feat(action): harden defaults and proxy lifecycle

.github/workflows/ci.yml

@@ -33,6 +33,9 @@ jobs:
       - name: Build bundles
         run: pnpm run build
 
+      - name: Run tests
+        run: pnpm test
+
       - name: Ensure dist matches bundled output
         run: |
           status_output="$(git status --short -- dist)"
@@ -41,3 +44,23 @@ jobs:
             echo "$status_output"
             exit 1
           fi
+
+  lint-workflows:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Install shellcheck
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y shellcheck
+
+      - name: Install actionlint
+        run: |
+          mkdir -p "$PWD/bin"
+          bash <(curl -sSfL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) latest "$PWD/bin"
+          echo "$PWD/bin" >> "$GITHUB_PATH"
+
+      - name: Run actionlint
+        run: actionlint -color

CHANGELOG.md

@@ -1,5 +1,16 @@
 # codex-action Changelog
 
+## [Unreleased](https://github.com/openai/codex-action/tree/main)
+
+- set the default `model` input to `gpt-5.3-codex` while preserving opt-out via `model: ""`
+- pin the default `codex-version` input to `0.104.0` for deterministic installs
+- make proxy liveness checks active (port reachability) and restart when stale server-info is found
+- make `write-proxy-config` idempotent with managed blocks and legacy block cleanup
+- harden `codex-args` JSON parsing to require an array of strings
+- fix unprivileged temp schema cleanup path in `runCodexExec`
+- align bot bypass defaults so `allow-bots` defaults to `false` across CLI/action paths
+- expand CI to run tests plus workflow linting (`actionlint` + `shellcheck`)
+
 ## [v1.4](https://github.com/openai/codex-action/tree/v1.4) (2005-11-19)
 
 - [#58](https://github.com/openai/codex-action/pull/58) revert #56 and use the latest stable version of Codex CLI again

README.md

@@ -111,13 +111,13 @@ For a ChatGPT subscription auth variant, see `examples/code-review-subscription.
 | `prompt-file`            | Path (relative to the repository root) of a file that contains the prompt. Provide this or `prompt`.                                           | `""`        |
 | `output-file`            | File where the final Codex message is written. Leave empty to skip writing a file.                                                             | `""`        |
 | `working-directory`      | Directory passed to `codex exec --cd`. Defaults to the repository root.                                                                        | `""`        |
-| `sandbox`                | Sandbox mode for Codex. One of `workspace-write` (default), `read-only` or `danger-full-access`.                                               | `""`        |
-| `codex-version`          | Version of `@openai/codex` to install.                                                                                                         | `""`        |
+| `sandbox`                | Sandbox mode for Codex. One of `workspace-write` (default), `read-only` or `danger-full-access`.                                               | `workspace-write` |
+| `codex-version`          | Version of `@openai/codex` to install. Set to `""` to install the latest available version.                                                    | `0.104.0`   |
 | `codex-args`             | Extra arguments forwarded to `codex exec`. Accepts JSON arrays (`["--flag", "value"]`) or shell-style strings.                                 | `""`        |
 | `pass-through-env`       | Optional newline- or comma-separated list of environment variable names forwarded to Codex. Only include the specific secrets Codex must read. | `""`        |
 | `output-schema`          | Inline schema contents written to a temp file and passed to `codex exec --output-schema`. Mutually exclusive with `output-schema-file`.        | `""`        |
 | `output-schema-file`     | Schema file forwarded to `codex exec --output-schema`. Leave empty to skip passing the option.                                                 | `""`        |
-| `model`                  | Model the agent should use. Leave empty to let Codex pick its default.                                                                         | `""`        |
+| `model`                  | Model the agent should use. Defaults to `gpt-5.3-codex`; set `model: ""` to let Codex pick its default.                                       | `gpt-5.3-codex` |
 | `effort`                 | Reasoning effort the agent should use. Leave empty to let Codex pick its default.                                                              | `""`        |
 | `codex-home`             | Directory to use as the Codex CLI home (config/cache). Uses the CLI default when empty.                                                        | `""`        |
 | `safety-strategy`        | Controls how the action restricts Codex privileges. See [Safety strategy](#safety-strategy).                                                   | `drop-sudo` |

action.yml

@@ -38,7 +38,7 @@ inputs:
   codex-version:
     description: "Version of `@openai/codex` to install."
     required: false
-    default: ""
+    default: "0.104.0"
   codex-args:
     description: "Additional args to pass through to `codex exec`. If this value starts with `[`, it will be parsed as a JSON array; otherwise, it will be parsed as a shell-like string."
     required: false
@@ -59,9 +59,9 @@ inputs:
     required: false
     default: ""
   model:
-    description: "Model the agent should use."
+    description: "Model the agent should use. Defaults to `gpt-5.3-codex`; set to an empty string to defer to the Codex CLI/provider default."
     required: false
-    default: ""
+    default: "gpt-5.3-codex"
   effort:
     description: "Reasoning effort the agent should use."
     required: false
@@ -143,11 +143,23 @@ runs:
 
