From f0fc20d73e3325cd94fbd258633bef331f081c2b Mon Sep 17 00:00:00 2001 From: Sergio Sisternes Date: Fri, 10 Apr 2026 12:38:30 +0200 Subject: [PATCH 1/2] fix(runtime): pin codex setup to rust-v0.118.0 for security (#662) - Pin CODEX_VERSION to rust-v0.118.0 (latest stable) instead of 'latest' to prevent supply-chain attacks via compromised upstream releases - Update wire_api from 'chat' to 'responses' (the only protocol supported by current Codex releases) - Add user-facing messages about the pin and how to override - Apply same changes to both .sh (Linux/macOS) and .ps1 (Windows) Closes #662 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- CHANGELOG.md | 1 + scripts/runtime/setup-codex.ps1 | 8 ++++++-- scripts/runtime/setup-codex.sh | 8 ++++++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1dd952a19..4bcc071ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed +- Pin codex setup to `rust-v0.118.0` for security and reproducibility; update config to `wire_api = "responses"` (#662) - Propagate headers and environment variables through OpenCode MCP adapter with defensive copies to prevent mutation (#622) ### Changed diff --git a/scripts/runtime/setup-codex.ps1 b/scripts/runtime/setup-codex.ps1 index 5396e4b8e..b22fff091 100644 --- a/scripts/runtime/setup-codex.ps1 +++ b/scripts/runtime/setup-codex.ps1 @@ -1,9 +1,11 @@ # Setup script for Codex runtime (Windows) # Downloads Codex binary from GitHub releases and configures with GitHub Models +# Pin to a known stable release for security and reproducibility (#662). +# Users can override with: apm runtime setup codex -Version (e.g. 'latest') param( [switch]$Vanilla, - [string]$Version = "latest" + [string]$Version = "rust-v0.118.0" ) $ErrorActionPreference = "Stop" 
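Review bot: Nothing in this series checks the downloaded release asset against a digest or signature, so the new default `[string]$Version = "rust-v0.118.0"` gives reproducibility but not the protection against a compromised upstream release that the commit message claims, because an asset can be replaced under an unchanged tag name; the same applies to `CODEX_VERSION="rust-v0.118.0"` in the setup-codex.sh hunk at -23,7 and to the re-touched comments in the second patch. If the download path elsewhere in these scripts does not already verify the file, consider recording the expected digest next to the pin, e.g. `$ExpectedSha256 = "<sha256 of the rust-v0.118.0 asset>"` here and `CODEX_SHA256="<sha256 of the rust-v0.118.0 asset>"` in the shell script, and failing setup on mismatch. The header comment should then not overstate the guarantee, e.g. `# Pin to a known release for reproducibility (#662); the tag alone does not authenticate the download.`. The download code is outside the hunk, so whether a check already exists is inferred from the series rather than from visible lines.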
@@ -161,10 +163,12 @@ model = "openai/gpt-4o" name = "GitHub Models" base_url = "https://models.github.ai/inference/" env_key = "$githubTokenVar" -wire_api = "chat" +wire_api = "responses" "@ | Set-Content -Path $codexConfig -Encoding UTF8 Write-Success "Codex configuration created at $codexConfig" + Write-Info "Codex is pinned to $Version for reproducibility." + Write-Info "To use a different version, run: apm runtime setup codex -Version (e.g. 'latest')" } else { Write-Info "Vanilla mode: Skipping APM configuration" } diff --git a/scripts/runtime/setup-codex.sh b/scripts/runtime/setup-codex.sh index 8e0593dd5..a2b68f997 100755 --- a/scripts/runtime/setup-codex.sh +++ b/scripts/runtime/setup-codex.sh @@ -23,7 +23,9 @@ source "$SCRIPT_DIR/setup-common.sh" # Configuration CODEX_REPO="openai/codex" -CODEX_VERSION="latest" # Default version +# Pin to a known stable release for security and reproducibility (#662). +# Users can override with: apm runtime setup codex (e.g. 'latest') +CODEX_VERSION="rust-v0.118.0" VANILLA_MODE=false # Parse command line arguments @@ -204,10 +206,12 @@ model = "openai/gpt-4o" name = "GitHub Models" base_url = "https://models.github.ai/inference/" env_key = "$github_token_var" -wire_api = "chat" +wire_api = "responses" EOF log_success "Codex configuration created at $codex_config" + log_info "Codex is pinned to $CODEX_VERSION for reproducibility." + log_info "To use a different version, run: apm runtime setup codex (e.g. 'latest')" log_info "APM configured Codex with GitHub Models as default provider" log_info "Use 'apm install' to configure MCP servers for your projects" else From e1950cd2c8b40c416897736e4dc794538fe6a163 Mon Sep 17 00:00:00 2001 
From: Sergio Sisternes Date: Fri, 10 Apr 2026 13:49:45 +0200 Subject: [PATCH 2/2] fix: address Copilot review feedback (#663) - Use correct CLI syntax: apm runtime setup codex --version - Replace 'pinned to' wording with neutral 'Using Codex $VERSION' - Fix CHANGELOG entry to reference PR #663 instead of issue #662 - Update runtime-compatibility.md to reflect pinned default version Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- CHANGELOG.md | 2 +- docs/src/content/docs/integrations/runtime-compatibility.md | 2 +- scripts/runtime/setup-codex.ps1 | 6 +++--- scripts/runtime/setup-codex.sh | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4bcc071ad..cc4bcd896 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed -- Pin codex setup to `rust-v0.118.0` for security and reproducibility; update config to `wire_api = "responses"` (#662) +- Pin codex setup to `rust-v0.118.0` for security and reproducibility; update config to `wire_api = "responses"` (#663) - Propagate headers and environment variables through OpenCode MCP adapter with defensive copies to prevent mutation (#622) ### Changed diff --git a/docs/src/content/docs/integrations/runtime-compatibility.md b/docs/src/content/docs/integrations/runtime-compatibility.md index fd3d0550c..e2c90e21e 100644 --- a/docs/src/content/docs/integrations/runtime-compatibility.md +++ b/docs/src/content/docs/integrations/runtime-compatibility.md @@ -83,7 +83,7 @@ apm runtime setup codex ``` This automatically: -- Downloads the latest Codex binary for your platform +- Downloads Codex binary `rust-v0.118.0` for your platform (override with `--version`) - Installs to `~/.apm/runtimes/codex` - Creates configuration for GitHub Models (`github/gpt-4o`) - Updates your PATH 
diff --git a/scripts/runtime/setup-codex.ps1 b/scripts/runtime/setup-codex.ps1 index b22fff091..2b3f61a75 100644 --- a/scripts/runtime/setup-codex.ps1 +++ b/scripts/runtime/setup-codex.ps1 @@ -2,7 +2,7 @@ # Downloads Codex binary from GitHub releases and configures with GitHub Models # Pin to a known stable release for security and reproducibility (#662). -# Users can override with: apm runtime setup codex -Version (e.g. 'latest') +# Users can override with: apm runtime setup codex --version (e.g. 'latest') param( [switch]$Vanilla, [string]$Version = "rust-v0.118.0" @@ -167,8 +167,8 @@ wire_api = "responses" "@ | Set-Content -Path $codexConfig -Encoding UTF8 Write-Success "Codex configuration created at $codexConfig" - Write-Info "Codex is pinned to $Version for reproducibility." - Write-Info "To use a different version, run: apm runtime setup codex -Version (e.g. 'latest')" + Write-Info "Using Codex $Version." + Write-Info "Override with: apm runtime setup codex --version (e.g. 'latest')" } else { Write-Info "Vanilla mode: Skipping APM configuration" } diff --git a/scripts/runtime/setup-codex.sh b/scripts/runtime/setup-codex.sh index a2b68f997..ac87296fc 100755 --- a/scripts/runtime/setup-codex.sh +++ b/scripts/runtime/setup-codex.sh @@ -24,7 +24,7 @@ source "$SCRIPT_DIR/setup-common.sh" # Configuration CODEX_REPO="openai/codex" # Pin to a known stable release for security and reproducibility (#662). -# Users can override with: apm runtime setup codex (e.g. 'latest') +# Users can override with: apm runtime setup codex --version (e.g. 'latest') CODEX_VERSION="rust-v0.118.0" VANILLA_MODE=false 
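Review bot: `Write-Info "Using Codex $Version."` and the override hint in the -167,8 hunk are emitted only on the configuration branch, while the visible `else` branch prints `Vanilla mode: Skipping APM configuration`, so a `-Vanilla` run never reports which release was installed or how to change it; the two `log_info` lines in the setup-codex.sh hunk at -210,8 on the next line sit in the same position and presumably behave the same way. Moving the version line above the `if`/`else` (or repeating it in both branches) would make the output consistent across modes. The enclosing `if` starts outside the hunk, so the exact placement has to be checked against the surrounding code.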
@@ -210,8 +210,8 @@ wire_api = "responses" EOF log_success "Codex configuration created at $codex_config" - log_info "Codex is pinned to $CODEX_VERSION for reproducibility." - log_info "To use a different version, run: apm runtime setup codex (e.g. 'latest')" + log_info "Using Codex $CODEX_VERSION." + log_info "Override with: apm runtime setup codex --version (e.g. 'latest')" log_info "APM configured Codex with GitHub Models as default provider" log_info "Use 'apm install' to configure MCP servers for your projects" else