Fix Codex engine auth wiring for gateway session keys and add harness diagnostics by Copilot · Pull Request #34470 · github/gh-aw

Copilot · 2026-05-24T15:20:34Z

Codex workflow runs were failing because the engine/harness path treated gateway-issued session keys like provider API keys. This change aligns the Codex auth contract end-to-end (engine → generated config → harness) and adds targeted logging to make auth misconfiguration immediately obvious.

Auth contract fix (Codex engine, Go)
- Route the gateway session key through the Codex engine as a session credential, not a raw Codex provider key.
- Normalize env/config fields so the harness receives the expected auth input consistently.
Harness auth handling + diagnostics (codex_harness.cjs)
- Read the session-key input from the generated config/env path used by the engine.
- Add redacted auth-source logging (presence/source/type only; never key material) to distinguish missing key vs wrong key path vs downstream rejection.
Generated lock/config alignment
- Update Codex lock-file config generation so auth fields match the harness contract.
- Remove/avoid mismatched key names that previously caused silent auth drift.
Spec/flags parity checks
- Reconcile Codex-specific flags with the AWF specification and existing Claude engine patterns to keep provider behavior consistent where contracts are shared.

// codex_harness.cjs (illustrative)
const sessionKey = process.env.AWF_SESSION_KEY ?? cfg.auth?.sessionKey;
if (!sessionKey) throw new Error("Codex auth missing: gateway session key not provided");

logger.info({
  authSource: process.env.AWF_SESSION_KEY ? "env" : "config",
  hasSessionKey: Boolean(sessionKey),
}, "Codex auth configured");

client = new CodexClient({ sessionKey }); // not providerApiKey

✨ PR Review Safe Output Test - Run 26365437982

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

accounts.google.com
android.clients.google.com
clients2.google.com
contentautofill.googleapis.com
safebrowsingohttpgateway.googleapis.com
www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · opus47 9.3M · ◷

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan · 2026-05-24T15:21:05Z

@copilot merge main and recompute

pelikhan · 2026-05-24T15:23:29Z

@copilot the key is still passed through OPENAI_API_KEY but this is a session key, not the actual OpenAI key.

…ntic-engine-auth # Conflicts: # .github/workflows/daily-cache-strategy-analyzer.lock.yml # .github/workflows/daily-fact.lock.yml # .github/workflows/daily-observability-report.lock.yml # .github/workflows/dev.lock.yml # .github/workflows/duplicate-code-detector.lock.yml # .github/workflows/grumpy-reviewer.lock.yml # .github/workflows/issue-arborist.lock.yml # .github/workflows/necromancer.lock.yml # .github/workflows/schema-feature-coverage.lock.yml # .github/workflows/smoke-call-workflow.lock.yml # .github/workflows/smoke-codex.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-05-24T15:30:02Z

@copilot merge main and recompute

Done. I merged main and recomputed artifacts. Addressed in acc209b (merge) and c052f60 (recompiled lockfile).

github-actions · 2026-05-24T15:37:19Z

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection results could not be parsed.

Review the workflow run logs for details.

github-actions · 2026-05-24T15:37:19Z

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

github-actions · 2026-05-24T15:37:20Z

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

github-actions · 2026-05-24T15:37:20Z

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions · 2026-05-24T15:37:23Z

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-05-24T15:39:28Z

@copilot the key is still passed through OPENAI_API_KEY but this is a session key, not the actual OpenAI key.

Fixed in 7c0f26e. Codex now uses CODEX_API_KEY for the proxy provider/env path, and we no longer emit OPENAI_API_KEY from the Codex execution env.

github-actions · 2026-05-24T15:40:43Z

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.54.0
jq	✅	1.7
yq	✅	4.53.2
curl	✅	8.5.0
gh	✅	2.92.0
node	✅	22.22.3
python3	✅	3.14.5
go	✅	1.24.13
java	✅	10.0.300
dotnet	❌	NOT FOUND

Result: 11/12 tools available ⚠️

Status: FAIL — dotnet (.NET runtime) is not available in this container.

🔧 Tool validation by Agent Container Smoke Test · sonnet46 505.8K · ◷

github-actions · 2026-05-24T15:41:03Z

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection results could not be parsed.

Review the workflow run logs for details.

Smoke Test Results\n1. GitHub MCP Testing: ✅\n2. Web Fetch Testing: ✅\n3. File Writing Testing: ✅\n4. Bash Tool Testing: ✅\n5. Build gh-aw: ❌\n\nOverall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

✨ Smoke Gemini — Powered by Gemini · ◷

github-actions · 2026-05-24T15:48:15Z

🤖 Beep boop! The smoke test agent was here! Ran all systems checks and everything looks 💚. Don't mind me, just a robot making sure the lights are on. 🔦✨

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

accounts.google.com
android.clients.google.com
clients2.google.com
contentautofill.googleapis.com
safebrowsingohttpgateway.googleapis.com
www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · sonnet46 2.1M · ◷

github-actions · 2026-05-24T15:48:26Z

✅ Smoke test PASS — Run 26365438030

All 16 tests passed. @app/copilot-swe-agent, @pelikhan, @Copilot

Test
GitHub MCP	✅
MCP Scripts	✅
Serena CLI	✅
Playwright	✅
Web Fetch	✅
File Write/Bash	✅
Discussion Interaction	✅
Build gh-aw	✅
Upload Artifact	✅
Create Discussion	✅
Workflow Dispatch	✅
PR Review	✅
Comment Memory	✅
Sub-Agent	✅
Check Run	✅

Overall: PASS

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

accounts.google.com
android.clients.google.com
clients2.google.com
contentautofill.googleapis.com
safebrowsingohttpgateway.googleapis.com
www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · sonnet46 2.1M · ◷

github-actions · 2026-05-24T15:48:28Z

Comment Memory

# Smoke Test Notes

Smoke test run 26365438030 completed.

