pluralsh
diff --git a/‎Makefile‎
Lines changed: 9 additions & 2 deletions b/‎Makefile‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎api/v1alpha1/agentruntime_types.go‎
Lines changed: 8 additions & 0 deletions b/‎api/v1alpha1/agentruntime_types.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 30 additions & 0 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎charts/deployment-operator/crds/deployments.plural.sh_agentruntimes.yaml‎
Lines changed: 32 additions & 0 deletions b/‎charts/deployment-operator/crds/deployments.plural.sh_agentruntimes.yaml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎config/crd/bases/deployments.plural.sh_agentruntimes.yaml‎
Lines changed: 32 additions & 0 deletions b/‎config/crd/bases/deployments.plural.sh_agentruntimes.yaml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎dockerfiles/agent-harness/codex.Dockerfile‎
Lines changed: 2 additions & 2 deletions b/‎dockerfiles/agent-harness/codex.Dockerfile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/api.md‎
Lines changed: 18 additions & 0 deletions b/‎docs/api.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎internal/controller/agentrun_controller.go‎
Lines changed: 36 additions & 4 deletions b/‎internal/controller/agentrun_controller.go‎
Lines changed: 36 additions & 4 deletions
diff --git a/‎internal/controller/agentrun_controller_test.go‎
Lines changed: 4 additions & 4 deletions b/‎internal/controller/agentrun_controller_test.go‎
Lines changed: 4 additions & 4 deletions
@@ -24,6 +24,7 @@ PLRL_GEMINI_MODEL := $(if $(PLRL_GEMINI_MODEL),$(PLRL_GEMINI_MODEL),"")
 PLRL_GEMINI_API_KEY := $(if $(PLRL_GEMINI_API_KEY),$(PLRL_GEMINI_API_KEY),"")
 PLRL_CODEX_MODEL := $(if $(PLRL_CODEX_MODEL),$(PLRL_CODEX_MODEL),"")
 PLRL_CODEX_API_KEY := $(if $(PLRL_CODEX_API_KEY),$(PLRL_CODEX_API_KEY),"")
+GIT_ACCESS_TOKEN := $(if $(GIT_ACCESS_TOKEN),$(GIT_ACCESS_TOKEN),"")
 
 
 VELERO_CHART_VERSION := 5.2.2 # It should be kept in sync with Velero chart version from console/charts/velero
@@ -147,14 +148,20 @@ agent-harness-opencode-run: docker-build-agent-harness-opencode ## run agent har
 
 .PHONY: agent-harness-codex-run
 agent-harness-codex-run: docker-build-agent-harness-codex ## run agent harness w/ codex
+	@KEY_TMP=$$(mktemp) && \
+	cp $${HOME}/.ssh/id_rsa $$KEY_TMP && \
+	chmod 644 $$KEY_TMP && \
 	docker run \
+		-v $$KEY_TMP:/plural/git/git-signing.key:ro \
 		-e PLRL_AGENT_RUN_ID=$(PLRL_AGENT_RUN_ID) \
 		-e PLRL_DEPLOY_TOKEN=$(PLRL_DEPLOY_TOKEN) \
 		-e PLRL_CONSOLE_URL=$(PLRL_CONSOLE_URL) \
 		-e PLRL_CODEX_MODEL=$(PLRL_CODEX_MODEL) \
 		-e PLRL_CODEX_API_KEY=$(PLRL_CODEX_API_KEY) \
+		-e GIT_ACCESS_TOKEN=$(GIT_ACCESS_TOKEN) \
 		--rm -it \
-		ghcr.io/pluralsh/agent-harness-codex --v=3
+		ghcr.io/pluralsh/agent-harness-codex --v=3; \
+	rm -f $$KEY_TMP
 
 .PHONY: agent-harness-claude-run
 agent-harness-claude-run: docker-build-agent-harness-claude ## run agent harness w/ claude
@@ -333,7 +340,7 @@ docker-build-agent-harness-claude: docker-build-agent-harness-base ## build clau
 
