AuditOrchestrator publishes a monthly GitHub issue that acts as the contract between GitHub Actions and the downstream Codex runner.
The monthly issue body should contain:
- the reporting month
- the target repository list
- the monthly label used for orchestration
- the auto-merge label used as a policy gate
- a machine-readable JSON payload in a fenced code block
Example payload shape:

```json
{
  "month": "2026-05",
  "title": "Monthly Audit Review: 2026-05",
  "monthly_label": "monthly-review",
  "auto_merge_label": "auto-merge-ok",
  "targets": [
    "owner-one/repo-a",
    "owner-two/repo-b"
  ]
}
```

The Codex runner on the VPS should:
- read the monthly issue from GitHub and validate the JSON payload against the contract before acting on it; the issue body is input, not something to trust blindly
- decide which targets are eligible for code changes
- open one PR per accepted change
- keep the PR open until the CI and review conditions pass
- comment back on the monthly issue with the PR link or a failure summary
If the runner fails, it should:
- write a clear comment back to the monthly issue
- exit non-zero so the workflow can surface the failure
- keep the failure visible in GitHub Actions instead of only local logs
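The following is an added example, not code from AuditOrchestrator or the Codex runner: it extracts the fenced JSON block from an issue body, validates every field of the contract (month format, distinct labels, `owner/repo` target slugs, no unknown keys), and returns the exit code the runner should use so a contract violation surfaces as a failed workflow. The issue body is a constructed sample, and `post_comment` is an injected callable (an assumption of this example) standing in for the GitHub comment call, so the code runs offline.

```python
import json
import re
from dataclasses import dataclass

# Built from three characters so this example contains no literal fence.
FENCE = "`" * 3

# Constructed sample issue body (not from the project); mirrors the payload shape above.
SAMPLE_ISSUE_BODY = (
    "Monthly Audit Review: 2026-05\n\n"
    "Month: 2026-05\n"
    "Targets: owner-one/repo-a, owner-two/repo-b\n"
    "Monthly label: monthly-review\n"
    "Auto-merge label: auto-merge-ok\n\n"
    f"{FENCE}json\n"
    '{"month": "2026-05", "title": "Monthly Audit Review: 2026-05",\n'
    ' "monthly_label": "monthly-review", "auto_merge_label": "auto-merge-ok",\n'
    ' "targets": ["owner-one/repo-a", "owner-two/repo-b"]}\n'
    f"{FENCE}\n"
)

REQUIRED_KEYS = frozenset({"month", "title", "monthly_label", "auto_merge_label", "targets"})
MONTH_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")
# exactly one slash, so no nested paths or traversal sequences pass as a slug
REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")
LABEL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:/ -]{0,49}$")


class ContractError(ValueError):
    """The issue body does not satisfy the orchestration contract."""


@dataclass(frozen=True)
class MonthlyPayload:
    month: str
    title: str
    monthly_label: str
    auto_merge_label: str
    targets: tuple


def extract_payload_block(body: str) -> str:
    """Return the contents of the single fenced json block; refuse zero or several."""
    pattern = re.compile(FENCE + r"json[ \t]*\n(.*?)\n[ \t]*" + FENCE, re.DOTALL)
    blocks = pattern.findall(body)
    if len(blocks) != 1:
        raise ContractError(f"expected exactly one fenced json block, found {len(blocks)}")
    return blocks[0]


def _require_str(raw: dict, key: str, pattern=None) -> str:
    value = raw[key]
    if not isinstance(value, str) or not value.strip():
        raise ContractError(f"{key} must be a non-empty string")
    if pattern is not None and not pattern.match(value):
        raise ContractError(f"{key} has an unexpected format: {value!r}")
    return value


def parse_monthly_payload(body: str) -> MonthlyPayload:
    """Parse and validate the payload; every field is checked before it is used."""
    try:
        raw = json.loads(extract_payload_block(body))
    except json.JSONDecodeError as exc:
        raise ContractError(f"payload is not valid JSON: {exc}") from exc
    if not isinstance(raw, dict):
        raise ContractError("payload must be a JSON object")
    if missing := REQUIRED_KEYS - raw.keys():
        raise ContractError(f"missing keys: {sorted(missing)}")
    if unknown := raw.keys() - REQUIRED_KEYS:
        raise ContractError(f"unexpected keys: {sorted(unknown)}")
    month = _require_str(raw, "month", MONTH_RE)
    title = _require_str(raw, "title")
    monthly_label = _require_str(raw, "monthly_label", LABEL_RE)
    auto_merge_label = _require_str(raw, "auto_merge_label", LABEL_RE)
    if monthly_label == auto_merge_label:
        raise ContractError("monthly_label and auto_merge_label must differ")
    targets = raw["targets"]
    if not isinstance(targets, list) or not targets:
        raise ContractError("targets must be a non-empty list")
    for target in targets:
        if not isinstance(target, str) or not REPO_RE.match(target):
            raise ContractError(f"target is not an owner/repo slug: {target!r}")
    if len(set(targets)) != len(targets):
        raise ContractError("targets contains duplicates")
    return MonthlyPayload(month, title, monthly_label, auto_merge_label, tuple(targets))


def run_once(body: str, post_comment) -> int:
    """One runner pass over an issue body. Returns the process exit code:
    0 on success, 1 when the contract is violated (after commenting back)."""
    try:
        payload = parse_monthly_payload(body)
    except ContractError as exc:
        post_comment(f"Runner failed before doing any work: {exc}")
        return 1
    post_comment(f"Accepted {len(payload.targets)} target(s) for {payload.month}: "
                 + ", ".join(payload.targets))
    return 0


if __name__ == "__main__":
    import sys
    sys.exit(run_once(SAMPLE_ISSUE_BODY, print))
```

The validation is deliberately closed: unknown keys, a second fenced block, a target that is not a plain `owner/repo` slug, or identical orchestration and auto-merge labels all fail the run, and the failure is both commented back and reflected in the exit status rather than left in a local log.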
Auto-merge is opt-in and label-driven; every condition below must hold, and a missing or pending result counts as a refusal:
- the PR must carry the configured auto-merge label
- every required CI check must have completed with success on the PR's current head
- the review decision must be approved, with no outstanding change requests
- high-risk changes stay manual even when the other conditions hold
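As an added example (not the project's own gate), the policy above expressed as a deny-by-default decision function over a snapshot of a PR. The snapshot type, the `HIGH_RISK_PREFIXES` list and the `checks_head_sha` field are assumptions of this example: the page does not say which paths count as high-risk, and the head-SHA comparison is there to catch the common failure mode where green checks belong to an earlier push than the commit about to be merged.

```python
from dataclasses import dataclass

# Hypothetical high-risk path prefixes (an assumption of this example; the page
# does not enumerate them). Anything touching these stays a manual merge.
HIGH_RISK_PREFIXES = (".github/workflows/", "deploy/", "Dockerfile")


@dataclass(frozen=True)
class PullRequestSnapshot:
    """What the runner observed about one PR (constructed for this example)."""
    head_sha: str
    labels: frozenset
    check_conclusions: dict   # check name -> GitHub check conclusion string
    checks_head_sha: str      # the commit those conclusions were reported for
    review_decision: str      # APPROVED / CHANGES_REQUESTED / REVIEW_REQUIRED
    changed_files: tuple


def auto_merge_decision(pr: PullRequestSnapshot, auto_merge_label: str,
                        required_checks: tuple) -> tuple:
    """Return (allowed, reasons). Every failing condition is collected rather
    than short-circuiting, so the comment back to the issue can list them all."""
    reasons = []
    if auto_merge_label not in pr.labels:
        reasons.append(f"missing opt-in label {auto_merge_label!r}")
    if pr.checks_head_sha != pr.head_sha:
        reasons.append("check results belong to an older head; wait for CI on the current commit")
    for check in required_checks:
        conclusion = pr.check_conclusions.get(check)
        if conclusion is None:
            # pending or never reported is not green
            reasons.append(f"required check {check!r} has not reported")
        elif conclusion != "success":
            reasons.append(f"required check {check!r} concluded {conclusion!r}")
    if pr.review_decision != "APPROVED":
        reasons.append(f"review decision is {pr.review_decision!r}, not APPROVED")
    risky = [f for f in pr.changed_files if f.startswith(HIGH_RISK_PREFIXES)]
    if risky:
        reasons.append("high-risk paths changed, manual merge required: " + ", ".join(risky))
    return (not reasons, reasons)


if __name__ == "__main__":
    sample = PullRequestSnapshot(
        head_sha="abc123",
        labels=frozenset({"monthly-review", "auto-merge-ok"}),
        check_conclusions={"ci": "success", "lint": "pending"},
        checks_head_sha="abc123",
        review_decision="REVIEW_REQUIRED",
        changed_files=("src/audit.py", ".github/workflows/audit.yml"),
    )
    allowed, reasons = auto_merge_decision(sample, "auto-merge-ok", ("ci", "lint"))
    print("auto-merge allowed:", allowed)
    for reason in reasons:
        print(" -", reason)
```

The runner should call this against a fresh snapshot immediately before merging, not against state cached from when the PR was opened; a new push, a removed label or a later review all change the answer.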