use codex in a GitHub/Gitea/Forgejo action
  • TypeScript 93.8%
  • Nix 6.2%
Find a file
doctor fd133063dc
All checks were successful
check / check (push) Successful in 36s
check / action (push) Successful in 9s
release / linux (push) Successful in 37s
bump: v0.3.1 -> v0.3.2
2026-07-16 22:02:30 +00:00
.forgejo chore(deps): update spotdemo4/nix-init action to v1.58.0 (#13) 2026-07-15 05:16:43 -04:00
.github/workflows chore(deps): update spotdemo4/nix-init action to v1.58.0 (#13) 2026-07-15 05:16:43 -04:00
.vscode Initial commit 2026-07-08 19:17:52 -04:00
.zed Initial commit 2026-07-08 19:17:52 -04:00
build feat(action): add PR comment model footer 2026-07-11 00:21:39 -04:00
src chore(deps): update dependency openai/codex to v0.144.5 (#14) 2026-07-16 05:10:36 -04:00
tests feat(action): add PR comment model footer 2026-07-11 00:21:39 -04:00
.envrc.project Initial commit 2026-07-08 19:17:52 -04:00
.gitattributes chore(git): mark build artifacts as linguist-generated 2026-07-09 06:51:28 -04:00
.gitignore chore(project): replace template metadata with codex-action 2026-07-08 19:37:01 -04:00
.npmignore Initial commit 2026-07-08 19:17:52 -04:00
.npmrc Initial commit 2026-07-08 19:17:52 -04:00
.oxfmtrc.json Initial commit 2026-07-08 19:17:52 -04:00
.oxlintrc.json Initial commit 2026-07-08 19:17:52 -04:00
action.yaml feat(action): add dry-run mode for local-only Codex updates 2026-07-09 03:41:12 -04:00
AGENTS.md Initial commit 2026-07-08 19:17:52 -04:00
CLAUDE.md Initial commit 2026-07-08 19:17:52 -04:00
flake.lock chore(deps): lock file maintenance (#7) 2026-07-12 05:56:18 -04:00
flake.nix bump: v0.3.1 -> v0.3.2 2026-07-16 22:02:30 +00:00
LICENSE Initial commit 2026-07-08 19:17:52 -04:00
package-lock.json bump: v0.3.1 -> v0.3.2 2026-07-16 22:02:30 +00:00
package.json bump: v0.3.1 -> v0.3.2 2026-07-16 22:02:30 +00:00
README.md feat(action): add PR comment model footer 2026-07-11 00:21:39 -04:00
rolldown.config.ts Initial commit 2026-07-08 19:17:52 -04:00
treefmt.toml chore(project): replace template metadata with codex-action 2026-07-08 19:37:01 -04:00
tsconfig.json Initial commit 2026-07-08 19:17:52 -04:00

codex-action

check vulnerable node

Use Codex in a GitHub/Gitea/Forgejo action

Examples

GitHub App

This is the recommended GitHub setup. The action creates a repository-scoped installation token with the permissions it needs, stores refreshed Codex auth in CODEX_ACTION_AUTH, and commits as <app-slug>[bot].

name: codex

on:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  codex:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: spotdemo4/codex-action@main
        with:
          auth: ${{ secrets.CODEX_ACTION_AUTH }}
          client-id: ${{ vars.CLIENT_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          prompt: Update the documentation for the latest changes.

The GitHub App installation must grant these repository permissions:

  • Actions: read
  • Contents: read and write
  • Issues: read and write
  • Pull requests: read and write
  • Secrets: read and write

MCP Context

The action exposes the matching platform MCP server to Codex with the same API token used by the action. This lets Codex inspect pull request comments, issues, repository data, and workflow context through MCP tools instead of relying on pre-generated prompt text.

No container runtime is required. The action downloads the matching release binary and caches it in both the runner tool cache and, when available, the Actions cache service:

  • github-mcp-server from github/github-mcp-server on GitHub, with the repos, issues, pull_requests, and actions toolsets in read-only mode.
  • gitea-mcp from gitea/gitea-mcp on Gitea, pointed at the current server URL.
  • forgejo-mcp from goern/forgejo-mcp on Forgejo, pointed at the current server URL.

The API token is forwarded through environment variables and is not written to Codex MCP configuration. On GitHub App setups, the installation must include the Actions read permission so Codex can inspect workflow context.

Set CODEX_PATH to a preinstalled Codex executable to skip the Codex binary download and cache lookup entirely.

Prompt File

If prompt points to a file in the workspace, the action reads that file. Otherwise, the input value is used as the prompt text.

- uses: spotdemo4/codex-action@main
  with:
    auth: ${{ secrets.CODEX_ACTION_AUTH }}
    client-id: ${{ vars.CLIENT_ID }}
    private-key: ${{ secrets.PRIVATE_KEY }}
    prompt: .github/prompts/refactor.md

Writing Prompts

Prompts should describe the repository task clearly enough for Codex to complete it without follow-up questions. For reusable automation, prefer a prompt file in the repository such as .github/prompts/refactor.md.

Effective prompts usually include:

  • The concrete goal or outcome.
  • Relevant context, files, packages, or workflows to inspect first.
  • What is in scope and out of scope.
  • Required formatting, build, or test commands.
  • Project constraints such as compatibility, style, or minimal-change expectations.
  • What to do if the requested change cannot be completed safely.

Do not ask Codex to commit, push, or post comments directly. This action handles commits, pushes, pull request comments, and automerge after Codex finishes.

Set dry-run: true to let Codex run and create a local commit while skipping pushes, pull request comments, and automerge updates. Refreshed Codex auth is still saved to the configured repository secret.

Codex runs with workspace write access and without shell network access. The configured MCP server can access the platform API with the action token.

Pull Requests

On pull request events, Codex can leave a PR comment and optionally toggle automerge. Non-empty comments include a footer identifying Codex and the model used for the run. When model is omitted, the action resolves and uses Codex's current default model.

name: codex-pr

on:
  pull_request:

jobs:
  codex:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: spotdemo4/codex-action@main
        with:
          auth: ${{ secrets.CODEX_ACTION_AUTH }}
          client-id: ${{ vars.CLIENT_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          automerge: true
          prompt: Review this pull request and fix straightforward issues.

Gitea or Forgejo

On Gitea and Forgejo, pass a token with repository contents, pull request, issue comment, workflow, and Actions secret access.

name: codex

on:
  workflow_dispatch:

jobs:
  codex:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: spotdemo4/codex-action@main
        with:
          auth: ${{ secrets.CODEX_ACTION_AUTH }}
          token: ${{ secrets.CODEX_ACTION_TOKEN }}
          prompt: Make the requested repository update.