438 Commits

  • ci: stop running rust CI with --all-features (#16473)
    ## Why
    
    Now that workspace crate features have been removed and
    `.github/scripts/verify_cargo_workspace_manifests.py` hard-bans new
    ones, Rust CI should stop building and testing with `--all-features`.
    
    Keeping `--all-features` in CI no longer buys us meaningful coverage for
    `codex-rs`, but it still makes the workflow look like we rely on Cargo
    feature permutations that we are explicitly trying to eliminate. It also
    leaves stale examples in the repo that suggest `--all-features` is a
    normal or recommended way to run the workspace.
    
    ## What changed
    
    - removed `--all-features` from the Rust CI `cargo chef cook`, `cargo
    clippy`, and `cargo nextest` invocations in
    `.github/workflows/rust-ci-full.yml`
    - updated the `just test` guidance in `justfile` to reflect that
    workspace crate features are banned and there should be no need to add
    `--all-features`
    - updated the multiline command example and snapshot in
    `codex-rs/tui/src/history_cell.rs` to stop rendering `cargo test
    --all-features --quiet`
    - tightened the verifier docstring in
    `.github/scripts/verify_cargo_workspace_manifests.py` so it no longer
    talks about temporary remaining exceptions
    
    ## How tested
    
    - `python3 .github/scripts/verify_cargo_workspace_manifests.py`
    - `cargo test -p codex-tui`
  • ci: sync Bazel clippy lints and fix uncovered violations (#16351)
    ## Why
    
    Follow-up to #16345, the Bazel clippy rollout in #15955, and the cleanup
    pass in #16353.
    
    `cargo clippy` was enforcing the workspace deny-list from
    `codex-rs/Cargo.toml` because the member crates opt into `[lints]
    workspace = true`, but Bazel clippy was only using `rules_rust` plus
    `clippy.toml`. That left the Bazel lane vulnerable to drift:
    `clippy.toml` can tune lint behavior, but it cannot set
    allow/warn/deny/forbid levels.
    
    This PR now closes both sides of the follow-up. It keeps `.bazelrc` in
    sync with `[workspace.lints.clippy]`, and it fixes the real clippy
    violations that the newly-synced Windows Bazel lane surfaced once that
    deny-list started matching Cargo.
    
    ## What Changed
    
    - added `.github/scripts/verify_bazel_clippy_lints.py`, a Python check
    that parses `codex-rs/Cargo.toml` with `tomllib`, reads the Bazel
    `build:clippy` `clippy_flag` entries from `.bazelrc`, and reports
    missing, extra, or mismatched lint levels
    - ran that verifier from the lightweight `ci.yml` workflow so the sync
    check does not depend on a Rust toolchain being installed first
    - expanded the `.bazelrc` comment to explain the Cargo `workspace =
    true` linkage and why Bazel needs the deny-list duplicated explicitly
    - fixed the Windows-only `codex-windows-sandbox` violations that Bazel
    clippy reported after the sync, using the same style as #16353: inline
    `format!` args, method references instead of trivial closures, removed
    redundant clones, and replaced SID conversion `unwrap` and `expect`
    calls with proper errors
    - cleaned up the remaining cross-platform violations the Bazel lane
    exposed in `codex-backend-client` and `core_test_support`
    
    ## Testing
    
    Key new test introduced by this PR:
    
    `python3 .github/scripts/verify_bazel_clippy_lints.py`
  • ci: verify codex-rs Cargo manifests inherit workspace settings (#16353)
    ## Why
    
    Bazel clippy now catches lints that `cargo clippy` can still miss when a
    crate under `codex-rs` forgets to opt into workspace lints. The concrete
    example here was `codex-rs/app-server/tests/common/Cargo.toml`: Bazel
    flagged a clippy violation in `models_cache.rs`, but Cargo did not
    because that crate inherited workspace package metadata without
    declaring `[lints] workspace = true`.
    
    We already mirror the workspace clippy deny list into Bazel after
    [#15955](https://github.com/openai/codex/pull/15955), so we also need a
    repo-side check that keeps every `codex-rs` manifest opted into the same
    workspace settings.
    
    ## What changed
    
    - add `.github/scripts/verify_cargo_workspace_manifests.py`, which
    parses every `codex-rs/**/Cargo.toml` with `tomllib` and verifies:
      - `version.workspace = true`
      - `edition.workspace = true`
      - `license.workspace = true`
      - `[lints] workspace = true`
    - top-level crate names follow the `codex-*` / `codex-utils-*`
    conventions, with explicit exceptions for `windows-sandbox-rs` and
    `utils/path-utils`
    - run that script in `.github/workflows/ci.yml`
    - update the current outlier manifests so the check is enforceable
    immediately
    - fix the newly exposed clippy violations in the affected crates
    (`app-server/tests/common`, `file-search`, `feedback`,
    `shell-escalation`, and `debug-client`)
    
    
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/16353).
    * #16351
    * __->__ #16353
  • ci: run Windows argument-comment-lint via native Bazel (#16120)
    ## Why
    
    Follow-up to #16106.
    
    `argument-comment-lint` already runs as a native Bazel aspect on Linux
    and macOS, but Windows is still the long pole in `rust-ci`. To move
    Windows onto the same native Bazel lane, the toolchain split has to let
    exec-side helper binaries build in an MSVC environment while still
    linting repo crates as `windows-gnullvm`.
    
