fix(integration): install codex CLI + isolate codex auth from the deepseek judge#808
Merged
Merged
Conversation
…eepseek judge The first full L3 run on #803 reached review-pack but failed: "codex binary not found" (the codex CLI was never installed) and, underneath, the codex auth was clobbered to DeepSeek by the per-rollout judge's OPENAI_* exports. - Install `@openai/codex@0.141.0` in both review-pack jobs (L2 advisory, L3 required) before the codex step; continue-on-error so a failed install still reaches the codex step's fail-closed verdict path. - codex_review.py: new `_codex_env` isolates the host `codex exec` (Pass 2) — it uses the REAL OpenAI key via CODEX_API_KEY and drops the DeepSeek OPENAI_BASE_URL (default OpenAI endpoint), while the Pass-1 deepseek judge keeps the original env. Workflows pass `CODEX_API_KEY: ${{ secrets.OPENAI_API_KEY }}` (L2 also drops its OPENAI_API_KEY override, which had paired the real key with the deepseek base). Plan ✓, all 10 rollouts ✓, deterministic grader ✓ on the prior run; this closes the last gap (codex). Regression test added for _codex_env.
Yiminnn
temporarily deployed
to
pypi-internal-preview
GitHub Actions
Inactive
Contributor
Greptile SummaryThis PR fixes two root causes that prevented codex from completing during L3 review-pack runs: the codex CLI was never installed, and the
Confidence Score: 4/5Safe to merge; the auth-isolation logic is correct and well-tested, and both workflow files apply the fix consistently. The
Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant WF as GitHub Actions Job
participant PS as provider-select
participant CR as codex_review.py
participant DS as DeepSeek Judge (Pass 1)
participant CX as codex exec (Pass 2)
WF->>PS: run provider-select
PS-->>WF: "writes OPENAI_API_KEY=ds-key,<br/>OPENAI_BASE_URL=deepseek to $GITHUB_ENV"
WF->>WF: "inject CODEX_API_KEY=secrets.OPENAI_API_KEY (step env)"
WF->>CR: "uv run codex_review.py (env includes DeepSeek OPENAI_*<br/>+ CODEX_API_KEY=real-key)"
CR->>DS: "run_deepseek_findings(env)<br/>(uses original env — DeepSeek OPENAI_API_KEY + BASE_URL)"
DS-->>CR: per-rollout findings
CR->>CR: "codex_env = _codex_env(env)<br/>→ OPENAI_API_KEY=real-key, OPENAI_BASE_URL dropped"
CR->>CR: "write_codex_auth(codex_env)<br/>→ auth.json with real OpenAI key"
CR->>CX: "subprocess.run(codex exec, env=codex_env)"
CX-->>CR: verdict output
CR-->>WF: final_verdict
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant WF as GitHub Actions Job
participant PS as provider-select
participant CR as codex_review.py
participant DS as DeepSeek Judge (Pass 1)
participant CX as codex exec (Pass 2)
WF->>PS: run provider-select
PS-->>WF: "writes OPENAI_API_KEY=ds-key,<br/>OPENAI_BASE_URL=deepseek to $GITHUB_ENV"
WF->>WF: "inject CODEX_API_KEY=secrets.OPENAI_API_KEY (step env)"
WF->>CR: "uv run codex_review.py (env includes DeepSeek OPENAI_*<br/>+ CODEX_API_KEY=real-key)"
CR->>DS: "run_deepseek_findings(env)<br/>(uses original env — DeepSeek OPENAI_API_KEY + BASE_URL)"
DS-->>CR: per-rollout findings
CR->>CR: "codex_env = _codex_env(env)<br/>→ OPENAI_API_KEY=real-key, OPENAI_BASE_URL dropped"
CR->>CR: "write_codex_auth(codex_env)<br/>→ auth.json with real OpenAI key"
CR->>CX: "subprocess.run(codex exec, env=codex_env)"
CX-->>CR: verdict output
CR-->>WF: final_verdict
Reviews (1): Last reviewed commit: "fix(integration): install the codex CLI ..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Comment on lines
+276
to
+281
| out = dict(env) | ||
| codex_key = env.get("CODEX_API_KEY") | ||
| if codex_key: | ||
| out["OPENAI_API_KEY"] = codex_key | ||
| out.pop("OPENAI_BASE_URL", None) | ||
| return out |
Contributor
There was a problem hiding this comment.
CODEX_API_KEY is not removed from the returned dict, so it is passed verbatim to the codex exec subprocess via run_codex_verdict. The current @openai/codex CLI relies on OPENAI_API_KEY and ignores CODEX_API_KEY, but if a future codex version interprets CODEX_API_KEY — which is a plausible variable name to adopt — the duplicate entry could override intended behaviour. Popping it keeps the subprocess env clean and consistent with the doc-comment intent of "isolated from the judge".
Suggested change
| out = dict(env) | |
| codex_key = env.get("CODEX_API_KEY") | |
| if codex_key: | |
| out["OPENAI_API_KEY"] = codex_key | |
| out.pop("OPENAI_BASE_URL", None) | |
| return out | |
| out = dict(env) | |
| codex_key = env.get("CODEX_API_KEY") | |
| if codex_key: | |
| out["OPENAI_API_KEY"] = codex_key | |
| out.pop("OPENAI_BASE_URL", None) | |
| out.pop("CODEX_API_KEY", None) | |
| return out |
This was referenced Jun 19, 2026
fix(integration): codex reviewer on gpt-5.5 (xhigh) + evidence serialization + R-OUTCOME demote
#810
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Third follow-up to #806/#807 to get the full L3 review green. The first full run on #803 reached
review-packwith plan ✓ + all 10 rollouts ✓ + deterministic grader ✓ — only codex failed.Root causes
codex binary not found: 'codex'— the review-pack job never installed the codex CLI.provider-selectexportsOPENAI_*=DeepSeek for the cheap Pass-1 judge;codex_review.pythen wrote the codexauth.jsonfrom that key and rancodex execagainst the DeepSeek base.Fix
@openai/codex@0.141.0in both review-pack jobs (L2 advisory, L3 required),continue-on-errorso a failed install still hits codex's fail-closed verdict._codex_envin codex_review.py isolates the hostcodex exec: real OpenAI key viaCODEX_API_KEY+ DeepSeekOPENAI_BASE_URLdropped (default OpenAI endpoint). The Pass-1 deepseek judge keeps the original env. Workflows passCODEX_API_KEY: secrets.OPENAI_API_KEY(L2 also drops itsOPENAI_API_KEYoverride, which paired the real key with the deepseek base).Test plan
_codex_envunit test (real-key isolation + backward-compat) green