installer: harden tmp cleanup, systemd checks, 0.0.0.0 bind defaults

Author: rickicode

.github/workflows/code-review.yml

@@ -6,6 +6,24 @@ on:
       - opened
       - synchronize
       - reopened
+  workflow_dispatch:
+    inputs:
+      base_sha:
+        description: "Base commit SHA (optional)"
+        required: false
+        type: string
+      head_sha:
+        description: "Head commit SHA (optional)"
+        required: false
+        type: string
+      pr_number:
+        description: "PR number to post review comment (optional)"
+        required: false
+        type: string
+      pr_title:
+        description: "PR title override for review prompt (optional)"
+        required: false
+        type: string
   issue_comment:
     types:
       - created
@@ -22,19 +40,52 @@ permissions:
 jobs:
   codereview:
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'pull_request' && secrets.CODEXSESS_URL != '' && secrets.CODEXSESS_API_KEY != '' }}
+    if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch') && secrets.CODEXSESS_URL != '' && secrets.CODEXSESS_API_KEY != '' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - name: Resolve review context
+        id: ctx
+        run: |
+          set -euo pipefail
+          EVENT="${{ github.event_name }}"
+
+          if [ "$EVENT" = "pull_request" ]; then
+            BASE_SHA="${{ github.event.pull_request.base.sha }}"
+            HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+            PR_NUMBER="${{ github.event.pull_request.number }}"
+            PR_TITLE="${{ github.event.pull_request.title }}"
+          else
+            BASE_SHA="${{ github.event.inputs.base_sha }}"
+            HEAD_SHA="${{ github.event.inputs.head_sha }}"
+            PR_NUMBER="${{ github.event.inputs.pr_number }}"
+            PR_TITLE="${{ github.event.inputs.pr_title }}"
+          fi
+
+          if [ -z "$HEAD_SHA" ]; then
+            HEAD_SHA="$(git rev-parse HEAD)"
+          fi
+          if [ -z "$BASE_SHA" ]; then
+            BASE_SHA="$(git rev-parse "${HEAD_SHA}~1")"
+          fi
+          if [ -z "$PR_TITLE" ]; then
+            PR_TITLE="Manual code review ${BASE_SHA}...${HEAD_SHA}"
+          fi
+
+          echo "base_sha=$BASE_SHA" >> "$GITHUB_OUTPUT"
+          echo "head_sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
+          echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
+          echo "pr_title=$PR_TITLE" >> "$GITHUB_OUTPUT"
+
       - name: Build PR diff
         id: diff
         run: |
           set -euo pipefail
-          BASE_SHA="${{ github.event.pull_request.base.sha }}"
-          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+          BASE_SHA="${{ steps.ctx.outputs.base_sha }}"
+          HEAD_SHA="${{ steps.ctx.outputs.head_sha }}"
           mkdir -p review_chunks review_out
           git diff --name-status "${BASE_SHA}...${HEAD_SHA}" > review_out/files.txt || true
           mapfile -t CHANGED_FILES < <(git diff --name-only "${BASE_SHA}...${HEAD_SHA}")
@@ -72,7 +123,7 @@ jobs:
             [ -f "review_chunks/${idx}.diff" ] || continue
             BODY=$(jq -n \
               --rawfile diff "review_chunks/${idx}.diff" \
-              --arg title "${{ github.event.pull_request.title }}" \
+              --arg title "${{ steps.ctx.outputs.pr_title }}" \
               --arg file "$file" \
               '{
                 model: "gpt-5.2-codex",
@@ -110,7 +161,7 @@ jobs:
           BODY=$(jq -n \
             --rawfile files review_out/files.txt \
             --rawfile chunk_reviews review_out/chunk_reviews.md \
-            --arg title "${{ github.event.pull_request.title }}" \
+            --arg title "${{ steps.ctx.outputs.pr_title }}" \
             '{
               model: "gpt-5.2-codex",
               language: "mixed",
@@ -132,14 +183,14 @@ jobs:
           jq -r '.review // "No review output returned."' review_out/final.json > review.txt
 
