Run Codex in CI without a login prompt
exec & automation
// what it does
In CI, authenticate once by piping a key into codex login --with-api-key, then run codex exec. --skip-git-repo-check lets it run outside a git repo, and you set --sandbox explicitly because exec is read-only by default. For GitHub Actions, the official openai/codex-action handles credentials for you.
// shell
$ printenv OPENAI_API_KEY | codex login --with-api-key$ codex exec --skip-git-repo-check --sandbox workspace-write "apply the codemod"// gotcha
exec refuses to run in a non-git directory unless you pass --skip-git-repo-check. Keep API keys in CI secrets, and prefer a read-only job that proposes changes over one holding both write access and your key.