fix: add roles: all to smoke-codex workflow#841
Conversation
The smoke-codex workflow was missing `roles: all` in its frontmatter, unlike smoke-claude, smoke-copilot, and smoke-chroot. This caused the compiler to generate a `pre_activation` job with a team membership check, which failed for users with read-only access (e.g., Claude bot), skipping the entire workflow on pull_request events. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
This PR updates the Smoke Codex gh-aw workflow manifest to include roles: all, aligning it with other smoke workflows so the compiled workflow no longer includes a pre_activation team-membership gate that can cause pull_request runs to be skipped for low-permission bot users.
Changes:
- Add
roles: allto.github/workflows/smoke-codex.mdfrontmatter. - Regenerate
.github/workflows/smoke-codex.lock.ymlto remove thepre_activation/check_membershipjobs and update theactivationjob condition accordingly. - (Also included in the lockfile diff) Add
--enable-chrootto theawfinvocation for the Codex run step.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/smoke-codex.md | Adds roles: all to the workflow manifest frontmatter to disable role-gated pre-activation. |
| .github/workflows/smoke-codex.lock.yml | Updates the compiled workflow to remove the pre-activation gate; also changes the awf command flags. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| mkdir -p "$CODEX_HOME/logs" | ||
| sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ | ||
| sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,172.30.0.1,api.openai.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,cdn.playwright.dev,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,mcp.tavily.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,openai.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,playwright.download.prss.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --build-local \ | ||
| -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION"' \ |
There was a problem hiding this comment.
The compiled workflow now adds --enable-chroot to the awf invocation. This isn’t mentioned in the PR description and appears unrelated to adding roles: all/removing the pre_activation gate. Please confirm this flag change is intentional (and update the PR summary accordingly), or recompile/regenerate to keep the .lock.yml change scoped to the role/frontmatter update (or apply the chroot change consistently across other smoke workflows if that’s the goal).
Build Test: Bun - Results
Overall: PASS ✅ All Bun build tests passed successfully.
|
Build Test: Node.js - Results
Overall: PASS ✅ All Node.js test projects built and tested successfully!
|
Go Build Test Results
Overall: PASS ✅ All Go projects successfully downloaded dependencies and passed tests.
|
C++ Build Test Results
Overall: PASS ✅ All C++ projects built successfully.
|
Smoke Test Results (Claude)Last 2 merged PRs:
Test Results:
Status: PASS
|
|
Smoke Test Results: PASS Last 2 merged PRs:
✅ GitHub MCP: Retrieved PR data Author: @Mossaka | Assignees:
|
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Java Build Test Results ✅Both projects compiled and tested successfully:
Overall: PASS All Java build tests completed successfully with Maven proxy configuration.
|
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
Go Build Test Results ✅All Go projects passed successfully!
Overall: PASS All module downloads completed successfully and all tests passed.
|
|
Smoke Test Results ✅ PASS Recent PRs:
Tests:
cc @Mossaka
|
Smoke Test Results - ClaudeLast 2 merged PRs:
Test Results:
Status: PASS
|
Bun Build Test Results
Overall: PASS ✅ All Bun projects successfully installed dependencies and passed their tests.
|
Build Test: Node.js - ResultsAll Node.js projects built and tested successfully! ✅
Overall: PASS ✅ All three projects installed dependencies and passed their test suites without errors.
|
Build Test: Deno - Results
Overall: ✅ PASS All Deno tests completed successfully.
|
.NET Build Test Results
Overall: PASS ✅ All .NET projects successfully restored, built, and ran with expected output.
|
C++ Build Test Results
Overall: PASS ✅ All C++ projects compiled successfully with CMake and make.
|
Java Build Test Results ✅
Overall: PASS All Java projects compiled and tested successfully through the AWF firewall with Maven proxy configuration.
|
|
Merged PRs: fix(ci): add missing ANTHROPIC_API_KEY to detection job; fix(workflow): correct api-proxy IP address in smoke-codex.lock.yml
|
🦀 Rust Build Test Results
Overall: ✅ PASS All Rust projects built and tested successfully.
|
1 participant
Summary
smoke-codexworkflow was missingroles: allin its frontmatter, unlike the other smoke workflows (claude, copilot, chroot)roles: all, the gh-aw compiler generates apre_activationjob with a team membership check requiringwritepermissionreadaccess, so the membership check fails and the entire workflow is skipped onpull_requesteventsroles: allremoves thepre_activationgate, matching the behavior of the other smoke workflowsFixes the skipped Smoke Codex checks on PR #796.
Test plan
pull_requestevent.lock.ymlno longer containspre_activationorcheck_membershipjobs🤖 Generated with Claude Code