       - name: Upsert PR comment
-        if: steps.diff.outputs.has_diff == 'true'
+        if: steps.diff.outputs.has_diff == 'true' && steps.ctx.outputs.pr_number != ''
         uses: actions/github-script@v8
         with:
           script: |
             const fs = require('fs');
             const owner = context.repo.owner;
             const repo = context.repo.repo;
-            const issue_number = context.payload.pull_request.number;
+            const issue_number = Number('${{ steps.ctx.outputs.pr_number }}');
             const marker = '<!-- codexsess-code-review -->';
             let review = 'No review output returned.';
             try {
@@ -297,7 +348,7 @@ jobs:
 
       - name: Upload patch artifact
         if: steps.diff.outputs.has_diff == 'true' && steps.validate.outputs.valid == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: codexsess-autofix-patch-pr-${{ steps.pr.outputs.number }}
           path: autofix.patch

.github/workflows/release.yml

@@ -148,7 +148,7 @@ jobs:
           sha256sum packages/*.deb packages/*.rpm >> SHA256SUMS.txt
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: codexsess-build-${{ github.run_number }}
           path: |
@@ -187,29 +187,33 @@ jobs:
             echo "has_changelog=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Upload to release (with changelog)
-        if: startsWith(github.ref, 'refs/tags/v') && steps.changelog.outputs.has_changelog == 'true'
-        uses: softprops/action-gh-release@v2
-        with:
-          body_path: dist/release-notes.md
-          files: |
+      - name: Publish release assets
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          TAG="${GITHUB_REF_NAME}"
+          ASSETS=(
             dist/codexsess-linux-amd64
             dist/codexsess-linux-arm64
             dist/codexsess-windows-amd64.exe
             dist/codexsess-windows-arm64.exe
             dist/SHA256SUMS.txt
             dist/packages/*.deb
             dist/packages/*.rpm
+          )
+
+          if gh release view "$TAG" >/dev/null 2>&1; then
+            if [ "${{ steps.changelog.outputs.has_changelog }}" = "true" ]; then
+              gh release edit "$TAG" --notes-file dist/release-notes.md
+            fi
+            gh release upload "$TAG" "${ASSETS[@]}" --clobber
+            exit 0
+          fi
 
-      - name: Upload to release (default)
-        if: startsWith(github.ref, 'refs/tags/v') && steps.changelog.outputs.has_changelog != 'true'
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |
-            dist/codexsess-linux-amd64
-            dist/codexsess-linux-arm64
-            dist/codexsess-windows-amd64.exe
-            dist/codexsess-windows-arm64.exe
-            dist/SHA256SUMS.txt
-            dist/packages/*.deb
-            dist/packages/*.rpm
+          if [ "${{ steps.changelog.outputs.has_changelog }}" = "true" ]; then
+            gh release create "$TAG" "${ASSETS[@]}" --notes-file dist/release-notes.md
+          else
+            gh release create "$TAG" "${ASSETS[@]}" --title "$TAG"
+          fi

CHANGELOG.md

@@ -15,6 +15,14 @@ The format follows Keep a Changelog and uses semantic version tags (`vMAJOR.MINO
 - API/code-review integration and logging coverage were refined so review calls are visible and traceable in API logs.
 - Settings and documentation were expanded with code-review endpoint usage details and cURL examples.
 - GitHub Actions code-review and autofix automation are now consolidated into a single workflow file for simpler maintenance.
+- GitHub code-review workflow now supports manual run from Actions (`workflow_dispatch`) with optional base/head SHA and PR comment target.
+- Release and code-review workflows now use Node 24-ready artifact action (`actions/upload-artifact@v7`), and release publishing was migrated from `softprops/action-gh-release` to `gh release` CLI.
+- Fixed Linux installer cleanup trap to avoid `bash: line 1: tmp: unbound variable` after package install in strict shell mode (`set -u`).
+- Installer now prints default auth credentials (`admin / hijilabs`) and password change command (`codexsess --changepassword`) after install.
+- Server-mode installer now verifies `codexsess.service` active state and prints status check command (`systemctl status codexsess`).
+- Default bind address is now `0.0.0.0:<PORT>` (with `CODEXSESS_BIND_ADDR` override support), and server service unit sets `CODEXSESS_BIND_ADDR=0.0.0.0:3061`.
+- Installer terminal output now uses clearer colored status lines for info, success, and error messages.
+- README now documents `CODEXSESS_BIND_ADDR` and includes GUI-mode `~/.bashrc` bind override example for `0.0.0.0`.
 
