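name: Codex Security Fix

# Moved off pull_request onto a nightly schedule. See plans/binary-bifurcation.md
# Phase A.4. Manual runs remain available via workflow_dispatch.
on:
  schedule:
    # 03:01 UTC — staggered against nightly-semver-advisory callers (05:xx)
    # and against sibling codex callers across the Wave 1 repos.
    # NOTE(review): the previous comment said 04:07 UTC, which does not match
    # this expression (minute 1, hour 3). The comment now describes what
    # actually runs; if 04:07 was the intended slot, the cron should be
    # changed to "7 4 * * *" instead.
    - cron: "1 3 * * *"
  workflow_dispatch:
    inputs:
      branch:
        description: "Branch to scan and patch (only for manual run)"
        required: false
        # Empty string means "use the ref the run was dispatched from"
        # (the called workflow decides; see the `with.branch` expression below).
        default: ""
      max_alerts:
        description: "Maximum open alerts per source to include"
        required: true
        # Quoted so the value stays a string through the expression below.
        default: "20"

# Token scope for the caller. The called workflow presumably opens remediation
# PRs (contents/pull-requests: write) and reads code-scanning alerts
# (security-events: read) — confirm against the reusable workflow itself.
permissions:
  contents: write
  pull-requests: write
  security-events: read

# One run per workflow+ref; a newer run cancels an in-flight one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-fix:
    # Do not run on fork PRs to avoid passing untrusted refs into privileged remediation workflows.
    # With pull_request trigger removed, this guard is a no-op; kept for defense-in-depth
    # if pull_request is ever re-added.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    # The reusable workflow is referenced by the mutable `main` ref and receives
    # every repository secret via `secrets: inherit`, so whatever lands on that
    # branch runs here with the write permissions granted above. Pinning to a
    # full commit SHA (and bumping it deliberately) keeps the called code
    # reviewable at each change.
    uses: greenticai/.github/.github/workflows/codex-security-fix.yml@main
    with:
      # On a scheduled run `inputs` is empty, so these fall back to the same
      # values as the workflow_dispatch defaults.
      branch: ${{ github.event.inputs.branch || '' }}
      max_alerts: ${{ github.event.inputs.max_alerts || '20' }}
    secrets: inherit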