fix(keepalive): add preflight secrets check before Codex call #107
…e workflow The silent skip of the run-codex job was caused by secrets: inherit not properly passing secrets to the reusable workflow call. This changes to explicitly passing the required secrets, which matches how agents-autofix-loop.yml already does it.
The run-codex job was silently failing when calling the reusable workflow. This adds a preflight job that:
1. Runs in the agent-standard environment (where secrets are accessible)
2. Verifies CODEX_AUTH_JSON or WORKFLOWS_APP_ID is present
3. Outputs a secrets_ok flag
4. Blocks run-codex if secrets aren't available
This will help diagnose whether the issue is secret availability vs something else in the reusable workflow.
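As an added illustration, not this PR's workflow file, here is one way to wire the preflight gate the commits describe so that its secrets_ok output actually reaches run-codex; the job names, the agent-standard environment and the reusable-workflow path follow this PR, while the runner image and the step id are assumptions:

```yaml
# Added illustration, not the PR's own workflow: job names, the agent-standard
# environment and the reusable-workflow path are taken from the PR discussion;
# the runner image and the step id are assumptions.
jobs:
  preflight:
    runs-on: ubuntu-latest
    environment: agent-standard        # environment-scoped secrets resolve here
    outputs:
      # Without this job-level mapping, needs.preflight.outputs.secrets_ok is empty.
      secrets_ok: ${{ steps.check.outputs.secrets_ok }}
    steps:
      - id: check
        env:
          # Only booleans reach the shell; the secret values never touch the log.
          HAS_CODEX_AUTH: ${{ secrets.CODEX_AUTH_JSON != '' }}
          HAS_APP_ID: ${{ secrets.WORKFLOWS_APP_ID != '' }}
        run: |
          echo "has_codex_auth=$HAS_CODEX_AUTH has_app_id=$HAS_APP_ID"
          # CODEX_AUTH_JSON is the hard requirement of the reusable workflow;
          # the App credentials are logged for diagnosis but do not pass the gate.
          if [ "$HAS_CODEX_AUTH" = "true" ]; then
            echo "secrets_ok=true" >> "$GITHUB_OUTPUT"
          else
            echo "::error::CODEX_AUTH_JSON is not set in agent-standard; run-codex will be skipped."
            echo "secrets_ok=false" >> "$GITHUB_OUTPUT"
          fi
          # No exit 1: a failed dependency skips run-codex before it can read any
          # output, so the gate below is what decides, on a definite true/false.

  run-codex:
    needs: [evaluate, preflight]
    if: needs.evaluate.outputs.action == 'run' && needs.preflight.outputs.secrets_ok == 'true'
    uses: ./.github/workflows/reusable-codex-run.yml
    secrets:                           # explicit passing, matching agents-autofix-loop.yml
      CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_JSON }}
      WORKFLOWS_APP_ID: ${{ secrets.WORKFLOWS_APP_ID }}
      WORKFLOWS_APP_PRIVATE_KEY: ${{ secrets.WORKFLOWS_APP_PRIVATE_KEY }}

  summary:
    needs: [evaluate, run-codex]       # run-codex already waits on preflight
    if: always()                       # runs even when run-codex was skipped
    runs-on: ubuntu-latest
    steps:
      - run: echo "run-codex result: ${{ needs.run-codex.result }}"
```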
💡 Codex Review
Here are some automated review suggestions for this pull request.
| if [ "$HAS_CODEX_AUTH" = "true" ] || [ "$HAS_APP_ID" = "true" ]; then | ||
| echo "secrets_ok=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "::error::Neither CODEX_AUTH_JSON nor WORKFLOWS_APP_ID is set. Cannot run Codex." | ||
| echo "secrets_ok=false" >> $GITHUB_OUTPUT |
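Review bot: `$GITHUB_OUTPUT` is unquoted in both `echo ... >> $GITHUB_OUTPUT` lines of this hunk, while the later revision of the same block writes `>> "$GITHUB_OUTPUT"`; quote it in both places so a path containing whitespace cannot be word-split by the redirect. The `||` on the first line also lets the gate pass on `WORKFLOWS_APP_ID` alone; since the review below notes that the reusable workflow exits without `CODEX_AUTH_JSON`, make `HAS_CODEX_AUTH` the required term and log `HAS_APP_ID` separately as informational.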
Secrets preflight passes without required Codex auth
The new preflight job returns secrets_ok=true when either CODEX_AUTH_JSON or WORKFLOWS_APP_ID is set. However, reusable-codex-run.yml always requires CODEX_AUTH_JSON (the Setup Codex auth step exits if it is empty), so runs where only the GitHub App credentials are available will still proceed to run-codex and then fail later. The preflight gate is supposed to block missing secrets, but with the current OR condition it provides a false green signal and doesn’t prevent the failing Codex invocation.
Automated Status Summary (Head SHA: fc8f708)
Coverage Overview and Coverage Trend: updated automatically; will refresh on subsequent CI/Docker completions.
Keepalive checklist: Scope, Tasks, Acceptance criteria
Pull request overview
This PR adds a preflight secrets verification job to diagnose why the run-codex job fails to appear in the keepalive workflow. The preflight job checks for the presence of required secrets (CODEX_AUTH_JSON or WORKFLOWS_APP_ID) and outputs a secrets_ok flag before the run-codex job executes.
Key Changes
- Added a new preflight job that verifies secrets availability in the agent-standard environment
- Modified run-codex job to depend on preflight and check its secrets_ok output
- Changed from secrets: inherit to explicit secret passing for CODEX_AUTH_JSON, WORKFLOWS_APP_ID, and WORKFLOWS_APP_PRIVATE_KEY
| - preflight | ||
| - run-codex |
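Review bot: `- preflight` in this needs list is an ordering edge the summary job does not need: `run-codex` lists `preflight` in its own `needs` further down, so waiting on `run-codex` already orders summary after preflight, and the direct edge only adds another way for summary to be skipped. Keep `- run-codex` and drop `- preflight`.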
The summary job now depends on the preflight job, but this dependency will cause the summary job to be skipped when the preflight job is skipped (i.e., when needs.evaluate.outputs.action != 'run'). This breaks the intended behavior where the summary should run regardless of whether the preflight job executes. The summary job has if: always() which should allow it to run in all scenarios to update the keepalive status, but the hard dependency on preflight will prevent execution when preflight is skipped.
Consider removing preflight from the needs list in the summary job, since the summary doesn't actually use any outputs from preflight and should run independently to report the final state.
| - preflight | |
| - run-codex |
| needs: | ||
| - evaluate | ||
| - preflight | ||
| if: needs.evaluate.outputs.action == 'run' && needs.preflight.outputs.secrets_ok == 'true' |
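Review bot: `needs.preflight.outputs.secrets_ok` in this `if:` only resolves if the preflight job declares a job-level `outputs:` mapping (`secrets_ok: ${{ steps.<check-step-id>.outputs.secrets_ok }}`); the step's `>> $GITHUB_OUTPUT` write alone does not surface the value to dependants, and none of the visible hunks include that mapping. Without it the expression is the empty string, `== 'true'` is false, and `run-codex` is skipped with no error, which is the same silent symptom this PR is trying to diagnose. Add the mapping to the preflight job or include it in the diff.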
The condition checking secrets_ok == 'true' is redundant because the preflight job already exits with status 1 when secrets are not available. When preflight fails, needs.preflight.result would be 'failure', which would already prevent run-codex from executing due to the default behavior (jobs don't run when their dependencies fail unless you specify if: always() or check needs.X.result).
The current condition needs.preflight.outputs.secrets_ok == 'true' will never be false in practice because preflight will fail before setting secrets_ok to false makes any difference. Consider simplifying the condition to just needs.evaluate.outputs.action == 'run', or if you want to handle a failed preflight explicitly, check needs.preflight.result == 'success' instead.
| if: needs.evaluate.outputs.action == 'run' && needs.preflight.outputs.secrets_ok == 'true' | |
| if: needs.evaluate.outputs.action == 'run' |
| else | ||
| echo "::error::Neither CODEX_AUTH_JSON nor WORKFLOWS_APP_ID is set. Cannot run Codex." | ||
| echo "secrets_ok=false" >> "$GITHUB_OUTPUT" | ||
| exit 1 |
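Review bot: the `::error::` text says neither of two secrets is set, but per the Codex comment above the reusable workflow hard-requires `CODEX_AUTH_JSON`, so when only the App credentials are present this branch is never taken and the run still fails downstream; name `CODEX_AUTH_JSON` as the required secret in both the message and the condition. Keeping the test on the `HAS_CODEX_AUTH`/`HAS_APP_ID` booleans, as the earlier revision's `if` line does, rather than on the secret values is the right choice, since nothing secret then reaches the job log.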
The preflight job sets secrets_ok=false before exit 1, but this output won't be available to dependent jobs because GitHub Actions doesn't make outputs from failed jobs available. When a job fails (exit 1), its outputs are not propagated to needs.X.outputs in dependent jobs. This means the check in run-codex for needs.preflight.outputs.secrets_ok == 'true' won't work as intended - it will be empty/undefined rather than 'false'.
If you want to use the output value to control flow, the preflight job should succeed (exit 0) in both cases and let the run-codex job decide whether to proceed based on the secrets_ok output.
| exit 1 |
Summary
Adds a preflight job to diagnose why the run-codex job is silently not appearing.
Problem
When the keepalive loop determines action=run, the Keepalive next task job should execute. Instead:
Solution
Added a preflight job that:
This will show in the logs whether secrets are accessible, helping diagnose if the issue is:
Related
Automated Status Summary (Head SHA: 58da3fb)
Keepalive checklist: Scope, Tasks, Acceptance criteria
Latest Runs: ✅ success — Gate
Required: gate: ✅ success