feat(action): harden defaults and proxy lifecycle #6

Merged
activadee merged 1 commit into main from
codex/harden-codex-action-defaults-and-proxy-lifecycle
Feb 25, 2026

@activadee
Owner

What changed

This PR hardens the composite action's defaults and runtime behavior across CLI install, proxy lifecycle checks, argument parsing, permission gating, and proxy config management.

User-facing impact

Before this change, action runs could incorrectly trust stale proxy server-info files, parse malformed JSON codex-args without validation, and write duplicate/legacy proxy config entries over repeated runs. Bot bypass behavior also differed between code paths, creating surprising access-control behavior.

With this change:

  • model now defaults to gpt-5.3-codex while allowing opt-out with model: "".
  • codex-version defaults to 0.104.0 for deterministic installs, while empty input still resolves to latest.
  • proxy startup now probes liveness and restarts unhealthy/stale instances.
  • proxy config writes are idempotent and managed-block based.
  • codex-args JSON parsing now enforces a JSON array of strings.
  • bot bypass defaults align to allow-bots=false consistently.
  • CI now runs tests and workflow lint checks.

Root causes addressed

  • Proxy readiness previously inferred health from file presence alone, which allowed stale state.
  • Extra-arg parsing accepted raw JSON parse output without structural validation.
  • Proxy config mutation relied on append/prepend behavior instead of robust managed-block reconciliation.
  • Legacy block stripping could consume unrelated TOML sections when next headers were array/commented forms.

Fix details

  • Added probe-proxy command and port reachability checks via src/probeProxy.ts.
  • Updated action workflow to probe/restart and verify proxy health before use.
  • Introduced parseExtraArgs helper with strict JSON-array/string validation and tests.
  • Refactored writeProxyConfig to render managed blocks idempotently and strip legacy blocks safely.
  • Extended TOML header detection to recognize [table], [[array_table]], and inline-comment headers to avoid accidental config loss.
  • Updated permission-check defaults and tests for bot handling.
  • Added/updated tests for new parsing, proxy probing, permission behavior, and proxy-config regression coverage.

Validation

  • pnpm test (18 passing tests)
  • pnpm run build
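
One way to do the managed-block reconciliation and header-aware legacy stripping described in this PR, as an added example that is not the action's own code. The marker strings, function names and sample config are constructed for illustration.

```typescript
// Added example. Marker strings and function names are hypothetical.
const BEGIN = "# >>> managed proxy block (constructed marker) >>>";
const END = "# <<< managed proxy block (constructed marker) <<<";

// Line-based heuristic, not a full TOML parser: matches [table],
// [[array_table]], and either form followed by an inline comment.
const HEADER = /^\s*(\[\[[^\[\]]+\]\]|\[[^\[\]]+\])\s*(#.*)?$/;

// Constructed sample: a legacy table directly followed by an array table.
const SAMPLE = 'model = "m"\n[legacy_proxy]\nurl = "u"\n[[profiles]] # array table follows\nname = "a"\n';

// Drop an unmarked legacy table: its header and body, stopping at the next
// header of any recognized form so following sections survive.
function stripLegacyTable(lines: string[], name: string): string[] {
  const out: string[] = [];
  let skipping = false;
  for (const line of lines) {
    if (HEADER.test(line)) {
      const m = line.match(/^\s*\[([^\[\]]+)\]/); // null for [[array]] headers
      skipping = m?.[1]?.trim() === name;
    }
    if (!skipping) out.push(line);
  }
  return out;
}

// Drop any previously written managed block, marker to marker.
function stripManaged(lines: string[]): string[] {
  const out: string[] = [];
  let inside = false;
  for (const line of lines) {
    const t = line.trim();
    if (t === BEGIN || t === END) inside = t === BEGIN;
    else if (!inside) out.push(line);
  }
  return out;
}

// Managed block is stripped first so a table inside it is never mistaken for
// the legacy one. `body` must be whole TOML tables, since it is appended last.
function upsertManagedBlock(config: string, legacy: string, body: string): string {
  const kept = stripLegacyTable(stripManaged(config.split("\n")), legacy);
  while (kept.length > 0 && kept[kept.length - 1]?.trim() === "") kept.pop();
  const block = [BEGIN, ...body.trim().split("\n"), END];
  return [...kept, ...(kept.length > 0 ? [""] : []), ...block, ""].join("\n");
}
```

Running `upsertManagedBlock` on its own output returns the same text, and a header pattern that only recognized plain `[table]` lines would have dropped the `[[profiles]]` section along with the legacy table.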

@github-actions

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request comment in the format below.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@activadee activadee changed the title from "[codex] harden codex-action defaults and proxy lifecycle" to "feat(action): harden defaults and proxy lifecycle" Feb 25, 2026
@activadee activadee force-pushed the codex/harden-codex-action-defaults-and-proxy-lifecycle branch from 33e737e to f9a91cf February 25, 2026 16:33
@activadee activadee marked this pull request as ready for review February 25, 2026 16:34
@activadee activadee merged commit e0fc69f into main Feb 25, 2026
2 of 3 checks passed
@activadee activadee deleted the codex/harden-codex-action-defaults-and-proxy-lifecycle branch February 25, 2026 16:35
@github-actions github-actions bot locked and limited conversation to collaborators Feb 25, 2026