    Pushing the Windows lane onto the native Bazel path exposed a second
    round of Windows-only issues in the mixed exec-toolchain plumbing after
    the initial wrapper/target fixes landed.
    
    ## What Changed
    
    - keep the Windows lint lanes on the native Bazel/aspect path in
    `rust-ci.yml` and `rust-ci-full.yml`
    - add a dedicated `local_windows_msvc` platform for exec-side helper
    binaries while keeping `local_windows` as the `windows-gnullvm` target
    platform
    - patch `rules_rust` so `repository_set(...)` preserves explicit
    exec-platform constraints for the generated toolchains, keep the
    Windows-specific bootstrap/direct-link fixes needed for the nightly lint
    driver, and expose exec-side `rustc-dev` `.rlib`s to the MSVC sysroot
    - register the custom Windows nightly toolchain set with MSVC exec
    constraints while still exposing both `x86_64-pc-windows-msvc` and
    `x86_64-pc-windows-gnullvm` targets
    - enable `dev_components` on the custom Windows nightly repository set
    so the MSVC exec helper toolchain actually downloads the
    compiler-internal crates that `clippy_utils` needs
    - teach `run-argument-comment-lint-bazel.sh` to enumerate concrete
    Windows Rust rules, normalize the resulting labels, and skip explicitly
    requested incompatible targets instead of failing before the lint run
    starts
    - patch `rules_rust` build-script env propagation so exec-side
    `windows-msvc` helper crates drop forwarded MinGW include and linker
    search paths as whole flag/path pairs instead of emitting malformed
    `CFLAGS`, `CXXFLAGS`, and `LDFLAGS`
    - export the Windows VS/MSVC SDK environment in `setup-bazel-ci` and
    pass the relevant variables through `run-bazel-ci.sh` via `--action_env`
    / `--host_action_env` so Bazel build scripts can see the MSVC and UCRT
    headers on native Windows runs
    - add inline comments to the Windows `setup-bazel-ci` MSVC environment
    export step so it is easier to audit how `vswhere`, `VsDevCmd.bat`, and
    the filtered `GITHUB_ENV` export fit together
    - patch `aws-lc-sys` to skip its standalone `memcmp` probe under Bazel
    `windows-msvc` build-script environments, which avoids a Windows-native
    toolchain mismatch that blocked the lint lane before it reached the
    aspect execution
    - patch `aws-lc-sys` to prefer its bundled `prebuilt-nasm` objects for
    Bazel `windows-msvc` build-script runs, which avoids missing
    `generated-src/win-x86_64/*.asm` runfiles in the exec-side helper
    toolchain
    - annotate the Linux test-only callsites in `codex-rs/linux-sandbox` and
    `codex-rs/core` that the wider native lint coverage surfaced
    
    ## Patches
    
    This PR introduces a large patch stack because the Windows Bazel lint
    lane currently depends on behavior that upstream dependencies do not
    provide out of the box in the mixed `windows-gnullvm` target /
    `windows-msvc` exec-toolchain setup.
    
    - Most of the `rules_rust` patches look like upstream candidates rather
    than OpenAI-only policy. Preserving explicit exec-platform constraints,
    forwarding the right MSVC/UCRT environment into exec-side build scripts,
    exposing exec-side `rustc-dev` artifacts, and keeping the Windows
    bootstrap/linker behavior coherent all look like fixes to the Bazel/Rust
    integration layer itself.
    - The two `aws-lc-sys` patches are more tactical. They special-case
    Bazel `windows-msvc` build-script environments to avoid a `memcmp` probe
    mismatch and missing NASM runfiles. Those may be harder to upstream
    as-is because they rely on Bazel-specific detection instead of a general
    Cargo/build-script contract.
    - Short term, carrying these patches in-tree is reasonable because they
    unblock a real CI lane and are still narrow enough to audit. Long term,
    the goal should not be to keep growing a permanent local fork of either
    dependency.
    - My current expectation is that the `rules_rust` patches are less
    controversial and should be broken out into focused upstream proposals,
    while the `aws-lc-sys` patches are more likely to be temporary escape
    hatches unless that crate wants a more general hook for hermetic build
    systems.
    
    Suggested follow-up plan:
    
    1. Split the `rules_rust` deltas into upstream-sized PRs or issues with
    minimized repros.
    2. Revisit the `aws-lc-sys` patches during the next dependency bump and
    see whether they can be replaced by an upstream fix, a crate upgrade, or
    a cleaner opt-in mechanism.
    3. Treat each dependency update as a chance to delete patches one by one
    so the local patch set only contains still-needed deltas.
    
    ## Verification
    
    - `./.github/scripts/run-argument-comment-lint-bazel.sh
    --config=argument-comment-lint --keep_going`
    - `RUNNER_OS=Windows
    ./.github/scripts/run-argument-comment-lint-bazel.sh --nobuild
    --config=argument-comment-lint --platforms=//:local_windows
    --keep_going`
    - `cargo test -p codex-linux-sandbox`
    - `cargo test -p codex-core shell_snapshot_tests`
    - `just argument-comment-lint`
    
    ## References
    
    - #16106
  • fix: close Bazel argument-comment-lint CI gaps (#16253)
    ## Why
    
    The Bazel-backed `argument-comment-lint` CI path had two gaps:
    
    - Bazel wildcard target expansion skipped inline unit-test crates from
    `src/` modules because the generated `*-unit-tests-bin` `rust_test`
    targets are tagged `manual`.
    - `argument-comment-mismatch` was still only a warning in the Bazel and
    packaged-wrapper entrypoints, so a typoed `/*param_name*/` comment could
    still pass CI even when the lint detected it.
    