Tests run in silence
Code builds then the green light shines
Bugs vanish like mist

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

accounts.google.com
android.clients.google.com
clients2.google.com
contentautofill.googleapis.com
safebrowsingohttpgateway.googleapis.com
www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · sonnet46 2.1M · ◷

github-actions · 2026-05-24T15:48:53Z

📰 DEVELOPING STORY: Smoke Copilot reports failed to deliver outputs. Our correspondents are investigating the incident...

github-actions · 2026-05-24T15:50:17Z

🧪 Smoke Test: Claude — Run §26365437982

Core tests (#1–13): ✅ all green (Serena #3 ⚠️ — find_symbol returned 1 symbol before MCP connection closed)
PR-review tests (#14–20): ✅ #14 update, ✅ #15 inline comments, ✅ #16 review, ⚠️ #17 (no unresolved threads yet), ✅ #18 reviewer, ✅ #19 push, ⚠️ #20 (no safe test PR)

Overall status: PARTIAL ⚠️

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

accounts.google.com
android.clients.google.com
clients2.google.com
contentautofill.googleapis.com
safebrowsingohttpgateway.googleapis.com
www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · opus47 9.3M · ◷

github-actions

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

accounts.google.com
android.clients.google.com
clients2.google.com
contentautofill.googleapis.com
safebrowsingohttpgateway.googleapis.com
www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · opus47 9.3M

github-actions · 2026-05-24T15:50:18Z

 	yaml.WriteString(indent + "name = \"" + codexOpenAIProxyProviderName + "\"\n")
 	yaml.WriteString(indent + "base_url = \"" + e.getOpenAIProxyProviderBaseURL() + "\"\n")
-	yaml.WriteString(indent + "env_key = \"OPENAI_API_KEY\"\n")
+	yaml.WriteString(indent + "env_key = \"CODEX_API_KEY\"\n")


🤖 Smoke test review — switching env_key to CODEX_API_KEY aligns the proxy provider with the canonical session-key naming used elsewhere in the engine. Worth a quick mention in the PR body that any downstream consumers exporting OPENAI_API_KEY directly will need to set CODEX_API_KEY instead.

github-actions · 2026-05-24T15:50:18Z

 	envVars["CODEX_API_KEY"] = true
-	envVars["OPENAI_API_KEY"] = true // Fallback for CODEX_API_KEY

 	// Check each MCP tool for required environment variables


🤖 Smoke test review — keeping OPENAI_API_KEY exposed as a fallback in the shell environment policy is a sensible compatibility shim, but consider gating it behind a feature flag or adding a brief comment indicating when this fallback will be removed.

Apply remaining changes

5522ead

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI assigned Copilot and pelikhan May 24, 2026

Copilot created this pull request from a session on behalf of pelikhan May 24, 2026 15:20 View session

Copilot started work on behalf of pelikhan May 24, 2026 15:21 View session

Copilot AI and others added 2 commits May 24, 2026 15:28

Recompile lockfile after merging main

c052f60

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan May 24, 2026 15:30

Copilot AI requested a review from pelikhan May 24, 2026 15:30

Copilot started work on behalf of pelikhan May 24, 2026 15:30 View session

pelikhan added the smoke label May 24, 2026

github-actions Bot removed the smoke label May 24, 2026

Use CODEX_API_KEY for Codex proxy auth path

7c0f26e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan May 24, 2026 15:39

github-actions Bot added the needs-review label May 24, 2026

pelikhan closed this May 24, 2026

github-actions Bot mentioned this pull request May 24, 2026

Smoke Test: Copilot - 26365438030 #34473

Closed

github-actions Bot added the smoke-copilot label May 24, 2026

github-actions Bot mentioned this pull request May 24, 2026

Smoke Test: Claude - 26365437982 #34475

Closed

github-actions Bot reviewed May 24, 2026

View reviewed changes

Conversation

Copilot AI commented May 24, 2026 • edited by github-actions Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pelikhan commented May 24, 2026

Uh oh!

pelikhan commented May 24, 2026

Uh oh!

Copilot AI commented May 24, 2026

Uh oh!

github-actions Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented May 24, 2026

Uh oh!

Copilot AI commented May 24, 2026

Uh oh!

github-actions Bot commented May 24, 2026

Agent Container Tool Check

Uh oh!

github-actions Bot commented May 24, 2026

Smoke Test Results\n1. GitHub MCP Testing: ✅\n2. Web Fetch Testing: ✅\n3. File Writing Testing: ✅\n4. Bash Tool Testing: ✅\n5. Build gh-aw: ❌\n\nOverall status: FAIL

Uh oh!

github-actions Bot commented May 24, 2026

Uh oh!

github-actions Bot commented May 24, 2026

Uh oh!

github-actions Bot commented May 24, 2026

Comment Memory

Uh oh!

github-actions Bot commented May 24, 2026

Uh oh!

github-actions Bot commented May 24, 2026

🧪 Smoke Test: Claude — Run §26365437982

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot May 24, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions Bot May 24, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented May 24, 2026 •

edited by github-actions Bot

Loading

github-actions Bot commented May 24, 2026 •

edited

Loading

github-actions Bot commented May 24, 2026 •

edited

Loading

github-actions Bot commented May 24, 2026 •

edited

Loading

github-actions Bot commented May 24, 2026 •

edited

Loading