     - name: Install Codex CLI
       shell: bash
-      run: npm install -g "@openai/codex@${{ inputs['codex-version'] }}"
+      run: |
+        version="${{ inputs['codex-version'] }}"
+        if [ -n "$version" ]; then
+          npm install -g "@openai/codex@$version"
+        else
+          npm install -g "@openai/codex"
+        fi
 
     - name: Install Codex Responses API proxy
       shell: bash
-      run: npm install -g "@openai/codex-responses-api-proxy@${{ inputs['codex-version'] }}"
+      run: |
+        version="${{ inputs['codex-version'] }}"
+        if [ -n "$version" ]; then
+          npm install -g "@openai/codex-responses-api-proxy@$version"
+        else
+          npm install -g "@openai/codex-responses-api-proxy"
+        fi
 
     - name: Resolve Codex home
       id: resolve_home
@@ -177,18 +189,13 @@ runs:
           echo "exists=false" >> "$GITHUB_OUTPUT"
         fi
 
-    - name: Check Responses API proxy status
-      id: start_proxy
+    - name: Probe existing Responses API proxy
+      id: probe_proxy
       if: ${{ inputs['openai-api-key'] != '' }}
       shell: bash
       run: |
         server_info_file="${{ steps.derive_server_info.outputs.server_info_file }}"
-        if [ -s "$server_info_file" ]; then
-          echo "Responses API proxy already appears to be running (found $server_info_file)."
-          echo "server_info_file_exists=true" >> "$GITHUB_OUTPUT"
-        else
-          echo "server_info_file_exists=false" >> "$GITHUB_OUTPUT"
-        fi
+        node "${{ github.action_path }}/dist/main.js" probe-proxy "$server_info_file"
 
     - name: Write Codex auth.json (subscription auth)
       if: ${{ inputs['codex-auth-json-b64'] != '' }}
@@ -206,17 +213,20 @@ runs:
     # key do not end up in the memory of the `codex-responses-api-proxy`
     # process where environment variables are stored.
     - name: Start Responses API proxy
-      if: ${{ inputs['openai-api-key'] != '' && steps.start_proxy.outputs.server_info_file_exists == 'false' }}
+      if: ${{ inputs['openai-api-key'] != '' && steps.probe_proxy.outputs.healthy != 'true' }}
       env:
         PROXY_API_KEY: ${{ inputs['openai-api-key'] }}
       shell: bash
       run: |
         upstream_url="${{ inputs['responses-api-endpoint'] }}"
+        server_info_file="${{ steps.derive_server_info.outputs.server_info_file }}"
+
+        rm -f "$server_info_file"
 
         args=(
           codex-responses-api-proxy
           --http-shutdown
-          --server-info "${{ steps.derive_server_info.outputs.server_info_file }}"
+          --server-info "$server_info_file"
         )
 
         if [ -n "$upstream_url" ]; then
@@ -228,18 +238,20 @@ runs:
         ) &
 
     - name: Wait for Responses API proxy
-      if: ${{ inputs['openai-api-key'] != '' && steps.start_proxy.outputs.server_info_file_exists == 'false' }}
+      if: ${{ inputs['openai-api-key'] != '' && steps.probe_proxy.outputs.healthy != 'true' }}
       shell: bash
       run: |
         server_info_file="${{ steps.derive_server_info.outputs.server_info_file }}"
-        for _ in {1..10}; do
-          if [ -s "$server_info_file" ]; then
+        for _ in {1..15}; do
+          if [ -s "$server_info_file" ] && \
+            node "${{ github.action_path }}/dist/main.js" probe-proxy "$server_info_file" --fail-unhealthy >/dev/null 2>&1; then
             break
           fi
           sleep 1
         done
-        if [ ! -s "$server_info_file" ]; then
-          echo "responses-api-proxy did not write server info" >&2
+
+        if ! node "${{ github.action_path }}/dist/main.js" probe-proxy "$server_info_file" --fail-unhealthy; then
+          echo "responses-api-proxy failed health check" >&2
           exit 1
         fi