From 60861b382306dc2e47dbe83e6956a4f788fb866d Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Tue, 28 Apr 2026 23:24:45 +0100
Subject: [PATCH] ci: use api key auth for Codex CLI backend smoke

---
 .../openclaw-live-and-e2e-checks-reusable.yml    | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
index ed126fac9fd..8448323d832 100644
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -1875,18 +1875,20 @@ jobs:
           case "${{ matrix.suite_id }}" in
             live-cli-backend-docker)
               echo "OPENCLAW_LIVE_CLI_BACKEND_MODEL=codex-cli/gpt-5.5" >> "$GITHUB_ENV"
-              # The CLI backend Docker lane should exercise the same staged
-              # Codex auth path Peter uses locally so MCP cron creation and
-              # multimodal probes stay covered in CI. Replace the staged
-              # config.toml with a minimal CI-safe config so the repo stays
-              # trusted for MCP/tool use without inheriting maintainer-local
-              # provider/profile overrides that do not exist inside CI.
+              # Keep the release-blocking CI lane on Codex API-key auth. The
+              # staged auth-file path remains supported for local maintainer
+              # reruns, but it can hang on stale subscription/session state in
+              # an otherwise healthy release run.
+              echo "OPENCLAW_LIVE_CLI_BACKEND_AUTH=api-key" >> "$GITHUB_ENV"
+              # Replace the staged config.toml with a minimal CI-safe config so
+              # the repo stays trusted for MCP/tool use without inheriting
+              # maintainer-local provider/profile overrides that do not exist
+              # inside CI.
               # Codex's workspace-write sandbox relies on user namespaces that
               # this Docker lane does not provide, so run Codex unsandboxed
               # inside the already-isolated container to keep MCP cron/tool
               # execution representative instead of failing on nested sandbox
               # setup.
-              echo 'OPENCLAW_LIVE_CLI_BACKEND_CLEAR_ENV=["OPENAI_API_KEY","OPENAI_BASE_URL"]' >> "$GITHUB_ENV"
               echo 'OPENCLAW_LIVE_CLI_BACKEND_ARGS=["exec","--json","--color","never","--sandbox","danger-full-access","--skip-git-repo-check"]' >> "$GITHUB_ENV"
               echo 'OPENCLAW_LIVE_CLI_BACKEND_RESUME_ARGS=["exec","resume","{sessionId}","-c","sandbox_mode=\"danger-full-access\"","--skip-git-repo-check"]' >> "$GITHUB_ENV"
               echo "OPENCLAW_LIVE_CLI_BACKEND_DEBUG=1" >> "$GITHUB_ENV"