github · Copilot · May 22, 2026 · May 22, 2026
diff --git a/pkg/workflow/codex_engine.go b/pkg/workflow/codex_engine.go
@@ -342,6 +342,8 @@ mkdir -p "$CODEX_HOME/logs"
 		"GH_AW_GITHUB_TOKEN":           effectiveGitHubToken,
 		"GITHUB_PERSONAL_ACCESS_TOKEN": effectiveGitHubToken,                                     // Used by GitHub MCP server via env_vars
 		"OPENAI_API_KEY":               "${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}", // Fallback for CODEX_API_KEY
+		// Non-secret token required by Codex openai-proxy provider env_key check.
+		codexOpenAIProxyEnvVarName: codexOpenAIProxyEnvVarDefault,
 	}
 	injectWorkflowCallNetworkAllowedEnv(env, workflowData)
 	// Indicate the phase: "agent" for the main run, "detection" for threat detection

diff --git a/pkg/workflow/codex_engine_test.go b/pkg/workflow/codex_engine_test.go
@@ -103,6 +103,9 @@ func TestCodexEngine(t *testing.T) {
 	if !strings.Contains(stepContent, "CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}") {
 		t.Errorf("Expected CODEX_API_KEY environment variable in step content:\n%s", stepContent)
 	}
+	if !strings.Contains(stepContent, "GH_AW_OPENAI_PROXY_TOKEN: awf-openai-proxy") {
+		t.Errorf("Expected GH_AW_OPENAI_PROXY_TOKEN environment variable in step content:\n%s", stepContent)
+	}
 }
 
 func TestCodexEngineWithVersion(t *testing.T) {
@@ -344,7 +347,7 @@ func TestCodexEngineRenderMCPConfigOpenAIProxyProvider(t *testing.T) {
 			"[model_providers.openai-proxy]",
 			"name = \"OpenAI AWF proxy\"",
 			fmt.Sprintf("base_url = \"http://%s:%d\"", constants.AWFAPIProxyContainerIP, constants.ClaudeLLMGatewayPort),
-			"env_key = \"OPENAI_API_KEY\"",
+			"env_key = \"GH_AW_OPENAI_PROXY_TOKEN\"",
 			"supports_websockets = false",
 		}
 

diff --git a/pkg/workflow/codex_mcp.go b/pkg/workflow/codex_mcp.go
@@ -15,6 +15,10 @@ var codexMCPLog = logger.New("workflow:codex_mcp")
 const (
 	codexOpenAIProxyProviderID   = "openai-proxy"
 	codexOpenAIProxyProviderName = "OpenAI AWF proxy"
+	// Codex requires model provider env_key to exist, even when AWF apiProxy holds the
+	// real upstream credentials outside the agent container.
+	codexOpenAIProxyEnvVarName    = "GH_AW_OPENAI_PROXY_TOKEN"
+	codexOpenAIProxyEnvVarDefault = "awf-openai-proxy"
 )
 
 // RenderMCPConfig generates MCP server configuration for Codex
@@ -165,7 +169,7 @@ func (e *CodexEngine) renderOpenAIProxyProviderToml(yaml *strings.Builder, inden
 	yaml.WriteString(indent + "[model_providers." + codexOpenAIProxyProviderID + "]\n")
 	yaml.WriteString(indent + "name = \"" + codexOpenAIProxyProviderName + "\"\n")
 	yaml.WriteString(indent + "base_url = \"" + e.getOpenAIProxyProviderBaseURL() + "\"\n")
-	yaml.WriteString(indent + "env_key = \"OPENAI_API_KEY\"\n")
+	yaml.WriteString(indent + "env_key = \"" + codexOpenAIProxyEnvVarName + "\"\n")
 	yaml.WriteString(indent + "supports_websockets = false\n")
 }
 

diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden
@@ -455,7 +455,7 @@ jobs:
           [model_providers.openai-proxy]
           name = "OpenAI AWF proxy"
           base_url = "http://172.30.0.30:10000"
-          env_key = "OPENAI_API_KEY"
+          env_key = "GH_AW_OPENAI_PROXY_TOKEN"
           supports_websockets = false
           [shell_environment_policy]
           inherit = "core"
@@ -500,6 +500,7 @@ jobs:
           CODEX_HOME: /tmp/gh-aw/mcp-config
           GH_AW_MCP_CONFIG: ${{ runner.temp }}/gh-aw/mcp-config/config.toml
           GH_AW_MODEL_DETECTION_CODEX: ${{ vars.GH_AW_MODEL_DETECTION_CODEX || '' }}
+          GH_AW_OPENAI_PROXY_TOKEN: awf-openai-proxy
           GH_AW_PHASE: agent
           GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
           GH_AW_VERSION: dev