    That left CI blind to real linux-sandbox examples, including the missing
    `/*local_port*/` comment in
    `codex-rs/linux-sandbox/src/proxy_routing.rs` and typoed argument
    comments in `codex-rs/linux-sandbox/src/landlock.rs`.
    
    ## What Changed
    
    - Added `tools/argument-comment-lint/list-bazel-targets.sh` so Bazel
    lint runs cover `//codex-rs/...` plus the manual `rust_test`
    `*-unit-tests-bin` targets.
    - Updated `just argument-comment-lint`, `rust-ci.yml`, and
    `rust-ci-full.yml` to use that helper.
    - Promoted both `argument-comment-mismatch` and
    `uncommented-anonymous-literal-argument` to errors in every strict
    entrypoint:
      - `tools/argument-comment-lint/lint_aspect.bzl`
      - `tools/argument-comment-lint/src/bin/argument-comment-lint.rs`
      - `tools/argument-comment-lint/wrapper_common.py`
    - Added wrapper/bin coverage for the stricter lint flags and documented
    the behavior in `tools/argument-comment-lint/README.md`.
    - Fixed the now-covered callsites in
    `codex-rs/linux-sandbox/src/proxy_routing.rs`,
    `codex-rs/linux-sandbox/src/landlock.rs`, and
    `codex-rs/core/src/shell_snapshot_tests.rs`.
    
    This keeps the Bazel target expansion narrow while making the Bazel and
    prebuilt-linter paths enforce the same strict lint set.
    
    ## Verification
    
    - `python3 -m unittest discover -s tools/argument-comment-lint -p
    'test_*.py'`
    - `cargo +nightly-2025-09-18 test --manifest-path
    tools/argument-comment-lint/Cargo.toml`
    - `just argument-comment-lint`
  • ci: use BuildBuddy for rust-ci-full non-Windows argument-comment-lint (#16136)
    ## Why
    
    PR #16130 fixed the Windows `argument-comment-lint` regression in
    `rust-ci-full`, but the next `main` runs still left the Linux and macOS
    lint legs timing out.
    
    In [run
    23695263729](https://github.com/openai/codex/actions/runs/23695263729),
    both non-Windows `argument-comment-lint` jobs were cancelled almost
    exactly 30 minutes after they started. The remaining workflow difference
    versus `rust-ci.yml` was that `rust-ci-full` did not pass
    `BUILDBUDDY_API_KEY` into the non-Windows Bazel lint step, so
    `run-bazel-ci.sh` fell back to local Bazel configuration instead of
    using the faster remote-backed path available on `main`.
    
    ## What changed
    
    - passed `BUILDBUDDY_API_KEY` to the non-Windows `rust-ci-full`
    `argument-comment-lint` Bazel step
    - left the Windows packaged-wrapper path from #16130 unchanged
    - kept the change scoped to `rust-ci-full.yml`
    
    ## Test plan
    
    - loaded `.github/workflows/rust-ci-full.yml` and
    `.github/workflows/rust-ci.yml` with `python3` + `yaml.safe_load(...)`
    - inspected run `23695263729` and confirmed `Argument comment lint -
    Linux` and `Argument comment lint - macOS` were cancelled about 30
    minutes after start
    - verified the updated `rust-ci-full` step now matches the non-Windows
    secret wiring already present in `rust-ci.yml`
    
    ## References
    
    - #16130
    - #16106
  • ci: keep rust-ci-full Windows argument-comment-lint on packaged wrapper (#16130)
    ## Why
    
    PR #16106 switched `rust-ci-full` over to the native Bazel-backed
    `argument-comment-lint` path on all three platforms.
    
    That works on Linux and macOS, but the Windows leg in `rust-ci-full` now
    fails before linting starts: Bazel dies while building `rules_rust`'s
    `process_wrapper` tool, so `main` reports an `argument-comment-lint`
    failure even though no Rust lint finding was produced.
    
    Until native Windows Bazel linting is repaired, `rust-ci-full` should
    keep the same Windows split that `rust-ci.yml` already uses.
    
    ## What changed
    
    - restored the Windows-only nightly `argument-comment-lint` toolchain
    setup in `rust-ci-full`
    - limited the Bazel-backed lint step in `rust-ci-full` to non-Windows
    runners
    - routed the Windows runner back through
    `tools/argument-comment-lint/run-prebuilt-linter.py`
    - left the Linux and macOS `rust-ci-full` behavior unchanged
    
    ## Test plan
    
    - loaded `.github/workflows/rust-ci-full.yml` and
    `.github/workflows/rust-ci.yml` with `python3` + `yaml.safe_load(...)`
    - inspected failing Actions run `23692864849`, especially job
    `69023229311`, to confirm the Windows failure occurs in Bazel
    `process_wrapper` setup before lint output is emitted
    
    ## References
    
    - #16106
  • build: migrate argument-comment-lint to a native Bazel aspect (#16106)
    ## Why
    
    `argument-comment-lint` had become a PR bottleneck because the repo-wide
    lane was still effectively running a `cargo dylint`-style flow across
    the workspace instead of reusing Bazel's Rust dependency graph. That
    kept the lint enforced, but it threw away the main benefit of moving
    this job under Bazel in the first place: metadata reuse and cacheable
    per-target analysis in the same shape as Clippy.
    
