From 5864b385316f9c8fc368c41c705240ddb6f6a82b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 22 May 2026 22:04:36 +0000
Subject: [PATCH 1/2] Initial plan
From 39ced986e10039f8b059f9e97b3965e68b8809c9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 22 May 2026 22:18:35 +0000
Subject: [PATCH 2/2] fix codex awf proxy auth env key in agent job
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/codex_engine.go | 2 ++
 pkg/workflow/codex_engine_test.go | 5 ++++-
 pkg/workflow/codex_mcp.go | 6 +++++-
 .../testdata/TestWasmGolden_AllEngines/codex.golden | 3 ++-
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/pkg/workflow/codex_engine.go b/pkg/workflow/codex_engine.go
index 33f41676443..554e08b6769 100644
--- a/pkg/workflow/codex_engine.go
+++ b/pkg/workflow/codex_engine.go
@@ -342,6 +342,8 @@ mkdir -p "$CODEX_HOME/logs"
 "GH_AW_GITHUB_TOKEN": effectiveGitHubToken,
 "GITHUB_PERSONAL_ACCESS_TOKEN": effectiveGitHubToken, // Used by GitHub MCP server via env_vars
 "OPENAI_API_KEY": "${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}", // Fallback for CODEX_API_KEY
+ // Non-secret token required by Codex openai-proxy provider env_key check.
+ codexOpenAIProxyEnvVarName: codexOpenAIProxyEnvVarDefault,
 }
 injectWorkflowCallNetworkAllowedEnv(env, workflowData)
 // Indicate the phase: "agent" for the main run, "detection" for threat detection
diff --git a/pkg/workflow/codex_engine_test.go b/pkg/workflow/codex_engine_test.go
index d8f1cddc6eb..1310f836f83 100644
--- a/pkg/workflow/codex_engine_test.go
+++ b/pkg/workflow/codex_engine_test.go
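Review bot: In the codex_engine.go hunk, the placeholder is added unconditionally to the same env map that still sets `OPENAI_API_KEY` to `${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}`, so the map does not show that the real key stays out of the agent container once the proxy provider is used. Whether that key is filtered before the container starts is not visible in this hunk. If it is, the new comment should say so, for example `// Placeholder only, never a credential; the real OPENAI_API_KEY above must not be forwarded into the agent container when openai-proxy is active.` If it is not, the entry for the real key probably needs to be conditional on the proxy being disabled. The enclosing function starts and ends outside the hunk.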
@@ -103,6 +103,9 @@ func TestCodexEngine(t *testing.T) {
 if !strings.Contains(stepContent, "CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}") {
 t.Errorf("Expected CODEX_API_KEY environment variable in step content:\n%s", stepContent)
 }
+ if !strings.Contains(stepContent, "GH_AW_OPENAI_PROXY_TOKEN: awf-openai-proxy") {
+ t.Errorf("Expected GH_AW_OPENAI_PROXY_TOKEN environment variable in step content:\n%s", stepContent)
+ }
 }
 
 func TestCodexEngineWithVersion(t *testing.T) {
@@ -344,7 +347,7 @@ func TestCodexEngineRenderMCPConfigOpenAIProxyProvider(t *testing.T) {
 "[model_providers.openai-proxy]",
 "name = \"OpenAI AWF proxy\"",
 fmt.Sprintf("base_url = \"http://%s:%d\"", constants.AWFAPIProxyContainerIP, constants.ClaudeLLMGatewayPort),
- "env_key = \"OPENAI_API_KEY\"",
+ "env_key = \"GH_AW_OPENAI_PROXY_TOKEN\"",
 "supports_websockets = false",
 }
 
diff --git a/pkg/workflow/codex_mcp.go b/pkg/workflow/codex_mcp.go
index 59dc125fe75..3da4a739ace 100644
--- a/pkg/workflow/codex_mcp.go
+++ b/pkg/workflow/codex_mcp.go
@@ -15,6 +15,10 @@ var codexMCPLog = logger.New("workflow:codex_mcp")
 const (
 codexOpenAIProxyProviderID = "openai-proxy"
 codexOpenAIProxyProviderName = "OpenAI AWF proxy"
+ // Codex requires model provider env_key to exist, even when AWF apiProxy holds the
+ // real upstream credentials outside the agent container.
+ codexOpenAIProxyEnvVarName = "GH_AW_OPENAI_PROXY_TOKEN"
+ codexOpenAIProxyEnvVarDefault = "awf-openai-proxy"
 )
 
 // RenderMCPConfig generates MCP server configuration for Codex
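Review bot: The comment on the new constants in codex_mcp.go explains why the variable must exist but not the invariant a maintainer needs: the value is a fixed string committed to the repository, so it cannot serve as authentication. Codex presumably sends it to the proxy as the provider API key, so the proxy has to rely on network placement, not on this value, to decide who may use it. I would add `// The value is a public placeholder; the proxy must never accept it as proof of identity.` and consider renaming `codexOpenAIProxyEnvVarDefault` to `codexOpenAIProxyEnvVarPlaceholder`, since nothing in the hunk shows a way to override a default.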
@@ -165,7 +169,7 @@ func (e *CodexEngine) renderOpenAIProxyProviderToml(yaml *strings.Builder, inden
 yaml.WriteString(indent + "[model_providers." + codexOpenAIProxyProviderID + "]\n")
 yaml.WriteString(indent + "name = \"" + codexOpenAIProxyProviderName + "\"\n")
 yaml.WriteString(indent + "base_url = \"" + e.getOpenAIProxyProviderBaseURL() + "\"\n")
- yaml.WriteString(indent + "env_key = \"OPENAI_API_KEY\"\n")
+ yaml.WriteString(indent + "env_key = \"" + codexOpenAIProxyEnvVarName + "\"\n")
 yaml.WriteString(indent + "supports_websockets = false\n")
 }
 
diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden
index 1026ac7f8f9..6b4384c3781 100644
--- a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden
@@ -455,7 +455,7 @@ jobs:
 [model_providers.openai-proxy]
 name = "OpenAI AWF proxy"
 base_url = "http://172.30.0.30:10000"
- env_key = "OPENAI_API_KEY"
+ env_key = "GH_AW_OPENAI_PROXY_TOKEN"
 supports_websockets = false
 [shell_environment_policy]
 inherit = "core"
@@ -500,6 +500,7 @@ jobs:
 CODEX_HOME: /tmp/gh-aw/mcp-config
 GH_AW_MCP_CONFIG: ${{ runner.temp }}/gh-aw/mcp-config/config.toml
 GH_AW_MODEL_DETECTION_CODEX: ${{ vars.GH_AW_MODEL_DETECTION_CODEX || '' }}
+ GH_AW_OPENAI_PROXY_TOKEN: awf-openai-proxy
 GH_AW_PHASE: agent
 GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
 GH_AW_VERSION: dev
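Review bot: The `env_key` write in renderOpenAIProxyProviderToml (the codex_mcp.go hunk at the start of this line) has no comment telling a maintainer that the variable it names must stay a placeholder. The test expectation and golden file in this patch render `base_url` with an `http://` scheme, so whatever value that variable holds is presumably sent to the proxy without transport encryption. A one-line comment above the write would record that: `// env_key must name a non-secret placeholder: base_url is plain http, so the value is sent unencrypted.` The function starts outside the hunk.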