fix(dev-lead): trust chatgpt-codex-connector[bot] in the reusable workflow#445
Conversation
…kflow The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 32 minutes and 30 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR fixes dev-lead’s fleet-wide bot trust defaults by adding chatgpt-codex-connector[bot] to the reusable workflow’s TRUSTED_BOTS fallback and to the intent classifier script, so codex reviews are no longer silently ignored when vars.TRUSTED_BOTS is unset.
Changes:
- Add
chatgpt-codex-connector[bot]to theTRUSTED_BOTSdefault in the reusable dev-lead workflow. - Add
chatgpt-codex-connector[bot]to theTRUSTED_BOTSdefault inscripts/dev-lead-intent.sh(used by the reusable workflow).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| scripts/dev-lead-intent.sh | Expands the default trusted-bot allowlist so codex actors match is_trusted_bot and route to fix-reviews instead of skip. |
| .github/workflows/dev-lead-reusable.yml | Updates the fleet-wide reusable workflow’s default TRUSTED_BOTS so codex reviews are trusted when org/repo vars aren’t set. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 969e5fb3c48f3f8fd06f7c6eaea4ce1a1d522cd4
Review mode: triage-approved (single reviewer)
Summary
Two-line default-string sync: adds chatgpt-codex-connector[bot] to the TRUSTED_BOTS fallback in .github/workflows/dev-lead-reusable.yml and scripts/dev-lead-intent.sh so they match the standalone dev-lead.yml:37 and the existing unit test (tests/dev-lead/unit/test_intent_reviews.bats:12). The diff is +1/−1 in each of the two files; behaviour is governed by an exact-match check (grep -qxF) against an overridable env default, and vars.TRUSTED_BOTS can still override at the org/repo level.
Linked issue analysis
No linked issue. The PR body and the commit message provide the root-cause evidence (codex reviews on petry-projects/.github#400 skipping with reason=untrusted-reviewer in runs 27066366290 and 27066366309). Verified against the repo:
dev-lead.yml:37— already lists codex ✅dev-lead-reusable.yml:46— was missing codex (now fixed) ✅scripts/dev-lead-intent.sh:106— was missing codex (now fixed) ✅tests/dev-lead/unit/test_intent_reviews.bats:12— expects codex inTRUSTED_BOTS✅
Findings
None. The change is a strict consistency fix between three previously-divergent default strings. It is auth-adjacent (expands the trusted-bot allowlist), but the bot is already explicitly trusted by the standalone workflow and the test suite, so the effective trust surface across the fleet does not grow beyond what was clearly intended.
CI status
All 23 checks complete: 17 SUCCESS (CodeQL, SonarCloud, ShellCheck × 2, bats, unit-tests, AgentShield, gitleaks, validate-agent-profiles, Compile agentic workflows, gh-aw-compile, Lint, Agent Security Scan, CodeRabbit, SonarCloud Code Analysis), 6 SKIPPED (dependency-audit subjobs for ecosystems not present, dependabot-automerge, PR Review Agent, mention trigger). Triage assessment confirmed.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: d579ea6a19cb5c7db63263f3655a65ed908502b2
Review mode: triage-approved (single reviewer)
Summary
Two-line default-string sync: adds chatgpt-codex-connector[bot] to the TRUSTED_BOTS fallback in .github/workflows/dev-lead-reusable.yml:47 and scripts/dev-lead-intent.sh:106, matching the standalone .github/workflows/dev-lead.yml:38 and the existing unit test in tests/dev-lead/unit/test_intent_reviews.bats:12. The diff is +1/−1 in each of the two files; behaviour is governed by an exact-match check (grep -qxF) against an overridable env default, and vars.TRUSTED_BOTS can still override at the org/repo level.
Linked issue analysis
No linked issue. The PR body and commit message provide the root-cause evidence: codex reviews on petry-projects/.github#400 skipping with reason=untrusted-reviewer in runs 27066366290 (pull_request_review) and 27066366309 (pull_request_review_comment). Verified against the repo:
.github/workflows/dev-lead.yml:38— already lists codex ✅.github/workflows/dev-lead-reusable.yml:47— was missing codex (now fixed) ✅scripts/dev-lead-intent.sh:106— was missing codex (now fixed) ✅tests/dev-lead/unit/test_intent_reviews.bats:12— expects codex inTRUSTED_BOTS✅- Codex event fixtures already exist (
tests/dev-lead/fixtures/events/pr_review_codex_commented.json,pr_review_comment_codex.json) ✅
The new HEAD commit since the prior cascade review (969e5fb... → d579ea6...) is a no-op merge from main (pulled in #435's bot-thread changes) and does not touch the two lines under review.
Findings
None. The change is a strict consistency fix between three previously-divergent default strings. It is auth-adjacent (expands the trusted-bot allowlist), but the bot is already explicitly trusted by the standalone workflow and the test suite, so the effective trust surface across the fleet does not grow beyond what was clearly intended. vars.TRUSTED_BOTS remains the override path for any org/repo that wants to tighten this.
CI status
All 25 checks complete: 19 SUCCESS (CodeQL ×2, SonarCloud ×2, ShellCheck ×2, bats, unit-tests, AgentShield, gitleaks, validate-agent-profiles, Compile agentic workflows, gh-aw-compile, Lint, Agent Security Scan, CodeRabbit status, Dev-Lead dispatch, PR Review Agent, dependency-audit detect), 6 SKIPPED (dependency-audit subjobs for ecosystems not present, dependabot-automerge, ci-relay). Triage assessment confirmed.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>



Root cause
dev-lead silently ignores all
chatgpt-codex-connector[bot]reviews fleet-wide.The dev-lead reusable workflow (what every repo actually runs via its stub) had a
TRUSTED_BOTSdefault that omitted codex, while the standalonedev-lead.ymldefault and the unit tests include it:dev-lead.yml:37(standalone)dev-lead-reusable.yml:46← runs fleet-widescripts/dev-lead-intent.sh:106tests/dev-lead/unit/test_intent_reviews.bats(codex COMMENTED → fix-reviews)vars.TRUSTED_BOTSis unset, so the reusable falls back to its default (no codex).is_trusted_botdoes an exact full-line match (grep -qxF), so codex never matches →intent=skip reason=untrusted-reviewer.Evidence
On
petry-projects/.github#400, codex's review (chatgpt-codex-connector[bot], type Bot) triggered two dev-lead runs that both skipped:27066366290(pull_request_review):intent=skip reason=untrusted-reviewer27066366309(pull_request_review_comment):intent=skip reason=no-trigger-or-untrustedcodex's P2 comments were only ever fixed because a human (OWNER) re-issued them via
@dev-lead(on-mention is trusted). Autonomously, dev-lead never acted on codex anywhere.Fix
Add
chatgpt-codex-connector[bot]to theTRUSTED_BOTSdefault indev-lead-reusable.ymlanddev-lead-intent.sh, matching the standalone workflow and the existing tests.Verification
fix-reviewstests🤖 Generated with Claude Code