CDX-201a · Module 3
CI/CD Integration Patterns
4 min read
Codex in CI/CD pipelines unlocks automated code review, issue triage, test generation, and documentation updates — all triggered by Git events without human initiation. The key is running Codex in full-auto mode with a tightly scoped AGENTS.md and minimal execpolicy. In CI, the sandbox is less critical (the container itself is disposable), but the AGENTS.md rules become more important because there is no human in the loop to catch mistakes.
The most common CI integration pattern is automated PR review. When a pull request is opened, a GitHub Action runs codex review --base main --json, parses the structured output, and posts review comments on the PR. This provides instant feedback to the author — often within seconds of opening the PR — while human reviewers handle the deeper architectural and business logic review.
name: Codex PR Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: 22
- run: npm install -g @openai/codex
- name: Run Codex Review
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
run: |
codex review --base origin/main --json > review.json
# Parse and post comments via GitHub API
node scripts/post-review-comments.js review.jsonDo This
- Use full-auto with a tightly scoped AGENTS.md for CI pipelines
- Store the OPENAI_API_KEY as a repository secret — never hardcode it
- Start with read-only CI tasks (review, analysis) before write tasks (fix, generate)
- Log all Codex CI output for audit and debugging
Avoid This
- Give CI Codex the same broad permissions as your development setup
- Skip AGENTS.md in CI — the agent needs context even more without a human
- Let CI Codex push directly to main without a review step
- Ignore CI Codex costs — automated triggers can burn API budget fast