ton-blockchain · DanShaders · Dec 8, 2025 · Dec 8, 2025 · Dec 3, 2025
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
@@ -8,24 +8,26 @@ jobs:
   codex:
     # Only run Codex for PRs authored by allowed users
     if: |
-      github.event.pull_request.user.login == 'EmelyanenkoK' ||
-      github.event.pull_request.user.login == 'tolya-yanot' ||
-      github.event.pull_request.user.login == 'SpyCheese' ||
-      github.event.pull_request.user.login == 'neodix42' ||
-      github.event.pull_request.user.login == 'dungeon-master-666' ||
-      github.event.pull_request.user.login == 'igroman787' ||
-      github.event.pull_request.user.login == 'kdimentionaltree' ||
-      github.event.pull_request.user.login == 'sonofmom' ||
-      github.event.pull_request.user.login == 'Trinketer22' ||
-      github.event.pull_request.user.login == 'xssnick' ||
-      github.event.pull_request.user.login == 'tolk-vm' ||
-      github.event.pull_request.user.login == 'DanShaders' ||
-      github.event.pull_request.user.login == 'birydrad' ||
-      github.event.pull_request.user.login == 'abacabadabacaba' ||
-      github.event.pull_request.user.login == 'Mustang98' ||
-      github.event.pull_request.user.login == 'avevad' ||
-      github.event.pull_request.user.login == 'tvorogme' ||
-      github.event.pull_request.user.login == 'krigga'
+      github.event.pull_request.draft == false && (
+        github.event.pull_request.user.login == 'EmelyanenkoK' ||
+        github.event.pull_request.user.login == 'tolya-yanot' ||
+        github.event.pull_request.user.login == 'SpyCheese' ||
+        github.event.pull_request.user.login == 'neodix42' ||
+        github.event.pull_request.user.login == 'dungeon-master-666' ||
+        github.event.pull_request.user.login == 'igroman787' ||
+        github.event.pull_request.user.login == 'kdimentionaltree' ||
+        github.event.pull_request.user.login == 'sonofmom' ||
+        github.event.pull_request.user.login == 'Trinketer22' ||
+        github.event.pull_request.user.login == 'xssnick' ||
+        github.event.pull_request.user.login == 'tolk-vm' ||
+        github.event.pull_request.user.login == 'DanShaders' ||
+        github.event.pull_request.user.login == 'birydrad' ||
+        github.event.pull_request.user.login == 'abacabadabacaba' ||
+        github.event.pull_request.user.login == 'Mustang98' ||
+        github.event.pull_request.user.login == 'avevad' ||
+        github.event.pull_request.user.login == 'tvorogme' ||
+        github.event.pull_request.user.login == 'krigga'
+      )
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -34,42 +36,41 @@ jobs:
       final_message: ${{ steps.run_codex.outputs['final-message'] }}
 
     steps:
-      # 1. Checkout the trusted base commit
-      - name: Checkout base branch (trusted)
-        uses: actions/checkout@v5
+      - uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.pull_request.base.sha }}
-          fetch-depth: 0
-          persist-credentials: false
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
-      # 2. Fetch PR head as a separate local branch, without checking it out
-      - name: Fetch PR head
+      - name: Pre-fetch base and head refs for the PR
         run: |
-          git fetch origin \
-            pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }}
+          git fetch --no-tags origin \
+            ${{ github.event.pull_request.base.ref }} \
+            +refs/pull/${{ github.event.pull_request.number }}/head
 
-      # Optional diagnostics
-      - name: Show diff summary
-        run: |
-          git diff --stat \
-            ${{ github.event.pull_request.base.sha }}...pr-${{ github.event.pull_request.number }}
-
-      # 3. Run Codex safely
       - name: Run Codex
         id: run_codex
-        uses: openai/codex-action@02e7b2943818fbac9f077c3d1249a198ab358352
+        uses: openai/codex-action@02e7b2943818fbac9f077c3d1249a198ab358352 # v1.2
         with:
-          # IMPORTANT: this is safe only because:
-          # - workflow file lives in base repo (attacker cannot change it)
-          # - we do not run arbitrary PR code, only git commands
           openai-api-key: ${{ secrets.OPENAI_API_KEY }}
           prompt: |
             This is PR #${{ github.event.pull_request.number }} for ${{ github.repository }}.
 
-            Review ONLY the changes introduced by this PR.
+            Review ONLY the changes introduced by the PR, so consider:
+               git log --oneline ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}
+
+            ${{ github.event.pull_request.user.login == 'DanShaders' && 'Commits are supposed to be atomic, so review them one-by-one. Commit descriptions might contain some helpful context.' || '' }}
+
+            CI automatically compiles C++ code and builds, lints, and typechecks all Python code, so
+            disregard any issues that will be found by these checks (this includes presumed
+            compilation errors, wrong Python package/Git submodule versions, or issues that will
+            fail the build in any other way). Even though CI runs unit and integration tests, do not
+            disregard issues that will potentially be found by the tests, as this may help PR
+            author with debugging and test coverage is far from perfect.
+
+            Suggest any improvements, potential bugs, or issues.
 
-            Diff range:
-              ${{ github.event.pull_request.base.sha }}...pr-${{ github.event.pull_request.number }}
+            Be concise and specific in your feedback. Do not summarize changes in any way unless the
+            issue is not localized to a single line/function and adding context will help
+            understanding the issue. if no issues are found, output only "No issues found."
 
             Pull request title and body:
             ----