openai/codex-action (mirrored from https://github.com/openai/codex-action)

docs/security.md
# Security

## Recommendation: run `openai/codex-action` as the last step in a job

Particularly if you run Codex with loose permissions, there are no guarantees about the state of the host once `openai/codex-action` completes. For example:

- Codex could have spawned processes that are still running after Codex exits.
- Codex could have overwritten the source code of other actions on the host, such as `actions/github-script`.
- Codex could have written to key configuration files, such as those in your `.git/hooks` folder, with the expectation that privileged processes running later in the workflow will exercise them.

As shown in the example in the [`README`](../README.md), it is possible to take the output of `openai/codex-action` and pass it along to a new job within the workflow, so that any later, more privileged steps run on a fresh runner rather than on the host Codex just modified.
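The following workflow is an added illustration of that recommendation; it is not the README example from the project. It assumes a `v1` tag of the action, an `openai-api-key` input, a `prompt` input, and a `final-message` output (check the action's README for the real names), plus a repository secret named `OPENAI_API_KEY`. The Codex job is the last step of a job that holds only `contents: read`, so nothing left behind on that runner (a lingering process, a patched action, a `.git/hooks` script) has a write-capable token or a later step to ride on. The privileged work happens in a second job on a fresh runner that only ever sees Codex's text output.

```yaml
name: codex-review

on:
  pull_request:

jobs:
  # Job 1: Codex runs as the LAST step, with the narrowest permissions possible.
  codex:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # no write scopes for anything Codex leaves behind on this runner
    outputs:
      # Hand Codex's result to later jobs instead of consuming it on the same host.
      summary: ${{ steps.codex.outputs.final-message }}   # output name assumed, see lead-in
    steps:
      - uses: actions/checkout@v4
      # Any build or test setup belongs here, BEFORE Codex runs.
      - name: Run Codex (last step in this job)
        id: codex
        uses: openai/codex-action@v1                       # version tag assumed
        with:
          openai-api-key: ${{ secrets.OPENAI_API_KEY }}   # input name assumed
          prompt: "Review the changes in this pull request and summarize any issues."
      # Deliberately nothing after this step: the runner is discarded when the job ends,
      # so lingering processes, modified action code and .git/hooks edits go with it.

  # Job 2: privileged work on a FRESH runner that only receives Codex's text output.
  post-comment:
    needs: codex
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/github-script@v7
        env:
          # Pass the untrusted text through an environment variable rather than
          # interpolating ${{ }} into the script body, so it cannot alter the script.
          SUMMARY: ${{ needs.codex.outputs.summary }}
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: process.env.SUMMARY,
            });
```

Two design points carry over to other layouts: keep `permissions` on the Codex job to read-only scopes, and treat Codex's output as untrusted input in the downstream job (hence the `env` indirection rather than inlining it into `script`). If you need artifacts such as a patch file rather than a text output, upload them at the end of the Codex job and download them in the fresh job; the principle is the same, in that nothing privileged runs on the runner after Codex has had its turn.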