Skip to content

fix(dev-lead): trust chatgpt-codex-connector[bot] in the reusable workflow#445

Merged
don-petry merged 2 commits into
mainfrom
fix/trusted-bots-codex-sync
Jun 6, 2026
Merged

fix(dev-lead): trust chatgpt-codex-connector[bot] in the reusable workflow#445
don-petry merged 2 commits into
mainfrom
fix/trusted-bots-codex-sync

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Root cause

dev-lead silently ignores all chatgpt-codex-connector[bot] reviews fleet-wide.

The dev-lead reusable workflow (what every repo actually runs via its stub) had a TRUSTED_BOTS default that omitted codex, while the standalone dev-lead.yml default and the unit tests include it:

Location codex in default?
dev-lead.yml:37 (standalone)
dev-lead-reusable.yml:46runs fleet-wide
scripts/dev-lead-intent.sh:106
tests/dev-lead/unit/test_intent_reviews.bats (codex COMMENTED → fix-reviews) ✅ expects it

vars.TRUSTED_BOTS is unset, so the reusable falls back to its default (no codex). is_trusted_bot does an exact full-line match (grep -qxF), so codex never matches → intent=skip reason=untrusted-reviewer.

Evidence

On petry-projects/.github#400, codex's review (chatgpt-codex-connector[bot], type Bot) triggered two dev-lead runs that both skipped:

  • run 27066366290 (pull_request_review): intent=skip reason=untrusted-reviewer
  • run 27066366309 (pull_request_review_comment): intent=skip reason=no-trigger-or-untrusted

codex's P2 comments were only ever fixed because a human (OWNER) re-issued them via @dev-lead (on-mention is trusted). Autonomously, dev-lead never acted on codex anywhere.

Fix

Add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests.

Verification

  • shellcheck clean; actionlint clean on my change (pre-existing SC2129 at line 97 is CI-ignored)
  • Full dev-lead unit suite: 223/223 pass, including the codex fix-reviews tests

🤖 Generated with Claude Code

…kflow

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 6, 2026 16:38
@coderabbitai

coderabbitai Bot commented Jun 6, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 32 minutes and 30 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7293bf37-f945-4219-a72b-7d73d031f9fc

📥 Commits

Reviewing files that changed from the base of the PR and between 9259cbf and d579ea6.

📒 Files selected for processing (2)
  • .github/workflows/dev-lead-reusable.yml
  • scripts/dev-lead-intent.sh
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/trusted-bots-codex-sync

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the 'scripts/dev-lead-intent.sh' script to include 'chatgpt-codex-connector[bot]' in the 'TRUSTED_BOTS' environment variable default value. There are no review comments, and I have no feedback to provide.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes dev-lead’s fleet-wide bot trust defaults by adding chatgpt-codex-connector[bot] to the reusable workflow’s TRUSTED_BOTS fallback and to the intent classifier script, so codex reviews are no longer silently ignored when vars.TRUSTED_BOTS is unset.

Changes:

  • Add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in the reusable dev-lead workflow.
  • Add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in scripts/dev-lead-intent.sh (used by the reusable workflow).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
scripts/dev-lead-intent.sh Expands the default trusted-bot allowlist so codex actors match is_trusted_bot and route to fix-reviews instead of skip.
.github/workflows/dev-lead-reusable.yml Updates the fleet-wide reusable workflow’s default TRUSTED_BOTS so codex reviews are trusted when org/repo vars aren’t set.

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 969e5fb3c48f3f8fd06f7c6eaea4ce1a1d522cd4
Review mode: triage-approved (single reviewer)

Summary

Two-line default-string sync: adds chatgpt-codex-connector[bot] to the TRUSTED_BOTS fallback in .github/workflows/dev-lead-reusable.yml and scripts/dev-lead-intent.sh so they match the standalone dev-lead.yml:37 and the existing unit test (tests/dev-lead/unit/test_intent_reviews.bats:12). The diff is +1/−1 in each of the two files; behaviour is governed by an exact-match check (grep -qxF) against an overridable env default, and vars.TRUSTED_BOTS can still override at the org/repo level.

