OpenAI Codex Best Practices for Autonomous Multi-File Code Migrations in Large Monorepos

OpenAI Codex Best Practices for Autonomous Multi-File Code Migrations

OpenAI Codex is a cloud-based AI coding agent that can autonomously execute multi-file code changes inside a sandboxed environment. When working with large monorepos, structuring your tasks, verifying changes in the sandbox, and integrating pull request review workflows become critical to shipping reliable migrations. This guide covers proven best practices for scoping tasks, running sandbox verification, and managing PR review workflows at scale.

Prerequisites and Setup

  • Install the OpenAI CLI
    pip install openai
  • Authenticate with your API key
    export OPENAI_API_KEY=YOUR_API_KEY
  • Connect your repository
    Link your GitHub repository through the Codex dashboard at codex.openai.com or via the API. Ensure your repo has appropriate branch protection rules configured.
  • Configure environment
    Create a codex.json configuration file in your repo root:
    {
      "sandbox": {
        "install_command": "npm install",
        "test_command": "npm test",
        "lint_command": "npx eslint . --ext .ts,.tsx"
      },
      "defaults": {
        "branch_prefix": "codex/",
        "auto_pr": true,
        "max_files_per_task": 50
      }
    }

Step 1: Task Scoping for Large Monorepos

The most common failure mode in autonomous migrations is poorly scoped tasks. Codex performs best when given focused, well-bounded instructions.

Break Migrations into Atomic Units

Instead of asking Codex to migrate an entire monorepo at once, decompose the work by module or directory:

    # Bad: Too broad
    "Migrate the entire codebase from CommonJS to ESM."

    # Good: Scoped to a specific package
    "In the packages/auth directory, convert all CommonJS require() statements to ESM import syntax. Update the package.json to set type: module. Ensure all relative imports include .js extensions."

Use a Task Manifest

For systematic migrations, create a task manifest that Codex can process sequentially:

    # migration-tasks.yaml
    tasks:
      - scope: packages/auth
        description: "Convert CJS to ESM imports"
        verify: "cd packages/auth && npm test"
      - scope: packages/api
        description: "Convert CJS to ESM imports"
        verify: "cd packages/api && npm test"
      - scope: packages/shared
        description: "Convert CJS to ESM imports"
        verify: "cd packages/shared && npm test"

Define Explicit Constraints

Always include constraints in your prompts to prevent unintended changes:

  • Specify which files or directories to modify
  • List files that must NOT be changed
  • Define the expected test and lint commands to pass
  • State the target branch for the PR

Step 2: Sandbox Verification

Codex runs every task inside an isolated sandbox environment. This is your primary safety net against breaking changes.

Configure Sandbox Commands

Provide explicit setup and verification commands in your task prompt:

    "After making changes in packages/auth:

      1. Run: npm install
      2. Run: npm run build --workspace=packages/auth
      3. Run: npm test --workspace=packages/auth
      4. Run: npx eslint packages/auth --ext .ts,.tsx

    All commands must exit with code 0."

Leverage the Codex API for Programmatic Verification

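import openai

# With no api_key argument the client reads OPENAI_API_KEY from the environment
# (exported in Prerequisites), which keeps the key out of source control.
client = openai.OpenAI()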

response = client.responses.create(
    model="codex-mini-latest",
    tools=[{
        "type": "codex",
        "repository": "your-org/your-monorepo",
        "branch": "main",
        "sandbox": {
            "install_command": "npm ci",
            "test_command": "npm test --workspace=packages/auth"
        }
    }],
    input="Convert packages/auth from CommonJS to ESM. "
          "All tests and linting must pass before submitting."
)

print(response.output)

Review Sandbox Logs

Always inspect the sandbox execution logs before merging. Codex provides detailed output including:

  • Files created, modified, or deleted
  • Full stdout/stderr from each verification command
  • A diff summary of all changes

Step 3: Pull Request Review Workflows

Codex can automatically open pull requests for each completed task. Structure your review process to handle AI-generated changes efficiently.

Branch Naming Convention

Use a consistent prefix to identify Codex-generated branches:

    codex/migrate-auth-cjs-to-esm
    codex/migrate-api-cjs-to-esm
    codex/update-shared-types

Automated PR Checks

Configure your CI pipeline to run additional checks on Codex branches:

    # .github/workflows/codex-pr-review.yml
    name: Codex PR Review
    on:
      pull_request:
        branches: [main]
        paths: ["packages/**"]
    jobs:
      verify:
        if: startsWith(github.head_ref, 'codex/')
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - run: npm ci
          - run: npm run build
          - run: npm test
          - run: npx eslint . --ext .ts,.tsx
          - run: npm run type-check

Human Review Checklist

Even with sandbox verification, human review is essential. Focus on these areas:

| Review Area | What to Check |
| --- | --- |
| Semantic correctness | Does the migrated code preserve original behavior? |
| Edge cases | Are dynamic imports, conditional requires handled? |
| Cross-package dependencies | Do dependent packages still resolve correctly? |
| Type safety | Are TypeScript types preserved or correctly updated? |
| Test coverage | Were any tests removed or weakened? |
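
The "Test coverage" row can be pre-screened mechanically before a human opens the PR. This added example (not from the original guide or from Codex) scans a unified diff for test files that lose test cases or assertions, or gain skips. The Jest-style `it`/`test`/`expect` patterns, the function name and the sample diff are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

TEST_FILE = re.compile(r"\.(?:test|spec)\.[cm]?[jt]sx?$|(?:^|/)__tests__/")
PATTERNS = {  # Jest-style calls (assumed test framework)
    "case": re.compile(r"\b(?:it|test)(?:\.\w+)?\s*\("),
    "assert": re.compile(r"\bexpect\s*\("),
    "skip": re.compile(r"\b(?:it|test|describe)\.(?:skip|todo)\s*\(|\bx(?:it|describe)\s*\("),
}

def audit_test_changes(diff_text):
    """Map each test file in a unified diff to the reasons it needs a closer look."""
    counts = defaultdict(Counter)
    path, old, in_hunk = None, None, False
    for line in diff_text.splitlines():
        if line.startswith(("diff --git ", "@@")):
            in_hunk = line.startswith("@@")       # file headers follow "diff --git"
        elif not in_hunk and line.startswith("--- "):
            old = line[4:].removeprefix("a/")
        elif not in_hunk and line.startswith("+++ "):
            path = old if line[4:] == "/dev/null" else line[4:].removeprefix("b/")
        elif in_hunk and path and TEST_FILE.search(path) and line[:1] in ("+", "-"):
            for name, rx in PATTERNS.items():
                counts[path][line[0] + name] += len(rx.findall(line[1:]))
    report = {}
    for p, c in sorted(counts.items()):
        # Compare removed against added so a reworded test or assertion is not flagged.
        reasons = [f"{c['-' + k] - c['+' + k]} {k}(s) removed"
                   for k in ("case", "assert") if c["-" + k] > c["+" + k]]
        if c["+skip"] > c["-skip"]:
            reasons.append(f"{c['+skip'] - c['-skip']} skip(s) added")
        if reasons:
            report[p] = reasons
    return report

# Constructed sample diff: one test disabled and one deleted during a migration.
SAMPLE_DIFF = """\
diff --git a/packages/auth/src/token.test.js b/packages/auth/src/token.test.js
--- a/packages/auth/src/token.test.js
+++ b/packages/auth/src/token.test.js
@@ -1,6 +1,3 @@
-it("rejects expired tokens", () => {
+it.skip("rejects expired tokens", () => {
   expect(() => verify(EXPIRED)).toThrow();
 });
-it("rejects unsigned tokens", () => {
-  expect(() => verify(UNSIGNED)).toThrow();
-});
"""
```

A deleted test file is reported under its old path, because every one of its test cases and assertions counts as removed.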

Pro Tips for Power Users

  • **Batch related tasks:** Group migrations that share dependencies into a single Codex session to maintain consistency across changes.
  • **Use AGENTS.md:** Place an AGENTS.md file in your repo root or in subdirectories to give Codex persistent context about coding conventions, forbidden patterns, and project-specific rules.
  • **Pin the model version:** Use codex-mini-latest for speed on straightforward migrations and specify exact model versions in CI for reproducibility.
  • **Dry-run first:** Ask Codex to describe the planned changes before executing them by including "First, list all files you plan to modify and summarize the changes" in your prompt.
  • **Parallelize safely:** Run independent package migrations in parallel Codex tasks, but serialize tasks that share cross-package boundaries.
  • **Set file limits:** Restrict the maximum number of files Codex can modify per task to keep PRs reviewable (aim for under 50 files per PR).

Troubleshooting Common Issues

| Issue | Cause | Solution |
| --- | --- | --- |
| Sandbox timeout | Install or test commands take too long | Scope tasks to smaller packages; increase timeout in sandbox config |
| Codex modifies unrelated files | Prompt scope is too broad | Add explicit directory constraints and a "do not modify" list to your prompt |
| Tests pass in sandbox but fail in CI | Environment differences between sandbox and CI | Align Node/Python versions; ensure sandbox install command matches CI exactly |
| PR contains merge conflicts | Stale base branch | Ensure the task targets the latest commit on main; rebase before opening PR |
| Partial migration left inconsistent state | Task was too large and timed out mid-execution | Break into smaller tasks; use the task manifest approach to track progress |
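
The directory constraints, "do not modify" list and per-task file limit do not have to live only in the prompt: a CI step can check the paths a Codex branch actually touched against the task's scope. The following is an added example, not part of the original guide or of Codex itself; `TaskPolicy`, `check_changed_files`, `changed_files` and the protected-path list are illustrative names and assumptions.

```python
import posixpath
import subprocess
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed "do not modify" list: files that define the agent's own guardrails.
PROTECTED = (".github/*", "codex.json", "AGENTS.md", "*/AGENTS.md", "migration-tasks.yaml")

@dataclass(frozen=True)
class TaskPolicy:
    scope: str                      # "scope" value from the task manifest
    max_files: int = 50             # "max_files_per_task" from codex.json
    protected: tuple = PROTECTED

def check_changed_files(changed, policy):
    """Return violation strings for a task's changed paths; an empty list means pass."""
    prefix = policy.scope.strip("/") + "/"
    violations = []
    for raw in changed:
        path = posixpath.normpath(raw)          # collapse "a/../b" before comparing
        if any(fnmatchcase(path, pat) for pat in policy.protected):
            violations.append(f"protected: {path}")
        elif not path.startswith(prefix):       # trailing "/" rejects packages/auth-legacy
            violations.append(f"out-of-scope: {path}")
    if len(changed) > policy.max_files:
        violations.append(f"too-many-files: {len(changed)} > {policy.max_files}")
    return violations

def changed_files(base="origin/main"):
    """Paths touched on the current branch since it forked from base (needs a git checkout)."""
    out = subprocess.run(
        ["git", "diff", "--name-only", "--no-renames", "-z", f"{base}...HEAD"],
        check=True, capture_output=True, text=True).stdout
    return [p for p in out.split("\0") if p]

# Constructed sample: paths a task scoped to packages/auth might touch.
SAMPLE_CHANGED = [
    "packages/auth/src/login.js",
    "packages/auth/package.json",
    "packages/auth-legacy/index.js",
    "packages/auth/../api/server.js",
    ".github/workflows/codex-pr-review.yml",
]

if __name__ == "__main__":
    for violation in check_changed_files(SAMPLE_CHANGED, TaskPolicy("packages/auth")):
        print(violation)
```

In CI, pass `changed_files()` instead of the sample list and fail the job when the returned list is not empty.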

Frequently Asked Questions

How many files can OpenAI Codex safely modify in a single task?

While there is no hard limit enforced by Codex, best practice is to scope each task to fewer than 50 files. This keeps pull requests reviewable, reduces sandbox execution time, and minimizes the risk of cascading errors. For large monorepos with hundreds of files to migrate, use a task manifest to break the work into package-level batches.

Can Codex handle cross-package dependencies during migrations?

Codex can reason about cross-package relationships when given sufficient context in the prompt. However, for safety, it is recommended to migrate packages in dependency order — starting with leaf packages that have no internal dependents, then working toward core shared packages. Always specify the dependency context explicitly in your prompt rather than relying on Codex to infer it.
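
One way to derive that order, and the parallel batches mentioned under Pro Tips, from the workspace's own package.json files. This is an added example, not code from the original guide or from Codex; the function names, the packages/ layout and the sample manifests (including the hypothetical web and admin packages) are assumptions.

```python
import json
from graphlib import TopologicalSorter
from pathlib import Path

def load_workspace(root="packages"):
    """Read every <root>/*/package.json into {package name: manifest dict}."""
    manifests = (json.loads(p.read_text()) for p in Path(root).glob("*/package.json"))
    return {m["name"]: m for m in manifests}

def migration_waves(packages):
    """Group packages into waves: dependents first, shared packages last.

    Packages in one wave do not depend on each other and can run as parallel
    tasks; waves run in sequence. Raises graphlib.CycleError on circular deps.
    """
    sorter = TopologicalSorter()
    for name, manifest in packages.items():
        sorter.add(name)
        deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
        for dep in deps:
            if dep in packages and dep != name:     # ignore external npm packages
                sorter.add(dep, name)               # migrate `name` before `dep`
    sorter.prepare()
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())
        waves.append(ready)
        sorter.done(*ready)
    return waves

# Constructed manifests; "web" and "admin" are hypothetical packages.
SAMPLE_WORKSPACE = {
    "web":    {"dependencies": {"api": "*", "react": "^18"}},
    "admin":  {"dependencies": {"auth": "*"}},
    "api":    {"dependencies": {"auth": "*", "shared": "*"}},
    "auth":   {"dependencies": {"shared": "*"}, "devDependencies": {"jest": "^29"}},
    "shared": {"dependencies": {"lodash": "^4"}},
}

if __name__ == "__main__":
    for i, wave in enumerate(migration_waves(SAMPLE_WORKSPACE), 1):
        print(f"wave {i}: {', '.join(wave)}")
```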

How do I ensure Codex-generated code meets our team’s style guidelines?

Place an AGENTS.md file in your repository root containing your coding standards, linting rules, and forbidden patterns. Codex reads this file automatically. Additionally, include lint and format commands in your sandbox verification step so that any style violations cause the task to fail before a PR is opened. Combining AGENTS.md guidance with automated enforcement ensures consistent output.
