Copilot AI commented Sep 17, 2025

Fixes issue #668 where Codex workflows could not properly override the default OPENAI_API_KEY secret, preventing organizations from using custom API keys without secret duplication.

Problem

The codex login command was hardcoded to use ${{ secrets.OPENAI_API_KEY }}, ignoring any custom environment variable overrides specified in the engine configuration:

engine:
  id: codex
  env:
    OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY_CI }}  # This was ignored

This caused authentication failures when users tried to use organization-specific API keys, as the login command would always use the default secret regardless of the environment variable override.

Solution

Modified the Codex engine to use the environment variable $OPENAI_API_KEY instead of the hardcoded secret reference in the login command:

# Before
codex login --api-key "${{ secrets.OPENAI_API_KEY }}"

# After  
codex login --api-key "$OPENAI_API_KEY"

This change allows the login command to respect custom environment variable overrides while maintaining backward compatibility for existing workflows.

Changes

  1. Engine Fix: Updated pkg/workflow/codex_engine.go to use environment variable in login command
  2. Test Workflow: Added pkg/cli/workflows/test-codex-custom-env.md demonstrating the override functionality
  3. Documentation: Enhanced docs/src/content/docs/reference/frontmatter.md with detailed examples of secret overrides

Example Usage

Organizations can now override the default API key:

---
engine:
  id: codex
  model: gpt-4
  env:
    OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY_CI }}
---

# Your workflow content here

The generated workflow will use the custom secret for both the login command and the execution environment, enabling proper authentication with organization-specific API keys.

Backward Compatibility

Existing workflows continue to work unchanged - they still use the default OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} environment variable, which now properly flows through to the login command.

Closes #668

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.contoso.com
    • Triggering command: /tmp/go-build2070014085/b279/cli.test -test.testlogfile=/tmp/go-build2070014085/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
    • Triggering command: /tmp/go-build2880104756/b279/cli.test -test.testlogfile=/tmp/go-build2880104756/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)
    • Triggering command: /tmp/go-build2129480747/b279/cli.test -test.testlogfile=/tmp/go-build2129480747/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


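The override behaviour described in the pull request above, as an added Go example (not code from the gh-aw repository). The names `renderLoginStep`, `secretsReferenced` and `defaultEnv` and the layout of the rendered step are assumptions made for illustration; only the login command and the default secret mapping come from the description.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Default stated in the PR description; engine.env entries override it.
var defaultEnv = map[string]string{"OPENAI_API_KEY": "${{ secrets.OPENAI_API_KEY }}"}

var secretExpr = regexp.MustCompile(`\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}`)

// renderLoginStep (hypothetical) emits a login step whose run line reads the
// key from the shell environment, so only the env block decides which secret is used.
func renderLoginStep(overrides map[string]string) string {
	env := map[string]string{}
	for k, v := range defaultEnv {
		env[k] = v
	}
	for k, v := range overrides { // frontmatter engine.env wins over the default
		env[k] = v
	}
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output
	var b strings.Builder
	b.WriteString("- name: Authenticate with Codex\n  env:\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "    %s: %s\n", k, env[k])
	}
	b.WriteString("  run: |\n    codex login --api-key \"$OPENAI_API_KEY\"\n")
	return b.String()
}

// secretsReferenced lists every secret name a rendered step pulls in, which
// lets a test confirm that an override fully replaces the default secret.
func secretsReferenced(step string) []string {
	var names []string
	for _, m := range secretExpr.FindAllStringSubmatch(step, -1) {
		names = append(names, m[1])
	}
	return names
}

func main() {
	fmt.Print(renderLoginStep(map[string]string{"OPENAI_API_KEY": "${{ secrets.OPENAI_API_KEY_CI }}"}))
}
```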

# Authenticate with Codex
codex login --api-key "${{ secrets.OPENAI_API_KEY }}"
codex login --api-key "$OPENAI_API_KEY"
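Review bot: on the new `codex login --api-key "$OPENAI_API_KEY"` line, nothing checks that the variable is set, so a workflow whose env block leaves it empty runs the login with an empty key. Add a guard ahead of the login, for example `: "${OPENAI_API_KEY:?OPENAI_API_KEY is not set}"`, so the step fails with a clear message. The key is also still passed as a command-line argument, where it is visible in the process argument list while the command runs; if the CLI can read the key from the environment or standard input, prefer that.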

@dsyme fyi

@pelikhan pelikhan marked this pull request as ready for review September 17, 2025 14:24
@pelikhan pelikhan requested a review from dsyme September 17, 2025 14:24
Copilot AI changed the title from "[WIP] Following instructions in comment with your mention in https://github.com/githubnext/gh-aw/issues/668" to "Fix Codex environment variable override for custom API keys" Sep 17, 2025
Copilot AI requested a review from pelikhan September 17, 2025 14:26
@pelikhan pelikhan merged commit 0056c18 into main Sep 17, 2025
14 of 20 checks passed
@pelikhan pelikhan deleted the copilot/fix-95f905a1-7f1e-40f3-8233-c0844d18bfe9 branch September 17, 2025 14:33
Development

Successfully merging this pull request may close these issues.

Codex fails to report failure if unauthorised
