
feat(autofix): auto-escalate to Codex when basic autofix insufficient #277

Merged
stranske merged 2 commits into main from fix/autofix-escalation-to-codex
Dec 29, 2025

Conversation

@stranske
Owner

@stranske stranske commented Dec 29, 2025

Automated Status Summary

Scope

  • Context / problem:
    - Current orchestration depends on PATs and/or mixed identities, which is fragile and painful to maintain.
    - GitHub Actions has recursion protection: pushes/labels/comments made with GITHUB_TOKEN generally will NOT trigger other workflows.
    - A GitHub App installation token is the cleanest way to get predictable “workflow triggers workflow” behavior without tying everything to a human PAT.
  • Goal:
    - Create a GitHub App (single org/user app) that can be installed on your repos.
    - Mint short-lived installation tokens inside workflows.
    - Replace all PAT usage in orchestrator + keepalive + dispatch workflows with the App token.

Tasks

  • Create GitHub App (UI, not code): name it "agents-workflows-bot" (or similar)
  • Set App permissions (minimal but sufficient):
    - Contents: Read & write
    - Pull requests: Read & write
    - Issues: Read & write
    - Actions: Read & write (for dispatching / reading runs)
    - Metadata: Read-only
  • Install the App on: Workflows, Workflows-Integration-Tests, Travel-Plan-Permission, Portable-Alpha-Extension-Model, Trend_Model_Project
  • Add secrets to Workflows repo (or org secrets):
    - WORKFLOWS_APP_ID
    - WORKFLOWS_APP_PRIVATE_KEY (the PEM contents)
  • Update all workflows that currently use PATs to:
    - mint app token
    - export GH_TOKEN to that token
    - (optional) checkout using that token so git push is clean
  • Add a “compat mode” fallback (temporarily) so you can flip back to PAT if needed during rollout

Acceptance criteria

  • No workflow in Workflows repo requires a PAT for:
    - labeling PRs/issues
    - creating comments
    - pushing commits to PR branches
    - dispatching workflows
  • A commit pushed by the bot identity reliably triggers the Gate workflow (no “dead loop”).
  • Secrets inventory is reduced: only App ID + private key (and OPENAI_API_KEY) are required for the automation system.
  • Rollout / safety:
    - Roll out in Workflows-Integration-Tests first, then Workflows, then consumer repos.
    - Add CODEOWNERS for .github/workflows/** and .github/scripts/** so this can’t get silently corrupted later.

Head SHA: cee2332
Latest Runs: ✅ success — Gate
Required: gate: ✅ success

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| Agents PR meta manager | ❔ in progress | View run |
| CI Autofix Loop | ✅ success | View run |
| Copilot code review | ❔ in progress | View run |
| Gate | ✅ success | View run |
| Health 40 Sweep | ✅ success | View run |
| Health 44 Gate Branch Protection | ❌ failure | View run |
| Health 45 Agents Guard | ✅ success | View run |
| Health 50 Security Scan | ✅ success | View run |
| Maint 52 Validate Workflows | ✅ success | View run |
| PR 11 - Minimal invariant CI | ✅ success | View run |
| Selftest CI | ✅ success | View run |

Head SHA: 44d7419
Latest Runs: ❔ in progress — Gate
Required: gate: ❔ in progress

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| Agents PR meta manager | ❔ in progress | View run |
| CI Autofix Loop | ❔ in progress | View run |
| Copilot code review | ❌ failure | View run |
| Gate | ❔ in progress | View run |
| Health 40 Sweep | ✅ success | View run |
| Health 44 Gate Branch Protection | ✅ success | View run |
| Health 45 Agents Guard | ❔ in progress | View run |
| Health 50 Security Scan | ❔ in progress | View run |
| Maint 52 Validate Workflows | ✅ success | View run |
| PR 11 - Minimal invariant CI | ✅ success | View run |
| Selftest CI | ✅ success | View run |
| Validate Sync Manifest | ✅ success | View run |

When a PR has:
- autofix:applied or autofix label (basic autofix ran)
- Gate still failing
- No explicit autofix config in PR body
- No agent:codex label

This change automatically adds agent:codex and autofix:escalated labels
to enable Codex to attempt more complex fixes beyond ruff/black.

Auto-escalated PRs get at most 2 Codex attempts (vs 3 for agent-initiated PRs)
to limit resource usage for automatically escalated fixes.

Closes #266 (Gap #2)
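The escalation rule stated in the PR description, written out as a pure function so it can be unit-tested without the GitHub API. This is an added example, not code from the Workflows project: the function names, the `PullRequestState` shape, and the `autofix: <value>` line used to recognise an "explicit autofix config in PR body" are assumptions (the page does not show the real marker). Gate state is passed in as the conclusion of the latest run, with `None` meaning "still in progress".

```python
# Added example (not code from the Workflows project): the auto-escalation
# decision and the attempt cap, as pure functions over PR state.
# Names, the PullRequestState shape and the PR-body config marker are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Labels that mean basic autofix (ruff/black) already ran on this PR.
BASIC_AUTOFIX_LABELS = frozenset({"autofix", "autofix:applied"})
# Labels added when escalating to Codex.
ESCALATION_LABELS = frozenset({"agent:codex", "autofix:escalated"})

# Attempt caps from the PR description: auto-escalated PRs get 2, agent-initiated 3.
AUTO_ESCALATED_ATTEMPTS = 2
AGENT_INITIATED_ATTEMPTS = 3

# Hypothetical form of an explicit autofix config line in the PR body,
# e.g. "autofix: off" or "autofix: codex". The real marker is not on the page.
EXPLICIT_CONFIG_RE = re.compile(r"^\s*autofix:\s*\S+", re.IGNORECASE | re.MULTILINE)


@dataclass
class PullRequestState:
    labels: set[str] = field(default_factory=set)
    # Conclusion of the latest Gate run: "success", "failure", or None while it
    # is still in progress. Pending is deliberately not treated as "still failing".
    gate_conclusion: str | None = None
    body: str = ""
    codex_attempts: int = 0


def has_explicit_autofix_config(body: str) -> bool:
    return EXPLICIT_CONFIG_RE.search(body) is not None


def should_escalate(pr: PullRequestState) -> bool:
    """All four conditions from the PR description must hold."""
    if not (pr.labels & BASIC_AUTOFIX_LABELS):
        return False                       # basic autofix never ran
    if pr.gate_conclusion != "failure":
        return False                       # Gate passed, or has not finished yet
    if has_explicit_autofix_config(pr.body):
        return False                       # author configured autofix explicitly
    if "agent:codex" in pr.labels:
        return False                       # already escalated or agent-initiated
    return True


def labels_to_add(pr: PullRequestState) -> set[str]:
    """Labels the workflow should add; empty when no escalation is due.
    Only missing labels are returned, so re-running the step is idempotent."""
    if not should_escalate(pr):
        return set()
    return set(ESCALATION_LABELS - pr.labels)


def codex_attempt_budget(labels: set[str]) -> int:
    """Auto-escalated PRs carry autofix:escalated and get the smaller budget."""
    return AUTO_ESCALATED_ATTEMPTS if "autofix:escalated" in labels else AGENT_INITIATED_ATTEMPTS


def codex_may_run(pr: PullRequestState) -> bool:
    """Gate the next Codex attempt on the label and on the remaining budget."""
    return "agent:codex" in pr.labels and pr.codex_attempts < codex_attempt_budget(pr.labels)
```

Two details matter in practice. A Gate run that is still in progress must not count as "still failing", so the check has to run on a completed conclusion, not on the mere presence of a failing check in the list; and the label set acts as a trigger for the higher-privilege Codex path (the page records deployments to agent-high-privilege), so the step that adds `agent:codex` should only ever run with the workflow's own identity, never from a condition an outside contributor can satisfy by editing the PR body.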
Copilot AI review requested due to automatic review settings December 29, 2025 06:16
@stranske stranske temporarily deployed to agent-high-privilege December 29, 2025 06:17 — with GitHub Actions Inactive
@agents-workflows-bot
Contributor

⚠️ Action Required: Unable to determine source issue for PR #277. The PR title, branch name, or body must contain the issue number (e.g. #123, branch: issue-123, or the hidden marker ).

Contributor

Copilot AI left a comment


Pull request overview

This PR implements auto-escalation from basic autofix (ruff/black) to Codex when basic fixes are insufficient to resolve Gate failures. When a PR has basic autofix applied but CI still fails, the workflow now automatically adds the agent:codex label to enable Codex assistance.

Key Changes:

  • Auto-escalation logic detects when basic autofix ran but Gate workflow failed
  • Automatically adds agent:codex and autofix:escalated labels to trigger Codex
  • Limits auto-escalated PRs to 2 Codex attempts (vs 3 for agent-initiated PRs)


@stranske
Owner Author

@codex fix comment

When rate limited, the fallback was setting docker_changed='true' which
causes the docker smoke test to run. But if there's no Dockerfile in the
repo (like the Workflows repo itself), this causes spurious failures.

Change the fallback to docker_changed='false' since:
1. Docker changes are less common than code changes
2. Missing a docker test on rare rate-limited PRs is better than
   failing CI on repos that don't use Docker
3. The workflow_changed='true' fallback still ensures workflow tests run
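The rate-limited fallback described in the comment above, as an added example that is not the project's own code: the changed-file list is obtained through an injected `list_changed_files` callable so the fallback path can be exercised offline, and the `RateLimited` exception, the glob lists, and the `from_fallback` flag are assumptions made for the example.

```python
# Added example (not code from the Workflows project): change-detection flags
# with the rate-limited fallback from the comment above. The glob lists, the
# RateLimited exception and the injected list_changed_files callable are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Iterable


class RateLimited(Exception):
    """Raised when the files-changed API call cannot be made (rate limited)."""


# Assumed path patterns; fnmatch's '*' also crosses '/', so '*/Dockerfile'
# matches a Dockerfile at any depth below the repo root.
DOCKER_GLOBS = ("Dockerfile", "*/Dockerfile", "*.dockerfile", "docker-compose*.y*ml", ".dockerignore")
WORKFLOW_GLOBS = (".github/workflows/*.yml", ".github/workflows/*.yaml", ".github/scripts/*")


@dataclass(frozen=True)
class ChangeFlags:
    docker_changed: bool
    workflow_changed: bool
    from_fallback: bool = False


# Fallback used when the changed-file list is unavailable:
#  - docker_changed=False: skip the docker smoke test rather than fail repos that
#    have no Dockerfile (the old 'true' fallback caused exactly that).
#  - workflow_changed=True: keep running the workflow tests, since a missed
#    workflow change is the costlier miss.
RATE_LIMIT_FALLBACK = ChangeFlags(docker_changed=False, workflow_changed=True, from_fallback=True)


def _matches_any(path: str, globs: Iterable[str]) -> bool:
    return any(fnmatchcase(path, g) for g in globs)


def classify(paths: Iterable[str]) -> ChangeFlags:
    """Derive the flags from an actual list of changed paths."""
    paths = list(paths)
    return ChangeFlags(
        docker_changed=any(_matches_any(p, DOCKER_GLOBS) for p in paths),
        workflow_changed=any(_matches_any(p, WORKFLOW_GLOBS) for p in paths),
    )


def change_flags(list_changed_files: Callable[[], list[str]]) -> ChangeFlags:
    """Compute the flags, falling back to RATE_LIMIT_FALLBACK when the API is unavailable."""
    try:
        paths = list_changed_files()
    except RateLimited:
        return RATE_LIMIT_FALLBACK
    return classify(paths)


def to_step_outputs(flags: ChangeFlags) -> dict[str, str]:
    """Render the flags as the 'true'/'false' strings a step would write to $GITHUB_OUTPUT."""
    return {
        "docker_changed": str(flags.docker_changed).lower(),
        "workflow_changed": str(flags.workflow_changed).lower(),
        "from_fallback": str(flags.from_fallback).lower(),
    }
```

Exporting `from_fallback` alongside the two flags makes a skipped docker test distinguishable in the run logs from a genuine "no Dockerfile changed" result, which is the trade-off the comment accepts for rate-limited PRs.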
@chatgpt-codex-connector

Summary

Testing

  • ⚠️ Not run (workflow logic change only).


@stranske stranske temporarily deployed to agent-high-privilege December 29, 2025 06:25 — with GitHub Actions Inactive
@stranske stranske enabled auto-merge (squash) December 29, 2025 06:29
@stranske stranske merged commit 16bf07d into main Dec 29, 2025
33 of 39 checks passed
@stranske stranske deleted the fix/autofix-escalation-to-codex branch December 29, 2025 06:37
