Migrate GitHub AI workflows to Codex #854

Closed
Kyle-Ye wants to merge 1 commit into main from codex/migrate-pr-triage-to-codex
@Kyle-Ye (Collaborator) commented Apr 18, 2026

Summary

  • Replace the @claude workflow with an @codex workflow backed by openai/codex-action@v1.
  • Move PR and issue triage off the shared Claude workflows and into local Codex-backed workflows that validate labels before applying them.
  • Migrate release note highlights from Claude Code to Codex, with placeholder fallback when OPENAI_API_KEY is unavailable.

Safety shape

  • Uses OPENAI_API_KEY instead of CLAUDE_CODE_OAUTH_TOKEN.
  • Gates Codex runs on repository write access where user content can trigger the workflow.
  • Treats issue, PR, comment, patch, branch, and changelog text as untrusted data in prompts.
  • Runs Codex with sandbox: read-only and safety-strategy: drop-sudo.
  • Keeps GitHub mutations in separate github-script or shell steps that validate Codex output first.

Validation

  • ruby -ryaml -e 'ARGV.each { |f| YAML.load_file(f); puts "yaml ok #{f}" }' .github/workflows/codex.yml .github/workflows/issue-triage.yml .github/workflows/pr-triage.yml .github/workflows/release_notes.yml
  • /tmp/actionlint-1.7.12/actionlint -color=false .github/workflows/codex.yml .github/workflows/issue-triage.yml .github/workflows/pr-triage.yml .github/workflows/release_notes.yml
  • git diff --check
  • Dry-ran the PR and issue context collection paths with gh/jq.
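
One way a shell step could validate model-proposed labels against the repository's label list before applying them. This is an added example, not the workflow from this PR; it assumes the model was asked for one label per line, and the label lists, `MAX_LABELS` and `validate_labels` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow. Inputs are constructed: in a real job
# the first list would be the repository's labels and the second the model's
# final message, with the prompt asking for one label per line (assumption).
repo_labels='bug
enhancement
documentation
good first issue'

model_output='bug
 Enhancement
bug, enhancement
release-blocker
documentation
bug'

MAX_LABELS=3   # assumed cap on labels applied per run

# Print the proposals that are safe to apply, one per line. A line survives
# only if it is byte-for-byte identical to a repository label; anything else
# (wrong case, extra text, unknown names) is dropped rather than repaired.
validate_labels() (
  allowed="$1"; proposed="$2"; seen=''; count=0
  printf '%s\n' "$proposed" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$allowed" | grep -Fxq -e "$line" || continue   # allowlist
    if printf '%s\n' "$seen" | grep -Fxq -e "$line"; then continue; fi  # dup
    [ "$count" -lt "$MAX_LABELS" ] || break
    printf '%s\n' "$line"
    seen="$seen
$line"
    count=$((count + 1))
  done
)

validate_labels "$repo_labels" "$model_output"
```

Only the lines this function prints would be handed to the separate step that mutates the issue or PR, so the model's text never reaches the GitHub API unfiltered.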

@chatgpt-codex-connector

Summary

Testing

  • ruby -ryaml -e 'ARGV.each { |f| YAML.load_file(f); puts "yaml ok #{f}" }' .github/workflows/codex.yml .github/workflows/issue-triage.yml .github/workflows/pr-triage.yml .github/workflows/release_notes.yml && git diff --check
  • ⚠️ /tmp/actionlint-1.7.12/actionlint -color=false .github/workflows/codex.yml .github/workflows/issue-triage.yml .github/workflows/pr-triage.yml .github/workflows/release_notes.yml (warning: binary not present in this environment: No such file or directory)



augmentcode bot commented Apr 18, 2026

🤖 Augment PR Summary

Summary: This PR migrates the repository’s GitHub AI automation from the shared Claude workflow to local Codex-backed workflows.

Changes:

  • Removes the reusable claude.yml workflow and adds a new codex.yml responder powered by openai/codex-action@v1.
  • Collects issue/PR + recent comments context via gh/jq and builds a single prompt file for Codex.
  • Gates Codex responses on @codex mention (or manual dispatch), and additionally checks the triggering actor has write-level repository permission.
  • Migrates issue triage and PR triage from shared workflows into local workflows that ask Codex for labels.
  • Validates Codex label output against the repository’s current labels before applying, preventing invalid label mutations.
  • Adds per-issue/PR concurrency keys to avoid overlapping triage runs.
  • Updates release note highlights generation to use Codex, with strict output validation and a placeholder fallback when OPENAI_API_KEY is absent.
  • Moves sensitive GitHub mutations (commenting, labeling, releasing) into explicit github-script / shell steps after validation.

Technical Notes: Codex runs with sandbox: read-only and safety-strategy: drop-sudo, and the prompts explicitly treat GitHub content as untrusted input.


@augmentcode augmentcode bot left a comment


Review completed. 1 suggestion posted.

Comment augment review to trigger a new review at any time.


case "$EVENT_NAME" in
issue_comment)
target_number="$(jq -r '.issue.number' "$EVENT_PATH")"

@augmentcode augmentcode bot Apr 18, 2026


jq -r '.issue.number' can yield the literal string null if the expected field is missing, which won’t trip the -z "$target_number" guard and can later break gh api .../issues/$TARGET_NUMBER / --argjson targetNumber "$TARGET_NUMBER". Consider treating null as empty (e.g., via // empty) so the workflow reliably skips instead of failing on unexpected payload shapes.

Severity: medium

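
The failure mode described in the review comment above, as an added shell example that is not code from this pull request: `jq -r` prints the string `null` for a missing field, so a `-z` test lets it through. The payloads are constructed, and `is_issue_number` and `resolve_target` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR. Both payloads are constructed.
issue_event='{"issue":{"number":854},"comment":{"body":"@codex summarize"}}'
odd_event='{"comment":{"body":"@codex summarize"}}'   # no .issue object

# Same filter as the reviewed line: a missing field prints the string "null".
extract_naive() { printf '%s' "$1" | jq -r '.issue.number'; }

# The reviewer's suggestion: `// empty` prints nothing for null or missing.
extract_or_empty() { printf '%s' "$1" | jq -r '.issue.number // empty'; }

# Hypothetical second guard, independent of jq: accept only a positive decimal
# integer before the value reaches a URL path or --argjson.
is_issue_number() {
  case "$1" in
    '' | *[!0-9]* | 0*) return 1 ;;
    *) return 0 ;;
  esac
}

# Hypothetical helper: print the target number, or fail so the job skips.
resolve_target() (
  n="$(extract_or_empty "$1")" || exit 1
  is_issue_number "$n" || exit 1
  printf '%s\n' "$n"
)

# Demo: compare the naive -z guard with the strict path on both payloads.
if command -v jq >/dev/null 2>&1; then
  for ev in "$issue_event" "$odd_event"; do
    naive="$(extract_naive "$ev")"
    if [ -z "$naive" ]; then echo "naive guard: skip"
    else echo "naive guard: continues with '$naive'"; fi
    if target="$(resolve_target "$ev")"; then echo "strict: target $target"
    else echo "strict: skip"; fi
  done
fi
```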


codecov bot commented Apr 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 14.40%. Comparing base (8b4076e) to head (9610087).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #854      +/-   ##
==========================================
- Coverage   14.41%   14.40%   -0.01%     
==========================================
  Files         634      634              
  Lines       39006    39006              
==========================================
- Hits         5621     5619       -2     
- Misses      33385    33387       +2     

@Kyle-Ye Kyle-Ye closed this Apr 19, 2026
@Kyle-Ye Kyle-Ye deleted the codex/migrate-pr-triage-to-codex branch April 19, 2026 08:09