    This change moves the repo-wide lint onto a native Bazel Rust aspect so
    Linux and macOS can lint `codex-rs` without rebuilding the world
    crate-by-crate through the wrapper path.
    
    ## What Changed
    
    - add a nightly Rust toolchain with `rustc-dev` for Bazel and a
    dedicated crate-universe repo for `tools/argument-comment-lint`
    - add `tools/argument-comment-lint/driver.rs` and
    `tools/argument-comment-lint/lint_aspect.bzl` so Bazel can run the lint
    as a custom `rustc_driver`
    - switch repo-wide `just argument-comment-lint` and the Linux/macOS
    `rust-ci` lanes to `bazel build --config=argument-comment-lint
    //codex-rs/...`
    - keep the Python/DotSlash wrappers as the package-scoped fallback path
    and as the current Windows CI path
    - gate the Dylint entrypoint behind a `bazel_native` feature so the
    Bazel-native library avoids the `dylint_*` packaging stack
    - update the aspect runtime environment so the driver can locate
    `rustc_driver` correctly under remote execution
    - keep the dedicated `tools/argument-comment-lint` package tests and
    wrapper unit tests in CI so the source and packaged entrypoints remain
    covered
    
    ## Verification
    
    - `python3 -m unittest discover -s tools/argument-comment-lint -p
    'test_*.py'`
    - `cargo test` in `tools/argument-comment-lint`
    - `bazel build
    //tools/argument-comment-lint:argument-comment-lint-driver
    --@rules_rust//rust/toolchain/channel=nightly`
    - `bazel build --config=argument-comment-lint
    //codex-rs/utils/path-utils:all`
    - `bazel build --config=argument-comment-lint
    //codex-rs/rollout:rollout`
    
    
    
    
    
    
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/16106).
    * #16120
    * __->__ #16106
  • ci: split fast PR Rust CI from full post-merge Cargo CI (#16072)
    ## Summary
    
    Split the old all-in-one `rust-ci.yml` into:
    
    - a PR-time Cargo workflow in `rust-ci.yml`
    - a full post-merge Cargo workflow in `rust-ci-full.yml`
    
    This keeps the PR path focused on fast Cargo-native hygiene plus the
    Bazel `build` / `test` / `clippy` coverage in `bazel.yml`, while moving
    the heavyweight Cargo-native matrix to `main`.
    
    ## Why
    
    `bazel.yml` is now the main Rust verification workflow for pull
    requests. It already covers the Bazel build, test, and clippy signal we
    care about pre-merge, and it also runs on pushes to `main` to re-verify
    the merged tree and help keep the BuildBuddy caches warm.
    
    What was still missing was a clean split for the Cargo-native checks
    that Bazel does not replace yet. The old `rust-ci.yml` mixed together:
    
    - fast hygiene checks such as `cargo fmt --check` and `cargo shear`
    - `argument-comment-lint`
    - the full Cargo clippy / nextest / release-build matrix
    
    That made every PR pay for the full Cargo matrix even though most of
    that coverage is better treated as post-merge verification. The goal of
    this change is to leave PRs with the checks we still want before merge,
    while moving the heavier Cargo-native matrix off the review path.
    
    ## What Changed
    
    - Renamed the old heavyweight workflow to `rust-ci-full.yml` and limited
    it to `push` on `main` plus `workflow_dispatch`.
    - Added a new PR-only `rust-ci.yml` that runs:
      - changed-path detection
      - `cargo fmt --check`
      - `cargo shear`
      - `argument-comment-lint` on Linux, macOS, and Windows
    - `tools/argument-comment-lint` package tests when the lint itself or
    its workflow wiring changes
    - Kept the PR workflow's gatherer as the single required Cargo-native
    status so branch protection can stay simple.
    - Added `.github/workflows/README.md` to document the intended split
    between `bazel.yml`, `rust-ci.yml`, and `rust-ci-full.yml`.
    - Preserved the recent Windows `argument-comment-lint` behavior from
    `e02fd6e1d3` in `rust-ci-full.yml`, and mirrored cross-platform lint
    coverage into the PR workflow.
    
    A few details are deliberate:
    
    - The PR workflow still keeps the Linux lint lane on the
    default-targets-only invocation for now, while macOS and Windows use the
    broader released-linter path.
    - This PR does not change `bazel.yml`; it changes the Cargo-native
    workflow around the existing Bazel PR path.
    
