Conversation
- add husky hooks, commitlint, and guard scripts for branch, atomicity, artifacts, and secrets
- add deterministic helpers for branch-from-task and staged commit message proposals
- add local perf scripts for bundle, build, memory, assets, API, and DB checks
- wire commands into package scripts for deterministic local and CI execution
Tests: pnpm git:guard:all && pnpm perf:build

- add git hygiene, lockfile rationale, perf foundation, perf enforcement, and release workflows
- add PR template, release metadata, and changelog scaffolding for repeatable release flow
- add side and production lighthouse profiles plus committed perf baselines for diff gating
- add Codex DoD and repo skills for git workflow and performance budget execution
Tests: while IFS= read -r cmd; do eval ""; done < .codex/verify.commands

- use existing lint command for ui static gate inputs on repos without extra eslint config
- skip Playwright tagged runs when tests/ui specs are absent instead of failing hard
- keep explicit skip output so missing UI coverage remains visible in logs
Tests: while IFS= read -r cmd; do eval ""; done < .codex/verify.commands

- set GITHUB_TOKEN for gitleaks PR scans to satisfy current action requirements
- keep secrets workflow deterministic under pull_request triggers
Tests: not run (CI-only workflow change)

- set checkout fetch-depth to 0 for secrets job
- avoid gitleaks commit-range resolution failures on shallow clones
Tests: not run (CI-only workflow change)

- install global git and performance baseline payload
- add codex-os manifest and verification contracts
- align repo with global policies under /Users/d/.codex/policies
Tests: not run (bootstrap scaffolding only)
Warning: You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!
Codacy's Analysis Summary: 100 new issues (≤ 0 issue)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fcfed6a144
| @@ -0,0 +1,6 @@ | |||
| pnpm ui:gate:static | |||
| pnpm ui:gate:regression | |||
| pnpm git:guard:all | |||
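Review bot: `pnpm git:guard:all` in this CI verify list runs the local branch-name guard, which reads `git rev-parse --abbrev-ref HEAD` and sees `HEAD` on the detached checkout GitHub Actions produces, so the gate fails before `ui:gate:static` and `ui:gate:regression` ever run. Either drop the branch guard from `.codex/verify.commands` and leave it to the husky hook, or have `guard-branch.sh` skip with a logged reason when running in Actions, e.g. `[ -n "${GITHUB_ACTIONS:-}" ] && { echo "skip: detached CI checkout"; exit 0; }`. The other guards in the aggregate (atomicity, artifacts, secrets) are still worth running in CI, so split the aggregate rather than removing it wholesale.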
Remove local branch guard from CI verify sequence
quality-gates runs .codex/scripts/run_verify_commands.sh, and that file currently includes pnpm git:guard:all, which invokes scripts/git/guard-branch.sh and fails unless git rev-parse --abbrev-ref HEAD matches codex/...; in GitHub Actions checkout contexts this value is typically HEAD (detached), so the workflow fails before reaching substantive checks. This makes the CI gate unreliable for every PR/push run that uses detached checkouts.
| on: | ||
| push: | ||
| branches: [master] |
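Review bot: `branches: [master]` never matches this repository's default branch, so release-please will not run on ordinary release commits; the quality-gates workflow in this same PR triggers on `[main, master]`, and the release trigger should use the same list (or just `[main]`) so the two workflows agree. While editing the trigger, give this workflow an explicit top-level `permissions:` block as CodeQL requested for quality-gates: a workflow that opens version/changelog PRs and creates tags needs `contents: write` and `pull-requests: write`, and those should be stated rather than inherited from the repository default token scope.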
Trigger release workflow on main branch pushes
The release workflow only listens to push events on master, so repositories using main as the default branch (including this one) will never execute release-please on normal release commits. That leaves automated version/changelog PR generation effectively disabled unless someone pushes to master.
| task="${1:-}" | ||
| kind="${2:-feat}" | ||
| base="${3:-origin/master}" |
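Review bot: `base="${3:-origin/master}"` makes the later `git checkout -b "$branch" "$base"` fail on any clone that only has `origin/main`. Rather than hard-coding either name, resolve the remote's default branch and fall back only when it is unset: `base="${3:-$(git symbolic-ref --short refs/remotes/origin/HEAD 2>/dev/null || echo origin/main)}"`. Also `task="${1:-}"` silently accepts an empty task id; fail fast with `: "${task:?usage: $0 <task> [kind] [base]}"` so a missing argument cannot produce a malformed `codex/...` branch name that the branch guard will later reject.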
Default branch creation base to origin/main
The branch bootstrap helper defaults base to origin/master, and later runs git checkout -b "$branch" "$base"; on repos that only have origin/main, this fails immediately and prevents branch creation unless callers override the third argument manually. The default should align with the repo’s primary branch to keep the helper usable out of the box.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - uses: actions/setup-node@v5 | ||
| with: | ||
| node-version: 22 | ||
|
|
||
| - uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 9 | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install --frozen-lockfile | ||
|
|
||
| - name: Policy checks | ||
| run: node scripts/ci/require-tests-and-docs.mjs | ||
|
|
||
| - name: Verify commands | ||
| run: bash .codex/scripts/run_verify_commands.sh | ||
|
|
||
| - name: Diff coverage | ||
| run: | | ||
| python -m pip install --upgrade pip diff-cover | ||
| diff-cover coverage/lcov.info --compare-branch=origin/main --fail-under=90 | ||
|
|
||
| - name: Upload test artifacts on failure | ||
| if: failure() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: test-artifacts | ||
| path: | | ||
| playwright-report/ | ||
| test-results/ | ||
| coverage/ |
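Review bot: the workflow declares no `permissions:` block (CodeQL flags this below), so the job runs with the repository's default `GITHUB_TOKEN` scope; add `permissions: contents: read` at the top level and widen per job only where a step proves it needs more. The `Diff coverage` step installs `diff-cover` unpinned from PyPI on every run, and the actions are referenced by floating major tags (`actions/checkout@v5`, `actions/setup-node@v5`, `pnpm/action-setup@v4`, `actions/upload-artifact@v4`); pin `diff-cover==<version>` and pin each action to a full commit SHA with a version comment so the gate cannot change underneath a PR. `--compare-branch=origin/main` also disagrees with the `origin/master` defaults elsewhere in this PR; pick one default branch name and use it everywhere. `fetch-depth: 0` is required for that comparison and is correctly set here.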
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago)
In general, the fix is to add an explicit permissions: block to the workflow, ideally at the root level so it applies to all jobs, and restrict the GITHUB_TOKEN to the least privileges required. For this workflow, the steps only need to read the repository contents (for actions/checkout and scripts) and upload artifacts on failure. Uploading artifacts does not require repository write permissions; it uses its own actions: write permission scope. No steps create or modify pull requests, issues, or releases.
The best fix is to add a top-level permissions: block after the name: and on: section, before jobs:, specifying contents: read and actions: write. contents: read is sufficient for checking out code and reading files; actions: write is needed so actions/upload-artifact@v4 can successfully upload artifacts. We do not need to modify any job steps or introduce new dependencies. No existing functionality should change, because these scopes cover everything the workflow is already doing while avoiding broad repository write access.
Concretely, in .github/workflows/quality-gates.yml, insert:
    permissions:
      contents: read
      actions: write
between the on: block and the jobs: block.
| @@ -5,6 +5,10 @@ | ||
| push: | ||
| branches: [main, master] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: write | ||
|
|
||
| jobs: | ||
| quality: | ||
| runs-on: ubuntu-latest |
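Review bot: the top-level `permissions:` block is the right placement, and `contents: read` covers the checkout, policy-check and verify steps. `actions: write` is granted solely for the failure-path `actions/upload-artifact@v4` step; confirm in a trial run that the upload actually fails without it before keeping a write scope on the token, and if the workflow later gains more jobs, move the widened scope onto the `quality` job so the other jobs stay read-only.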
|
| @@ -0,0 +1,14 @@ | |||
| import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; | |||
|
|
|||
| const readJson = (file) => (existsSync(file) ? JSON.parse(readFileSync(file, "utf8")) : null); | |||
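Review bot: `readJson` returns `null` for a missing file but lets `JSON.parse` throw a bare `SyntaxError` on a malformed one, which for a committed baseline file is the likelier failure and gives no hint of which file broke; wrap the parse so the error names the file, e.g. `catch (err) { throw new Error(`invalid JSON in ${file}: ${err.message}`); }`.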
Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.
| const readJson = (file) => (existsSync(file) ? JSON.parse(readFileSync(file, "utf8")) : null); | |
| const readJson = function(file) { return (existsSync(file) ? JSON.parse(readFileSync(file, "utf8")) : null) }; |
| threshold: allowed, | ||
| }, | ||
| null, | ||
| 2, |
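Review bot: the trailing comma in this `JSON.stringify(..., null, 2,)` argument list is valid for the Node 22 runtime the workflow installs, and the Codacy rewrite only silences a rule whose `ecmaVersion` predates 2017; fix the analysis configuration (set `parserOptions.ecmaVersion` to match the runtime, or mark the `.mjs` scripts as ES2022 modules) rather than accepting this autofix, and the same applies to the identical finding on the second `JSON.stringify` call and to the "arrow function expressions are forbidden" findings.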
Codacy has a fix for the issue: ES2017 trailing commas in parameter/argument lists are forbidden.
| 2, | |
| 2 |
| .map((line) => line.trim()) | ||
| .filter(Boolean); | ||
|
|
||
| const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file); |
Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.
| const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file); | |
| const isProdCode = function(file) { return /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file) }; |
|
|
||
| const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file); | ||
| const isTest = (file) => /^tests\//.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(file); | ||
| const isDoc = (file) => /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md'; |
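Review bot: `isProdCode` excludes files by `.test`/`.spec` suffix only, so fixtures, mocks and helpers under `src/__tests__/` or `src/**/fixtures/` count as production code and would trip the tests-and-docs requirement for a test-only change; add a directory match such as `/(^|\/)(__tests__|__mocks__|fixtures)\//` to the exclusion in `isProdCode` and to the inclusion in `isTest`. `isDoc` uses single quotes while the neighbouring lines use double quotes, and `file === 'README.md'` matches only the root README; if package-level READMEs should count as docs, use `/(^|\/)README\.md$/` instead.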
Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.
| const isDoc = (file) => /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md'; | |
| const isDoc = function(file) { return /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md' }; |
| }, | ||
| null, | ||
| 2, | ||
| ), |
Codacy has a fix for the issue: ES2017 trailing commas in parameter/argument lists are forbidden.
| ), | |
| ) |
What
Why
Testing
Risk / Notes
.codex/bootstrap-conflicts/*.newfiles and merge intentionally