PR 提交了,reviewer 还在开会。Bug 报上来了,你正在休假。 把 Codex 接入你的 CI/CD 流水线,让它在你不在的时候自动处理:审查代码、修 Bug、甚至合并 PR。
一、Codex CI/CD 集成能做什么
| 场景 | 自动化程度 | 怎么做 |
|---|---|---|
| PR 自动审查 | 提交时触发 | Codex 分析 diff,评论结果 |
| Issue 自动修复 | 分配时触发 | Codex 读 Issue → 改代码 → 提 PR |
| 测试失败自动定位 | CI 失败时触发 | Codex 分析日志 → 定位根因 → 提修复 |
| 定时代码维护 | 定时触发 | Codex 每天跑一次依赖更新、废弃代码清理 |
| 部署前安全检查 | 部署前触发 | Codex 审查即将部署的代码变更 |
二、GitHub Actions 集成
2.1 PR 自动审查 Workflow
在 .github/workflows/codex-review.yml 中:
name: Codex PR Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Codex
run: npm install -g @openai/codex
- name: Codex Review
run: |
codex exec "
Review this PR's code changes.
Focus on:
1. Security vulnerabilities (SQL injection, XSS, auth bypass)
2. Logic errors (off-by-one, null pointer, race condition)
3. API compatibility (backward compatible?)
4. Test coverage (enough tests for the changes?)
5. Code style (matching project's AGENTS.md rules)
Output format:
- 🔴 Blocker (must fix): ...
- 🟡 Warning (should fix): ...
- 🟢 Suggestion (nice to have): ...
" --output-format json
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
- name: Post Review Comment
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const review = JSON.parse(fs.readFileSync('/tmp/codex-review.json'));
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## Codex Review\n\n${review.result}`
});效果: 每次 PR 提交时,Codex 自动审查代码变更,在 PR 评论区输出 review 结果。
2.2 Issue 自动修复
name: Codex Auto Fix
on:
issues:
types: [labeled]
jobs:
auto-fix:
if: github.event.label.name == 'codex-fix'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Codex
run: npm install -g @openai/codex
- name: Fix Issue
run: |
codex exec "
Issue #${{ github.event.issue.number }}: ${{ github.event.issue.title }}
Description: ${{ github.event.issue.body }}
Please:
1. Understand the issue
2. Find the relevant code
3. Implement the fix
4. Add or update tests
5. Commit the changes
" --full-auto
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
- name: Create PR
run: |
git add -A
git commit -m "fix: ${{ github.event.issue.title }}"
git push -u origin auto-fix-${{ github.event.issue.number }}
gh pr create --title "fix: ${{ github.event.issue.title }}" \
--body "Auto-fix for issue #${{ github.event.issue.number }}"工作流:
- 有人提 Issue
- 打上
codex-fix标签 - Codex 自动读取 Issue → 分析代码 → 修改 → 提 PR
- 你去 review PR
三、GitLab CI 集成
# .gitlab-ci.yml
codex-review:
stage: test
only:
- merge_requests
script:
- npm install -g @openai/codex
- |
codex exec "
Review this MR's code diff.
Focus on: security, logic errors, performance, test coverage.
git diff origin/main...HEAD
" --output-format json > review.json
- |
# 将 review 结果作为 MR 评论
curl --request POST \
--header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
--header "Content-Type: application/json" \
--data "{ \"body\": \"$(cat review.json | jq -r '.result')\" }" \
"$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes"
variables:
OPENAI_API_KEY: $OPENAI_API_KEY四、定时维护任务
每周依赖更新检查
name: Weekly Dependency Check
on:
schedule:
- cron: "0 9 * * 1" # 每周一早 9 点
jobs:
deps:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Codex Check
run: |
codex exec "
Check the project's dependencies for:
1. Outdated major versions (check package.json or pyproject.toml)
2. Known security vulnerabilities
3. Deprecated packages
If any found, create an issue titled 'Dependency Review: $(date +%Y-%m-%d)'
with the findings.
" --full-auto每日废弃代码清理
name: Daily Code Cleanup
on:
schedule:
- cron: "0 2 * * *" # 每天凌晨 2 点
jobs:
cleanup:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Codex Cleanup
run: |
codex exec "
Find and fix:
1. TODO/FIXME comments older than 30 days
2. Unused imports
3. Dead code (functions/variables never called)
4. Deprecated API usage
For each finding: either fix it or create an issue tracking it.
" --full-auto五、部署前安全检查
name: Security Gate
on:
deployment:
types: [created]
jobs:
security-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Codex Security Review
run: |
git diff HEAD~5..HEAD > /tmp/deploy-diff.patch
codex exec "
SECURITY REVIEW for production deployment.
Review the following code changes that are about to be deployed:
$(cat /tmp/deploy-diff.patch)
CRITICAL checks:
1. Any hardcoded secrets/credentials?
2. Any authentication bypass?
3. Any SQL injection patterns?
4. Any sensitive data exposed in logs or responses?
5. Any new dependencies with known vulnerabilities?
Verdict: PASS / FAIL / NEEDS REVIEW
If FAIL, explain exactly what to fix before deployment.
" --output-format json
- name: Block Deployment if Critical
run: |
if grep -q '"verdict": "FAIL"' /tmp/security-review.json; then
echo "🚨 Security check failed. Deployment blocked."
exit 1
fi六、CI/CD 集成的注意事项
| 注意事项 | 说明 |
|---|---|
| API Key 安全 | 用 GitHub/GitLab Secrets,不要硬编码 |
| Token 预算 | CI 中频繁调用 Codex 会消耗额度 |
| 超时处理 | 大型 PR 的 review 可能超过 CI 超时时间(6h) |
| 误报处理 | Codex 的 review 可能有误报,建议设为 non-blocking |
| 权限控制 | CI 中的 Codex 只能访问 public repo 或已授权的 private repo |
推荐的安全配置
# CI 环境中的 Codex 参数
codex exec "
...
" --max-turns 10 # 限制最大轮次,防止无限循环
--no-session-persistence # 不存储 CI 会话
--output-format json # 结构化输出便于脚本处理七、效果统计
根据社区反馈,接入 Codex CI/CD 后的效果:
| 指标 | 改进 |
|---|---|
| PR Review 等待时间 | 从平均 4 小时降到 5 分钟 |
| Bug 修复周期 | 从平均 2 天降到 4 小时(+自动提 PR) |
| 安全漏洞遗漏 | 降低约 30%(Codex 善于发现已知模式的安全问题) |
| 开发者满意度 | 提升("不用等 review 了") |
八、一句话总结
Codex 在终端里很强大,在 CI/CD 里才是真正解放双手。 PR 自动审查、Issue 自动修复、部署前安全检查。 你只需要做一件事:review Codex 提交的 PR。 你的角色从"执行者"变成了"审批者"。