 .PHONY: docker-build-agent-harness-codex
 docker-build-agent-harness-codex: docker-build-agent-harness-base ## build codex docker agent harness image
-	docker build \
+	docker build --no-cache \
 		--build-arg=AGENT_HARNESS_BASE_IMAGE_TAG="latest" \
 		-t ghcr.io/pluralsh/agent-harness-codex \
 		-f dockerfiles/agent-harness/codex.Dockerfile \
 
@@ -67,6 +67,14 @@ type AgentRuntimeSpec struct {
 	// configure tooling, or perform any other setup required by the agent.
 	// +kubebuilder:validation:Optional
 	BootstrapScript *string `json:"bootstrapScript,omitempty"`
+
+	// Git configure commit signing on agent run. When provided, the runtime will be configured to sign git commits using the provided key reference.
+	Git *GitSpec `json:"git,omitempty"`
+}
+
+type GitSpec struct {
+	Proxy         *string                   `json:"proxy,omitempty"`
+	SigningKeyRef *corev1.SecretKeySelector `json:"signingKeyRef,omitempty"`
 }
 
 // Browser defines the browser to use for the agent runtime.
 
@@ -1867,6 +1867,38 @@ spec:
                   Dind enables Docker-in-Docker for this agent runtime.
                   When true, the runtime will be configured to run with DinD support.
                 type: boolean
+              git:
+                description: Git configure commit signing on agent run. When provided,
+                  the runtime will be configured to sign git commits using the provided
+                  key reference.
+                properties:
+                  proxy:
+                    type: string
+                  signingKeyRef:
+                    description: SecretKeySelector selects a key of a Secret.
+                    properties:
+                      key:
+                        description: The key of the secret to select from.  Must be
+                          a valid secret key.
+                        type: string
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                      optional:
+                        description: Specify whether the Secret or its key must be
+                          defined
+                        type: boolean
+                    required:
+                    - key
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
               name:
                 description: |-
                   Name of this AgentRuntime.
 
@@ -1867,6 +1867,38 @@ spec:
                   Dind enables Docker-in-Docker for this agent runtime.
                   When true, the runtime will be configured to run with DinD support.
                 type: boolean
+              git:
+                description: Git configure commit signing on agent run. When provided,
+                  the runtime will be configured to sign git commits using the provided
+                  key reference.
+                properties:
+                  proxy:
+                    type: string
+                  signingKeyRef:
+                    description: SecretKeySelector selects a key of a Secret.
+                    properties:
+                      key:
+                        description: The key of the secret to select from.  Must be
+                          a valid secret key.
+                        type: string
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                      optional:
+                        description: Specify whether the Secret or its key must be
+                          defined
+                        type: boolean
+                    required:
+                    - key
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
               name:
                 description: |-
                   Name of this AgentRuntime.
 
@@ -1,6 +1,6 @@
 ARG NODE_IMAGE_TAG=24
 ARG NODE_IMAGE=node:${NODE_IMAGE_TAG}-slim
-ARG AGENT_VERSION=latest
+ARG AGENT_VERSION=0.104.0
 
 ARG AGENT_HARNESS_BASE_IMAGE_TAG=latest
 ARG AGENT_HARNESS_BASE_IMAGE_REPO=ghcr.io/pluralsh/agent-harness-base
@@ -12,7 +12,7 @@ FROM $NODE_IMAGE AS node
 USER root
 
 # Install codex CLI globally using npm
-RUN npm install -g @openai/codex@$AGENT_VERSION
+RUN npm install -g @openai/codex@0.104.0
 
 # The codex script uses createRequire(import.meta.url) anchored at /usr/local/bin/codex.
 # Node's module resolution walks up from /usr/local/bin/ and won't find node_modules
 
