Jason Woltje
af2e2b083d
Adds automated code quality and security review pipeline that runs on pull requests using OpenAI Codex with structured output schemas. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
91 lines
3.2 KiB
YAML
91 lines
3.2 KiB
YAML
# Codex AI Review Pipeline for Woodpecker CI
|
|
# Drop this into your repo's .woodpecker/ directory to enable automated
|
|
# code and security reviews on every pull request.
|
|
#
|
|
# Required secrets:
|
|
# - codex_api_key: OpenAI API key or Codex-compatible key
|
|
#
|
|
# Optional secrets:
|
|
# - gitea_token: Gitea API token for posting PR comments (if not using tea CLI auth)
|
|
|
|
when:
|
|
event: pull_request
|
|
|
|
variables:
|
|
- &node_image "node:22-slim"
|
|
- &install_codex "npm i -g @openai/codex"
|
|
|
|
steps:
|
|
# --- Code Quality Review ---
|
|
code-review:
|
|
image: *node_image
|
|
environment:
|
|
CODEX_API_KEY:
|
|
from_secret: codex_api_key
|
|
commands:
|
|
- *install_codex
|
|
- apt-get update -qq && apt-get install -y -qq jq git > /dev/null 2>&1
|
|
|
|
# Generate the diff
|
|
- git fetch origin ${CI_COMMIT_TARGET_BRANCH:-main}
|
|
- DIFF=$(git diff origin/${CI_COMMIT_TARGET_BRANCH:-main}...HEAD)
|
|
|
|
# Run code review with structured output
|
|
- |
|
|
codex exec \
|
|
--sandbox read-only \
|
|
--output-schema .woodpecker/schemas/code-review-schema.json \
|
|
-o /tmp/code-review.json \
|
|
"You are an expert code reviewer. Review the following code changes for correctness, code quality, testing, performance, and documentation issues. Only flag actionable, important issues. Categorize as blocker/should-fix/suggestion. If code looks good, say so.
|
|
|
|
Changes:
|
|
$DIFF"
|
|
|
|
# Output summary
|
|
- echo "=== Code Review Results ==="
|
|
- jq '.' /tmp/code-review.json
|
|
- |
|
|
BLOCKERS=$(jq '.stats.blockers // 0' /tmp/code-review.json)
|
|
if [ "$BLOCKERS" -gt 0 ]; then
|
|
echo "FAIL: $BLOCKERS blocker(s) found"
|
|
exit 1
|
|
fi
|
|
echo "PASS: No blockers found"
|
|
|
|
# --- Security Review ---
|
|
security-review:
|
|
image: *node_image
|
|
environment:
|
|
CODEX_API_KEY:
|
|
from_secret: codex_api_key
|
|
commands:
|
|
- *install_codex
|
|
- apt-get update -qq && apt-get install -y -qq jq git > /dev/null 2>&1
|
|
|
|
# Generate the diff
|
|
- git fetch origin ${CI_COMMIT_TARGET_BRANCH:-main}
|
|
- DIFF=$(git diff origin/${CI_COMMIT_TARGET_BRANCH:-main}...HEAD)
|
|
|
|
# Run security review with structured output
|
|
- |
|
|
codex exec \
|
|
--sandbox read-only \
|
|
--output-schema .woodpecker/schemas/security-review-schema.json \
|
|
-o /tmp/security-review.json \
|
|
"You are an expert application security engineer. Review the following code changes for security vulnerabilities including OWASP Top 10, hardcoded secrets, injection flaws, auth/authz gaps, XSS, CSRF, SSRF, path traversal, and supply chain risks. Include CWE IDs and remediation steps. Only flag real security issues, not code quality.
|
|
|
|
Changes:
|
|
$DIFF"
|
|
|
|
# Output summary
|
|
- echo "=== Security Review Results ==="
|
|
- jq '.' /tmp/security-review.json
|
|
- |
|
|
CRITICAL=$(jq '.stats.critical // 0' /tmp/security-review.json)
|
|
HIGH=$(jq '.stats.high // 0' /tmp/security-review.json)
|
|
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
|
|
echo "FAIL: $CRITICAL critical, $HIGH high severity finding(s)"
|
|
exit 1
|
|
fi
|
|
echo "PASS: No critical or high severity findings"
|