RepoJournal
OpenAI

OpenAI

Codex, the SDKs, and the engine behind ChatGPT

Pick a date

The Wire · Showcase

CODEX DECOUPLES SKILLS FROM EXECUTOR, NODE AND PYTHON TIGHTEN CI SECURITY

By RepoJournal · Filed · About OpenAI

Codex shipped a breaking refactor that makes hosted plugin skills invocable without an executor, while both Node and Python SDKs locked down their CI workflows to use scoped API key environments.

The codex team landed three interconnected changes that fundamentally reshape how skills integrate with the runtime. First, backend plugin skills are now invocable without an executor [1], which means app-server can properly surface hosted skills in the model's catalog and load their metadata through the `$skill` interface. Second, the skills catalog now renders locators by authority [2], telling the model whether a skill lives on disk or must be fetched through a remote source. Third, ThreadStore now owns persistence policy application [3], enabling store-specific projections over raw input. In parallel, ExecutorFileSystem is being migrated to PathUri [4] as the canonical internal path representation, with EnvironmentPathRef removed entirely [5]. On the SDK side, both openai-node and openai-python tightened their CI workflows to use scoped GitHub environments for API key access [6] [8], and the Node team bumped CI coverage to Node 20, 22, 24, and 26 [7], moving the default test line to Node 24 LTS. These aren't cosmetic updates: the codex changes fix a real gap where hosted skills were described as local files, and the SDK CI changes prevent API keys from being accessible to untrusted workflow contexts.

Action items

References

  1. [1] skills: make backend plugin skills invocable without an executor (#27387) openai/codex
  2. [2] skills: render catalog locators by authority (#27591) openai/codex
  3. [3] [codex] Move persistence policy application into ThreadStore ↗ openai/codex
  4. [4] [codex] migrate ExecutorFileSystem paths to PathUri ↗ openai/codex
  5. [5] [codex] remove EnvironmentPathRef ↗ openai/codex
  6. [6] test: Use CI environment for OpenAI API key workflows ↗ openai/openai-node
  7. [7] test: Update CI Node version coverage ↗ openai/openai-node
  8. [8] test: Use CI environment for examples API key ↗ openai/openai-python

FAQ

What changed in OpenAI on June 12, 2026?
Codex shipped a breaking refactor that makes hosted plugin skills invocable without an executor, while both Node and Python SDKs locked down their CI workflows to use scoped API key environments.
What should OpenAI teams do about it?
Review skills invocation patterns in your executor if you're hosting plugins • Upgrade Node CI workflows to use ci environment scope for OPENAI_API_KEY • Update Python CI workflows to use ci environment scope for OPENAI_API_KEY
Which OpenAI repositories shipped on June 12, 2026?
openai/codex, openai/openai-node, openai/openai-python

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.