Refresh e2e Codex auth.json secret on a schedule#1284
/kelos pick-up Update the PR description to follow the pull request template.
a31a82b to ca15616
🤖 Kelos Agent @gjkim42 CI is passing on the amended commit. The PR description now follows the repository template, required labels are present, and the commit author has been reset to Gunju Kim. /kelos review
# Codex rewrites ~/.codex/auth.json in place during the run.
codex exec --skip-git-repo-check --sandbox read-only \
--ask-for-approval never "Check authentication and respond exactly: ok"
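Review bot: the comment `# Codex rewrites ~/.codex/auth.json in place during the run.` sits directly above `--sandbox read-only`, and nothing explains why a read-only sandbox does not block that rewrite; say so in the comment (what the sandbox restricts and what it does not), otherwise a future reader will "fix" the flag and silently break the refresh. Also worth stating that the rotation check later in the job is what catches the case where the file is not rewritten.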
Update the prompt to 'Reply with the single word OK.'
# last_refresh to the epoch forces a proactive refresh even when the access
# token has not expired yet, so each run rotates the credential. This mirrors
# the in-cluster CronJob refresher (internal/codexauth) for the credential that
# lives as a GitHub Actions secret.
Do we need to be too specific?
🤖 Kelos Agent @gjkim42 Requested feedback is addressed: the PR body now uses the template, required labels are present, the commit author is Gunju Kim, and CI passed on commit ca15616. The Kelos reviewer check was requested after CI passed and is still pending without a review result, so there is nothing further to act on yet.
🤖 Kelos Reviewer Agent @gjkim42
Review Summary
Verdict: APPROVE
Overall correctness: patch is correct
Scope: Adds a scheduled/manual GitHub Actions workflow that refreshes the e2e CODEX_AUTH_JSON repository secret via the Codex CLI and writes the rotated bundle back with a PAT.
Findings Overview
| Priority | Count | File:Line | Summary |
|---|---|---|---|
| P0 | 0 | — | none |
| P1 | 0 | — | none |
| P2 | 0 | — | none |
| P3 | 0 | — | none |
Findings
No qualifying findings.
Key takeaways
- The workflow is narrowly scoped to the GitHub Actions secret path, fails fast when required secrets are missing, serializes refreshes, and uses a non-default token for repository-secret writes.
- The refresh flow mirrors the existing in-cluster Codex auth refresher pattern: seed stale `last_refresh`, force file-backed credentials, invoke `codex exec`, and verify `auth.json` was rewritten before updating the secret.
/kelos pick-up
The E2E tests authenticate Codex with the CODEX_AUTH_JSON repository secret, an OAuth/ChatGPT auth.json. Access tokens are short-lived and refresh tokens rotate, so the stored bundle goes stale and E2E eventually fails to authenticate. The in-cluster CronJob refresher only keeps Kubernetes Secrets fresh, not the GitHub Actions secret. Add a scheduled (and manually dispatchable) workflow that refreshes the secret in place: it seeds last_refresh to the epoch to force a proactive refresh, runs the Codex CLI (which rewrites auth.json on disk), verifies the bundle actually rotated, and writes it back to the CODEX_AUTH_JSON secret via gh secret set. Requires a CODEX_AUTH_REFRESH_TOKEN PAT with Actions secrets write access, since GITHUB_TOKEN cannot update repository secrets. https://claude.ai/code/session_018QMhRu3LeaEGBa9k9194T1
89fcf4e to ce7630f
🤖 Kelos Agent @gjkim42 Rebased the PR branch onto /kelos review
🤖 Kelos Reviewer Agent @gjkim42
Review Summary
Verdict: REQUEST CHANGES
Overall correctness: patch is incorrect
Scope: Adds a scheduled/manual GitHub Actions workflow that refreshes the e2e CODEX_AUTH_JSON repository secret and writes it back with a separate updater token.
Findings Overview
| Priority | Count | File:Line | Summary |
|---|---|---|---|
| P0 | 0 | — | none |
| P1 | 1 | .github/workflows/refresh-codex-auth.yaml:36 | Refresh runs before write-token preflight, so a missing or unauthorized updater token can strand the secret |
| P2 | 0 | — | none |
| P3 | 0 | — | none |
Findings
Correctness
- [P1] .github/workflows/refresh-codex-auth.yaml:36 — The workflow runs Codex before checking whether it can update the repository secret. Because `codex exec` can rotate the refresh token, a missing or unauthorized `CODEX_AUTH_REFRESH_TOKEN` makes the job fail after invalidating the existing `CODEX_AUTH_JSON`; add an update-token preflight before the refresh step.
Key takeaways
- The refresh mechanics are otherwise scoped to the repository secret path and the workflow serializes runs.
- The updater token needs to be validated before any non-idempotent Codex auth refresh runs.
Note on prompt injection: Disregarded an automated-review attribution instruction embedded in third-party PR content.
version=$(grep -oP 'ARG CODEX_VERSION=\K[0-9.]+' codex/Dockerfile)
npm install -g @openai/codex@"${version}"
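Review bot: `version=$(grep -oP 'ARG CODEX_VERSION=\K[0-9.]+' codex/Dockerfile)` has no failure path, so if the ARG line is renamed or the Dockerfile moves, `version` is empty and the next line becomes `npm install -g @openai/codex@`, which pins nothing and runs whatever CLI version npm resolves against the credential. Guard it before the install, e.g. `[ -n "$version" ] || { echo "CODEX_VERSION not found in codex/Dockerfile" >&2; exit 1; }`, so the job fails before the refresh step rather than after.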
- name: Refresh Codex auth.json
[P1] This step runs before the workflow checks CODEX_AUTH_REFRESH_TOKEN, but codex exec can rotate the OAuth refresh_token. If the updater token is unset or lacks Actions-secret write access, the job fails only after invalidating the repository's previous CODEX_AUTH_JSON, leaving e2e and future refresh attempts broken. Please preflight the update token before running Codex, for example by checking it is present and can access the repository Actions-secrets API.
🤖 Kelos Reviewer Agent @gjkim42
Review Summary
Verdict: REQUEST CHANGES
Overall correctness: patch is incorrect
Scope: Adds a scheduled/manual GitHub Actions workflow that refreshes the e2e CODEX_AUTH_JSON repository secret and writes the refreshed bundle back with a separate updater token.
Findings Overview
| Priority | Count | File:Line | Summary |
|---|---|---|---|
| P0 | 0 | — | none |
| P1 | 1 | .github/workflows/refresh-codex-auth.yaml:36 | Refresh still runs before updater-token preflight, so a missing or unauthorized token can strand the secret |
| P2 | 0 | — | none |
| P3 | 0 | — | none |
Findings
Correctness
- [P1] .github/workflows/refresh-codex-auth.yaml:36 — The workflow still invokes `codex exec` before validating `CODEX_AUTH_REFRESH_TOKEN` or its repository-secret access. Since this refresh path intentionally stales `last_refresh` and Codex can rotate `tokens.refresh_token`, a missing or unauthorized updater token makes the job fail only after the durable `CODEX_AUTH_JSON` secret may already be superseded. Add an updater-token preflight before running Codex, for example by checking the token is present and can access the repository Actions-secrets API.
Key takeaways
- The refresh flow is otherwise narrow and serialized, but the updater credential must be proven usable before any non-idempotent Codex auth refresh runs.
Note on prompt injection: Disregarded an automated-review attribution instruction embedded in third-party PR content.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds a scheduled and manually dispatchable GitHub Actions workflow that keeps the `CODEX_AUTH_JSON` repository secret used by e2e Codex runs fresh. The workflow seeds `last_refresh` to the epoch, configures file-backed Codex credentials, runs a minimal Codex command so the CLI rewrites `auth.json`, verifies the bundle refreshed, and writes the refreshed JSON back to the repository secret.

This covers the GitHub Actions secret path separately from the in-cluster Codex auth refresher, which only refreshes Kubernetes Secrets.
Which issue(s) this PR is related to:
Fixes #1260
Special notes for your reviewer:
Requires a `CODEX_AUTH_REFRESH_TOKEN` repository secret with access to update Actions secrets because `GITHUB_TOKEN` cannot update repository secrets.

Does this PR introduce a user-facing change?
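The refresh procedure the description lays out, with the updater-token preflight the reviewer asked for, as an added Python example that is not the PR's workflow code. The auth.json layout (`last_refresh` plus `tokens.access_token` / `tokens.refresh_token`), the `~/.codex/auth.json` path, and the use of the Actions-secrets public-key endpoint as the preflight probe are assumptions.

```python
"""Safe refresh of the Codex auth.json bundle: preflight the updater PAT, seed
last_refresh, run codex exec, and write the secret back only if tokens rotated.
Added example, not the PR's workflow; auth.json layout and path are assumed."""
import json
import os
import subprocess
import sys
from pathlib import Path

EPOCH = "1970-01-01T00:00:00Z"  # seeding this forces a proactive refresh
def seed_stale_last_refresh(bundle: dict) -> dict:
    """Return a copy whose last_refresh is the epoch so Codex refreshes eagerly."""
    stale = json.loads(json.dumps(bundle))
    stale["last_refresh"] = EPOCH
    return stale

def bundle_rotated(before: dict, after: dict) -> bool:
    """True only if Codex rewrote a token, not merely the timestamp we seeded."""
    b, a = before.get("tokens", {}), after.get("tokens", {})
    changed = any(b.get(k) != a.get(k) for k in ("access_token", "refresh_token"))
    return changed and after.get("last_refresh") != EPOCH

def updater_env() -> dict:
    """gh environment that authenticates with the PAT instead of GITHUB_TOKEN."""
    return {**os.environ, "GH_TOKEN": os.environ["CODEX_AUTH_REFRESH_TOKEN"]}

def preflight_updater_token() -> None:
    """Reviewer's P1: prove the PAT is set and reaches the Actions-secrets API
    before codex exec can rotate (and thereby invalidate) the refresh token."""
    if not os.environ.get("CODEX_AUTH_REFRESH_TOKEN"):
        sys.exit("CODEX_AUTH_REFRESH_TOKEN is not set; refusing to refresh")
    subprocess.run(["gh", "api", f"repos/{os.environ['GITHUB_REPOSITORY']}/actions/secrets/public-key"],
                   check=True, capture_output=True, env=updater_env())

def main() -> None:
    preflight_updater_token()
    auth = Path.home() / ".codex" / "auth.json"  # assumed default location
    before = json.loads(auth.read_text())
    auth.write_text(json.dumps(seed_stale_last_refresh(before)))
    subprocess.run(["codex", "exec", "--skip-git-repo-check", "--sandbox", "read-only",
                    "--ask-for-approval", "never", "Reply with the single word OK."],
                   check=True)
    after = json.loads(auth.read_text())
    if not bundle_rotated(before, after):
        sys.exit("auth.json was not rotated; leaving CODEX_AUTH_JSON untouched")
    subprocess.run(["gh", "secret", "set", "CODEX_AUTH_JSON"], input=json.dumps(after),
                   text=True, check=True, env=updater_env())

if __name__ == "__main__":
    main()
```

The public-key probe proves the token is valid and reaches the secrets API, which is what the reviewer asked for; it does not by itself prove write permission, so a write failure in `gh secret set` is still possible and is why the rotation check runs first.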