name: Codex PR Review

on:
  pull_request_target:
    types: [opened, ready_for_review]

jobs:
  pr-review:
    # 仅对有写入权限的用户运行，且跳过 draft PR 和 bot
    if: |
      (github.event.pull_request.author_association == 'OWNER' ||
       github.event.pull_request.author_association == 'MEMBER' ||
       github.event.pull_request.author_association == 'CONTRIBUTOR' ||
       github.event.pull_request.author_association == 'COLLABORATOR') &&
      github.event.pull_request.draft == false &&
      !endsWith(github.actor, '[bot]')
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
      cancel-in-progress: false
    permissions:
      contents: read
      pull-requests: write
    outputs:
      review_result: ${{ steps.run_codex.outputs.final-message }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          fetch-depth: 0

      - name: Pre-fetch base and head refs
        run: |
          git fetch --no-tags origin \
            ${{ github.event.pull_request.base.ref }} \
            +refs/pull/${{ github.event.pull_request.number }}/head

      - name: Run Codex for Comprehensive PR Review
        id: run_codex
        uses: openai/codex-action@v1
        env:
          GH_TOKEN: ${{ github.token }}
          GITHUB_TOKEN: ${{ github.token }}
        with:
          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
          responses-api-endpoint: ${{ secrets.OPENAI_BASE_URL }}
          model: ${{ vars.OPENAI_MODEL || 'gpt-5.2' }}
          effort: ${{ vars.OPENAI_EFFORT || 'xhigh' }}
          sandbox: danger-full-access
          safety-strategy: drop-sudo
          prompt-file: .github/prompts/codex-pr-review.md

  post-review:
    runs-on: ubuntu-latest
    needs: pr-review
    if: needs.pr-review.outputs.review_result != ''
    permissions:
      pull-requests: write
    steps:
      - name: Post Review Comment
        uses: actions/github-script@v7
        env:
          REVIEW_RESULT: ${{ needs.pr-review.outputs.review_result }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const body = process.env.REVIEW_RESULT;
            if (body && body.trim()) {
              await github.rest.pulls.createReview({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: context.payload.pull_request.number,
                body: body,
                event: 'COMMENT'
              });
            }