1 Commits

  • [codex] Split Python runtime release workflow (#26226)
    ## Why
    
    Python SDK releases pin an exact `openai-codex-cli-bin` version, so all
    eight platform runtime wheels must be available on PyPI before the SDK
    package is built and published. PyPI does not support reusable workflows
    as Trusted Publishers, which means OIDC-backed publishing must run from
    each top-level release workflow.
    
    ## What changed
    
    - add reusable `python-runtime-build.yml` to prepare and upload all
    eight runtime wheels without publishing
    - add top-level `python-runtime-release.yml` for manual runtime
    publication before updating an SDK pin
    - have `python-sdk-release.yml` publish and verify the prepared runtime
    wheels from its own top-level trusted job before building the SDK
    - verify PyPI exposes exactly the expected eight runtime wheels before
    either release workflow continues
    
    ## PyPI configuration
    
    - keep the trusted publisher for
    `.github/workflows/python-sdk-release.yml` with environment `pypi`
    - add a trusted publisher for
    `.github/workflows/python-runtime-release.yml` with environment `pypi`
    - no trusted publisher is needed for
    `.github/workflows/python-runtime-build.yml`
    
    ## Validation
    
    - parsed all three workflow YAML files
    - validated all embedded shell blocks with `bash -n`
    - no local tests run; relying on online CI