I am unable to inject secrets into my Codex environment.
I am using Go, and have private module dependencies. So, I need to add a GitHub token, so that I can download such dependencies in the environment setup script.
When I go to “Advanced” in the environment configuration I can add the secret. If I test my setup script, everything is injected fine, and my setup script can access the secret and I can update the git configuration to do an “insteadof” with the token in the right place in the url, and my “go mod download” in my setup script works great.
However, when I run a task against that environment, when the setup script is run, the secret is not injected and its env var is empty.
This means I am unable to use Codex with Go repos that have private dependencies (or that I am unable to run builds and tests at least).
This seems like a bug.
Has anyone else encountered this?
Also the “generate PR” functionality doesn’t seem to work when pushing to internal repos. Has anyone seen that?
Any help on fixing those two issues would be awesome.
During the current phase of the research preview, Codex cloud environments lose internet access after the setup script runs. That’s why network calls like go mod download fail during task execution.
I know this. I have an environment setup script that runs go mod download.
The problem I have is that some of my repos have dependencies on private repos, and so I need to use a github token and configure git with git config --global url."https://${GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf ... inside the setup script before running go mod download.
The problem with that is that injecting secrets seems to be broken.
The secrets are not injected into the environment when running the setup script during task execution.
Pulling down dependencies that don’t need secrets in the setup scripts works fine. It’s the secret injection that is not working.
Ok.
I will pass this on and link another related report here.
One idea that could possibly help is to allow access to the private repos directly via the GitHub connector instead of performing this step in the set-up script.
The github app has access to all the repos in my org.
But the app token used to download my repo is not made available to my setup script. So, if I have repo A which depends on repo B, you will checkout repo A using the app token, then run my setup scripts (but without giving them access to the token). So the only way I can pull down B is if I add a secret with a github token in it and configure git to use that token when accessing github.
But the secret injection seems to be broken.
I can work around this (right now, I’m using the tool with a repo that doesn’t have internal dependencies) and I can always vendor my go dependencies.
However, I would also like to use secrets so that I can sign commits (our repos require commit signing). Right now after generating the PR, I need to pull things down and re-push the commits signed with my key.
If secret injection worked I could just add the signing key and configure git during my setup script. And I wouldn’t have to vendor, which makes my day to day easier.
It is possible to embed the secret directly in the setup script, but that would leak the secret in the task logs. So, I don’t want to do that for obvious security reasons.
I’m not blocked, but it would be cool if the secret injection did work.
Codex now passes secrets through a short-lived file that is created just for the setup-script phase and deleted immediately afterwards. This change replaced the older “keep it in an env var for the whole task” approach to reduce the risk of leaking credentials.
So any commands that need GITHUB_TOKEN (or similar) must run inside the setup script itself.
How to get your build working
Double-check where you stored the token. It has to be under Secrets, not regular environment variables.
Run all go mod download and git-config steps inside the setup script. After that phase, the variable is intentionally wiped.
Add a quick sanity print in the script—e.g. echo "GH_TOKEN length: ${#GITHUB_TOKEN}". That shows the token is present without revealing its value.
Re-save the environment (open Manage → Environments, click Edit → Save). This forces Codex to rebuild the container with the latest secret-injection code path.
Retry a task. If the token length echoes as zero, please send us the Environment ID and a recent Task ID so we can pull logs.
Please ensure the following.
The OpenAI Codex app is installed on the repo with Contents: Read & Write and Pull requests: Read & Write.
Your GitHub user can push to a test branch via CLI.
Any branch-protection or approval gates include the Codex app, or you temporarily create a less-restricted branch for the agent to use.
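
The setup-script steps discussed in this thread (presence check, insteadOf rewrite, go mod download), as an added example that is not code from any poster or from OpenAI. It goes one step further than the thread by deleting the token-bearing rewrite rule from the global git config once the download finishes, since that rule otherwise stays on disk after the secret itself is wiped. PRIVATE_ORG, the GOPRIVATE pattern and the `run` argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example: setup-phase handling of GITHUB_TOKEN for private Go modules.
# GITHUB_TOKEN is the secret name used in the thread; PRIVATE_ORG is a placeholder.
# Do not enable `set -x` here: tracing would print the token into the task log.
set -eu

PRIVATE_ORG="${PRIVATE_ORG:-example-org}"   # placeholder, not from the thread

# Report whether the secret arrived, without printing any part of its value.
token_status() {
  if [ -n "${GITHUB_TOKEN:-}" ]; then
    echo "GITHUB_TOKEN present (length ${#GITHUB_TOKEN})"
  else
    echo "GITHUB_TOKEN missing"
    return 1
  fi
}

# Rewrite GitHub HTTPS URLs to carry the token (the insteadOf rule from the thread).
add_token_rewrite() {
  git config --global \
    url."https://${GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
}

# Delete the whole [url "..."] section. Unsetting only insteadOf can leave the
# section header, which contains the token, behind in ~/.gitconfig.
remove_token_rewrite() {
  git config --global --remove-section \
    "url.https://${GITHUB_TOKEN}:x-oauth-basic@github.com/" 2>/dev/null || true
}

main() {
  token_status || exit 1                          # stop early if injection failed
  export GOPRIVATE="github.com/${PRIVATE_ORG}/*"  # skip public proxy and checksum DB
  trap remove_token_rewrite EXIT                  # scrub even if the download fails
  add_token_rewrite
  go mod download
}

# Run only when invoked as `./setup.sh run`, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```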