chore: add CODEOWNERS and enforce approval for GHA Workflow changes (#654)

## Summary

Adds a `CODEOWNERS` file to enforce code review requirements for GitHub
Actions workflow changes.

- Creates `CODEOWNERS` file designating `@jdomeracki-coder` as owner of
`.github/` directory
- All changes to GitHub Actions workflows (`.github/` directory) now
require approval from the designated code owner
- Improves security posture by preventing unauthorized modifications to
CI/CD pipelines

  ## Why this change?

GitHub Actions workflows have elevated privileges and can access
repository secrets. Requiring explicit approval for workflow changes
helps prevent:

  - Accidental or malicious modifications to CI/CD pipelines
  - Unauthorized access to secrets
  - Supply chain security vulnerabilities

  ## Test plan

  - [x] Verify CODEOWNERS file is properly formatted
- [ ] Test that PRs modifying `.github/` directory require approval from
`@jdomeracki-coder`
- [ ] Confirm existing PRs not touching `.github/` continue to work
normally

.github/workflows/ci.yaml

@@ -93,7 +93,7 @@ jobs:
       - name: Validate formatting
         run: bun fmt:ci
       - name: Check for typos
-        uses: crate-ci/typos@v1.41.0
+        uses: crate-ci/typos@v1.42.0
         with:
           config: .github/typos.toml
   validate-readme-files:

CODEOWNERS

@@ -0,0 +1,2 @@
+# GitHub Actions Workflow Owners
+.github/ @jdomeracki-coder

registry/coder-labs/modules/codex/README.md

@@ -13,7 +13,7 @@ Run Codex CLI in your workspace to access OpenAI's models through the Codex inte
 ```tf
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "3.1.1"
+  version        = "4.0.0"
   agent_id       = coder_agent.example.id
   openai_api_key = var.openai_api_key
   workdir        = "/home/coder/project"
@@ -22,7 +22,6 @@ module "codex" {
 
 ## Prerequisites
 
-- You must add the [Coder Login](https://registry.coder.com/modules/coder/coder-login) module to your template
 - OpenAI API key for Codex access
 
 ## Examples
@@ -33,7 +32,7 @@ module "codex" {
 module "codex" {
   count          = data.coder_workspace.me.start_count
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "3.1.1"
+  version        = "4.0.0"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
   workdir        = "/home/coder/project"
@@ -44,27 +43,19 @@ module "codex" {
 ### Tasks integration
 
 ```tf
-data "coder_parameter" "ai_prompt" {
-  type        = "string"
-  name        = "AI Prompt"
-  default     = ""
-  description = "Initial prompt for the Codex CLI"
-  mutable     = true
+resource "coder_ai_task" "task" {
+  count  = data.coder_workspace.me.start_count
+  app_id = module.codex.task_app_id
 }
 
-module "coder-login" {
-  count    = data.coder_workspace.me.start_count
-  source   = "registry.coder.com/coder/coder-login/coder"
-  version  = "3.1.1"
-  agent_id = coder_agent.example.id
-}
+data "coder_task" "me" {}
 
 module "codex" {
   source         = "registry.coder.com/coder-labs/codex/coder"
-  version        = "3.1.1"
+  version        = "4.0.0"
   agent_id       = coder_agent.example.id
   openai_api_key = "..."
-  ai_prompt      = data.coder_parameter.ai_prompt.value
+  ai_prompt      = data.coder_task.me.prompt
   workdir        = "/home/coder/project"
 
   # Custom configuration for full auto mode
@@ -108,7 +99,7 @@ For custom Codex configuration, use `base_config_toml` and/or `additional_mcp_se
 ```tf
 module "codex" {
   source  = "registry.coder.com/coder-labs/codex/coder"
-  version = "3.1.1"
+  version = "4.0.0"
   # ... other variables ...
 
   # Override default configuration
@@ -137,7 +128,7 @@ module "codex" {
 - Ensure your OpenAI API key has access to the specified model
 
 > [!IMPORTANT]
-> To use tasks with Codex CLI, ensure you have the `openai_api_key` variable set, and **you create a `coder_parameter` named `"AI Prompt"` and pass its value to the codex module's `ai_prompt` variable**. [Tasks Template Example](https://registry.coder.com/templates/coder-labs/tasks-docker).
+> To use tasks with Codex CLI, ensure you have the `openai_api_key` variable set. [Tasks Template Example](https://registry.coder.com/templates/coder-labs/tasks-docker).
 > The module automatically configures Codex with your API key and model preferences.
 > workdir is a required variable for the module to function correctly.
 

registry/coder-labs/modules/codex/main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     coder = {
       source  = "coder/coder"
-      version = ">= 2.7"
+      version = ">= 2.12"
     }
   }
 }
@@ -110,12 +110,12 @@ variable "install_agentapi" {
 variable "agentapi_version" {
   type        = string
   description = "The version of AgentAPI to install."
-  default     = "v0.10.0"
+  default     = "v0.11.6"
 }
 
 variable "codex_model" {
   type        = string
-  description = "The model for Codex to use. Defaults to gpt-5."
+  description = "The model for Codex to use. Defaults to gpt-5.1-codex-max."
   default     = ""
 }
 
@@ -165,7 +165,7 @@ locals {
 
 module "agentapi" {
   source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.2.0"
+  version = "2.0.0"
 
   agent_id             = var.agent_id
   folder               = local.workdir
@@ -217,4 +217,8 @@ module "agentapi" {
     ARG_CODEX_INSTRUCTION_PROMPT='${base64encode(var.codex_system_prompt)}' \
     /tmp/install.sh
   EOT
-}
+}
+
+output "task_app_id" {
+  value = module.agentapi.task_app_id
+}

registry/coder-labs/modules/codex/scripts/install.sh

@@ -115,7 +115,7 @@ append_mcp_servers_section() {
 [mcp_servers.Coder]
 command = "coder"
 args = ["exp", "mcp", "server"]
-env = { "CODER_MCP_APP_STATUS_SLUG" = "${ARG_CODER_MCP_APP_STATUS_SLUG}", "CODER_MCP_AI_AGENTAPI_URL" = "${CODER_MCP_AI_AGENTAPI_URL}" , "CODER_AGENT_URL" = "${CODER_AGENT_URL}", "CODER_AGENT_TOKEN" = "${CODER_AGENT_TOKEN}" }
+env = { "CODER_MCP_APP_STATUS_SLUG" = "${ARG_CODER_MCP_APP_STATUS_SLUG}", "CODER_MCP_AI_AGENTAPI_URL" = "${CODER_MCP_AI_AGENTAPI_URL}" , "CODER_AGENT_URL" = "${CODER_AGENT_URL}", "CODER_AGENT_TOKEN" = "${CODER_AGENT_TOKEN}", "CODER_MCP_ALLOWED_TOOLS" = "coder_report_task" }
 description = "Report ALL tasks and statuses (in progress, done, failed) you are working on."
 type = "stdio"
 

registry/coder-labs/modules/codex/scripts/start.sh

@@ -182,7 +182,7 @@ build_codex_args() {
 
     if [ -n "$ARG_CODEX_TASK_PROMPT" ]; then
       if [ "${ARG_REPORT_TASKS}" == "true" ]; then
-        PROMPT="Complete the task at hand in one go. Every step of the way, report your progress using coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_CODEX_TASK_PROMPT"
+        PROMPT="Complete the task at hand in one go. Every step of the way, report your progress using Coder.coder_report_task tool with proper summary and statuses. Your task at hand: $ARG_CODEX_TASK_PROMPT"
       else
         PROMPT="Your task at hand: $ARG_CODEX_TASK_PROMPT"
       fi