Initial commit: OpenAI Codex Docker container

- Dockerfile with Node 22 slim base and Codex CLI
- docker-compose.yml for easy local running
- Entrypoint script with config initialization
- OAuth callback port exposure (1455)
- GitHub Actions workflow for multi-arch builds
- Comprehensive README with usage examples

MIT License

Author: bryant-ung

.dockerignore

@@ -0,0 +1,21 @@
+# Git
+.git
+.gitignore
+
+# Documentation
+README.md
+LICENSE
+
+# Environment files
+.env
+.env.*
+
+# Workspace
+workspace/
+
+# GitHub
+.github/
+
+# OS
+.DS_Store
+Thumbs.db

.env.example

@@ -0,0 +1,8 @@
+# OpenAI API Key (get one at https://platform.openai.com/api-keys)
+OPENAI_API_KEY=your-api-key-here
+
+# Optional: OpenAI organization ID
+# OPENAI_ORG_ID=org-...
+
+# Optional: Custom API base URL
+# OPENAI_API_BASE=https://api.openai.com/v1

.github/workflows/docker-publish.yml

@@ -0,0 +1,61 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: ungb/codex
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -0,0 +1,16 @@
+# Environment files
+.env
+.env.local
+
+# Workspace directory (user's code)
+workspace/
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo

Dockerfile

@@ -0,0 +1,43 @@
+FROM node:22-slim
+
+LABEL maintainer="ungb"
+LABEL description="OpenAI Codex CLI in a Docker container"
+LABEL org.opencontainers.image.source="https://github.com/ungb/codex-docker"
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    openssh-client \
+    ca-certificates \
+    jq \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install OpenAI Codex CLI globally
+RUN npm install -g @openai/codex
+
+# Create non-root user for security
+RUN useradd -m -s /bin/bash coder \
+    && mkdir -p /home/coder/.codex \
+    && chown -R coder:coder /home/coder
+
+# Set up workspace directory
+RUN mkdir -p /workspace && chown coder:coder /workspace
+
+# Copy entrypoint script
+COPY --chown=coder:coder entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# Switch to non-root user
+USER coder
+WORKDIR /workspace
+
+# Environment variables
+ENV HOME=/home/coder
+ENV CODEX_CONFIG_DIR=/home/coder/.codex
+
+# Expose OAuth callback port
+EXPOSE 1455
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["codex"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,217 @@
+# Codex Docker
+
+Run [OpenAI Codex CLI](https://github.com/openai/codex) in a Docker container. Codex is OpenAI's lightweight coding agent that runs in your terminal.
+
+## Quick Start
+
+```bash
+# Pull and run (replace with your API key)
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -e OPENAI_API_KEY=your-key \
+  ungb/codex
+```
+
+## Prerequisites
+
+- [Docker](https://docs.docker.com/get-docker/) installed
+- [OpenAI API key](https://platform.openai.com/api-keys) or ChatGPT account for OAuth
+
+## Usage
+
+### Using Docker Run
+
+```bash
+# Basic usage with API key
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex
+
+# With persistent config (remembers settings between runs)
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -v codex-config:/home/coder/.codex \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex
+
+# With git/ssh support
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -v codex-config:/home/coder/.codex \
+  -v ~/.ssh:/home/coder/.ssh:ro \
+  -v ~/.gitconfig:/home/coder/.gitconfig:ro \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex
+```
+
+### Using Docker Compose
+
+1. Clone this repo or copy `docker-compose.yml` to your project:
+
+```bash
+curl -O https://raw.githubusercontent.com/ungb/codex-docker/main/docker-compose.yml
+```
+
+2. Create a `.env` file with your API key:
+
+```bash
+echo "OPENAI_API_KEY=your-key-here" > .env
+```
+
+3. Run:
+
+```bash
+docker compose run --rm codex
+```
+
+### Run a Specific Command
+
+```bash
+# Run codex with arguments
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex \
+  codex "explain this codebase"
+
+# Check version
+docker run -it --rm ungb/codex codex --version
+
+# Run with full auto-approve (be careful!)
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex \
+  codex --full-auto "fix the tests"
+```
+
+## Authentication
+
+### Option 1: API Key (Recommended for Docker)
+
+Get an API key from [OpenAI Platform](https://platform.openai.com/api-keys) and pass it as an environment variable:
+
+```bash
+-e OPENAI_API_KEY=sk-...
+```
+
+### Option 2: ChatGPT OAuth Login
+
+For browser-based OAuth, expose port 1455 for the callback:
+
+```bash
+docker run -it --rm \
+  -p 1455:1455 \
+  -v $(pwd):/workspace \
+  -v codex-config:/home/coder/.codex \
+  ungb/codex \
+  codex login
+```
+
+Or use host network mode:
+
+```bash
+docker run -it --rm \
+  --network host \
+  -v $(pwd):/workspace \
+  -v codex-config:/home/coder/.codex \
+  ungb/codex \
+  codex login
+```
+
+## Volume Mounts
+
+| Mount | Purpose |
+|-------|---------|
+| `/workspace` | Your project directory (required) |
+| `/home/coder/.codex` | Codex config and cache (optional, for persistence) |
+| `/home/coder/.ssh` | SSH keys for git operations (optional, read-only) |
+| `/home/coder/.gitconfig` | Git configuration (optional, read-only) |
+
+## Environment Variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `OPENAI_API_KEY` | Yes* | Your OpenAI API key |
+| `OPENAI_ORG_ID` | No | OpenAI organization ID |
+| `OPENAI_API_BASE` | No | Custom API endpoint (for proxies) |
+
+*Required unless using OAuth login
+
+## Ports
+
+| Port | Purpose |
+|------|---------|
+| 1455 | OAuth callback for `codex login` |
+
+## Building Locally
+
+```bash
+git clone https://github.com/ungb/codex-docker.git
+cd codex-docker
+docker build -t codex .
+```
+
+## Troubleshooting
+
+### Permission Denied on Mounted Files
+
+The container runs as user `coder` (UID 1000). If you have permission issues:
+
+```bash
+# Run with your user ID
+docker run -it --rm \
+  --user $(id -u):$(id -g) \
+  -v $(pwd):/workspace \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex
+```
+
+### Git Operations Failing
+
+Ensure SSH keys are mounted and git is configured:
+
+```bash
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -v ~/.ssh:/home/coder/.ssh:ro \
+  -v ~/.gitconfig:/home/coder/.gitconfig:ro \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex
+```
+
+### OAuth Login Not Working
+
+Ensure port 1455 is exposed:
+
+```bash
+docker run -it --rm \
+  -p 1455:1455 \
+  -v $(pwd):/workspace \
+  -v codex-config:/home/coder/.codex \
+  ungb/codex \
+  codex login
+```
+
+## Sandbox Mode
+
+Codex supports running in sandbox mode using Docker. When you run Codex inside this container, it's already isolated. For nested Docker support (Docker-in-Docker), mount the Docker socket:
+
+```bash
+docker run -it --rm \
+  -v $(pwd):/workspace \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -e OPENAI_API_KEY=$OPENAI_API_KEY \
+  ungb/codex
+```
+
+## License
+
+MIT License - see [LICENSE](LICENSE)
+
+## Links
+
+- [Codex CLI Documentation](https://github.com/openai/codex)
+- [OpenAI Platform](https://platform.openai.com/)
+- [OpenAI API Keys](https://platform.openai.com/api-keys)