From 2e9a90659353a5061427228cfad6ea2698a39fc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=98=D0=BB=D0=B8=D1=8F?= Date: Tue, 26 May 2026 00:36:24 +0300 Subject: [PATCH] chore: migrate ReviewRouter to Codex rotating OAuth (#163) * chore: migrate ReviewRouter to Codex rotating OAuth * fix: restore ReviewRouter interaction workflow * fix: pin ReviewRouter codex runtime * fix: update ReviewRouter interaction action version * fix: pin ReviewRouter codex cleanup runtime --- .github/workflows/reviewrouter-codex.yml | 26 ++++++ .../workflows/reviewrouter-interaction.yml | 82 +++++++++++++++++-- .github/workflows/reviewrouter.yml | 51 ------------ 3 files changed, 100 insertions(+), 59 deletions(-) create mode 100644 .github/workflows/reviewrouter-codex.yml delete mode 100644 .github/workflows/reviewrouter.yml
diff --git a/.github/workflows/reviewrouter-codex.yml b/.github/workflows/reviewrouter-codex.yml
new file mode 100644
index 00000000..fe19cd24
--- /dev/null
+++ b/.github/workflows/reviewrouter-codex.yml
@@ -0,0 +1,26 @@
+name: ReviewRouter Codex OAuth
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
+
+permissions: {}
+
+jobs:
+ codex-review:
+ name: codex-review
+ runs-on: ubuntu-24.04
+ timeout-minutes: 30
+ if: ${{ github.event.pull_request.draft == false && github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.user.type != 'Bot' }}
+ permissions:
+ id-token: write
+ steps:
+ - name: ReviewRouter Codex OAuth review
+ id: run_codex
+ uses: 777genius/review-router@51a487bbb7d2afaf335336a74b81bdee8d6aed5c
+ with:
+ mode: codex-oauth-rotating
+ api-url: "https://api.reviewrouter.site"
+ provider-instance-id: "codex-rotating:1163183284"
+ workflow-schema-version: "1"
+ auth-json: ${{ secrets.REVIEWROUTER_CODEX_AUTH_JSON }}
diff --git a/.github/workflows/reviewrouter-interaction.yml b/.github/workflows/reviewrouter-interaction.yml
index 15ba9b9b..4d91058e 100644
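Review bot: The `codex-review` job has no `concurrency` group, so two quick pushes to the same pull request start overlapping runs that both load `REVIEWROUTER_CODEX_AUTH_JSON` under `mode: codex-oauth-rotating`. If rotation means the stored credential is replaced on use (not visible in this hunk, so treat this as an assumption to confirm), overlapping runs can race and leave one of them with a stale credential. Consider adding at job level `concurrency:` with `group: reviewrouter-codex-${{ github.event.pull_request.number }}` and `cancel-in-progress: true`. A one-line comment above the `if:` explaining that the same-repository check is deliberate would also stop a later edit from loosening it.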
--- a/.github/workflows/reviewrouter-interaction.yml +++ b/.github/workflows/reviewrouter-interaction.yml @@ -3,6 +3,8 @@ name: ReviewRouter Interaction on: pull_request_review_comment: types: [created, edited] + issue_comment: + types: [created, edited] workflow_dispatch: permissions: 
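Review bot: Adding `issue_comment` widens who can start this job, because such runs execute from the default branch with repository secrets available and any account able to comment on a pull request can fire them. The job `if:` in the next hunk only requires that the issue is a pull request and that the commenter is not a `Bot`; nothing visible checks the commenter's relationship to the repository before the steps that write `REVIEWROUTER_CODEX_AUTH_JSON` to disk and pass `OPENAI_API_KEY`. Unless the preflight step of the pinned action already enforces this (not visible here), add to the non-dispatch branch of that condition `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. The comment body is untrusted text handed to a model, so it should be treated as hostile input either way. The workflow-level `permissions:` block lies outside this hunk, so the token scope the job receives cannot be confirmed from here.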
@@ -15,11 +17,75 @@ permissions:
 jobs:
 interaction:
 name: interaction
- uses: 777genius/review-router/.github/workflows/reviewrouter-interaction-reusable.yml@v1
- with:
- runtime_ref: v1
- api_url: "https://api.reviewrouter.site"
- runtime_config_mode: oidc
- review_workflow_file: reviewrouter.yml
- secrets:
- REVIEW_ROUTER_LEDGER_KEY: ${{ secrets.REVIEW_ROUTER_LEDGER_KEY }}
+ runs-on: ubuntu-latest
+ if: ${{ github.event_name == 'workflow_dispatch' || ((github.event_name != 'issue_comment' || github.event.issue.pull_request) && github.event.comment.user.type != 'Bot') }}
+ env:
+ REVIEWROUTER_API_URL: "https://api.reviewrouter.site"
+ REVIEWROUTER_ACTION_VERSION: "51a487bbb7d2afaf335336a74b81bdee8d6aed5c"
+ REVIEWROUTER_OIDC_AUDIENCE: "reviewrouter"
+ REVIEWROUTER_RUNTIME_CONFIG_MODE: "oidc"
+ REVIEWROUTER_STATIC_CONFIG_FALLBACK: "true"
+ REVIEWROUTER_COMMENT_TOKEN_MODE: "app-oidc"
+ CODEX_AUTH_JSON_PRESENT: ${{ secrets.REVIEWROUTER_CODEX_AUTH_JSON != '' && '1' || '0' }}
+ OPENAI_API_KEY_PRESENT: ${{ secrets.OPENAI_API_KEY != '' && '1' || '0' }}
+ REVIEW_ROUTER_REVIEW_WORKFLOW_FILE: "reviewrouter-codex.yml"
+ steps:
+ - name: Fetch ReviewRouter runtime config
+ shell: bash
+ run: |
+ set -euo pipefail
+ if [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
+ echo "ReviewRouter OIDC is unavailable. Check id-token: write permission."
+ exit 1
+ fi
+ echo "ReviewRouter runtime config will be fetched by the action using GitHub OIDC."
+
+ - name: Preflight ReviewRouter interaction
+ id: preflight
+ uses: 777genius/review-router@51a487bbb7d2afaf335336a74b81bdee8d6aed5c
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ REVIEW_ROUTER_MODE: "interaction-preflight"
+ REVIEW_ROUTER_DISCUSSION_MODE: ${{ vars.REVIEW_ROUTER_DISCUSSION_MODE || 'off' }}
+
+ - name: Setup Node.js for Codex discussion replies
+ if: ${{ steps.preflight.outputs.needs_discussion == 'true' && (env.CODEX_AUTH_JSON_PRESENT == '1' || env.OPENAI_API_KEY_PRESENT == '1') }}
+ uses: actions/setup-node@v6
+ with:
+ node-version: "24"
+
+ - name: Install Codex CLI for discussion replies
+ if: ${{ steps.preflight.outputs.needs_discussion == 'true' && (env.CODEX_AUTH_JSON_PRESENT == '1' || env.OPENAI_API_KEY_PRESENT == '1') }}
+ shell: bash
+ run: npm install -g @openai/codex@0.125.0
+
+ - name: Restore Codex subscription auth for discussion replies
+ if: ${{ steps.preflight.outputs.needs_discussion == 'true' && env.CODEX_AUTH_JSON_PRESENT == '1' }}
+ shell: bash
+ env:
+ CODEX_AUTH_JSON: ${{ secrets.REVIEWROUTER_CODEX_AUTH_JSON }}
+ run: |
+ set -euo pipefail
+ if [ -z "${CODEX_AUTH_JSON:-}" ]; then
+ echo "::error::REVIEWROUTER_CODEX_AUTH_JSON secret is missing. Re-run ReviewRouter Codex setup."
+ exit 1
+ fi
+ export CODEX_HOME="${CODEX_HOME:-$HOME/.codex}"
+ mkdir -p "$CODEX_HOME"
+ chmod 700 "$CODEX_HOME"
+ printf '%s' "$CODEX_AUTH_JSON" > "$CODEX_HOME/auth.json"
+ chmod 600 "$CODEX_HOME/auth.json"
+
+ - name: Run ReviewRouter interaction
+ if: ${{ steps.preflight.outputs.should_run == 'true' }}
+ uses: 777genius/review-router@51a487bbb7d2afaf335336a74b81bdee8d6aed5c
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ REVIEW_ROUTER_MODE: "interaction"
+ REVIEW_ROUTER_DISCUSSION_MODE: ${{ vars.REVIEW_ROUTER_DISCUSSION_MODE || 'off' }}
+ REVIEW_ROUTER_DISCUSSION_MAX_PER_PR: ${{ vars.REVIEW_ROUTER_DISCUSSION_MAX_PER_PR || '20' }}
+ REVIEW_ROUTER_DISCUSSION_MAX_PER_THREAD: ${{ vars.REVIEW_ROUTER_DISCUSSION_MAX_PER_THREAD || '5' }}
+ REVIEW_ROUTER_DISCUSSION_TIMEOUT_SECONDS: ${{ vars.REVIEW_ROUTER_DISCUSSION_TIMEOUT_SECONDS || '60' }}
+ CODEX_MODEL: ${{ vars.REVIEW_CODEX_MODEL || 'gpt-5.5' }}
+ CODEX_REASONING_EFFORT: ${{ vars.REVIEW_CODEX_EFFORT || 'medium' }}
+ OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
diff --git a/.github/workflows/reviewrouter.yml b/.github/workflows/reviewrouter.yml
deleted file mode 100644
index 116f1a27..00000000
--- a/.github/workflows/reviewrouter.yml
+++ /dev/null
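Review bot: `actions/setup-node@v6` is referenced by a mutable tag in the same job that later writes the Codex `auth.json` and exports `OPENAI_API_KEY`, while every `777genius/review-router` reference is pinned to a commit. Pin it the same way, `uses: actions/setup-node@<full-commit-sha> # v6` (placeholder; take the SHA from the release you intend to use). The job also lacks the hardening the new review workflow has: it uses `runs-on: ubuntu-latest` rather than `ubuntu-24.04` and sets no `timeout-minutes`, so a hung model call keeps the credential on the runner until the platform default expires. `OPENAI_API_KEY` is passed to the last step unconditionally, and limiting it to runs where `steps.preflight.outputs.needs_discussion == 'true'` would keep it out of runs that never call the model. The first step is named "Fetch ReviewRouter runtime config" but only checks that the OIDC request variables exist, so a name such as "Check OIDC availability" would describe it accurately.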
@@ -1,51 +0,0 @@
-name: ReviewRouter
-
-on:
- pull_request:
- types: [opened, synchronize, reopened, ready_for_review]
- merge_group:
- workflow_dispatch:
- inputs:
- pr_number:
- description: "Pull request number for manual reruns"
- required: false
- type: string
-
-permissions:
- contents: read
- pull-requests: write
- issues: write
- id-token: write
-
-jobs:
- review:
- name: review
- uses: 777genius/review-router/.github/workflows/reviewrouter-reusable.yml@v1
- with:
- runtime_ref: v1
- api_url: "https://api.reviewrouter.site"
- runtime_config_mode: oidc
- static_runtime_env_json: |-
- {
- "REVIEWROUTER_CONFIG_SCHEMA_VERSION": "2",
- "CODEX_MODEL": "gpt-5.5",
- "CODEX_REASONING_EFFORT": "medium",
- "CODEX_AGENTIC_CONTEXT": "true",
- "CODEX_FAST_MODE": "false",
- "INLINE_MAX_COMMENTS": "5",
- "INLINE_MIN_AGREEMENT": "1",
- "TARGET_TOKENS_PER_BATCH": "50000",
- "FAIL_ON_SEVERITY": "critical",
- "PROVIDER_LIMIT": "1",
- "PROVIDER_MAX_PARALLEL": "1",
- "REVIEW_AUTH_MODE": "codex-oauth",
- "REVIEW_PROVIDERS": "codex/gpt-5.5",
- "SYNTHESIS_MODEL": "codex/gpt-5.5"
- }
- pr_number: ${{ github.event.pull_request.number || inputs.pr_number }}
- secrets:
- REVIEW_ROUTER_LEDGER_KEY: ${{ secrets.REVIEW_ROUTER_LEDGER_KEY }}
- CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_JSON }}
- CODEX_CONFIG_TOML: ${{ secrets.CODEX_CONFIG_TOML }}
- OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
- OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}