Security Scan Codex Worker #2163
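# Codex security-scan worker.
#
# Claims batches of pending security scans and runs them in up to four
# parallel shards (at most two shards at a time). Runs every five minutes
# and on demand via workflow_dispatch.
#
# Security-relevant choices made below:
#   - the job token is read-only (permissions: contents: read) and is not
#     persisted in the checkout, since no step needs git credentials;
#   - operator inputs reach the shell only through job-level env vars,
#     never by interpolating ${{ inputs.* }} directly into `run:`;
#   - the diagnostics directory is scanned for verified secrets, and the
#     artifact is uploaded only when that scan passes.
name: Security Scan Codex Worker
on:
  workflow_dispatch:
    inputs:
      # Deprecated: kept for callers that still pass `limit`. When both are
      # given, `limit` wins (see CODEX_SECURITY_SCAN_LIMIT below).
      limit:
        description: "Deprecated alias for batch-limit"
        required: false
        default: ""
      batch-limit:
        description: "Maximum Codex scans to run in parallel per worker shard"
        required: true
        default: "4"
      max-jobs:
        description: "Optional total jobs cap per worker shard"
        required: false
        default: ""
      max-runtime-minutes:
        description: "Stop claiming new batches after this many minutes"
        required: true
        default: "40"
  schedule:
    - cron: "*/5 * * * *"

# Least privilege: the GITHUB_TOKEN issued to this job can only read the
# repository. Nothing here pushes, comments or writes to the forge.
permissions:
  contents: read

# One worker run at a time; a run already in progress is allowed to finish
# its claimed batches rather than being cancelled by the next cron tick.
concurrency:
  group: clawhub-security-scan
  cancel-in-progress: false

jobs:
  codex-security-scan:
    name: Codex security scan shard ${{ matrix.shard }}
    runs-on: blacksmith-8vcpu-ubuntu-2404
    timeout-minutes: 60
    # Secrets (OPENAI_API_KEY, SECURITY_SCAN_WORKER_TOKEN) are resolved from
    # the Production environment, so its protection rules apply to every run.
    environment: Production
    strategy:
      fail-fast: false
      max-parallel: 2
      matrix:
        shard: [0, 1, 2, 3]
    env:
      # Falls back to the hard-coded deployment URL when neither repository
      # variable is set.
      CONVEX_URL: ${{ vars.CONVEX_URL || vars.VITE_CONVEX_URL || 'https://wry-manatee-359.convex.cloud' }}
      # Inputs are exposed to the shell as env vars rather than interpolated
      # into `run:` scripts, so their contents cannot alter the script text.
      # On scheduled runs `inputs` is empty and the literal defaults apply.
      CODEX_SECURITY_SCAN_LIMIT: ${{ inputs.limit || inputs['batch-limit'] || '4' }}
      CODEX_SECURITY_SCAN_MAX_JOBS: ${{ inputs['max-jobs'] || '' }}
      CODEX_SECURITY_SCAN_MAX_RUNTIME_MINUTES: ${{ inputs['max-runtime-minutes'] || '40' }}
      # NOTE(review): the lease equals timeout-minutes, so a batch claimed
      # late in a run stays leased after the job is killed at its deadline —
      # confirm the worker's claim window (max-runtime-minutes) tolerates this.
      CODEX_SECURITY_SCAN_LEASE_MINUTES: "60"
      # Per-shard directory that is secret-scanned and then uploaded below.
      CODEX_SECURITY_SCAN_DIAGNOSTICS_DIR: codex-security-scan-diagnostics-${{ matrix.shard }}
      CODEX_SECURITY_SCAN_SHARD: ${{ matrix.shard }}
      # Quoted: the value contains ':' and must stay a single string.
      CODEX_SECURITY_SCAN_WORKER_ID: "github-actions:${{ github.run_id }}:${{ github.run_attempt }}:${{ matrix.shard }}"
      SKILLSPECTOR_PROVIDER: openai
    steps:
      - uses: actions/checkout@v6
        with:
          # Do not leave the job token in .git/config: later steps run a
          # third-party CLI and a scan over untrusted content, and none of
          # them performs authenticated git operations. NOTE(review): if
          # ./.github/actions/setup-bun fetches private git dependencies,
          # this needs to be revisited.
          persist-credentials: false
      - uses: ./.github/actions/setup-bun
      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      # Supply chain: `@latest` resolves to whatever is current at run time.
      # Pin to an exact version (e.g. `@openai/codex@<PINNED_VERSION>`) once
      # one is validated, and consider SHA-pinning the actions above.
      - name: Install Codex CLI
        run: |
          set -euo pipefail
          if ! command -v codex >/dev/null 2>&1; then
            npm install -g @openai/codex@latest
          fi
          codex --version

      # Supply chain: this installs the git default branch at run time. Pin to
      # a commit (`git+https://github.com/NVIDIA/skillspector.git@<PINNED_SHA>`)
      # so a compromised or changed upstream cannot alter scan results.
      - name: Install SkillSpector
        run: |
          set -euo pipefail
          python -m venv "$RUNNER_TEMP/skillspector-venv"
          source "$RUNNER_TEMP/skillspector-venv/bin/activate"
          python -m pip install --upgrade pip
          python -m pip install 'git+https://github.com/NVIDIA/skillspector.git'
          echo "$RUNNER_TEMP/skillspector-venv/bin" >> "$GITHUB_PATH"
          skillspector --help >/dev/null

      # The key is fed over stdin so it never appears in argv or the step log.
      - name: Authenticate Codex CLI
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: printf '%s' "$OPENAI_API_KEY" | codex login --with-api-key

      # Secrets are scoped to this step only; the job-level env carries no
      # credentials.
      - name: Run Codex security worker
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          SECURITY_SCAN_WORKER_TOKEN: ${{ secrets.SECURITY_SCAN_WORKER_TOKEN }}
        run: |
          bun scripts/security/run-codex-scan-worker.ts \
            --batch-limit "$CODEX_SECURITY_SCAN_LIMIT" \
            --max-jobs "$CODEX_SECURITY_SCAN_MAX_JOBS" \
            --max-runtime-minutes "$CODEX_SECURITY_SCAN_MAX_RUNTIME_MINUTES" \
            --lease-minutes "$CODEX_SECURITY_SCAN_LEASE_MINUTES"

      # The remaining steps run even when the worker failed, so diagnostics
      # of a failed run are still scanned and preserved; only a cancel skips
      # them.
      - name: Prepare Codex security diagnostics scan
        if: ${{ !cancelled() }}
        run: mkdir -p "$CODEX_SECURITY_SCAN_DIAGNOSTICS_DIR"

      # Gate: scan the diagnostics for leaked credentials before they leave
      # the runner. The image is pinned by digest. `--only-verified` reports
      # only credentials that verify against their provider, and `--fail`
      # turns any finding into a step failure, which blocks the upload below.
      - name: Scan Codex security diagnostics for verified secrets
        id: diagnostics_secret_scan
        if: ${{ !cancelled() }}
        run: |
          docker run --rm \
            -v "$PWD/$CODEX_SECURITY_SCAN_DIAGNOSTICS_DIR:/scan:ro" \
            ghcr.io/trufflesecurity/trufflehog:3.95.5@sha256:56c25710275c4b8d74c4f1346a5e7c606fa7ff4afe996f680b288d0fae3fcd9c \
            filesystem /scan \
            --only-verified \
            --fail \
            --no-update \
            --github-actions

      # Uploaded only when the secret scan actually ran and passed; a skipped
      # or failed scan leaves the artifact on the runner.
      - name: Upload Codex security diagnostics
        if: ${{ !cancelled() && steps.diagnostics_secret_scan.outcome == 'success' }}
        uses: actions/upload-artifact@v7
        with:
          name: codex-security-scan-diagnostics-${{ github.run_id }}-${{ matrix.shard }}
          path: ${{ env.CODEX_SECURITY_SCAN_DIAGNOSTICS_DIR }}
          if-no-files-found: ignore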