Skip to content

fix(keepalive): pass secrets explicitly to reusable workflow#106

Merged
stranske merged 1 commit intomainfrom
codex/issue-79
Dec 24, 2025
Merged

fix(keepalive): pass secrets explicitly to reusable workflow#106
stranske merged 1 commit intomainfrom
codex/issue-79

Conversation

@stranske
Copy link
Copy Markdown
Owner

@stranske stranske commented Dec 24, 2025
edited by agents-workflows-bot bot
Loading

Summary

When the keepalive loop determines action == 'run', the Codex reusable workflow call was being silently skipped. This PR fixes it by explicitly passing secrets instead of using secrets: inherit.

Problem

The run-codex job in agents-keepalive-loop.yml was using secrets: inherit to pass secrets to the reusable workflow. This caused the job to be silently skipped when the workflow_run event context did not properly inherit secrets.

Evidence from workflow runs:

  • Run 20486004986: action='run' but only 2 jobs (Keepalive next task missing)
  • Run 20486087967: action='wait' and 3 jobs (Keepalive next task = skipped)

Solution

Changed from secrets: inherit to explicitly listing each secret name that the reusable workflow needs. This matches the pattern used in agents-autofix-loop.yml.

Fixes #79 (partial - Codex CLI integration)

Automated Status Summary

Scope

  • Scope section missing from source issue.

Tasks

  • Restrict triggers:
  • do not run agent workflows on forked PRs
  • avoid pull_request_target unless absolutely necessary
  • Ensure prompts are repo-owned:
  • use prompt-file from .github/codex/prompts/
  • build a small “context appendix” file that includes sanitized task text
  • Add allowlists:
  • allow-users / allow-bots in codex-action config
  • only repo collaborators can trigger
  • Add denylist behaviors:
  • Codex should not edit .github/workflows/** unless a special environment-approved mode is enabled
  • Codex should not touch secrets or tokens (explicit instruction + sandbox limits)
  • Add logging + red flags:
  • if prompt contains “ignore previous”, HTML comments, base64 blobs, etc, stop and require human

Acceptance criteria

  • - Malicious-looking issue text does not get passed verbatim into Codex execution.
  • - Agent workflows only run for trusted actors and trusted events.

Head SHA: 11979b3
Latest Runs: ⏹️ cancelled — Gate
Required: gate: ⏹️ cancelled

Workflow / Job Result Logs
Agents Keepalive Loop ❌ failure View run
Agents PR meta manager ❔ in progress View run
CI Autofix Loop ✅ success View run
Copilot code review ✅ success View run
Gate ⏹️ cancelled View run
Health 40 Sweep ✅ success View run
Health 44 Gate Branch Protection ✅ success View run
Health 45 Agents Guard ✅ success View run
Health 50 Security Scan ✅ success View run
Maint 52 Validate Workflows ✅ success View run
PR 11 - Minimal invariant CI ✅ success View run
Selftest CI ✅ success View run

@stranske
fix(keepalive): pass secrets explicitly instead of inherit to reusabl…
11979b3 
…e workflow

The silent skip of the run-codex job was caused by secrets: inherit not
properly passing secrets to the reusable workflow call. This changes to
explicitly passing the required secrets, which matches how
agents-autofix-loop.yml already does it.
@stranske stranske added the agent:codex Agent-created issues from Codex label Dec 24, 2025
Copilot AI review requested due to automatic review settings December 24, 2025 12:30
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Dec 24, 2025
edited
Loading

Automated Status Summary

Head SHA: 8246b35
Latest Runs: ⏳ pending — Gate
Required contexts: Gate / gate, Health 45 Agents Guard / Enforce agents workflow protections
Required: core tests (3.11): ⏳ pending, core tests (3.12): ⏳ pending, docker smoke: ⏳ pending, gate: ⏳ pending

Workflow / Job Result Logs
(no jobs reported) ⏳ pending

Coverage Overview

  • Coverage history entries: 1

Coverage Trend

Metric Value
Current 77.97%
Baseline 0.00%
Delta +77.97%
Minimum 70.00%
Status ✅ Pass

Updated automatically; will refresh on subsequent CI/Docker completions.

Keepalive checklist

Scope

No scope information available

Tasks

  • No tasks defined

Acceptance criteria

  • No acceptance criteria defined

@stranske stranske temporarily deployed to agent-high-privilege December 24, 2025 12:31 — with GitHub Actions Inactive
Copilot AI reviewed Dec 24, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a bug where the run-codex job in the keepalive loop workflow was being silently skipped when action == 'run'. The issue occurred because secrets: inherit doesn't properly pass secrets in workflow_run event contexts.

  • Changed from secrets: inherit to explicitly passing three required secrets
  • Matches the pattern already used in agents-autofix-loop.yml

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@stranske stranske merged commit 0b9071d into main Dec 24, 2025
128 of 133 checks passed
@stranske stranske deleted the codex/issue-79 branch December 24, 2025 12:32
@stranske stranske mentioned this pull request Dec 24, 2025
Merged
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

agent:codex Agent-created issues from Codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Prompt injection hardening for issue/PR-driven agents (beyond “human approves Issues.txt”)

2 participants

@stranske