codex.yml
# Reusable workflow (workflow_call): builds the project, starts DDEV, imports an
# encrypted database artifact, then runs the Codex action with a prompt that
# embeds the body of the triggering issue or comment. Whatever the run leaves
# in artifacts/ is uploaded as a workflow artifact.
#
# NOTE(review): the trigger conditions live in the calling workflow, which is
# not visible here. Because the agent step runs with `danger-full-access` on
# text taken from the event payload, the caller is where "who may start this
# job" has to be enforced (e.g. trusted author association) - confirm it does.
name: "CI: @codex"
on:
  workflow_call:
    inputs:
      # Forwarded unchanged to the Codex action's `model` input.
      model:
        type: string
        default: o4-mini
    secrets:
      # Registry tokens, consumed only by the "Setup project" step.
      NPM_FONTAWESOME_AUTH_TOKEN:
        required: true
      PACKAGIST_GITHUB_TOKEN:
        required: true
      # Passphrase for the encrypted database dump ("Decrypt and import database").
      DB_ARTIFACT_KEY:
        required: true
      # Consumed only by the "Run Codex" step.
      OPENAI_API_KEY:
        required: true

# NOTE(review): no `permissions:` key is declared, so the GITHUB_TOKEN scopes
# are whatever the caller grants. Checkout and the artifact download both use
# that token; consider declaring the minimum this job needs.
jobs:
  codex:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      # NOTE(review): checkout's `persist-credentials` input defaults to true,
      # which leaves the token readable by later steps, including the
      # unsandboxed agent. Set it to false unless the agent is meant to push.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      # NOTE(review): referenced by the mutable tag `v1`, unlike the SHA-pinned
      # actions elsewhere in this file, and it receives both registry tokens.
      # Consider pinning to a full commit SHA for consistency.
      - name: Setup project
        uses: generoi/github-actions/setup@v1
        with:
          npm_fontawesome_auth_token: ${{ secrets.NPM_FONTAWESOME_AUTH_TOKEN }}
          packagist_github_token: ${{ secrets.PACKAGIST_GITHUB_TOKEN }}

      - name: Install and build
        run: composer install:development

      # NOTE(review): also tag-pinned (`v1`); same consideration as above.
      - name: Setup DDEV
        uses: generoi/github-actions/setup-ddev@v1

      # Fetches the `sanitized-db` artifact produced by sync-db.yml into
      # .github/fixtures/. Which run of that workflow is selected is left to
      # the action's defaults - TODO confirm that matches the intent.
      - name: Download database artifact
        uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
        with:
          workflow: sync-db.yml
          name: sanitized-db
          path: .github/fixtures/
          github_token: ${{ github.token }}

      # The passphrase is handed to openssl through the environment
      # (`-pass env:`), not on the command line. `openssl enc` with AES-256-CBC
      # gives confidentiality only: there is no integrity check on the
      # ciphertext, so the dump's authenticity rests on the artifact source.
      # Both the decrypted and the encrypted file are deleted after the import;
      # the data itself stays in the DDEV database for the rest of the job,
      # where the agent step can read it.
      - name: Decrypt and import database
        env:
          DB_ARTIFACT_KEY: ${{ secrets.DB_ARTIFACT_KEY }}
        run: |
          openssl enc -aes-256-cbc -pbkdf2 -d \
          -in .github/fixtures/sanitized-db.sql.gz.enc \
          -out .github/fixtures/sanitized-db.sql.gz \
          -pass env:DB_ARTIFACT_KEY
          ddev import-db --file=.github/fixtures/sanitized-db.sql.gz
          rm -f .github/fixtures/sanitized-db.sql.gz .github/fixtures/sanitized-db.sql.gz.enc

      - name: Optimize acorn
        run: ddev wp acorn optimize

      - name: Install Playwright browsers
        run: npx playwright install chromium

      # Pre-creates the directory that the final step uploads.
      - name: Create artifacts directory
        run: mkdir -p artifacts

      # Clones the default branch of the rules repository at run time, with no
      # ref or commit pinned, and links its rules/ directory to ~/.claude/rules.
      # NOTE(review): whether the Codex step reads ~/.claude is not visible
      # here; if it does, any change to that repository changes agent behaviour
      # without a change to this file - consider checking out a fixed commit.
      - name: Clone agency rules
        run: |
          git clone https://github.com/generoi/ai-agency.git ~/.claude/agency
          ln -sf ~/.claude/agency/rules ~/.claude/rules

      # Security-relevant step. `sandbox: danger-full-access` runs the agent
      # without sandbox restrictions, and the prompt ends with the issue or
      # comment body from the triggering event, i.e. text written by whoever
      # opened the issue or posted the comment. Treat that text as untrusted
      # instructions: the agent can reach the checkout, the imported database,
      # the network and anything else on the runner. Controls to confirm
      # outside this file: who is allowed to trigger the caller, the token
      # scopes granted to this job, and review of uploaded artifacts.
      # NOTE(review): on an issue-comment event the payload presumably carries
      # both `issue` and `comment`, so `issue.body || comment.body` would pick
      # the issue body whenever it is non-empty - confirm that is the intent.
      - name: Run Codex
        uses: openai/codex-action@f5c0ca71642badb34c1e66321d8d85685a0fa3dc # v1
        with:
          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
          sandbox: danger-full-access
          model: ${{ inputs.model }}
          prompt: |
            You are working on the ${{ github.repository }} repository.
            Follow the instructions in AGENTS.md and .ai/instructions.md for project conventions.
            Environment:
            - DDEV is running. Use `ddev wp` for WP-CLI commands.
            - Check the project's .env or wp-cli.yml for site URLs (DDEV rewrites them on import).
            - Playwright and Chromium are installed. Use `npx playwright` for browser automation.
            - For screenshots, use Playwright with `--ignore-https-errors` flag (DDEV uses self-signed certs).
            - Save artifacts (screenshots, exports) to the `artifacts/` directory (pre-created, auto-uploaded as workflow artifact).
            - The database has real content from production (sanitized).
            Task from GitHub:
            ${{ github.event.issue.body || github.event.comment.body }}

      # Runs even when earlier steps fail (`if: always()`). Everything in
      # artifacts/ was written during the job, including by the agent, and the
      # prompt invites exports from a database holding sanitized production
      # content, so the upload should be reviewed as agent-produced output.
      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: codex-artifacts
          path: artifacts/
          if-no-files-found: ignore