    ## Testing
    
    - Rebasing this change onto `main` after `e02fd6e1d3`
    - `ruby -e 'require "yaml"; %w[.github/workflows/rust-ci.yml
    .github/workflows/rust-ci-full.yml .github/workflows/bazel.yml].each {
    |f| YAML.load_file(f) }'`
  • fix: clean up remaining Windows argument-comment-lint violations (#16071)
    ## Why
    
    The initial `argument-comment-lint` rollout left Windows on
    default-target coverage because there were still Windows-only callsites
    failing under `--all-targets`. This follow-up cleans up those remaining
    Windows-specific violations so the Windows CI lane can enforce the same
    stricter coverage, leaving Linux as the remaining platform-specific
    follow-up.
    
    ## What changed
    
    - switched the Windows `rust-ci` argument-comment-lint step back to the
    default wrapper invocation so it runs full-target coverage again
    - added the required `/*param_name*/` annotations at Windows-gated
    literal callsites in:
      - `codex-rs/windows-sandbox-rs/src/lib.rs`
      - `codex-rs/windows-sandbox-rs/src/elevated_impl.rs`
      - `codex-rs/tui_app_server/src/multi_agents.rs`
      - `codex-rs/network-proxy/src/proxy.rs`
    
    ## Validation
    
    - Windows `argument comment lint` CI on this PR
  • ci: run Bazel clippy on Windows gnullvm (#16067)
    ## Why
    
    We want more of the pre-merge Rust signal to come from `bazel.yml`,
    especially on Windows. The Bazel test workflow already exercises
    `x86_64-pc-windows-gnullvm`, but the Bazel clippy job still only ran on
    Linux x64 and macOS arm64. That left a gap where Windows-only Bazel lint
    breakages could slip through until the Cargo-based workflow ran.
    
    This change keeps the fix narrow. Rather than expanding the Bazel clippy
    target set or changing the shared setup logic, it extends the existing
    clippy matrix to the same Windows GNU toolchain that the Bazel test job
    already uses.
    
    ## What Changed
    
    - add `windows-latest` / `x86_64-pc-windows-gnullvm` to the `clippy` job
    matrix in `.github/workflows/bazel.yml`
    - update the nearby workflow comment to explain that the goal is to get
    Bazel-native Windows lint coverage on the same toolchain as the Bazel
    test lane
    - leave the Bazel clippy scope unchanged at `//codex-rs/...
    -//codex-rs/v8-poc:all`
    
    ## Verification
    
    - parsed `.github/workflows/bazel.yml` successfully with Ruby
    `YAML.load_file`
  • bazel: enable the full Windows gnullvm CI path (#15952)
    ## Why
    
    This PR is the current, consolidated follow-up to the earlier Windows
    Bazel attempt in #11229. The goal is no longer just to get a tiny
    Windows smoke job limping along: it is to make the ordinary Bazel CI
    path usable on `windows-latest` for `x86_64-pc-windows-gnullvm`, with
    the same broad `//...` test shape that macOS and Linux already use.
    
    The earlier smoke-list version of this work was useful as a foothold,
    but it was not a good long-term landing point. Windows Bazel kept
    surfacing real issues outside that allowlist:
    
    - GitHub's Windows runner exposed runfiles-manifest bugs such as
    `FINDSTR: Cannot open D:MANIFEST`, which broke Bazel test launchers even
    when the manifest file existed.
    - `rules_rs`, `rules_rust`, LLVM extraction, and Abseil still needed
    `windows-gnullvm`-specific fixes for our hermetic toolchain.
    - the V8 path needed more work than just turning the Windows matrix
    entry back on: `rusty_v8` does not ship Windows GNU artifacts in the
    same shape we need, and Bazel's in-tree V8 build needed a set of Windows
    GNU portability fixes.
    
    Windows performance pressure also pushed this toward a full solution
    instead of a permanent smoke suite. During this investigation we hit
    targets such as `//codex-rs/shell-command:shell-command-unit-tests` that
    were much more expensive on Windows because they repeatedly spawn real
    PowerShell parsers (see #16057 for one concrete example of that
    pressure). That made it much more valuable to get the real Windows Bazel
    path working than to keep iterating on a narrowly curated subset.
    
    The net result is that this PR now aims for the same CI contract on
    Windows that we already expect elsewhere: keep standalone
    `//third_party/v8:all` out of the ordinary Bazel lane, but allow V8
    consumers under `//codex-rs/...` to build and test transitively through
    `//...`.
    
    ## What Changed
    
    ### CI and workflow wiring
    
    - re-enable the `windows-latest` / `x86_64-pc-windows-gnullvm` Bazel
    matrix entry in `.github/workflows/bazel.yml`
    - move the Windows Bazel output root to `D:\b` and enable `git config
    --global core.longpaths true` in
    `.github/actions/setup-bazel-ci/action.yml`
    - keep the ordinary Bazel target set on Windows aligned with macOS and
    Linux by running `//...` while excluding only standalone
    `//third_party/v8:all` targets from the normal lane
    
    ### Toolchain and module support for `windows-gnullvm`
    
    - patch `rules_rs` so `windows-gnullvm` is modeled as a distinct Windows
    exec/toolchain platform instead of collapsing into the generic Windows
    shape
    - patch `rules_rust` build-script environment handling so llvm-mingw
    build-script probes do not inherit unsupported `-fstack-protector*`
    flags
    - patch the LLVM module archive so it extracts cleanly on Windows and
    provides the MinGW libraries this toolchain needs
    - patch Abseil so its thread-local identity path matches the hermetic
    `windows-gnullvm` toolchain instead of taking an incompatible MinGW
    pthread path
    - keep both MSVC and GNU Windows targets in the generated Cargo metadata
    because the current V8 release-asset story still uses MSVC-shaped names
    in some places while the Bazel build targets the GNU ABI
    
