[codex] Automate Dependabot maintenance#124
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e548018b9f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if: steps.merge_guard.outputs.should_merge == 'true' | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh pr merge "${{ steps.pr.outputs.pr_number }}" --repo "${GITHUB_REPOSITORY}" --rebase --delete-branch |
There was a problem hiding this comment.
Because this workflow is driven by a successful workflow_run, a Dependabot push that lands after CI passes but before this command runs will make gh pr merge merge the PR's latest head rather than the SHA that actually passed CI. I checked the existing .github/workflows/auto_merge_codex_pr.yml workflow, which guards this by comparing headRefOid to github.event.workflow_run.head_sha and merging with --match-head-commit; the GitHub CLI manual describes that flag as requiring the PR head to match a SHA before merge. Add the same stale-run guard here so untested dependency updates cannot be auto-merged.
Useful? React with 👍 / 👎.
1 participant
Summary
Validation