@@ -268,6 +268,7 @@ _Appears in:_
 | `allowedRepositories` _string array_ | AllowedRepositories the git repositories allowed to be used with this runtime. |  | Optional: \{\} <br /> |
 | `browser` _[BrowserConfig](#browserconfig)_ | Browser configuration augments agent runtime with a headless browser.<br />When provided, the runtime will be configured to run with a headless browser available<br />for the agent to use. |  | Optional: \{\} <br /> |
 | `bootstrapScript` _string_ | BootstrapScript is a bash script that will be executed inside the cloned repository<br />directory before the coding agent starts. It can be used to install dependencies,<br />configure tooling, or perform any other setup required by the agent. |  | Optional: \{\} <br /> |
+| `git` _[GitSpec](#gitspec)_ | Git configure commit signing on agent run. When provided, the runtime will be configured to sign git commits using the provided key reference. |  |  |
 
 
 #### Binding
@@ -656,6 +657,23 @@ _Appears in:_
 | `inactivityTimeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | InactivityTimeout is the timeout for inactivity during gemini run. |  | Optional: \{\} <br /> |
 
 
+#### GitSpec
+
+
+
+
+
+
+
+_Appears in:_
+- [AgentRuntimeSpec](#agentruntimespec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `proxy` _string_ |  |  |  |
+| `signingKeyRef` _[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#secretkeyselector-v1-core)_ |  |  |  |
+
+
 
 
 #### HelmConfiguration
 
@@ -58,6 +58,8 @@ const (
 	EnvDindEnabled    = "PLRL_DIND_ENABLED"
 	EnvBrowserEnabled = "PLRL_BROWSER_ENABLED"
 	EnvExecTimeout    = "PLRL_EXEC_TIMEOUT"
+
+	EnvGitProxy = "PLRL_GIT_PROXY"
 )
 
 var (
@@ -358,6 +360,11 @@ func (r *AgentRunReconciler) reconcilePodSecret(ctx context.Context, run *v1alph
 		return nil, fmt.Errorf("failed to get agent runtime config: %w", err)
 	}
 
+	signingKey, err := r.resolveSigningKey(ctx, runtime)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve git signing key: %w", err)
+	}
+
 	secret := &corev1.Secret{}
 	if err := r.Get(ctx, types.NamespacedName{Name: run.Name, Namespace: run.Namespace}, secret); err != nil {
 		if !errors.IsNotFound(err) {
@@ -366,7 +373,7 @@ func (r *AgentRunReconciler) reconcilePodSecret(ctx context.Context, run *v1alph
 
 		secret = &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{Name: run.Name, Namespace: run.Namespace},
-			StringData: r.getSecretData(run, config, runtime.Spec.Type),
+			StringData: r.getSecretData(run, config, runtime.Spec.Type, signingKey),
 		}
 
 		logger.V(2).Info("creating secret", "namespace", secret.Namespace, "name", secret.Name)
@@ -379,7 +386,7 @@ func (r *AgentRunReconciler) reconcilePodSecret(ctx context.Context, run *v1alph
 
 	if !r.hasSecretData(secret.Data, run) {
 		logger.V(2).Info("updating secret", "namespace", secret.Namespace, "name", secret.Name)
-		secret.StringData = r.getSecretData(run, config, runtime.Spec.Type)
+		secret.StringData = r.getSecretData(run, config, runtime.Spec.Type, signingKey)
 		if err := r.Update(ctx, secret); err != nil {
 			logger.Error(err, "unable to update secret")
 			return nil, err
@@ -388,7 +395,6 @@ func (r *AgentRunReconciler) reconcilePodSecret(ctx context.Context, run *v1alph
 
 	return secret, nil
 }
-
 func (r *AgentRunReconciler) getAgentRuntimeConfig(ctx context.Context, namespace string, config *v1alpha1.AgentRuntimeConfig) (*v1alpha1.AgentRuntimeConfigRaw, error) {
 	if config == nil {
 		return nil, nil
@@ -401,13 +407,39 @@ func (r *AgentRunReconciler) getAgentRuntimeConfig(ctx context.Context, namespac
 	})
 }
 
