README.md: Add openai-api-key to sensitive information masking; codex.ts: remove commented code; github.ts: truncate output for PR comments and body

Author: potproject

README.md

@@ -152,4 +152,4 @@ Claude Code or Codex will analyze the request and create a new Pull Request with
 ## Security
 
 * **Permission Checks:** Before executing core logic, the action verifies if the triggering user (`github.context.actor`) has `write` or `admin` permissions for the repository.
-* **Sensitive Information Masking:** Any occurrences of the provided `github-token` and `anthropic-api-key`, `AWS Credentials` within the output posted to GitHub are automatically masked (replaced with `***`) to prevent accidental exposure.
+* **Sensitive Information Masking:** Any occurrences of the provided `github-token` and `anthropic-api-key`, `AWS Credentials`, `openai-api-key` within the output posted to GitHub are automatically masked (replaced with `***`) to prevent accidental exposure.

src/client/codex.ts

@@ -72,7 +72,8 @@ export async function runCodex(workspace: string, config: ActionConfig, prompt:
       textResult = jsonResult.content[0].text + '\n\n';
     }
 
-    return textResult + "<details><summary>Codex Result</summary>\n\n" + codeResult + "\n</details>";
+    // return textResult + "<details><summary>Codex Result</summary>\n\n" + codeResult + "\n</details>";
+    return textResult;
 
   } catch (error) {
     // Log the full error for debugging, check for timeout

src/github/github.ts

@@ -262,7 +262,7 @@ export async function createPullRequest(
       title: `${commitMessage}`,
       head: branchName,
       base: baseBranch, // Use the default branch as base
-      body: `Applied changes based on Issue #${issueNumber}.\n\n${output}`,
+      body: `Applied changes based on Issue #${issueNumber}.\n\n${truncateOutput(output)}`,
       maintainer_can_modify: true,
     });
 
@@ -371,7 +371,7 @@ export async function postComment(
       await octokit.rest.issues.createComment({
         ...repo,
         issue_number: issueNumber,
-        body: body,
+        body: truncateOutput(body),
       });
       core.info(`Comment posted to Issue/PR #${issueNumber}`);
     } else if ('pull_request' in event) {
@@ -385,7 +385,7 @@ export async function postComment(
           ...repo,
           pull_number: prNumber,
           comment_id: inReplyTo ?? commentId, // Use the original comment ID if no reply
-          body: body,
+          body: truncateOutput(body),
         });
         core.info(`Comment posted to PR #${prNumber} Reply to comment #${commentId}`);
 
@@ -396,7 +396,7 @@ export async function postComment(
         await octokit.rest.issues.createComment({
           ...repo,
           issue_number: prNumber,
-          body: body,
+          body: truncateOutput(body),
         });
         core.info(`Regular comment posted to PR #${prNumber}`);
       }
@@ -631,3 +631,14 @@ async function getPullRequestData(
     throw new Error(`Could not retrieve data for pull request #${pullNumber}: ${error instanceof Error ? error.message : error}`);
   }
 }
+
+
+// Truncate the output if it exceeds 60000 characters
+// GitHub API has a limit of 65536 characters for the body of a PR
+function truncateOutput(output: string): string {
+  if (output.length > 60000) {
+    core.warning(`Output exceeds 60000 characters, truncating...`);
+    return output.substring(0, 60000);
+  }
+  return output;
+}