    ### Windows test-launch and binary-behavior fixes
    
    - update `workspace_root_test_launcher.bat.tpl` to read the runfiles
    manifest directly instead of shelling out to `findstr`, which was the
    source of the `D:MANIFEST` failures on the GitHub Windows runner
    - thread a larger Windows GNU stack reserve through `defs.bzl` so
    Bazel-built binaries that pull in V8 behave correctly both under normal
    builds and under `bazel test`
    - remove the no-longer-needed Windows bootstrap sh-toolchain override
    from `.bazelrc`
    
    ### V8 / `rusty_v8` Windows GNU support
    
    - export and apply the new Windows GNU patch set from
    `patches/BUILD.bazel` / `MODULE.bazel`
    - patch the V8 module/rules/source layers so the in-tree V8 build can
    produce Windows GNU archives under Bazel
    - teach `third_party/v8/BUILD.bazel` to build Windows GNU static
    archives in-tree instead of aliasing them to the MSVC prebuilts
    - reuse the Linux release binding for the experimental Windows GNU path
    where `rusty_v8` does not currently publish a Windows GNU binding
    artifact
    
    ## Testing
    
    - the primary end-to-end validation for this work is the `Bazel`
    workflow plus `v8-canary`, since the hard parts are Windows-specific and
    depend on real GitHub runner behavior
    - before consolidation back onto this PR, the same net change passed the
    full Bazel matrix in [run
    23675590471](https://github.com/openai/codex/actions/runs/23675590471)
    and passed `v8-canary` in [run
    23675590453](https://github.com/openai/codex/actions/runs/23675590453)
    - those successful runs included the `windows-latest` /
    `x86_64-pc-windows-gnullvm` Bazel job with the ordinary `//...` path,
    not the earlier Windows smoke allowlist
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/15952).
    * #16067
    * __->__ #15952
  • refactor: rewrite argument-comment lint wrappers in Python (#16063)
    ## Why
    
    The `argument-comment-lint` entrypoints had grown into two shell
    wrappers with duplicated parsing, environment setup, and Cargo
    forwarding logic. The recent `--` separator regression was a good
    example of the problem: the behavior was subtle, easy to break, and hard
    to verify.
    
    This change rewrites those wrappers in Python so the control flow is
    easier to follow, the shared behavior lives in one place, and the tricky
    argument/defaulting paths have direct test coverage.
    
    ## What changed
    
    - replaced `tools/argument-comment-lint/run.sh` and
    `tools/argument-comment-lint/run-prebuilt-linter.sh` with Python
    entrypoints: `run.py` and `run-prebuilt-linter.py`
    - moved shared wrapper behavior into
    `tools/argument-comment-lint/wrapper_common.py`, including:
      - splitting lint args from forwarded Cargo args after `--`
    - defaulting repo runs to `--manifest-path codex-rs/Cargo.toml
    --workspace --no-deps`
    - defaulting non-`--fix` runs to `--all-targets` unless the caller
    explicitly narrows the target set
      - setting repo defaults for `DYLINT_RUSTFLAGS` and `CARGO_INCREMENTAL`
    - kept the prebuilt wrapper thin: it still just resolves the packaged
    DotSlash entrypoint, keeps `rustup` shims first on `PATH`, infers
    `RUSTUP_HOME` when needed, and then launches the packaged `cargo-dylint`
    path
    - updated `justfile`, `rust-ci.yml`, and
    `tools/argument-comment-lint/README.md` to use the Python entrypoints
    - updated `rust-ci` so the package job runs Python syntax checks plus
    the new wrapper unit tests, and the OS-specific lint jobs invoke the
    wrappers through an explicit Python interpreter
    
    This is a follow-up to #16054: it keeps the current lint semantics while
    making the wrapper logic maintainable enough to iterate on safely.
    
    ## Validation
    
    - `python3 -m py_compile tools/argument-comment-lint/wrapper_common.py
    tools/argument-comment-lint/run.py
    tools/argument-comment-lint/run-prebuilt-linter.py
    tools/argument-comment-lint/test_wrapper_common.py`
    - `python3 -m unittest discover -s tools/argument-comment-lint -p
    'test_*.py'`
    - `python3 ./tools/argument-comment-lint/run-prebuilt-linter.py -p
    codex-terminal-detection -- --lib`
    - `python3 ./tools/argument-comment-lint/run.py -p
    codex-terminal-detection -- --lib`
  • chore: clean up argument-comment lint and roll out all-target CI on macOS (#16054)
    ## Why
    
    `argument-comment-lint` was green in CI even though the repo still had
    many uncommented literal arguments. The main gap was target coverage:
    the repo wrapper did not force Cargo to inspect test-only call sites, so
    examples like the `latest_session_lookup_params(true, ...)` tests in
    `codex-rs/tui_app_server/src/lib.rs` never entered the blocking CI path.
    
    This change cleans up the existing backlog, makes the default repo lint
    path cover all Cargo targets, and starts rolling that stricter CI
    enforcement out on the platform where it is currently validated.
    
