🤖 Add CI job to block merge on unresolved Codex comments (#76)

ammario · web-flow · commit 5006273a8f37 · 2025-10-07T13:37:12.000-05:00
This PR adds a CI check that blocks merging when the `chatgpt-codex-connector[bot]` has unresolved comments on a PR. ## Changes - **New CI job**: `check-codex-comments` that runs on every PR - **Script**: `scripts/check_codex_comments.sh` that detects Codex bot comments - **Integration**: Added Codex check to `wait_pr_checks.sh` loop ## How it works 1. The CI job runs on every pull request 2. It checks for any comments from `chatgpt-codex-connector[bot]` 3. If comments exist, the check fails and blocks merge 4. The `wait_pr_checks.sh` script also checks before declaring a PR ready ## Example On PR #74, the bot left a comment about the macOS signing certificate. With this change, that PR would be blocked from merging until the comment is addressed or resolved. _Generated with `cmux`_
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -81,4 +81,19 @@ jobs:
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+
+  check-codex-comments:
+    name: Check Codex Comments
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Check for unresolved Codex comments
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          ./scripts/check_codex_comments.sh ${{ github.event.pull_request.number }}
+
 # Trigger CI run
diff --git a/scripts/check_codex_comments.sh b/scripts/check_codex_comments.sh
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Check if PR number is provided
+if [ $# -eq 0 ]; then
+    echo "Usage: $0 <pr_number>"
+    exit 1
+fi
+
+PR_NUMBER=$1
+BOT_LOGIN_REST="chatgpt-codex-connector[bot]"  # REST API uses [bot] suffix
+BOT_LOGIN_GRAPHQL="chatgpt-codex-connector"    # GraphQL does not
+
+echo "Checking for unresolved Codex comments in PR #${PR_NUMBER}..."
+
+# Get all regular issue comments from the Codex bot (these can't be resolved)
+REGULAR_COMMENTS=$(gh api "/repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" \
+    --jq "[.[] | select(.user.login == \"${BOT_LOGIN_REST}\")]")
+
+REGULAR_COUNT=$(echo "$REGULAR_COMMENTS" | jq 'length')
+
+# Use GraphQL to get review threads and their resolution status
+# Only count threads from the bot that are NOT resolved
+GRAPHQL_QUERY='query($owner: String!, $repo: String!, $pr: Int!) {
+  repository(owner: $owner, name: $repo) {
+    pullRequest(number: $pr) {
+      reviewThreads(first: 100) {
+        nodes {
+          isResolved
+          comments(first: 1) {
+            nodes {
+              author {
+                login
+              }
+              body
+              createdAt
+              path
+              line
+            }
+          }
+        }
+      }
+    }
+  }
+}'
+
+# Extract owner and repo from gh cli
+REPO_INFO=$(gh repo view --json owner,name --jq '{owner: .owner.login, name: .name}')
+OWNER=$(echo "$REPO_INFO" | jq -r '.owner')
+REPO=$(echo "$REPO_INFO" | jq -r '.name')
+
+# Query for unresolved review threads from the bot
+UNRESOLVED_THREADS=$(gh api graphql \
+    -f query="$GRAPHQL_QUERY" \
+    -F owner="$OWNER" \
+    -F repo="$REPO" \
+    -F pr="$PR_NUMBER" \
+    --jq "[.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false and .comments.nodes[0].author.login == \"${BOT_LOGIN_GRAPHQL}\")]")
+
+UNRESOLVED_COUNT=$(echo "$UNRESOLVED_THREADS" | jq 'length')
+
+echo "Found ${REGULAR_COUNT} regular comment(s) from bot"
+echo "Found ${UNRESOLVED_COUNT} unresolved review thread(s) from bot"
+
+# If there are any unresolved comments or threads from Codex, fail
+TOTAL_UNRESOLVED=$((REGULAR_COUNT + UNRESOLVED_COUNT))
+
+if [ $TOTAL_UNRESOLVED -gt 0 ]; then
+    echo ""
+    echo "❌ Found ${TOTAL_UNRESOLVED} unresolved comment(s) from Codex in PR #${PR_NUMBER}"
+    echo ""
+    echo "Codex comments:"
+    
+    if [ $REGULAR_COUNT -gt 0 ]; then
+        echo "$REGULAR_COMMENTS" | jq -r '.[] | "  - [\(.created_at)] \(.body[0:100] | gsub("\n"; " "))..."'
+    fi
+    
+    if [ $UNRESOLVED_COUNT -gt 0 ]; then
+        echo "$UNRESOLVED_THREADS" | jq -r '.[] | "  - [\(.comments.nodes[0].createdAt)] \(.comments.nodes[0].path // "comment"):\(.comments.nodes[0].line // "") - \(.comments.nodes[0].body[0:100] | gsub("\n"; " "))..."'
+    fi
+    
+    echo ""
+    echo "Please address or resolve all Codex comments before merging."
+    exit 1
+else
+    echo "✅ No unresolved Codex comments found"
+    exit 0
+fi
diff --git a/scripts/wait_pr_checks.sh b/scripts/wait_pr_checks.sh
@@ -68,10 +68,21 @@ while true; do
   # Check if all checks passed and merge state is clean
   if echo "$CHECKS" | grep -q "pass" && ! echo "$CHECKS" | grep -qE "pending|fail"; then
     if [ "$MERGE_STATE" = "CLEAN" ]; then
-      echo "✅ All checks passed and PR is ready to merge!"
+      # Check for unresolved Codex comments
+      echo "✅ All checks passed!"
       echo ""
       gh pr checks "$PR_NUMBER"
-      exit 0
+      echo ""
+      echo "🤖 Checking for unresolved Codex comments..."
+      if ./scripts/check_codex_comments.sh "$PR_NUMBER"; then
+        echo ""
+        echo "✅ PR is ready to merge!"
+        exit 0
+      else
+        echo ""
+        echo "❌ Please resolve Codex comments before merging."
+        exit 1
+      fi
     elif [ "$MERGE_STATE" = "BLOCKED" ]; then
       echo "⏳ All checks passed but still blocked (waiting for required checks)..."
     fi
