diff --git a/.changeset/patch-update-cli-tools.md b/.changeset/patch-update-cli-tools.md index 594ba8bb11..c12878047c 100644 --- a/.changeset/patch-update-cli-tools.md +++ b/.changeset/patch-update-cli-tools.md @@ -5,7 +5,7 @@ Updated the embedded agentic tooling stack: - Claude Code → 2.1.19 - Copilot CLI → 0.0.394 -- Codex → 0.89.0 +- Codex → 0.91.0 - Playwright MCP → 0.0.58 / Browser → v1.58.0 - Sandbox runtime → 0.0.32 diff --git a/.changeset/patch-update-codex.md b/.changeset/patch-update-codex.md new file mode 100644 index 0000000000..b0d5474149 --- /dev/null +++ b/.changeset/patch-update-codex.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Update the OpenAI Codex CLI from 0.89.0 to 0.91.0, regen the compiled workflows, and note the reduced sub-agent limit. diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 849658bb6c..89ad115daf 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -185,7 +185,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -552,7 +552,7 @@ jobs: engine_name: "Codex", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Changeset Generator", experimental: true, supports_tools_allowlist: true, diff --git a/.github/workflows/codex-github-remote-mcp-test.lock.yml b/.github/workflows/codex-github-remote-mcp-test.lock.yml index 25c0476637..896f81816b 100644 --- a/.github/workflows/codex-github-remote-mcp-test.lock.yml +++ b/.github/workflows/codex-github-remote-mcp-test.lock.yml @@ -126,7 +126,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -212,7 +212,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Codex GitHub Remote MCP Test", experimental: true, supports_tools_allowlist: true, diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index f17c184345..e396373785 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -131,7 +131,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -424,7 +424,7 @@ jobs: engine_name: "Codex", model: "gpt-5.1-codex-mini", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Daily Fact About gh-aw", experimental: true, supports_tools_allowlist: true, @@ -976,7 +976,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 949314e953..239f0c9528 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -195,7 +195,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -591,7 +591,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Daily Issues Report Generator", experimental: true, supports_tools_allowlist: true, @@ -2115,7 +2115,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index c1416831da..184909a36a 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -150,7 +150,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -558,7 +558,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Daily Observability Report for AWF Firewall and MCP Gateway", experimental: true, supports_tools_allowlist: true, @@ -1529,7 +1529,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index f1d3857aa9..d18a7f2e7a 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -185,7 +185,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -1052,7 +1052,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Daily Project Performance Summary Generator (Using Safe Inputs)", experimental: true, supports_tools_allowlist: true, @@ -2216,7 +2216,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 14af3a03a2..d504a03e69 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -195,7 +195,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -614,7 +614,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "DeepReport - Intelligence Gathering Agent", experimental: true, supports_tools_allowlist: true, @@ -1716,7 +1716,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 3ba244c3b2..7cafe4eb07 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -142,7 +142,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -505,7 +505,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Duplicate Code Detector", experimental: true, supports_tools_allowlist: true, @@ -1229,7 +1229,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 3dcac2eda4..59024a686a 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -153,7 +153,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -578,7 +578,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Issue Arborist", experimental: true, supports_tools_allowlist: true, @@ -1298,7 +1298,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index b2eafad2da..703e66ef40 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -189,7 +189,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Install awf binary run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.10.0 - name: Determine automatic lockdown mode for GitHub MCP server @@ -1230,7 +1230,7 @@ jobs: engine_name: "Codex", model: process.env.GH_AW_MODEL_AGENT_CODEX || "", version: "", - agent_version: "0.89.0", + agent_version: "0.91.0", workflow_name: "Smoke Codex", experimental: true, supports_tools_allowlist: true, @@ -1876,7 +1876,7 @@ jobs: node-version: '24' package-manager-cache: false - name: Install Codex - run: npm install -g --silent @openai/codex@0.89.0 + run: npm install -g --silent @openai/codex@0.91.0 - name: Run Codex run: | set -o pipefail diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 0c04e7a032..485c137b68 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -283,7 +283,7 @@ const ( ) // DefaultCodexVersion is the default version of the OpenAI Codex CLI -const DefaultCodexVersion Version = "0.89.0" +const DefaultCodexVersion Version = "0.91.0" // DefaultGitHubMCPServerVersion is the default version of the GitHub MCP server Docker image const DefaultGitHubMCPServerVersion Version = "v0.29.0" diff --git a/pkg/constants/constants_test.go b/pkg/constants/constants_test.go index 310c107a7c..0bc89c8b58 100644 --- a/pkg/constants/constants_test.go +++ b/pkg/constants/constants_test.go @@ -282,7 +282,7 @@ func TestVersionConstants(t *testing.T) { }{ {"DefaultClaudeCodeVersion", DefaultClaudeCodeVersion, "2.1.19"}, {"DefaultCopilotVersion", DefaultCopilotVersion, "0.0.394"}, - {"DefaultCodexVersion", DefaultCodexVersion, "0.89.0"}, + {"DefaultCodexVersion", DefaultCodexVersion, "0.91.0"}, {"DefaultGitHubMCPServerVersion", DefaultGitHubMCPServerVersion, "v0.29.0"}, {"DefaultMCPGatewayVersion", DefaultMCPGatewayVersion, "v0.0.78"}, {"DefaultSandboxRuntimeVersion", DefaultSandboxRuntimeVersion, "0.0.32"}, diff --git a/pkg/workflow/codex_engine_test.go b/pkg/workflow/codex_engine_test.go index e84cc1e992..988b65cf88 100644 --- a/pkg/workflow/codex_engine_test.go +++ b/pkg/workflow/codex_engine_test.go @@ -316,11 +316,19 @@ func TestCodexEngineRenderMCPConfig(t *testing.T) { "{", "\"mcpServers\": {", "\"github\": {", - "\"url\": \"http://mcp-gateway:3001\",", - "\"serverName\": \"github\",", - "\"timeout\": 60000,", - "\"apiKey\": \"${MCP_GATEWAY_API_KEY}\"", + "\"container\": \"ghcr.io/github/github-mcp-server:v0.29.0\",", + "\"env\": {", + "\"GITHUB_LOCKDOWN_MODE\": \"$GITHUB_MCP_LOCKDOWN\",", + "\"GITHUB_PERSONAL_ACCESS_TOKEN\": \"$GITHUB_MCP_SERVER_TOKEN\",", + "\"GITHUB_READ_ONLY\": \"1\",", + "\"GITHUB_TOOLSETS\": \"context,repos,issues,pull_requests\"", + "}", "}", + "},", + "\"gateway\": {", + "\"port\": $MCP_GATEWAY_PORT,", + "\"domain\": \"${MCP_GATEWAY_DOMAIN}\",", + "\"apiKey\": \"${MCP_GATEWAY_API_KEY}\"", "}", "}", "MCPCONFIG_EOF",