[codex] Add durable project memory system#5
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3455ffb5a5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| prompt-file: .github/codex/prompts/weekly-memory-maintenance.md | ||
| sandbox: workspace-write | ||
| safety-strategy: drop-sudo | ||
| allow-bots: github-actions[bot] |
There was a problem hiding this comment.
The openai/codex-action input docs define allow-bots as a boolean defaulting to false, and the action's check-write-access parser accepts only boolean-style values; with github-actions[bot] here, any scheduled or manual run fails before Codex starts instead of allowing the bot actor. Use allow-bots: true and, if needed, put bot names in allow-bot-users per the upstream inputs: https://github.com/openai/codex-action#inputs.
Useful? React with 👍 / 👎.
| uses: peter-evans/create-pull-request@v7 | ||
| with: | ||
| token: ${{ github.token }} | ||
| commit-message: "docs: refresh project memory" |
There was a problem hiding this comment.
This runs after the workflow writes codex-weekly-memory-output.md, codex-weekly-memory.diff, and codex-weekly-memory-status.txt into the repository workspace. The create-pull-request action commits all new/modified files when add-paths is omitted, so every successful run can open or update a PR containing transient artifact files instead of just durable memory changes; constrain add-paths to the intended memory paths or remove the artifacts before this step. Upstream documents that default here: https://github.com/peter-evans/create-pull-request#action-inputs.
Useful? React with 👍 / 👎.
| env: | ||
| OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} |
There was a problem hiding this comment.
When OPENAI_API_KEY is configured, defining it at job scope makes the key available to every action in this job, including checkout, artifact upload, and the third-party PR action, even though only the secret check and openai/codex-action need it. This widens the exposure surface for a paid API key on every scheduled run; move the secret into the verify step's env and keep passing it only as the Codex action input.
Useful? React with 👍 / 👎.
| uses: actions/checkout@v5 | ||
| with: |
There was a problem hiding this comment.
The weekly prompt asks Codex to review the last 7 days of repository changes, but this checkout uses the action default, which fetches only the triggering commit, so git log-based review inside the scheduled run cannot see prior commits from the week. Set an explicit fetch-depth such as 0 or a sufficient bounded depth; the checkout docs call out the single-commit default here: https://github.com/actions/checkout#usage.
Useful? React with 👍 / 👎.
| - `#2` high-volume discovery expansion | ||
| - `#3` Resource Navigator design and README rewrite | ||
| - `#4` Resource Navigator foundation | ||
| - Current HEAD is commit `af319df`. |
There was a problem hiding this comment.
This new memory commit is 7efc73f..., so future sessions that follow AGENTS.md and read this durable memory first will immediately be told the current HEAD is the pre-memory baseline af319df. That makes the bootstrap state stale from the first use and can send agents auditing or diffing from the wrong commit; mark this as the baseline before the memory-system commit or remove the volatile HEAD fact.
Useful? React with 👍 / 👎.
| with: | ||
| openai-api-key: ${{ secrets.OPENAI_API_KEY }} | ||
| prompt-file: .github/codex/prompts/weekly-memory-maintenance.md | ||
| sandbox: workspace-write |
There was a problem hiding this comment.
The weekly prompt/skill asks this run to inspect recent PRs and issues, but Codex is launched in workspace-write without any GH_TOKEN or pre-fetched GitHub metadata. The Codex docs state workspace-write keeps network off unless explicitly enabled, and GitHub's CLI docs require GH_TOKEN in Actions, so scheduled runs can only see the checkout and will silently miss current PR/issue state; add a pre-Codex gh pr/issue list step that writes files for Codex, or give the agent a deliberately scoped token/network path. Docs: https://developers.openai.com/codex/agent-approvals-security and https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows.
Useful? React with 👍 / 👎.
| 5. List unresolved ambiguities as `Needs verification`. | ||
| 6. Recommend `AGENTS.md` changes only when the guidance is recurring and repo-wide. | ||
| 7. Avoid making product, content, or architecture changes outside project-memory maintenance unless explicitly asked. | ||
| 8. Open or update a branch / PR instead of directly changing `main`. |
There was a problem hiding this comment.
In this scheduled workflow, Codex edits the checkout first and the later peter-evans/create-pull-request step is what creates or updates the branch/PR, but this prompt makes branch/PR creation a required task for Codex itself. A compliant run may try to change branches or call GitHub before the PR step, which can fail in the sandbox or leave the workspace in a state the PR action does not expect; rephrase this to say the workflow will open/update the PR after Codex writes the memory changes.
Useful? React with 👍 / 👎.
1 participant
Summary
Knowledge captured
Validation
pm run check
px --yes awesome-lint README.md
Retirement status
Do not archive or delete the old long-running thread yet. User review and explicit approval are still required.