    ## What changed
    
    - mechanically fixed existing `argument-comment-lint` violations across
    the `codex-rs` workspace, including tests, examples, and benches
    - updated `tools/argument-comment-lint/run-prebuilt-linter.sh` and
    `tools/argument-comment-lint/run.sh` so non-`--fix` runs default to
    `--all-targets` unless the caller explicitly narrows the target set
    - fixed both wrappers so forwarded cargo arguments after `--` are
    preserved with a single separator
    - documented the new default behavior in
    `tools/argument-comment-lint/README.md`
    - updated `rust-ci` so the macOS lint lane keeps the plain wrapper
    invocation and therefore enforces `--all-targets`, while Linux and
    Windows temporarily pass `-- --lib --bins`
    
    That temporary CI split keeps the stricter all-targets check where it is
    already cleaned up, while leaving room to finish the remaining Linux-
    and Windows-specific target-gated cleanup before enabling
    `--all-targets` on those runners. The Linux and Windows failures on the
    intermediate revision were caused by the wrapper forwarding bug, not by
    additional lint findings in those lanes.
    
    ## Validation
    
    - `bash -n tools/argument-comment-lint/run.sh`
    - `bash -n tools/argument-comment-lint/run-prebuilt-linter.sh`
    - shell-level wrapper forwarding check for `-- --lib --bins`
    - shell-level wrapper forwarding check for `-- --tests`
    - `just argument-comment-lint`
    - `cargo test` in `tools/argument-comment-lint`
    - `cargo test -p codex-terminal-detection`
    
    ## Follow-up
    
    - Clean up remaining Linux-only target-gated callsites, then switch the
    Linux lint lane back to the plain wrapper invocation.
    - Clean up remaining Windows-only target-gated callsites, then switch
    the Windows lint lane back to the plain wrapper invocation.
  • ci: run SDK tests with a Bazel-built codex (#16046)
    ## Why
    
    Before this change, the SDK CI job built `codex` with Cargo before
    running the TypeScript package tests. That step has been getting more
    expensive as the Rust workspace grows, while the repo already has a
    Bazel-backed build path for the CLI.
    
    The SDK tests also need a normal executable path they can spawn
    repeatedly. Moving the job to Bazel exposed an extra CI detail: a plain
    `bazel-bin/...` lookup is not reliable under the Linux config because
    top-level outputs may stay remote and the wrapper emits status lines
    around `cquery` output.
    
    ## What Changed
    
    - taught `sdk/typescript/tests/testCodex.ts` to honor `CODEX_EXEC_PATH`
    before falling back to the local Cargo-style `target/debug/codex` path
    - added `--remote-download-toplevel` to
    `.github/scripts/run-bazel-ci.sh` so workflows can force Bazel to
    materialize top-level outputs on disk after a build
    - switched `.github/workflows/sdk.yml` from `cargo build --bin codex` to
    the shared Bazel CI setup and `//codex-rs/cli:codex` build target
    - changed the SDK workflow to resolve the built CLI with wrapper-backed
    `cquery --output=files`, stage the binary into
    `${GITHUB_WORKSPACE}/.tmp/sdk-ci/codex`, and point the SDK tests at that
    path via `CODEX_EXEC_PATH`
    - kept the warm-up step before Jest and the Bazel repository-cache save
    step
    
    ## Verification
    
    - `bash -n .github/scripts/run-bazel-ci.sh`
    - `./.github/scripts/run-bazel-ci.sh -- cquery --output=files --
    //codex-rs/cli:codex | grep -E '^(/|bazel-out/)' | tail -n 1`
    - `./.github/scripts/run-bazel-ci.sh --remote-download-toplevel -- build
    --build_metadata=TAG_job=sdk -- //codex-rs/cli:codex`
    - `CODEX_EXEC_PATH="$PWD/.tmp/sdk-ci/codex" pnpm --dir sdk/typescript
    test --runInBand`
    - `pnpm --dir sdk/typescript lint`
  • [codex] Pin GitHub Actions workflow references (#15828)
    Pin floating external GitHub Actions workflow refs to immutable SHAs.
    
    Why are we doing this? Please see the rationale doc:
    https://docs.google.com/document/d/1qOURCNx2zszQ0uWx7Fj5ERu4jpiYjxLVWBWgKa2wTsA/edit?tab=t.0
    
    Did this break you? Please roll back and let hintz@ know
  • ci: add Bazel clippy workflow for codex-rs (#15955)
    ## Why
    `bazel.yml` already builds and tests the Bazel graph, but `rust-ci.yml`
    still runs `cargo clippy` separately. This PR starts the transition to a
    Bazel-backed lint lane for `codex-rs` so we can eventually replace the
    duplicate Rust build, test, and lint work with Bazel while explicitly
    keeping the V8 Bazel path out of scope for now.
    
    To make that lane practical, the workflow also needs to look like the
    Bazel job we already trust. That means sharing the common Bazel setup
    and invocation logic instead of hand-copying it, and covering the arm64
    macOS path in addition to Linux.
    
    Landing the workflow green also required fixing the first lint findings
    that Bazel surfaced and adding the matching local entrypoint.
    
