From 1147846bb7f1f1af628d0430392325ca7d07e498 Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Fri, 13 Feb 2026 04:52:31 +0000
Subject: [PATCH 1/2] Initial plan

From 084d1ddc620cf35ee92ce0dba068815ac916097e Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Fri, 13 Feb 2026 04:56:08 +0000
Subject: [PATCH 2/2] fix(ci): remove API keys from agent env when api-proxy is enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When api-proxy is enabled (indicated by BASE_URL environment variables), API keys should NOT be exposed to the agent container for security. The api-proxy sidecar holds the credentials and injects auth headers.

Previously, the workflow was passing both:
- CODEX_API_KEY and OPENAI_API_KEY (should NOT be in agent env)
- OPENAI_BASE_URL and ANTHROPIC_BASE_URL (should be in agent env)

This defeated the security isolation provided by api-proxy.

Changes:
- Removed CODEX_API_KEY and OPENAI_API_KEY from agent environment block
- Kept OPENAI_BASE_URL and ANTHROPIC_BASE_URL for routing to api-proxy
- The awf CLI still receives keys via `sudo -E` and `--env-all`
- awf passes keys only to api-proxy container, not agent container

Security model:
- awf reads keys from host environment (process.env)
- awf passes keys only to api-proxy sidecar (src/docker-manager.ts:908-909)
- Agent only receives BASE_URL variables (src/docker-manager.ts:948-955)
- api-proxy injects auth headers and routes through Squid

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
 .github/workflows/smoke-codex.lock.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index 57b2d8d5..a9323e45 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -1376,7 +1376,6 @@ jobs:
 -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" && codex ${GH_AW_MODEL_AGENT_CODEX:+-c model="$GH_AW_MODEL_AGENT_CODEX" }exec --dangerously-bypass-approvals-and-sandbox --skip-git-repo-check "$INSTRUCTION"' \
 2>&1 | tee /tmp/gh-aw/agent-stdio.log
 env:
- CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}
 CODEX_HOME: /tmp/gh-aw/mcp-config
 GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml
 GH_AW_MODEL_AGENT_CODEX: ${{ vars.GH_AW_MODEL_AGENT_CODEX || '' }}
@@ -1384,7 +1383,6 @@ jobs:
 GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }}
 GH_DEBUG: 1
 GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
- OPENAI_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}
 OPENAI_BASE_URL: http://api-proxy:10000
 ANTHROPIC_BASE_URL: http://api-proxy:10001
 RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug
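Review bot: Dropping `CODEX_API_KEY` and `OPENAI_API_KEY` from this step's `env:` block also removes them from the process environment that `sudo -E` preserves, so unless a job- or workflow-level `env:` outside these hunks still sets them, the awf CLI (invoked on the line before `-- /bin/bash`, outside the hunk) has no credential to hand to the api-proxy sidecar and every model request will fail auth rather than be isolated; confirm where the keys now come from before merging. The file also looks like a compiled `.lock.yml`; if it is regenerated from a source workflow, the same change has to land in the generator or the keys return on the next compile. Codex may additionally insist on some value in `OPENAI_API_KEY` even when `OPENAI_BASE_URL` points at the proxy; if so, a non-secret placeholder such as `OPENAI_API_KEY: proxy-managed` keeps the client starting without exposing the real key. A smoke assertion that the agent container's environment contains neither key variable would stop this regression from silently coming back.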