Jason Woltje
4a4d3efbfb
Woodpecker v3 ignores .woodpecker.yml when a .woodpecker/ directory exists, reading only files from the directory. Since develop has .woodpecker/codex-review.yml, the main build pipeline was invisible to Woodpecker on develop. Move it into the directory as build.yml. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Woodpecker CI Configuration for Mosaic Stack
Codex AI Review Pipeline
This directory contains the Codex AI review pipeline configuration for automated code and security reviews on pull requests.
Setup
-
Add Codex API key to Woodpecker:
- Go to mosaic-stack repo at
https://ci.mosaicstack.dev - Settings → Secrets
- Add secret:
codex_api_keywith your OpenAI API key
- Go to mosaic-stack repo at
-
Enable the pipeline:
- The
codex-review.ymlpipeline will automatically run on all PRs - The main
.woodpecker.ymlhandles primary CI tasks - This codex pipeline is independent and focused solely on reviews
- The
What Gets Reviewed
Code Review (code-review step):
- Correctness — logic errors, edge cases, error handling
- Code Quality — complexity, duplication, naming
- Testing — coverage, test quality
- Performance — N+1 queries, blocking ops
- Dependencies — deprecated packages
- Documentation — comments, API docs
Security Review (security-review step):
- OWASP Top 10 vulnerabilities
- Hardcoded secrets/credentials
- Injection flaws (SQL, NoSQL, OS command)
- XSS, CSRF, SSRF
- Auth/authz gaps
- Data exposure in logs
Pipeline Behavior
- Triggers: Every pull request
- Runs: Code review + Security review in parallel
- Fails if:
- Code review finds blockers
- Security review finds critical or high severity issues
- Outputs: Structured JSON results in CI logs
Local Testing
Test the review scripts locally before pushing:
# Code review of uncommitted changes
~/.claude/scripts/codex/codex-code-review.sh --uncommitted
# Security review of uncommitted changes
~/.claude/scripts/codex/codex-security-review.sh --uncommitted
# Code review against main branch
~/.claude/scripts/codex/codex-code-review.sh -b main
# Security review and save JSON
~/.claude/scripts/codex/codex-security-review.sh -b main -o security.json
Schema Files
The schemas/ directory contains JSON schemas that enforce structured output from Codex:
code-review-schema.json— Defines output for code quality reviewssecurity-review-schema.json— Defines output for security reviews
These schemas ensure consistent, machine-readable findings that the CI pipeline can parse and fail on.
Integration with Main Pipeline
The main .woodpecker.yml in the repo root handles:
- Type checking (TypeScript)
- Linting (ESLint)
- Unit tests (Vitest)
- Integration tests (Playwright)
- Docker image builds
This codex-review.yml is independent and focuses solely on:
- AI-powered code quality review
- AI-powered security vulnerability scanning
Both pipelines run in parallel on PRs.
Troubleshooting
Pipeline fails with "codex: command not found"
- Check that the node image in
codex-review.ymlmatches a version with npm - Current:
node:22-slim
Pipeline fails with auth errors
- Verify
codex_api_keysecret is set in Woodpecker - Test the key locally:
CODEX_API_KEY=<key> codex exec "test"
Pipeline passes but should fail
- Check the failure conditions in
codex-review.yml - Current thresholds: blockers, critical, or high findings
Files
| File | Purpose |
|---|---|
codex-review.yml |
Codex AI review pipeline configuration |
schemas/code-review-schema.json |
Code review output schema |
schemas/security-review-schema.json |
Security review output schema |
README.md |
This file |
Parent CI Pipeline
The main .woodpecker.yml is located at the repository root and handles all build/test tasks.