Run Codex in CI without a login prompt

exec & automation

// what it does

In CI, authenticate once by piping a key into codex login --with-api-key, then run codex exec. --skip-git-repo-check lets it run outside a git repo, and you set --sandbox explicitly because exec is read-only by default. For GitHub Actions, the official openai/codex-action handles credentials for you.

// shell

$ printenv OPENAI_API_KEY | codex login --with-api-key
$ codex exec --skip-git-repo-check --sandbox workspace-write "apply the codemod"

// gotcha

exec refuses to run in a non-git directory unless you pass --skip-git-repo-check. Keep API keys in CI secrets, and prefer a read-only job that proposes changes over one holding both write access and your key.

// resources