CDX-301c · Module 1
GitHub Actions Setup & Authentication
4 min read
Running Codex in GitHub Actions requires three things: the Codex CLI installed in the runner, an OPENAI_API_KEY stored as a repository secret, and an AGENTS.md tuned for headless execution. The CLI installs via npm in seconds. The API key should be scoped to a service account with spending limits — never use a personal key in CI, because automated triggers can burn through budgets faster than any human. The AGENTS.md for CI should be stricter than your development config: no interactive prompts, no exploratory behavior, and explicit output format requirements.
Authentication in CI uses the OPENAI_API_KEY environment variable, just like local development. But CI introduces new considerations: key rotation (rotate every 90 days, automated via GitHub Actions secrets), spending limits (set per-key limits in the OpenAI dashboard), and audit trails (every CI run should log which key was used, though not the key itself). For organizations with multiple repos, a centralized key management system (HashiCorp Vault, AWS Secrets Manager) is better than per-repo GitHub secrets.
```yaml
name: Codex CI Pipeline

on:
  pull_request:
    types: [opened, synchronize]
  push:
    branches: [main]

# A workflow-level env block exposes the key to every job and step below;
# scope it to the steps that actually invoke Codex if other steps run
# third-party or untrusted code.
env:
  OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
  CODEX_PROFILE: ci

jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      # Pin an explicit version (npm install -g @openai/codex@<version>) so CI
      # runs are reproducible and CLI upgrades are a deliberate change.
      - run: npm install -g @openai/codex
      - name: Verify Codex installation
        run: codex --version
      - name: Verify API key
        run: |
          if [ -z "$OPENAI_API_KEY" ]; then
            echo "ERROR: OPENAI_API_KEY not set"
            exit 1
          fi
          echo "API key configured (length: ${#OPENAI_API_KEY})"
```
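The verify step above only proves the secret is non-empty, while the authentication paragraph also asks for an audit trail that records which key a run used without logging the key itself. The POSIX shell script below is an added example, not code from the course or from the Codex project: it fails closed when the key is missing or is an obvious placeholder, asks the Actions runner to mask the value, and writes a short SHA-256 fingerprint of the key to the log and the job summary. The minimum-length threshold and the log line format are assumptions of this example; the `::add-mask::` command and the `GITHUB_ACTIONS` and `GITHUB_STEP_SUMMARY` variables are standard GitHub Actions features.

```shell
#!/bin/sh
# Added example: CI preflight for the Codex API key (not the course's or the
# Codex project's code). Fails closed without the key, masks it in Actions
# logs, and records a non-reversible fingerprint for the run's audit trail.
set -eu

# Short SHA-256 fingerprint of a secret: enough to tell keys apart in an
# audit log, not enough to recover the key. Falls back to shasum where
# sha256sum is absent (e.g. macOS runners).
key_fingerprint() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -c1-12
  else
    printf '%s' "$1" | shasum -a 256 | cut -c1-12
  fi
}

# Validate that a key is present and not an obvious placeholder.
# Prints nothing sensitive. Returns 1 on failure so `set -e` stops the job.
check_api_key() {
  key="${1:-}"
  if [ -z "$key" ]; then
    echo "ERROR: OPENAI_API_KEY not set" >&2
    return 1
  fi
  # Assumed threshold: real keys are much longer; this catches values like "x"
  # left behind by a mis-set repository secret.
  if [ "${#key}" -lt 20 ]; then
    echo "ERROR: OPENAI_API_KEY looks like a placeholder (length ${#key})" >&2
    return 1
  fi
  return 0
}

# Record which key was used. On a GitHub runner "::add-mask::" redacts the
# raw value from any later output; elsewhere it is just a harmless log line.
log_key_usage() {
  key="$1"
  fp="$(key_fingerprint "$key")"
  echo "::add-mask::${key}"
  echo "codex-ci: OPENAI_API_KEY fingerprint=${fp} length=${#key}"
  if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
    echo "- OPENAI_API_KEY fingerprint: ${fp}" >> "$GITHUB_STEP_SUMMARY"
  fi
}

# Full preflight: abort the job on a bad key, otherwise log the fingerprint.
preflight() {
  check_api_key "${OPENAI_API_KEY:-}"
  log_key_usage "$OPENAI_API_KEY"
}

# Run the preflight only on a GitHub runner (which sets GITHUB_ACTIONS=true);
# when sourced locally the functions are defined without side effects.
if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
  preflight
fi
```

Commit it as, for example, scripts/codex-preflight.sh (an assumed path) and call it from the "Verify API key" step. Because the fingerprint changes whenever the secret is rotated, the job summary doubles as a cheap check that the 90-day rotation actually reached every repository that uses the key.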
1. Create a service account key. Generate a dedicated OpenAI API key for CI. Set a monthly spending limit that matches your expected CI usage plus a 50% buffer.
2. Configure the workflow. Create .github/workflows/codex-ci.yml with checkout, Node.js setup, Codex installation, and API key verification steps.
3. Test with a dry run. Push a test PR that triggers the workflow. Verify that Codex runs, produces output, and the job completes within your timeout limit.