github · lpcox · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/.github/workflows/secret-digger-codex.lock.yml b/.github/workflows/secret-digger-codex.lock.yml
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
diff --git a/scripts/ci/postprocess-smoke-workflows.test.ts b/scripts/ci/postprocess-smoke-workflows.test.ts
@@ -234,6 +234,50 @@ describe('cacheRestoreKeyPrefixRegex', () => {
   });
 });
 
+// ── Codex openai-proxy provider injection tests ──────────────────────────────
+// Mirrors the patterns in postprocess-smoke-workflows.ts.
+
+const codexConfigTomlHeredocRegex =
+  /^(\s+)(cat > "\/tmp\/gh-aw\/mcp-config\/config\.toml" << GH_AW_CODEX_SHELL_POLICY_\w+_EOF\n)(?:\1[^\n]*\n)*?(\1\[shell_environment_policy\])/m;
+const CODEX_PROXY_ENV_KEY_REGEX =
+  /(^\s+\[model_providers\.openai-proxy\]\n(?:^\s+.*\n)*?)^\s+env_key = "OPENAI_API_KEY"\n/m;
+
+describe('codexConfigTomlHeredocRegex + CODEX_PROXY_ENV_KEY_REGEX', () => {
+  it('injects openai-proxy provider without env_key', () => {
+    const input =
+      '          cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_hash_EOF\n' +
+      '          [shell_environment_policy]\n' +
+      '          inherit = "core"\n';
+    const match = input.match(codexConfigTomlHeredocRegex);
+    expect(match).not.toBeNull();
+    const indent = match![1];
+    const modelProvidersBlock =
+      `${indent}model_provider = "openai-proxy"\n` +
+      `${indent}\n` +
+      `${indent}[model_providers.openai-proxy]\n` +
+      `${indent}name = "OpenAI AWF proxy"\n` +
+      `${indent}base_url = "http://172.30.0.30:10000"\n` +
+      `${indent}supports_websockets = false\n` +
+      `${indent}\n`;
+    const result = input.replace(codexConfigTomlHeredocRegex, `$1$2${modelProvidersBlock}$3`);
+    expect(result).toContain('[model_providers.openai-proxy]');
+    expect(result).not.toContain('env_key = "OPENAI_API_KEY"');
+  });
+
+  it('removes legacy env_key from openai-proxy provider blocks', () => {
+    const input =
+      '          [model_providers.openai-proxy]\n' +
+      '          name = "OpenAI AWF proxy"\n' +
+      '          base_url = "http://172.30.0.30:10000"\n' +
+      '          env_key = "OPENAI_API_KEY"\n' +
+      '          supports_websockets = false\n' +
+      '          [shell_environment_policy]\n';
+    const result = input.replace(CODEX_PROXY_ENV_KEY_REGEX, '$1');
+    expect(result).not.toContain('env_key = "OPENAI_API_KEY"');
+    expect(result).toContain('supports_websockets = false');
+  });
+});
+
 // ── Session state dir injection and Copy step replacement tests ──────────────
 // Mirrors the patterns in postprocess-smoke-workflows.ts.
 

diff --git a/scripts/ci/postprocess-smoke-workflows.ts b/scripts/ci/postprocess-smoke-workflows.ts
@@ -775,14 +775,16 @@ for (const workflowPath of workflowPaths) {
 // custom provider "openai-proxy" that:
 //   - points to the AWF api-proxy sidecar at http://172.30.0.30:10000
 //   - sets supports_websockets=false to force REST (which respects base_url)
-//   - uses OPENAI_API_KEY (placeholder injected by AWF) for auth; the sidecar
-//     replaces it with the real key before forwarding to OpenAI
+//   - omits env_key so Codex does not hard-require OPENAI_API_KEY at startup;
+//     auth is handled by the sidecar
 // We then set model_provider = "openai-proxy" to activate it.
 //
 // See: https://developers.openai.com/codex/config-reference
 const codexConfigTomlHeredocRegex =
   /^(\s+)(cat > "\/tmp\/gh-aw\/mcp-config\/config\.toml" << GH_AW_CODEX_SHELL_POLICY_\w+_EOF\n)(?:\1[^\n]*\n)*?(\1\[shell_environment_policy\])/m;
 const CODEX_PROXY_PROVIDER_SENTINEL = 'model_providers.openai-proxy';
+const CODEX_PROXY_ENV_KEY_REGEX =
+  /(^\s+\[model_providers\.openai-proxy\]\n(?:^\s+.*\n)*?)^\s+env_key = "OPENAI_API_KEY"\n/m;
 
 // Apply Codex-specific transformations to OpenAI/Codex workflow files only.
 // These transformations must not be applied to Claude, Copilot, or other
@@ -810,7 +812,6 @@ for (const workflowPath of codexWorkflowPaths) {
         `${indent}[model_providers.openai-proxy]\n` +
         `${indent}name = "OpenAI AWF proxy"\n` +
         `${indent}base_url = "http://172.30.0.30:10000"\n` +
-        `${indent}env_key = "OPENAI_API_KEY"\n` +
         `${indent}supports_websockets = false\n` +
         `${indent}\n`;
       content = content.replace(
@@ -829,6 +830,14 @@ for (const workflowPath of codexWorkflowPaths) {
     console.log(`  openai-proxy custom provider already present in Codex config.toml`);
   }
 
+  // Remove legacy env_key for openai-proxy so Codex doesn't require OPENAI_API_KEY
+  // in the sandbox when auth is provided by the sidecar.
+  if (CODEX_PROXY_ENV_KEY_REGEX.test(content)) {
+    content = content.replace(CODEX_PROXY_ENV_KEY_REGEX, '$1');
+    modified = true;
+    console.log('  Removed legacy env_key from openai-proxy provider');
+  }
+
   // Preserve empty lines as truly empty (no trailing whitespace) to keep the
   // YAML block scalar clean and diff-friendly.
   function buildXpiaHeredoc(indent: string, appendSuffix: string): string {