Conversation
… is specified Fixes issue where Codex used web search even when web-search tool was not included in the workflow tools section. Codex CLI enables web search by default, so --no-search must be explicitly passed to disable it. Also fixed a latent spacing bug where the search flag was concatenated directly to 'exec' without a space separator. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix Codex ability to use web search without tools
Disable Codex web search by default; enable only when Mar 12, 2026
web-search tool is configured
pelikhan
approved these changes
Mar 12, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR disables Codex CLI web search by default across generated execution steps and workflow lockfiles, only enabling it when the web-search tool is explicitly configured.
Changes:
- Update Codex engine execution command generation to pass
--no-searchby default and--searchonly whenweb-searchis present. - Add unit tests validating the presence/absence of
--no-search/--searchflags. - Update multiple GitHub Actions workflow lockfiles to include
--no-searchin Codex invocations.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/codex_engine.go | Default Codex executions to --no-search, conditionally enable --search when the web-search tool is configured. |
| pkg/workflow/codex_engine_test.go | Add tests to assert correct web search flag behavior in generated execution steps. |
| .github/workflows/smoke-codex.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/smoke-agent.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/issue-arborist.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/duplicate-code-detector.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/deep-report.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/daily-observability-report.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/daily-issues-report.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/daily-fact.lock.yml | Add --no-search to Codex exec invocations in locked workflow. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Add --no-search to Codex exec invocation in locked workflow. |
| .github/workflows/changeset.lock.yml | Add --no-search to Codex exec invocation in locked workflow. |
| .github/workflows/ai-moderator.lock.yml | Add --no-search to Codex exec invocation in locked workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
github-actions bot
added a commit
that referenced
this pull request
Mar 12, 2026
- Add add-wizard command to CLI reference with --skip-secret flag (#20598) - Document that Codex web-search is disabled by default (#20607) - Clarify that draft is a configuration policy in create-pull-request (#20608) - Document compile-time warnings for push-to-pull-request-branch with target: "*" (#20580) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This was referenced Mar 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Codex CLI enables web search by default, so workflows without
tools: web-search:could still perform web searches. This explicitly passes--no-searchunlessweb-searchis configured.Changes
pkg/workflow/codex_engine.go: DefaultwebSearchParamchanged from""to" --no-search"; only passes" --search"whenweb-searchtool is present. Also fixes a latent spacing bug where the flag was concatenated directly ontoexec(e.g.,exec--search→exec --search).pkg/workflow/codex_engine_test.go: AddedTestCodexEngineWebSearchcovering both the default-disabled and explicitly-enabled cases.--no-searchby default.Before / After
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
developers.openai.com/home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js(dns block)https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name /usr/bin/git g_.a GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git MrA09C0s6 GO111MODULE 0/x64/bin/node git(http block)/usr/bin/gh gh repo view owner/repo rev-�� --show-toplevel go /usr/bin/git 5441-28127/test-git GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel ache/go/1.25.0/xGO111MODULE /usr/bin/git 7271034/b374/_pkgit GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/unpigz SH99/9ghqtkJWjf6git GO111MODULE 64/bin/go /usr/bin/unpigz(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha runs/20260311-235441-28127/test-4168370378/.github/workflows GO111MODULE 5400966/b369/vet.cfg l GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha user.name Test User /usr/bin/git che/go-build/a1/git GOPROXY 64/bin/go git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/xGO111MODULE /usr/bin/git /tmp/go-build357git -trimpath 64/bin/go /usr/bin/git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel -tests /tmp/go-build3145400966/b413/repoutil.test b7505c45f80cd646git GO111MODULE 64/bin/go /tmp/go-build3145400966/b413/repoutil.test -tes�� -test.paniconexit0(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/gh-aw-test-runs/20260311-235441-28127/test-4116172278/.github/workflows rev-parse /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link g/sliceutil/slicgit g/sliceutil/slicrev-parse 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link -o /tmp/go-build3145400966/b422/styles.test -importcfg(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel go /usr/bin/git e-analyzer.md GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3145400966/b389/importcfg -pack /tmp/go-build3145400966/b389/_testmain.go env 7271034/b356/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/pkg/styles/theme.go(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/gh-aw-test-runs/20260311-235441-28127/test-3137468715/.github/workflows rev-parse /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile g/mathutil/mathugit g/mathutil/mathurev-parse 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build3145400966/b418/_pkg_.a -trimpath /usr/bin/git -p github.com/githurev-parse -lang=go1.25 git(http block)https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha user.name Test User(http block)/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha g_.a --conditions p/bin/git --experimental-ibasename --require run-script/lib/nalternatives.tar node /hom�� LdFMn28Wv git es/.bin/node --local --get ode-gyp-bin/git /opt/hostedtoolcrev-parse(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE TW/_9TGgVZ8A9Lmei-dz0cL/WkAPKH2k-trimpath(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE erignore env GOPATH); \ if coGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE ; \ fi(http block)https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md/opt/hostedtoolcache/node/24.14.0/x64/bin/node /opt/hostedtoolcache/node/24.14.0/x64/bin/node --conditions node --conditions development --experimental-import-meta-resolve --require /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/dist/workers/forks.js --quiet run-script/lib/n--verify git bran�� -M main 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/git k/gh-aw/gh-aw/acnode h _modules/.bin/git git(http block)https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md/tmp/go-build3145400966/b383/cli.test /tmp/go-build3145400966/b383/cli.test -test.testlogfile=/tmp/go-build3145400966/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go ache�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha user.name Test User ache/node/24.14.0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/git -m Initial commit n-dir/git git tion�� 25d88ac2b6e50eb2c898d19e..full-mode-branch full-mode-branch de_modules/.bin/node -m Auth cleanup basapi k/_temp/ghcca-nographql git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha r.go git n-dir/bash auth-fail.txt git rigin/token-opti--noprofile /opt/hostedtoolcache/node/24.14.name --co�� node --conditions ache/node/24.14.0/x64/bin/node --experimental-i/usr/bin/gh --require /home/REDACTED/worgraphql ache/node/24.14.-f(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE datedAt,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha 7271034/b392/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE b/gh-aw/pkg/envu-### GOMODCACHE go env dTEj/_5zZ7ABo6YP- GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 7271034/b392/impconfig(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha 7271034/b391/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env _1Pw/rKCk66xXAERGOSUMDB GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 7271034/b391/impconfig(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha 7271034/b398/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env tqcm/wUq8SO64fXE-errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 7271034/b398/imprev-parse(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha 7271034/b409/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env dcwK/oo-jD4-M4NJ-errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 7271034/b409/imprev-parse(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha 7271034/b393/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env C5LV/Ccyu-EEz2m--errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 7271034/b393/imp-tests(http block)https://api.github.com/repos/githubnext/agentics/git/ref/tags//usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha -m Initial commit ode_modules/.bin/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnxterm-color auth.txt(http block)/usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --quiet git 64/pkg/tool/linux_amd64/compile ve -- tions/setup/js/n/tmp/go-build2007508655/b001/exe/a.out 64/pkg/tool/linu-importcfg /hom�� ch-that-does-not-buildmode=exe git ache/go/1.25.0/x-s user.email e commit ode-gyp-bin/nodegraphql ache/go/1.25.0/x-f(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 1085686700/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE erignore env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE erignore env tformat GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh workflow list --repo owner/repo --json name,path,state /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build3145400966/b383/cli.test /tmp/go-build3145400966/b383/cli.test -test.testlogfile=/tmp/go-build3145400966/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go ache�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE erignore m/_n�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/test/repo/usr/bin/gh gh api /repos/test/repo --jq .default_branch --show-toplevel go otOrdering2988299521/001/go/1.25.0/x64/bin/go -json GO111MODULE .cfg git rev-�� --show-toplevel go /usr/bin/git auto-triage-issugit GO111MODULE 0/x64/bin/node git(http block)If you need me to access, download, or install something from one of these locations, you can either:
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.