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Thu, 18 Dec 2025 11:07:19 +0000 Subject: [PATCH 07/14] test no container --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index d818db2..30b64d5 100644 
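Review bot: The action reference flips between `@main`, `@v1test`, `@v1.4` and `@v1.4-test` across patches 02–06 and the series ends on `@v1.4-test`, a test tag, which is what this production reusable workflow will resolve at run time (patch 11 still shows it in context). Branch names and tags are both mutable, so anyone who can push to transferwise/codex-action changes what executes with the callers' write-scoped token; pin to a full commit SHA with the tag in a trailing comment, e.g. `uses: transferwise/codex-action@<40-hex sha>  # v1.4`, and drop the `-test` suffix before this reaches master.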
--- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -146,7 +146,7 @@ jobs: needs: detect-agent if: needs.detect-agent.outputs.agent == 'codex' runs-on: gha-production-medium - container: ci-images-release.arti.tw.ee/actions_java_17_and_21 + # container: ci-images-release.arti.tw.ee/actions_java_17_and_21 permissions: contents: write pull-requests: write From 58ad09ff777dfae72360308474d9d9660c2da02d Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Thu, 18 Dec 2025 11:14:32 +0000 Subject: [PATCH 08/14] add safety-strategy: "unsafe" --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 30b64d5..ce6a478 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -186,4 +186,5 @@ jobs: openai-api-key: ${{ secrets.OPENAI_API_KEY }} model: ${{ inputs.codex_model }} sandbox: "workspace-write" - allow-users: "*" \ No newline at end of file + allow-users: "*" + safety-strategy: "unsafe" \ No newline at end of file From a521112247cbe3c157804fb453e4246b5ef81e19 Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Thu, 18 Dec 2025 11:47:35 +0000 Subject: [PATCH 09/14] test with container and new safety strategy --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index ce6a478..17b93e0 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml 
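Review bot: `safety-strategy: "unsafe"` is added with no comment saying which guard it disables or why, and it lands next to `allow-users: "*"` and `sandbox: "workspace-write"` on a job holding `contents: write` and `id-token: write`; I cannot see the action's definition of this input, but its name says it relaxes the agent's safety checks, so together these let any commenter-supplied prompt run with the least restriction the action offers. The preceding patch also commented out `container:` for this job, so the agent now runs directly on the `gha-production-medium` runner rather than inside the `actions_java_17_and_21` image. If the unsafe strategy is required for the action to work at all, say so on the line — `safety-strategy: "unsafe"  # required because <reason>; allow-users restricted to compensate` — and restrict `allow-users` in the same change; otherwise remove it.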
@@ -146,7 +146,7 @@ jobs: needs: detect-agent if: needs.detect-agent.outputs.agent == 'codex' runs-on: gha-production-medium - # container: ci-images-release.arti.tw.ee/actions_java_17_and_21 + container: ci-images-release.arti.tw.ee/actions_java_17_and_21 permissions: contents: write pull-requests: write From 4e3e44ae8307fc22ebed7ba85d16675b22c7aba3 Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Thu, 18 Dec 2025 11:50:55 +0000 Subject: [PATCH 10/14] revert back to no container --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 17b93e0..ce6a478 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -146,7 +146,7 @@ jobs: needs: detect-agent if: needs.detect-agent.outputs.agent == 'codex' runs-on: gha-production-medium - container: ci-images-release.arti.tw.ee/actions_java_17_and_21 + # container: ci-images-release.arti.tw.ee/actions_java_17_and_21 permissions: contents: write pull-requests: write From 431429c155e14845c65979e2d1cefc1e2f86cf7f Mon Sep 17 00:00:00 2001 From: ltang-wise Date: Fri, 19 Dec 2025 16:55:03 +0000 Subject: [PATCH 11/14] add eu openai URL --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index ce6a478..9355fe6 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -181,6 +181,8 @@ jobs: - name: Run Codex Agent uses: transferwise/codex-action@v1.4-test + env: + GITHUB_API_URL: https://eu.api.openai.com with: prompt: ${{ needs.detect-agent.outputs.codex_prompt }} openai-api-key: ${{ secrets.OPENAI_API_KEY }} 
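Review bot: `GITHUB_API_URL: https://eu.api.openai.com` sets the runner's GitHub API base variable, not an OpenAI one: `GITHUB_API_URL` is what `gh`, octokit-based tooling and most actions use to reach api.github.com, so if the action or anything it shells out to honours it, GitHub API calls carrying the job's `GITHUB_TOKEN` would be sent to OpenAI's host and the PR/issue interactions would fail. The commit message says the intent is an EU OpenAI endpoint; the OpenAI SDKs read `OPENAI_BASE_URL`, so the line should read `OPENAI_BASE_URL: https://eu.api.openai.com` (or whichever base-URL input transferwise/codex-action actually exposes — I cannot see its action.yml). The `Run Codex Agent` step's `with:` block continues past the end of this hunk.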
From 12ea81dc608487f9b03b87ab67f167e51740c511 Mon Sep 17 00:00:00 2001 From: Mulugeta Tamiru <122302373+moulougeta@users.noreply.github.com> Date: Fri, 6 Feb 2026 16:06:52 +0000 Subject: [PATCH 12/14] add mcp__github__update_pull_request --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 9355fe6..49a2bc0 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -139,7 +139,7 @@ jobs: api.github.com ${{ secrets.ANTHROPIC_BEDROCK_BASE_URL }} claude_args: | - --allowedTools "mcp__github_inline_comment__create_inline_comment,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_files" + --allowedTools "mcp__github_inline_comment__create_inline_comment,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_file,mcp__github__update_pull_request" --model ${{ inputs.generic_model != '' && inputs.generic_model || vars.ANTHROPIC_DEFAULT_HAIKU_MODEL }} run-codex-agent: From ddc473e01f3dc70a7529be11a4dac4c02c3a312f Mon Sep 17 00:00:00 2001 From: Mulugeta Tamiru <122302373+moulougeta@users.noreply.github.com> Date: Fri, 13 Feb 2026 16:42:28 +0000 Subject: [PATCH 13/14] update prompt for pr and model --- .../reusable-workflow-ci-ai-agents.yaml | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index 49a2bc0..fcef722 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml 
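Review bot: Besides adding `mcp__github__update_pull_request`, this line silently renames `mcp__github_file_ops__delete_files` to `mcp__github_file_ops__delete_file`, which the commit message does not mention; I cannot tell from here which spelling the action registers, but if the old one was correct the delete tool is now effectively denied, and if the new one is correct the old entry never worked — either way it deserves its own line in the message or a comment. Granting `update_pull_request` also means the agent can rewrite the PR title and body it is reading, so instructions planted in a PR description can be reflected back into it; consider listing only the tools each trigger actually needs. The step that owns `claude_args` starts outside this hunk.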
@@ -59,6 +59,7 @@ jobs: if: | inputs.event_name == 'issues' || inputs.event_name == 'issue_comment' || + inputs.event_name == 'pull_request' || inputs.event_name == 'pull_request_review_comment' || inputs.event_name == 'pull_request_review' runs-on: gha-production-medium @@ -97,6 +98,43 @@ jobs: issues: write id-token: write actions: read + env: + PR_PROMPT: | + REPO: ${{ github.repository }} + PR NUMBER: ${{ github.event.pull_request.number }} + + Perform a comprehensive code review with the following focus areas: + + 1. **Code Quality** + - Clean code principles and best practices + - Proper error handling and edge cases + - Code readability and maintainability + + 2. **Security** + - Check for potential security vulnerabilities + - Validate input sanitization + - Review authentication/authorization logic + + 3. **Performance** + - Identify potential performance bottlenecks + - Review database queries for efficiency + - Check for memory leaks or resource issues + + 4. **Testing** + - Verify adequate test coverage + - Review test quality and edge cases + - Check for missing test scenarios + + 5. **Documentation** + - Ensure code is properly documented + - Verify README updates for new features + - Check API documentation accuracy + + Provide detailed feedback using inline comments for specific issues. + Use top-level comments for general observations or praise. + Update the PR description section in the PR body with a concise summary for the human + reviewer that surfaces security and correctness risks, highlights suspicious diffs, and + provides a brief change summary. steps: - name: Checkout repository uses: actions/checkout@v5 @@ -126,6 +164,7 @@ jobs: - name: Run AI Agent uses: transferwise/claude-code-action@main with: + prompt: ${{ inputs.event_name == 'pull_request' && env.PR_PROMPT || '' }} trigger_phrase: "/run-ci-ai-agents" use_commit_signing: "true" anthropic_bedrock_base_url: ${{ secrets.ANTHROPIC_BEDROCK_BASE_URL }} 
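Review bot: `pull_request` is now admitted by `detect-agent`, but that job's parse step (outside this hunk) only reads `.comment.body // .review.body // .issue.body`, none of which exist on a `pull_request` payload, so `comment` is empty and the event always routes to claude; that is the safe outcome — a `/codex-` in a fork PR body must not reach a job configured with `allow-users: "*"` — but it is accidental, so record it, e.g. `# pull_request payloads carry no comment/review/issue body, so they never route to codex` above the jq line. Separately, `PR_PROMPT` asks the agent to read the diff and then 'Update the PR description section in the PR body' while the step still allows `mcp__github_file_ops__commit_files`; PR content is attacker-controlled, so text planted in a PR can steer an agent that can push commits — consider a review-only tool list when `inputs.event_name == 'pull_request'`. The `prompt:` guard `inputs.event_name == 'pull_request' && env.PR_PROMPT || ''` correctly keeps the PR-specific text out of the comment-driven runs.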
@@ -140,7 +179,7 @@ jobs: ${{ secrets.ANTHROPIC_BEDROCK_BASE_URL }} claude_args: | --allowedTools "mcp__github_inline_comment__create_inline_comment,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_file,mcp__github__update_pull_request" - --model ${{ inputs.generic_model != '' && inputs.generic_model || vars.ANTHROPIC_DEFAULT_HAIKU_MODEL }} + --model ${{ inputs.generic_model != '' && inputs.generic_model || vars.ANTHROPIC_DEFAULT_OPUS_MODEL }} run-codex-agent: needs: detect-agent From d861b7ea6e628ccd929548615e68f50305f605a8 Mon Sep 17 00:00:00 2001 From: Mulugeta Tamiru <122302373+moulougeta@users.noreply.github.com> Date: Fri, 13 Feb 2026 17:03:07 +0000 Subject: [PATCH 14/14] add more allowed tools and display claude exec output --- .github/workflows/reusable-workflow-ci-ai-agents.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-workflow-ci-ai-agents.yaml b/.github/workflows/reusable-workflow-ci-ai-agents.yaml index fcef722..8f1004a 100644 --- a/.github/workflows/reusable-workflow-ci-ai-agents.yaml +++ b/.github/workflows/reusable-workflow-ci-ai-agents.yaml @@ -178,9 +178,14 @@ jobs: api.github.com ${{ secrets.ANTHROPIC_BEDROCK_BASE_URL }} claude_args: | - --allowedTools "mcp__github_inline_comment__create_inline_comment,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_file,mcp__github__update_pull_request" + --allowedTools "Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),mcp__github_inline_comment__create_inline_comment,mcp__github_file_ops__commit_files,mcp__github_file_ops__delete_file,mcp__github__update_pull_request" --model ${{ inputs.generic_model != '' && inputs.generic_model || vars.ANTHROPIC_DEFAULT_OPUS_MODEL }} + - name: Show Claude execution output + if: always() + run: | + cat /__w/_temp/claude-execution-output.json + run-codex-agent: needs: detect-agent if: needs.detect-agent.outputs.agent == 'codex'
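Review bot: `cat /__w/_temp/claude-execution-output.json` hard-codes the container mount path and fails the job whenever the file is absent — the step runs with `if: always()`, so also after an early failure or skip — turning a diagnostic into a red build; use the runner variable and guard it: `f="$RUNNER_TEMP/claude-execution-output.json"; [ -f "$f" ] && cat "$f" || echo "no execution output"`. Printing the full execution transcript into the job log also exposes everything the agent read (PR contents, tool results) to anyone who can read logs — on a public repository that is everyone — so an artifact upload is the safer home for it. The new `Bash(gh pr comment:*)`, `Bash(gh pr diff:*)` and `Bash(gh pr view:*)` entries are prefix patterns, so any trailing flags (`--repo`, `--body-file`) are in scope; that is tolerable for read and comment verbs but worth a comment stating they are intentionally limited to `gh pr` subcommands.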