Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions .github/codex_auto_merge_policy.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
{
"version": 1,
"auto_merge_label": "auto-merge-ok",
"human_review_label": "human-review-required",
"monthly_marker_prefix": "<!-- codex-monthly-remediation:issue-",
"blocked_path_patterns": [
"(^|/)(\\.env|.*secret.*|.*credential.*|.*token.*|.*private.*|.*\\.pem|.*\\.key)$"
],
"risk_policy": {
"low": {
"prefixes": [
"docs/",
"tests/"
],
"exact": [
"README.md",
"README.zh-CN.md"
],
"reason": "docs/tests/readme-only changes"
},
"high": {
"reason": "source code changes require review"
}
},
"max_changed_files": 30,
"max_changed_lines": 2000,
"pr_review": {
"enabled": true,
"block_severities": [
"critical",
"high"
],
"skip_paths": [
"docs/**",
"**.md",
"**.txt",
"**.json",
"**.csv",
"LICENSE",
".github/dependabot*"
],
"skip_risk_levels": [
"low"
],
"timeout_minutes": 20,
"max_diff_lines": 2400,
"block_on_review_failure": false
}
}
53 changes: 53 additions & 0 deletions .github/workflows/codex_pr_review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
name: Codex PR Review

# Always run on PRs to guarantee a check run exists for branch protection.
# The Python script handles skip logic internally for trivial changes.
on:
pull_request:
types: [opened, synchronize, reopened]

permissions:
contents: read
id-token: write
issues: write
pull-requests: write

concurrency:
group: codex-pr-review-${{ github.event.pull_request.number }}
cancel-in-progress: true

jobs:
review:
runs-on: ubuntu-latest
timeout-minutes: 30
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.11"

- name: Run Codex PR Review
id: review
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
ANTHROPIC_MODEL: ${{ vars.ANTHROPIC_MODEL || 'claude-sonnet-4-6' }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
OPENAI_MODEL: ${{ vars.OPENAI_MODEL || 'gpt-5.4-mini' }}
CODEX_AUDIT_SERVICE_URL: ${{ secrets.CODEX_AUDIT_SERVICE_URL }}
CODEX_AUDIT_SERVICE_AUDIENCE: ${{ vars.CODEX_AUDIT_SERVICE_AUDIENCE || 'quant-codex-audit' }}
run: python scripts/run_codex_pr_review.py

- name: Upload review diagnostics
if: always()
uses: actions/upload-artifact@v7
with:
name: codex-pr-review-${{ github.event.pull_request.number }}-${{ github.run_id }}
path: data/output/codex_pr_review/
if-no-files-found: warn
50 changes: 50 additions & 0 deletions prompts/pr_review.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
You are reviewing a pull request for a **production quantitative trading and data pipeline codebase**.

## Review priorities (in order)

1. **Security**: credential leaks, injection vectors, unauthorized data access
2. **Correctness**: logic errors, wrong calculations, data corruption
3. **Crash risks**: unhandled exceptions, null pointer dereferences, resource exhaustion
4. **Data integrity**: silent data loss, incorrect transformations, schema violations
5. **API compatibility**: breaking changes to function signatures, configuration formats
6. **Race conditions**: concurrent access to shared state, inconsistent reads

## What NOT to flag

- Code style or formatting preferences
- Variable/function naming suggestions
- Missing type annotations
- Documentation quality
- Minor refactoring opportunities
- Test coverage suggestions

## Severity definitions

| Severity | Definition | Example |
|----------|-----------|---------|
| critical | Causes data loss, security breach, or production crash | SQL injection, credential in plaintext, deletion without backup |
| high | Produces wrong results or breaks downstream systems | Wrong formula, API signature change, resource leak |
| medium | Degrades reliability or performance under load | Missing error handling, N+1 query, unbounded growth |
| low | Misleading or confusing but not dangerous | Stale comment, redundant code, unclear intent |

## Output format

Return exactly one JSON object (do not wrap in markdown fences):

```json
{
"summary": "Brief assessment of the PR (1-3 sentences)",
"findings": [
{
"severity": "critical",
"category": "security",
"file": "path/to/file.py",
"line": 42,
"description": "What's wrong",
"suggestion": "How to fix it"
}
]
}
```

If no issues found, return `"findings": []`.
Empty file added scripts/__init__.py
Empty file.
Loading
Loading