 ## [1.0.1] - 2026-03-18
 

README.md

@@ -162,7 +162,8 @@ GitHub Actions example (PR diff):
 
 | Variable | Default | Example | Description |
 |---|---|---|---|
-| `PORT` | `3061` | `PORT=8080` | HTTP server port. Bind address is `127.0.0.1:<PORT>`. |
+| `PORT` | `3061` | `PORT=8080` | HTTP server port used when `CODEXSESS_BIND_ADDR` is not explicitly set. |
+| `CODEXSESS_BIND_ADDR` | `0.0.0.0:<PORT>` | `CODEXSESS_BIND_ADDR=0.0.0.0:3061` | Full bind address override (`host:port`) for HTTP server. |
 | `CODEXSESS_NO_OPEN_BROWSER` | `false` | `CODEXSESS_NO_OPEN_BROWSER=true` | Disable automatic browser opening on startup. Truthy values: `1`, `true`, `yes`. |
 | `CODEXSESS_CODEX_SANDBOX` | `workspace-write` | `CODEXSESS_CODEX_SANDBOX=read-only` | Sandbox mode passed to `codex exec`. |
 | `CODEXSESS_CLEAN_EXEC` | `true` | `CODEXSESS_CLEAN_EXEC=false` | Run Codex execution in isolated mode (`true`) or normal environment (`false`). |
@@ -195,6 +196,15 @@ curl -fsSL https://raw.githubusercontent.com/rickicode/CodexSess/main/scripts/in
 curl -fsSL https://raw.githubusercontent.com/rickicode/CodexSess/main/scripts/install.sh | bash -s -- --mode update
 ```
 
+GUI mode bind override (via `~/.bashrc`):
+
+```bash
+echo 'export CODEXSESS_BIND_ADDR=0.0.0.0:3061' >> ~/.bashrc
+source ~/.bashrc
+```
+
+Then restart CodexSess GUI session.
+
 Windows installation:
 - Download `.exe` directly from:
   - https://github.com/rickicode/CodexSess/releases/latest

internal/config/config.go

@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"net"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -142,7 +143,18 @@ func resolveBindAddr() string {
 			port = parsed
 		}
 	}
-	return fmt.Sprintf("127.0.0.1:%d", port)
+	if raw := strings.TrimSpace(os.Getenv("CODEXSESS_BIND_ADDR")); raw != "" {
+		if strings.HasPrefix(raw, ":") {
+			return "0.0.0.0" + raw
+		}
+		if _, _, err := net.SplitHostPort(raw); err == nil {
+			return raw
+		}
+		if !strings.Contains(raw, ":") {
+			return fmt.Sprintf("%s:%d", raw, port)
+		}
+	}
+	return fmt.Sprintf("0.0.0.0:%d", port)
 }
 
 func defaultDataDir(home string) string {

internal/config/config_test.go

@@ -14,3 +14,27 @@ func TestDefaultConfig(t *testing.T) {
 		t.Fatal("MasterKeyPath empty")
 	}
 }
+
+func TestResolveBindAddr_DefaultIsAllInterfaces(t *testing.T) {
+	t.Setenv("PORT", "")
+	t.Setenv("CODEXSESS_BIND_ADDR", "")
+	if got := resolveBindAddr(); got != "0.0.0.0:3061" {
+		t.Fatalf("unexpected default bind addr: %q", got)
+	}
+}
+
+func TestResolveBindAddr_UsesPortEnv(t *testing.T) {
+	t.Setenv("PORT", "4021")
+	t.Setenv("CODEXSESS_BIND_ADDR", "")
+	if got := resolveBindAddr(); got != "0.0.0.0:4021" {
+		t.Fatalf("unexpected bind addr with PORT: %q", got)
+	}
+}
+
+func TestResolveBindAddr_UsesExplicitBindAddr(t *testing.T) {
+	t.Setenv("PORT", "3061")
+	t.Setenv("CODEXSESS_BIND_ADDR", "127.0.0.1:9090")
+	if got := resolveBindAddr(); got != "127.0.0.1:9090" {
+		t.Fatalf("unexpected explicit bind addr: %q", got)
+	}
+}