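# Caller workflow: delegates the actual scanning and patching to the shared
# reusable workflow in greenticai/.github. This file only decides when that
# workflow runs, with what permissions, and which inputs it receives.
name: Codex Security Fix

on:  # yamllint disable-line rule:truthy
  # Runs on every pull_request event. The original had an empty `branches:`
  # here (parsed as null, not a filter); if the remediation should be limited
  # to particular target branches, add an explicit list under `branches:`.
  pull_request:
  workflow_dispatch:
    inputs:
      branch:
        description: "Branch to scan and patch (only for manual run)"
        required: false
        default: ""
      max_alerts:
        description: "Maximum open alerts per source to include"
        required: true
        # Quoted so the callee receives the string "20", not a YAML integer.
        default: "20"

# Write access lets the callee push fixes and open pull requests;
# security-events: read lets it list open code-scanning alerts.
permissions:
  contents: write
  pull-requests: write
  security-events: read

# One run per ref; a newer trigger cancels an in-flight one.
# NOTE(review): cancellation can interrupt the callee mid-push or mid-PR-creation —
# confirm the reusable workflow tolerates that before keeping cancel-in-progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-fix:
    # Do not run on fork PRs to avoid passing untrusted refs into privileged remediation workflows.
    # (Defense in depth: the guard keeps fork-originated refs out of the callee
    # even if the trigger or permissions above are changed later.)
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    # `@main` is a mutable ref: whatever lands on the callee's main branch runs
    # here with write permissions and inherited secrets. Pin to a full commit SHA
    # (…codex-security-fix.yml@<commit-sha>) once the callee is stable.
    uses: greenticai/.github/.github/workflows/codex-security-fix.yml@main
    with:
      # Both inputs exist only on workflow_dispatch; the `||` fallback covers
      # pull_request runs, where github.event.inputs is empty.
      # `branch` is free-form operator text — presumably the callee quotes or
      # validates it before using it in shell steps; verify in the callee.
      branch: ${{ github.event.inputs.branch || '' }}
      max_alerts: ${{ github.event.inputs.max_alerts || '20' }}
    # Forwards every repository/organization secret to the callee; replace with
    # an explicit secret list if it only needs a few.
    secrets: inherit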