Automate Only Stable Work

Lesson 10 · Automation · ~13 minutes

Automation should be the final form of a workflow that already succeeds interactively. Codex offers non-interactive CLI runs and scheduled app automations; both require explicit inputs, permissions, and outputs.

Need | Use
One scripted or CI run | codex exec
Machine-readable event stream | codex exec --json
Recurring independent check | Standalone automation
Recurring continuation of one thread | Thread automation

Start Read-Only

codex exec --ephemeral \
  "Review the last ten commits and report release-note omissions."

codex exec defaults to a read-only sandbox. Add --sandbox workspace-write only when the workflow genuinely needs edits. Use structured output when another program consumes the result.

The Promotion Ladder

Run manually → tighten prompt → verify repeatedly
→ package as skill → run with codex exec
→ schedule only when unattended behavior is safe

Unattended means no rescue prompt

An automation must say what to inspect, what counts as a finding, what it may change, where results go, and when it should stop or escalate.

Design the Output Contract

Human-readable prose is enough for an inbox. Downstream programs need stable fields and exit behavior. Choose the contract before writing the prompt.

Consumer | Output
Human in a shell | Final message on standard output
Event processor | --json JSONL stream
Another build step | --output-schema with required fields
Later Codex stage | Resume the recorded session

Use an Automation Readiness Gate

  1. The workflow has succeeded manually at least twice.
  2. Inputs and repository state are explicit.
  3. The least required sandbox is known.
  4. Failure produces a visible, actionable report.
  5. External writes are separated from analysis when possible.
  6. The first scheduled runs will be reviewed.
  7. There is a clear stop or escalation condition.

Separate Analysis from Mutation

A safer CI pattern lets Codex analyze or generate a patch with read-only repository permissions, stores that patch as an artifact, and uses a separate controlled job to apply it or open a pull request. The code-reading job never receives unnecessary write authority.
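
One check the controlled apply job could run on the stored patch before applying it, as an added example that is not from this lesson or from Codex: it refuses artifacts that touch repository or CI configuration, escape the workspace, or create symlinks. The protected prefixes, the size ceiling, and the function names are assumptions.

```python
import posixpath
import re

# Assumed policy for this example (not Codex settings): paths a generated patch
# may never touch, and a size ceiling for the artifact.
PROTECTED = (".git/", ".github/")
MAX_BYTES = 200_000

_PATH_LINE = re.compile(
    r"^(?:--- |\+\+\+ |rename (?:from|to) |copy (?:from|to) )([^\t\n]+)", re.M)
_GIT_LINE = re.compile(r"^diff --git (\S+) (\S+)$", re.M)

def touched_paths(patch: str) -> set[str]:
    """Every path named in a header line. Over-collects on purpose: a removed
    line that looks like a header can only cause a refusal, never a bypass."""
    raw = set(_PATH_LINE.findall(patch))
    for old, new in _GIT_LINE.findall(patch):
        raw.update((old, new))
    paths = set()
    for p in (r.strip() for r in raw):
        if p != "/dev/null":
            paths.add(p[2:] if p[:2] in ("a/", "b/") else p)
    return paths

def check_patch(patch: str) -> list[str]:
    """Reasons to refuse the artifact; an empty list means the job may apply it."""
    problems = []
    if len(patch.encode()) > MAX_BYTES:
        problems.append("patch too large")
    if re.search(r"^(?:GIT binary patch|Binary files )", patch, re.M):
        problems.append("binary change")
    if re.search(r"^new (?:file )?mode 120000", patch, re.M):
        problems.append("symlink created")
    paths = touched_paths(patch)
    if not paths:
        problems.append("no file headers found")  # fail closed on unparseable input
    for p in sorted(paths):
        norm = posixpath.normpath(p)
        if p.startswith("/") or "\\" in p or '"' in p or norm.split("/")[0] == "..":
            problems.append(f"unsafe path: {p}")
        elif (norm.lower() + "/").startswith(PROTECTED):
            problems.append(f"protected path: {p}")
    return problems

# Constructed sample artifact: a rename that lands a file in the CI configuration.
SAMPLE = ("diff --git a/ci.yml b/.github/workflows/ci.yml\nsimilarity index 100%\n"
          "rename from ci.yml\nrename to .github/workflows/ci.yml\n")
if __name__ == "__main__":
    print(check_patch(SAMPLE))
```

The apply job would exit non-zero and publish the returned reasons whenever the list is not empty, which keeps the failure visible and actionable.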

Idempotence test

Ask what happens if the automation runs twice. A good recurring check produces the same result or recognizes completed work instead of duplicating comments, branches, or files.

Check Your Understanding

A new workflow has not succeeded interactively yet. What should happen before scheduling?
Correct. Stabilize and review the interactive workflow before scheduling it.
Automation multiplies ambiguity. First prove the workflow manually.

Your Complementary Operating Model

  1. Use the best existing agent for implementation.
  2. Give Codex an independent review or verification role.
  3. Use worktrees or cloud tasks for genuinely independent work.
  4. Capture repeated guidance in AGENTS.md and repeated procedures in skills.
  5. Automate only after the bounded workflow is reliable.

Primary Sources

Non-interactive mode and Codex automations.

Questions? Bring one recurring development task and we can decide whether it is mature enough for codex exec or scheduling.