-func (r *AgentRunReconciler) getSecretData(run *v1alpha1.AgentRun, config *v1alpha1.AgentRuntimeConfigRaw, runtimeType console.AgentRuntimeType) map[string]string {
+// resolveSigningKey fetches the signing key value from the secret referenced in runtime.Spec.Git.SigningKeyRef.
+// It looks up the secret in the AgentRuntime's own namespace so that the source secret does not need
+// to exist in the pod's TargetNamespace. The returned bytes are later copied into the pod secret.
+func (r *AgentRunReconciler) resolveSigningKey(ctx context.Context, runtime *v1alpha1.AgentRuntime) ([]byte, error) {
+	if runtime.Spec.Git == nil || runtime.Spec.Git.SigningKeyRef == nil {
+		return nil, nil
+	}
+
+	ref := runtime.Spec.Git.SigningKeyRef
+	s := &corev1.Secret{}
+	if err := r.Get(ctx, client.ObjectKey{Namespace: runtime.Spec.TargetNamespace, Name: ref.Name}, s); err != nil {
+		return nil, fmt.Errorf("failed to get git signing key secret %q: %w", ref.Name, err)
+	}
+
+	value, ok := s.Data[ref.Key]
+	if !ok {
+		return nil, fmt.Errorf("key %q not found in secret %q", ref.Key, ref.Name)
+	}
+
+	return value, nil
+}
+
+func (r *AgentRunReconciler) getSecretData(run *v1alpha1.AgentRun, config *v1alpha1.AgentRuntimeConfigRaw, runtimeType console.AgentRuntimeType, signingKey []byte) map[string]string {
 	result := map[string]string{
 		EnvConsoleURL:  r.ConsoleURL,
 		EnvDeployToken: r.DeployToken,
 		EnvAgentRunID:  run.Status.GetID(),
 	}
 
+	if len(signingKey) > 0 {
+		result[gitSigningKeySecretKey] = string(signingKey)
+	}
+
 	if config == nil {
 		return result
 	}
 
@@ -606,7 +606,7 @@ var _ = Describe("AgentRun Controller", Ordered, func() {
 			run := &v1alpha1.AgentRun{}
 			run.Status.ID = lo.ToPtr("run-456")
 
-			data := reconciler.getSecretData(run, nil, console.AgentRuntimeTypeClaude)
+			data := reconciler.getSecretData(run, nil, console.AgentRuntimeTypeClaude, nil)
 			Expect(data).Should(HaveLen(3))
 			Expect(data[EnvConsoleURL]).Should(Equal("https://console.test.com"))
 			Expect(data[EnvDeployToken]).Should(Equal("test-token-123"))
@@ -662,7 +662,7 @@ var _ = Describe("AgentRun Controller", Ordered, func() {
 				},
 			}
 
-			data := reconciler.getSecretData(run, config, console.AgentRuntimeTypeClaude)
+			data := reconciler.getSecretData(run, config, console.AgentRuntimeTypeClaude, nil)
 			Expect(data[EnvClaudeModel]).Should(Equal("claude-3-opus"))
 			Expect(data[EnvClaudeToken]).Should(Equal("claude-api-key"))
 			Expect(data[EnvClaudeArgs]).Should(ContainSubstring("--verbose"))
@@ -686,7 +686,7 @@ var _ = Describe("AgentRun Controller", Ordered, func() {
 				},
 			}
 
-			data := reconciler.getSecretData(run, config, console.AgentRuntimeTypeOpencode)
+			data := reconciler.getSecretData(run, config, console.AgentRuntimeTypeOpencode, nil)
 			Expect(data[EnvOpenCodeProvider]).Should(Equal("openai"))
 			Expect(data[EnvOpenCodeEndpoint]).Should(Equal("https://api.openai.com"))
 			Expect(data[EnvOpenCodeModel]).Should(Equal("gpt-4"))
@@ -708,7 +708,7 @@ var _ = Describe("AgentRun Controller", Ordered, func() {
 				},
 			}
 
-			data := reconciler.getSecretData(run, config, console.AgentRuntimeTypeGemini)
+			data := reconciler.getSecretData(run, config, console.AgentRuntimeTypeGemini, nil)
 			Expect(data[EnvGeminiModel]).Should(Equal("gemini-pro"))
 			Expect(data[EnvGeminiAPIKey]).Should(Equal("gemini-api-key"))
 		})