fix(runtime): pin codex setup to rust-v0.118.0 for security#663
Merged
sergio-sisternes-epam merged 2 commits into microsoft:main (Apr 10, 2026)
…t#662)
- Pin CODEX_VERSION to rust-v0.118.0 (latest stable) instead of 'latest' to prevent supply-chain attacks via compromised upstream releases
- Update wire_api from 'chat' to 'responses' (the only protocol supported by current Codex releases)
- Add user-facing messages about the pin and how to override
- Apply same changes to both .sh (Linux/macOS) and .ps1 (Windows)

Closes microsoft#662

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Pins the Codex runtime setup scripts to a specific upstream Codex release to improve supply-chain safety and install reproducibility, and updates the generated Codex config to the current wire_api protocol expected by modern Codex releases.
Changes:
- Pin default Codex version from `latest` to `rust-v0.118.0` in both Unix and Windows setup scripts.
- Update generated Codex config from `wire_api = "chat"` to `wire_api = "responses"`.
- Add a changelog entry under Unreleased -> Fixed.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| scripts/runtime/setup-codex.sh | Pins default Codex version and updates generated config wire_api. Adds user-facing pin/override messaging. |
| scripts/runtime/setup-codex.ps1 | Same as above for PowerShell/Windows; includes user-facing messaging. |
| CHANGELOG.md | Records the change under Fixed in Unreleased. |
- Use correct CLI syntax: `apm runtime setup codex --version <version>`
- Replace 'pinned to' wording with neutral 'Using Codex $VERSION'
- Fix CHANGELOG entry to reference PR microsoft#663 instead of issue microsoft#662
- Update runtime-compatibility.md to reflect pinned default version

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
danielmeppiel approved these changes, Apr 10, 2026
edenfunf added a commit to edenfunf/apm that referenced this pull request, Apr 10, 2026
- Fix 1: include .cmd and .bat in Windows APM runtimes dir lookup so llm.cmd (installed by setup-llm.ps1) is found when ~/.apm/runtimes is not in PATH
- Fix 2: rebase already picked up rust-v0.118.0 pin from origin/main (microsoft#663); resolve the setup-codex conflicts in favour of main
- Fix 3: add ensure_path_within() checks in _discover_prompt_file and _resolve_prompt_file (PromptCompiler) to catch symlinks that resolve outside the project directory; also filter unsafe dependency matches from rglob results rather than silently including them
- Fix runtime mis-detection: reorder _transform_runtime_command to check copilot before codex, preventing "copilot --model codex ..." from being routed to the codex path; replace substring match in _detect_runtime with Path.stem comparison so hyphenated tool names (run-codex-tool) are not mistakenly identified as a known runtime
Summary

Pin codex runtime setup scripts to `rust-v0.118.0` instead of `"latest"` to prevent supply-chain attacks and ensure reproducible installs. Also updates the generated config from `wire_api = "chat"` to `wire_api = "responses"` — the only protocol supported by current Codex releases.

Closes #662

Problem

Using `CODEX_VERSION="latest"` means APM downloads whichever codex binary happens to be the newest release. This is a supply-chain risk — a compromised upstream release would be automatically pulled by every `apm runtime setup codex` invocation.

Additionally, the generated Codex config used `wire_api = "chat"`, which has been removed from the Codex config schema entirely. All current releases only support `wire_api = "responses"`.

Changes

- `scripts/runtime/setup-codex.sh`: Pin `CODEX_VERSION="rust-v0.118.0"`, update `wire_api` to `"responses"`, add pin rationale messaging
- `scripts/runtime/setup-codex.ps1`: Same changes for Windows
- `CHANGELOG.md`: Add entry under Fixed

Context

Discovered during CI investigation of PR #651 — an earlier attempt to pin to `0.1.2025051600` (a deleted tag) caused integration test failures. See root cause analysis.

Testing

- `rust-v0.118.0` assets exist and are downloadable (HTTP 302) for all platforms
- `codex-{platform}` binary inside tar.gz) is compatible with existing extraction logic
- `apm runtime setup codex latest` or any specific version
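The PR description above (Problem, Changes) and the Copilot review summary describe the pin and the wire_api change in prose. The POSIX shell below is an added example, not code from APM's `scripts/runtime/setup-codex.sh` or `setup-codex.ps1`. It sketches the same pattern: a pinned default version that only an explicit argument (including `latest`) overrides, the neutral "Using Codex ..." message asked for in the second commit, a generated provider table with `wire_api = "responses"`, and one check a tag pin alone does not give you: a SHA-256 digest on the fetched asset, because pinning a tag fixes which release is requested, not which bytes are served under it. The function names, the provider id `apm`, and the digest step are assumptions of this example; the sample asset in the usage is a constructed local file, not a real Codex tarball.

```shell
#!/bin/sh
# Added example; not APM's setup-codex.sh. Names below are assumptions.

PINNED_CODEX_VERSION="rust-v0.118.0"   # the default the PR pins to

# resolve_codex_version [requested]
# Prints the version to install. No argument -> the pin. An explicit argument
# (including "latest") is honoured, so floating to the newest release is opt-in.
# Anything outside the characters a release tag uses is refused before it can
# reach a URL or a shell command.
resolve_codex_version() {
    requested="${1:-}"
    if [ -z "$requested" ]; then
        printf '%s\n' "$PINNED_CODEX_VERSION"
        return 0
    fi
    case "$requested" in
        *[!A-Za-z0-9._-]*)
            printf 'refusing version string with unexpected characters: %s\n' "$requested" >&2
            return 1 ;;
    esac
    printf '%s\n' "$requested"
}

# version_message <version>
# Neutral wording ("Using Codex ..."), with the override hint only when the
# default pin is in effect.
version_message() {
    if [ "$1" = "$PINNED_CODEX_VERSION" ]; then
        printf 'Using Codex %s (override with: apm runtime setup codex --version <version>)\n' "$1"
    else
        printf 'Using Codex %s\n' "$1"
    fi
}

# render_codex_config <provider_id>
# Emits a provider table using wire_api = "responses"; "chat" is no longer in
# the Codex config schema. The provider id is an example value.
render_codex_config() {
    printf '[model_providers.%s]\n' "$1"
    printf 'wire_api = "responses"\n'
}

# sha256_of <file>   (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_asset <file> <expected_sha256>
# A tag pin fixes *which* release you ask for; a digest pin fixes *what* you
# accept. Returns 1 on mismatch so a caller under set -e stops before extracting.
verify_asset() {
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
        return 1
    fi
    return 0
}

# setup_codex_example [version] <asset_path> <expected_sha256>
# Ties the pieces together for an asset that has already been downloaded:
# resolve the version, announce it, refuse to continue on a bad digest,
# then write the config fragment.
setup_codex_example() {
    version=$(resolve_codex_version "$1") || return 1
    version_message "$version"
    verify_asset "$2" "$3" || return 1
    render_codex_config apm
}

# Usage with a constructed stand-in for a release asset (not a real tarball):
#   tmp=$(mktemp); printf 'stand-in asset\n' > "$tmp"
#   setup_codex_example "" "$tmp" "$(sha256_of "$tmp")"   # default pin, digest matches
#   setup_codex_example latest "$tmp" "$(sha256_of "$tmp")"   # explicit override
```

In a real script the expected digest would be committed alongside the pinned version (one entry per platform asset), so that a release whose assets are silently replaced under the same tag fails the install instead of being extracted.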