microsoft · sergio-sisternes-epam · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Pin codex setup to `rust-v0.118.0` for security and reproducibility; update config to `wire_api = "responses"` (#662)
 - Propagate headers and environment variables through OpenCode MCP adapter with defensive copies to prevent mutation (#622)
 ### Changed
 

@@ -1,9 +1,11 @@
 # Setup script for Codex runtime (Windows)
 # Downloads Codex binary from GitHub releases and configures with GitHub Models
 
+# Pin to a known stable release for security and reproducibility (#662).
+# Users can override with: apm runtime setup codex -Version <version> (e.g. 'latest')
 param(
     [switch]$Vanilla,
-    [string]$Version = "latest"
+    [string]$Version = "rust-v0.118.0"
 )
 
 $ErrorActionPreference = "Stop"
@@ -161,10 +163,12 @@ model = "openai/gpt-4o"
 name = "GitHub Models"
 base_url = "https://models.github.ai/inference/"
 env_key = "$githubTokenVar"
-wire_api = "chat"
+wire_api = "responses"
 "@ | Set-Content -Path $codexConfig -Encoding UTF8
 
         Write-Success "Codex configuration created at $codexConfig"
+        Write-Info "Codex is pinned to $Version for reproducibility."
+        Write-Info "To use a different version, run: apm runtime setup codex -Version <version> (e.g. 'latest')"
     } else {
         Write-Info "Vanilla mode: Skipping APM configuration"
     }

@@ -23,7 +23,9 @@ source "$SCRIPT_DIR/setup-common.sh"
 
 # Configuration
 CODEX_REPO="openai/codex"
-CODEX_VERSION="latest"  # Default version
+# Pin to a known stable release for security and reproducibility (#662).
+# Users can override with: apm runtime setup codex <version> (e.g. 'latest')
+CODEX_VERSION="rust-v0.118.0"
 VANILLA_MODE=false
 
 # Parse command line arguments
@@ -204,10 +206,12 @@ model = "openai/gpt-4o"
 name = "GitHub Models"
 base_url = "https://models.github.ai/inference/"
 env_key = "$github_token_var"
-wire_api = "chat"
+wire_api = "responses"
 EOF
 
         log_success "Codex configuration created at $codex_config"
+        log_info "Codex is pinned to $CODEX_VERSION for reproducibility."
+        log_info "To use a different version, run: apm runtime setup codex <version> (e.g. 'latest')"
         log_info "APM configured Codex with GitHub Models as default provider"
         log_info "Use 'apm install' to configure MCP servers for your projects"
     else