CODEX DECOUPLES SKILLS FROM EXECUTOR, NODE AND PYTHON TIGHTEN CI SECURITY
By RepoJournal · Filed · About OpenAI
Codex shipped a breaking refactor that makes hosted plugin skills invocable without an executor, while both Node and Python SDKs locked down their CI workflows to use scoped API key environments.
The Codex team landed three interconnected changes that fundamentally reshape how skills integrate with the runtime. First, backend plugin skills are now invocable without an executor [1], which means app-server can properly surface hosted skills in the model's catalog and load their metadata through the `$skill` interface. Second, the skills catalog now renders locators by authority [2], telling the model whether a skill lives on disk or must be fetched through a remote source. Third, ThreadStore now owns persistence policy application [3], enabling store-specific projections over raw input. In parallel, ExecutorFileSystem is being migrated to PathUri [4] as the canonical internal path representation, with EnvironmentPathRef removed entirely [5].
On the SDK side, both openai-node and openai-python tightened their CI workflows to use scoped GitHub environments for API key access [6] [8], and the Node team bumped CI coverage to Node 20, 22, 24, and 26 [7], moving the default test line to Node 24 LTS.
These aren't cosmetic updates: the Codex changes fix a real gap where hosted skills were described as local files, and the SDK CI changes prevent API keys from being accessible to untrusted workflow contexts.
Action items
- Review skills invocation patterns in your executor if you're hosting plugins (openai/codex) [plan]
- Upgrade Node CI workflows to use ci environment scope for OPENAI_API_KEY (openai/openai-node) [immediate]
- Update Python CI workflows to use ci environment scope for OPENAI_API_KEY (openai/openai-python) [immediate]
- Test Node SDK against 20, 22, 24, and 26 before next release (openai/openai-node) [plan]
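What the two immediate items amount to in a GitHub Actions workflow, as an added illustration that is not the workflow from either SDK repository: the job names, the trigger and the `./scripts/run-examples` step are assumptions, and the `ci` environment is assumed to hold `OPENAI_API_KEY` as an environment secret.

```yaml
# Constructed example: not the workflow from openai-node or openai-python.
name: examples
on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  # Before: OPENAI_API_KEY is a repository-level secret, so every job in
  # every workflow that runs with secrets available can reference it.
  examples-repo-secret:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run examples
        run: ./scripts/run-examples        # hypothetical script
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

  # After: the key is stored only as a secret of the "ci" environment.
  # A job receives it only if it declares that environment and passes the
  # environment's protection rules (allowed branches, required reviewers).
  examples-ci-environment:
    runs-on: ubuntu-latest
    environment: ci
    steps:
      - uses: actions/checkout@v4
      - name: Run examples
        run: ./scripts/run-examples        # hypothetical script
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
```

The scoping is only as strong as the environment's protection rules: restrict the `ci` environment to the branches allowed to use it, and delete the repository-level copy of the secret once the environment copy is in place.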
References
- [1] skills: make backend plugin skills invocable without an executor (#27387) openai/codex
- [2] skills: render catalog locators by authority (#27591) openai/codex
- [3] [codex] Move persistence policy application into ThreadStore openai/codex
- [4] [codex] migrate ExecutorFileSystem paths to PathUri openai/codex
- [5] [codex] remove EnvironmentPathRef openai/codex
- [6] test: Use CI environment for OpenAI API key workflows openai/openai-node
- [7] test: Update CI Node version coverage openai/openai-node
- [8] test: Use CI environment for examples API key openai/openai-python
FAQ
- What changed in OpenAI on June 12, 2026?
  Codex shipped a breaking refactor that makes hosted plugin skills invocable without an executor, while both Node and Python SDKs locked down their CI workflows to use scoped API key environments.
- What should OpenAI teams do about it?
  Review skills invocation patterns in your executor if you're hosting plugins; upgrade Node CI workflows to use ci environment scope for OPENAI_API_KEY; update Python CI workflows to use ci environment scope for OPENAI_API_KEY.
- Which OpenAI repositories shipped on June 12, 2026?
  openai/codex, openai/openai-node, openai/openai-python