feat(auth): support ChatGPT subscription auth via base64 auth.json

- Add input "codex-auth-json-b64" and write auth.json securely
- New CLI command "write-auth-json" to decode/validate/write credentials
- Update safety steps to protect subscription creds
- Avoid proxy steps for subscription-only runs
- Add code-review example using subscription auth
- Update docs (README, security)

Author: activadee

README.md

@@ -88,12 +88,15 @@ jobs:
             });
 ```
 
+For a ChatGPT subscription auth variant, see `examples/code-review-subscription.yml`.
+
 ## Inputs
 
 | Name                     | Description                                                                                                                                    | Default     |
 | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
 | `openai-api-key`         | Secret used to start the Responses API proxy when you are using OpenAI (default). Store it in `secrets`.                                       | `""`        |
 | `responses-api-endpoint` | Optional Responses API endpoint override, e.g. `https://example.openai.azure.com/openai/v1/responses`. Leave empty to use the proxy's default. | `""`        |
+| `codex-auth-json-b64`    | Base64-encoded contents of `auth.json` for Codex CLI (ChatGPT subscription auth). The action decodes and writes it to `CODEX_HOME/auth.json`.  | `""`        |
 | `prompt`                 | Inline prompt text. Provide this or `prompt-file`.                                                                                             | `""`        |
 | `prompt-file`            | Path (relative to the repository root) of a file that contains the prompt. Provide this or `prompt`.                                           | `""`        |
 | `output-file`            | File where the final Codex message is written. Leave empty to skip writing a file.                                                             | `""`        |
@@ -169,6 +172,39 @@ Ultimately, your configured Action might look something like the following:
     prompt: "Debug all the things."
 ```
 
+### Using ChatGPT subscription auth
+
+If you already have a Codex login on a developer machine, you can export your CLI credentials and provide them to this action via a base64-encoded `auth.json`:
+
+1. On a trusted machine where `codex` is logged in, find `auth.json` under `~/.codex/auth.json`.
+2. Base64-encode it and save into a GitHub secret:
+
+   Linux/macOS:
+
+   ```bash
+   base64 -w0 ~/.codex/auth.json
+   ```
+
+   macOS (BSD base64):
+
+   ```bash
+   base64 -i ~/.codex/auth.json | tr -d '\n'
+   ```
+
+3. In your workflow, pass the secret to the action:
+
+```yaml
+- uses: openai/codex-action@v1
+  with:
+    codex-auth-json-b64: ${{ secrets.CODEX_AUTH_JSON_B64 }}
+    prompt: |
+      Hello from subscription auth.
+```
+
+Notes:
+- Do not provide both `openai-api-key` and `codex-auth-json-b64` unless you specifically want to use the Responses API proxy; if both are present, the proxy configuration takes precedence.
+- `auth.json` is sensitive. This action writes it with file mode `0600`. Prefer `safety-strategy: drop-sudo` or `unprivileged-user` to limit risk.
+
 ## Version History
 
 See the [`CHANGELOG`](./CHANGELOG.md) for details.

action.yml

@@ -22,6 +22,10 @@ inputs:
     description: "Optional Responses API endpoint override, e.g. https://example.openai.azure.com/openai/v1/responses. Defaults to the proxy's built-in endpoint when empty."
     required: false
     default: ""
+  codex-auth-json-b64:
+    description: "Base64-encoded contents of Codex auth.json (ChatGPT subscription auth)."
+    required: false
+    default: ""
   working-directory:
     description: "Working directory that Codex should use. Defaults to the repository root."
     required: false
@@ -155,6 +159,17 @@ runs:
         server_info_file="${{ steps.resolve_home.outputs.codex-home }}/${{ github.run_id }}.json"
         echo "server_info_file=$server_info_file" >> "$GITHUB_OUTPUT"
 
+    - name: Check server info file presence
+      id: check_server_info
+      shell: bash
+      run: |
+        server_info_file="${{ steps.derive_server_info.outputs.server_info_file }}"
+        if [ -s "$server_info_file" ]; then
+          echo "exists=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "exists=false" >> "$GITHUB_OUTPUT"
+        fi
+
     - name: Check Responses API proxy status
       id: start_proxy
       if: ${{ inputs['openai-api-key'] != '' }}
@@ -168,6 +183,17 @@ runs:
           echo "server_info_file_exists=false" >> "$GITHUB_OUTPUT"
         fi
 
+    - name: Write Codex auth.json (subscription auth)
+      if: ${{ inputs['codex-auth-json-b64'] != '' }}
+      env:
+        CODEX_AUTH_JSON_B64: ${{ inputs['codex-auth-json-b64'] }}
+      shell: bash
+      run: |
+        node "${{ github.action_path }}/dist/main.js" write-auth-json \
+          --codex-home "${{ steps.resolve_home.outputs.codex-home }}" \
+          --safety-strategy "${{ inputs['safety-strategy'] }}" \
+          --codex-user "${{ inputs['codex-user'] }}"
+
     # This is its own step to minimize the runtime logic that has access to the
     # API key. Note we use `env -u PROXY_API_KEY` to ensure extra copies of the
     # key do not end up in the memory of the `codex-responses-api-proxy`
@@ -218,7 +244,7 @@ runs:
     # This step has an output named `port`.
     - name: Read server info
       id: read_server_info
-      if: ${{ inputs['openai-api-key'] != '' || inputs.prompt != '' || inputs['prompt-file'] != '' }}
+      if: ${{ inputs['openai-api-key'] != '' || steps.check_server_info.outputs.exists == 'true' }}
       shell: bash
       run: node "${{ github.action_path }}/dist/main.js" read-server-info "${{ steps.derive_server_info.outputs.server_info_file }}"
 
@@ -232,7 +258,7 @@ runs:
           --safety-strategy "${{ inputs['safety-strategy'] }}"
 
     - name: Drop sudo privilege, if appropriate
-      if: ${{ inputs['safety-strategy'] == 'drop-sudo' && inputs['openai-api-key'] != '' }}
+      if: ${{ inputs['safety-strategy'] == 'drop-sudo' && (inputs['openai-api-key'] != '' || inputs['codex-auth-json-b64'] != '') }}
       shell: bash
       run: |
         case "${RUNNER_OS}" in
@@ -249,7 +275,7 @@ runs:
         esac
 
     - name: Verify sudo privilege removed
-      if: ${{ inputs['safety-strategy'] == 'drop-sudo' && inputs['openai-api-key'] != '' }}
+      if: ${{ inputs['safety-strategy'] == 'drop-sudo' && (inputs['openai-api-key'] != '' || inputs['codex-auth-json-b64'] != '') }}
       shell: bash
       run: |
         if sudo -n true 2>/dev/null; then