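# Auto-generated by .github/scripts/sync-deepseek-codex.sh — do not edit manually.
# Caller for the central greenticai/.github DeepSeek security-remediation
# reusable (`codex-security-fix.yml`). The file name keeps the `codex-`
# prefix until Phase G of plans/migrate-codex-deepseek.md so callers and the
# `notify-failure.yml` Slack-mute guard (`startsWith(workflow-name, 'Codex ')`)
# both stay valid through the silent pilot.
name: Codex Security Fix

on:
  schedule:
    # Daily at 03:17 UTC (GitHub evaluates cron schedules in UTC).
    - cron: "17 3 * * *"
  workflow_dispatch:
    inputs:
      branch:
        description: "Branch to scan and patch (only for manual run)"
        required: false
        # Empty string means "use the default branch"; the same fallback is
        # repeated in `with.branch` below for the scheduled trigger.
        default: ""
      max_alerts:
        description: "Maximum open alerts per source to include"
        required: true
        # Forwarded as a string; presumably the reusable parses/validates it
        # as an integer — confirm, since no check happens on this side.
        default: "20"

# Token scope handed to the reusable (a called workflow cannot exceed these).
# Write scopes are presumably for pushing the remediation branch and opening
# the PR, read for listing code-scanning alerts — confirm against the
# reusable's own `permissions` block and trim if it needs less.
permissions:
  contents: write
  pull-requests: write
  security-events: read

# One run per ref at a time; a newer trigger cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-fix:
    # Fork-PR guard kept defense-in-depth; the reusable also gates internally.
    # With only `schedule` and `workflow_dispatch` triggers above, the first
    # clause always holds; the second only matters if a `pull_request` trigger
    # is ever added to this caller.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    # NOTE(review): referenced by the mutable `@main` ref, so any change to the
    # reusable takes effect here on the next run. Pin to a release tag or
    # commit SHA once the pilot stabilises (the sync script would need to
    # carry the pinned ref so regeneration does not undo it).
    uses: greenticai/.github/.github/workflows/codex-security-fix.yml@main
    with:
      branch: ${{ github.event.inputs.branch || '' }}
      max_alerts: ${{ github.event.inputs.max_alerts || '20' }}
    # NOTE(review): `inherit` forwards every secret visible to this workflow
    # (repository, environment and organisation) to the reusable; narrow this
    # to an explicit `secrets:` map once the reusable's required secrets are
    # known.
    secrets: inherit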