Linked issue analysis

No linked issue. The PR body and the commit message provide the root-cause evidence (codex reviews on petry-projects/.github#400 skipping with reason=untrusted-reviewer in runs 27066366290 and 27066366309). Verified against the repo:

  • dev-lead.yml:37 — already lists codex ✅
  • dev-lead-reusable.yml:46 — was missing codex (now fixed) ✅
  • scripts/dev-lead-intent.sh:106 — was missing codex (now fixed) ✅
  • tests/dev-lead/unit/test_intent_reviews.bats:12 — expects codex in TRUSTED_BOTS

Findings

None. The change is a strict consistency fix between three previously-divergent default strings. It is auth-adjacent (expands the trusted-bot allowlist), but the bot is already explicitly trusted by the standalone workflow and the test suite, so the effective trust surface across the fleet does not grow beyond what was clearly intended.

CI status

All 23 checks complete: 17 SUCCESS (CodeQL, SonarCloud, ShellCheck × 2, bats, unit-tests, AgentShield, gitleaks, validate-agent-profiles, Compile agentic workflows, gh-aw-compile, Lint, Agent Security Scan, CodeRabbit, SonarCloud Code Analysis), 6 SKIPPED (dependency-audit subjobs for ecosystems not present, dependabot-automerge, PR Review Agent, mention trigger). Triage assessment confirmed.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@sonarqubecloud

sonarqubecloud Bot commented Jun 6, 2026

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Collaborator Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry merged commit 32dbe07 into main Jun 6, 2026
26 checks passed
@don-petry don-petry deleted the fix/trusted-bots-codex-sync branch June 6, 2026 16:52

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: d579ea6a19cb5c7db63263f3655a65ed908502b2
Review mode: triage-approved (single reviewer)

Summary

Two-line default-string sync: adds chatgpt-codex-connector[bot] to the TRUSTED_BOTS fallback in .github/workflows/dev-lead-reusable.yml:47 and scripts/dev-lead-intent.sh:106, matching the standalone .github/workflows/dev-lead.yml:38 and the existing unit test in tests/dev-lead/unit/test_intent_reviews.bats:12. The diff is +1/−1 in each of the two files; behaviour is governed by an exact-match check (grep -qxF) against an overridable env default, and vars.TRUSTED_BOTS can still override at the org/repo level.

Linked issue analysis

No linked issue. The PR body and commit message provide the root-cause evidence: codex reviews on petry-projects/.github#400 skipping with reason=untrusted-reviewer in runs 27066366290 (pull_request_review) and 27066366309 (pull_request_review_comment). Verified against the repo:

  • .github/workflows/dev-lead.yml:38 — already lists codex ✅
  • .github/workflows/dev-lead-reusable.yml:47 — was missing codex (now fixed) ✅
  • scripts/dev-lead-intent.sh:106 — was missing codex (now fixed) ✅
  • tests/dev-lead/unit/test_intent_reviews.bats:12 — expects codex in TRUSTED_BOTS
  • Codex event fixtures already exist (tests/dev-lead/fixtures/events/pr_review_codex_commented.json, pr_review_comment_codex.json) ✅

The new HEAD commit since the prior cascade review (969e5fb...d579ea6...) is a no-op merge from main (pulled in #435's bot-thread changes) and does not touch the two lines under review.

Findings

None. The change is a strict consistency fix between three previously-divergent default strings. It is auth-adjacent (expands the trusted-bot allowlist), but the bot is already explicitly trusted by the standalone workflow and the test suite, so the effective trust surface across the fleet does not grow beyond what was clearly intended. vars.TRUSTED_BOTS remains the override path for any org/repo that wants to tighten this.

CI status

All 25 checks complete: 19 SUCCESS (CodeQL ×2, SonarCloud ×2, ShellCheck ×2, bats, unit-tests, AgentShield, gitleaks, validate-agent-profiles, Compile agentic workflows, gh-aw-compile, Lint, Agent Security Scan, CodeRabbit status, Dev-Lead dispatch, PR Review Agent, dependency-audit detect), 6 SKIPPED (dependency-audit subjobs for ecosystems not present, dependabot-automerge, ci-relay). Triage assessment confirmed.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

don-petry added a commit that referenced this pull request Jun 7, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 7, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 8, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 12, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 14, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 18, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 25, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 25, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants