feat(ci): add Codex AI review pipeline for Woodpecker

Adds automated code quality and security review pipeline that runs on pull requests using OpenAI Codex with structured output schemas. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 22:04:34 -06:00
parent 281c7ab39b
commit af2e2b083d
4 changed files with 408 additions and 0 deletions
--- a/.woodpecker/README.md
+++ b/.woodpecker/README.md
@@ -0,0 +1,120 @@
+# Woodpecker CI Configuration for Mosaic Stack
+
+## Codex AI Review Pipeline
+
+This directory contains the Codex AI review pipeline configuration for automated code and security reviews on pull requests.
+
+### Setup
+
+1. **Add Codex API key to Woodpecker:**
+   - Go to mosaic-stack repo at `https://ci.mosaicstack.dev`
+   - Settings → Secrets
+   - Add secret: `codex_api_key` with your OpenAI API key
+
+2. **Enable the pipeline:**
+   - The `codex-review.yml` pipeline will automatically run on all PRs
+   - The main `.woodpecker.yml` handles primary CI tasks
+   - This codex pipeline is independent and focused solely on reviews
+
+### What Gets Reviewed
+
+**Code Review (`code-review` step):**
+
+- Correctness — logic errors, edge cases, error handling
+- Code Quality — complexity, duplication, naming
+- Testing — coverage, test quality
+- Performance — N+1 queries, blocking ops
+- Dependencies — deprecated packages
+- Documentation — comments, API docs
+
+**Security Review (`security-review` step):**
+
+- OWASP Top 10 vulnerabilities
+- Hardcoded secrets/credentials
+- Injection flaws (SQL, NoSQL, OS command)
+- XSS, CSRF, SSRF
+- Auth/authz gaps
+- Data exposure in logs
+
+### Pipeline Behavior
+
+- **Triggers:** Every pull request
+- **Runs:** Code review + Security review in parallel
+- **Fails if:**
+  - Code review finds **blockers**
+  - Security review finds **critical** or **high** severity issues
+- **Outputs:** Structured JSON results in CI logs
+
+### Local Testing
+
+Test the review scripts locally before pushing:
+
+```bash
+# Code review of uncommitted changes
+~/.claude/scripts/codex/codex-code-review.sh --uncommitted
+
+# Security review of uncommitted changes
+~/.claude/scripts/codex/codex-security-review.sh --uncommitted
+
+# Code review against main branch
+~/.claude/scripts/codex/codex-code-review.sh -b main
+
+# Security review and save JSON
+~/.claude/scripts/codex/codex-security-review.sh -b main -o security.json
+```
+
+### Schema Files
+
+The `schemas/` directory contains JSON schemas that enforce structured output from Codex:
+
+- `code-review-schema.json` — Defines output for code quality reviews
+- `security-review-schema.json` — Defines output for security reviews
+
+These schemas ensure consistent, machine-readable findings that the CI pipeline can parse and fail on.
+
+### Integration with Main Pipeline
+
+The main `.woodpecker.yml` in the repo root handles:
+
+- Type checking (TypeScript)
+- Linting (ESLint)
+- Unit tests (Vitest)
+- Integration tests (Playwright)
+- Docker image builds
+
+This `codex-review.yml` is independent and focuses solely on:
+
+- AI-powered code quality review
+- AI-powered security vulnerability scanning
+
+Both pipelines run in parallel on PRs.
+
+### Troubleshooting
+
+**Pipeline fails with "codex: command not found"**
+
+- Check that the node image in `codex-review.yml` matches a version with npm
+- Current: `node:22-slim`
+
+**Pipeline fails with auth errors**
+
+- Verify `codex_api_key` secret is set in Woodpecker
+- Test the key locally: `CODEX_API_KEY=<key> codex exec "test"`
+
+**Pipeline passes but should fail**
+
+- Check the failure conditions in `codex-review.yml`
+- Current thresholds: blockers, critical, or high findings
+
+## Files
+
+| File                                  | Purpose                                |
+| ------------------------------------- | -------------------------------------- |
+| `codex-review.yml`                    | Codex AI review pipeline configuration |
+| `schemas/code-review-schema.json`     | Code review output schema              |
+| `schemas/security-review-schema.json` | Security review output schema          |
+| `README.md`                           | This file                              |
+
+## Parent CI Pipeline
+
+The main `.woodpecker.yml` is located at the repository root and handles all build/test tasks.