From c097d24da3c25d74887067bf8e3bde47a6d35c41 Mon Sep 17 00:00:00 2001
From: Rohan Mehta <rm@openai.com>
Date: Tue, 22 Jul 2025 11:10:21 -0400
Subject: [PATCH] Set up codex for issues and PRs

---
 .github/codex/home/config.toml        |  1 +
 .github/codex/labels/codex-attempt.md |  9 ++++
 .github/codex/labels/codex-review.md  |  7 ++++
 .github/codex/labels/codex-triage.md  |  7 ++++
 .github/workflows/codex.yml           | 60 +++++++++++++++++++++++++++
 5 files changed, 84 insertions(+)
 create mode 100644 .github/codex/home/config.toml
 create mode 100644 .github/codex/labels/codex-attempt.md
 create mode 100644 .github/codex/labels/codex-review.md
 create mode 100644 .github/codex/labels/codex-triage.md
 create mode 100644 .github/workflows/codex.yml

diff --git a/.github/codex/home/config.toml b/.github/codex/home/config.toml
new file mode 100644
index 000000000..94b7fc75c
--- /dev/null
+++ b/.github/codex/home/config.toml
@@ -0,0 +1 @@
+model = "o3"
diff --git a/.github/codex/labels/codex-attempt.md b/.github/codex/labels/codex-attempt.md
new file mode 100644
index 000000000..aaf402ba2
--- /dev/null
+++ b/.github/codex/labels/codex-attempt.md
@@ -0,0 +1,9 @@
+Attempt to solve the reported issue.
+
+If a code change is required, create a new branch, commit the fix, and open a pull request that resolves the problem.
+
+Here is the original GitHub issue that triggered this run:
+
+### {CODEX_ACTION_ISSUE_TITLE}
+
+{CODEX_ACTION_ISSUE_BODY}
\ No newline at end of file
diff --git a/.github/codex/labels/codex-review.md b/.github/codex/labels/codex-review.md
new file mode 100644
index 000000000..7c6c14ad5
--- /dev/null
+++ b/.github/codex/labels/codex-review.md
@@ -0,0 +1,7 @@
+Review this PR and respond with a very concise final message, formatted in Markdown.
+
+There should be a summary of the changes (1-2 sentences) and a few bullet points if necessary.
+
+Then provide the **review** (1-2 sentences plus bullet points, friendly tone).
+
+{CODEX_ACTION_GITHUB_EVENT_PATH} contains the JSON that triggered this GitHub workflow. It contains the `base` and `head` refs that define this PR. Both refs are available locally.
diff --git a/.github/codex/labels/codex-triage.md b/.github/codex/labels/codex-triage.md
new file mode 100644
index 000000000..12be75d66
--- /dev/null
+++ b/.github/codex/labels/codex-triage.md
@@ -0,0 +1,7 @@
+Troubleshoot whether the reported issue is valid.
+
+Provide a concise and respectful comment summarizing the findings.
+
+### {CODEX_ACTION_ISSUE_TITLE}
+
+{CODEX_ACTION_ISSUE_BODY}
\ No newline at end of file
diff --git a/.github/workflows/codex.yml b/.github/workflows/codex.yml
new file mode 100644
index 000000000..56c3d09a9
--- /dev/null
+++ b/.github/workflows/codex.yml
@@ -0,0 +1,60 @@
+name: Codex
+
+on:
+  issues:
+    types: [opened, labeled]
+  pull_request:
+    branches: [main]
+    types: [labeled]
+
+jobs:
+  codex:
+    # This `if` check provides complex filtering logic to avoid running Codex
+    # on every PR. Admittedly, one thing this does not verify is whether the
+    # sender has write access to the repo: that must be done as part of a
+    # runtime step.
+    #
+    # Note the label values should match the ones in the .github/codex/labels
+    # folder.
+    if: |
+      (github.event_name == 'issues' && (
+        (github.event.action == 'labeled' && (github.event.label.name == 'codex-attempt' || github.event.label.name == 'codex-triage'))
+      )) ||
+      (github.event_name == 'pull_request' && github.event.action == 'labeled' && github.event.label.name == 'codex-review')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # can push or create branches
+      issues: write # for comments + labels on issues/PRs
+      pull-requests: write # for PR comments/labels
+    steps:
+      # TODO: Consider adding an optional mode (--dry-run?) to actions/codex
+      # that verifies whether Codex should actually be run for this event.
+      # (For example, it may be rejected because the sender does not have
+      # write access to the repo.) The benefit would be two-fold:
+      # 1. As the first step of this job, it gives us a chance to add a reaction
+      #    or comment to the PR/issue ASAP to "ack" the request.
+      # 2. It saves resources by skipping the clone and setup steps below if
+      #    Codex is not going to run.
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # We install the dependencies like we would for an ordinary CI job,
+      # particularly because Codex will not have network access to install
+      # these dependencies.
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: make sync
+
+      # Note it is possible that the `verify` step internal to Run Codex will
+      # fail, in which case the work to setup the repo was worthless :(
+      - name: Run Codex
+        uses: ./.github/actions/codex
+        with:
+          openai_api_key: ${{ secrets.PROD_OPENAI_API_KEY }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          codex_home: ./.github/codex/home