    ## What changed
    - add a reusable `build:clippy` config to `.bazelrc` and export
    `codex-rs/clippy.toml` from `codex-rs/BUILD.bazel` so Bazel can run the
    repository's existing Clippy policy
    - add `just bazel-clippy` so the local developer entrypoint matches the
    new CI lane
    - extend `.github/workflows/bazel.yml` with a dedicated Bazel clippy job
    for `codex-rs`, scoped to `//codex-rs/... -//codex-rs/v8-poc:all`
    - run that clippy job on Linux x64 and arm64 macOS
    - factor the shared Bazel workflow setup into
    `.github/actions/setup-bazel-ci/action.yml` and the shared Bazel
    invocation logic into `.github/scripts/run-bazel-ci.sh` so the clippy
    and build/test jobs stay aligned
    - fix the first Bazel-clippy findings needed to keep the lane green,
    including the cross-target `cmsghdr::cmsg_len` normalization in
    `codex-rs/shell-escalation/src/unix/socket.rs` and the no-`voice-input`
    dead-code warnings in `codex-rs/tui` and `codex-rs/tui_app_server`
    
    ## Verification
    - `just bazel-clippy`
    - `RUNNER_OS=macOS ./.github/scripts/run-bazel-ci.sh -- build
    --config=clippy --build_metadata=COMMIT_SHA=local-check
    --build_metadata=TAG_job=clippy -- //codex-rs/...
    -//codex-rs/v8-poc:all`
    - `bazel build --config=clippy
    //codex-rs/shell-escalation:shell-escalation`
    - `CARGO_TARGET_DIR=/tmp/codex4-shell-escalation-test cargo test -p
    codex-shell-escalation`
    - `ruby -e 'require "yaml";
    YAML.load_file(".github/workflows/bazel.yml");
    YAML.load_file(".github/actions/setup-bazel-ci/action.yml")'`
    
    ## Notes
    - `CARGO_TARGET_DIR=/tmp/codex4-tui-app-server-test cargo test -p
    codex-tui-app-server` still hits existing guardian-approvals test and
    snapshot failures unrelated to this PR's Bazel-clippy changes.
    
    Related: #15954
  • fix: increase timeout for rust-ci to 45 minutes for now (#15948)
    https://github.com/openai/codex/pull/15478 raised the timeout to 35
    minutes for `windows-arm64` only, though I just hit 35 minutes on
    https://github.com/openai/codex/actions/runs/23628986591/job/68826740108?pr=15944,
    so let's just increase it to 45 minutes. As noted, I'm hoping that we
    can bring it back down once we no longer have two copies of the `tui`
    crate.
  • bazel: re-organize bazelrc (#15522)
    Replaced ci.bazelrc and v8-ci.bazelrc by custom configs inside the main
    .bazelrc file. As a result, github workflows setup is simplified down to
    a single '--config=<foo>' flag usage.
    
    Moved the build metadata flags to config=ci.
    Added custom tags metadata to help differentiate invocations based on
    workflow (bazel vs v8) and os (linux/macos/windows).
    
    Enabled users to override the default values in .bazelrc by using a
    user.bazelrc file locally.
    Added user.bazelrc to gitignore.
  • Preserve bazel repository cache in github actions (#14495)
    Highlights:
    
    - Trimmed down to just the repository cache for faster upload / download
    - Made the cache key only include files that affect external
    dependencies (since that's what the repository cache caches) -
    MODULE.bazel, codex-rs/Cargo.lock, codex-rs/Cargo.toml
    - Split the caching action in to explicit restore / save steps (similar
    to your rust CI) which allows us to skip uploads on cache hit, and not
    fail the build if upload fails
    
    This should get rid of 842 network fetches that are happening on every
    Bazel CI run, while also reducing the Github flakiness @bolinfest
    reported. Uploading should be faster (since we're not caching many small
    files), and will only happen when MODULE.bazel or Cargo.lock /
    Cargo.toml files change.
    
    In my testing, it [took 3s to save the repository
    cache](https://github.com/siggisim/codex/actions/runs/23014186143/job/66832859781).
  • fix: keep zsh-fork release assets after removing shell-tool-mcp (#15644)
    ## Why
    
    `shell-tool-mcp` and the Bash fork are no longer needed, but the patched
    zsh fork is still relevant for shell escalation and for the
    DotSlash-backed zsh-fork integration tests.
    
    Deleting the old `shell-tool-mcp` workflow also deleted the only
    pipeline that rebuilt those patched zsh binaries. This keeps the package
    removal, while preserving a small release path that can be reused
    whenever `codex-rs/shell-escalation/patches/zsh-exec-wrapper.patch`
    changes.
    
    ## What changed
    
    - removed the `shell-tool-mcp` workspace package, its npm
    packaging/release jobs, the Bash test fixture, and the remaining
    Bash-specific compatibility wiring
    - deleted the old `.github/workflows/shell-tool-mcp.yml` and
    `.github/workflows/shell-tool-mcp-ci.yml` workflows now that their
    responsibilities have been replaced or removed
    - kept the zsh patch under
    `codex-rs/shell-escalation/patches/zsh-exec-wrapper.patch` and updated
    the `codex-rs/shell-escalation` docs/code to describe the zsh-based flow
    directly
    - added `.github/workflows/rust-release-zsh.yml` to build only the three
    zsh binaries that `codex-rs/app-server/tests/suite/zsh` needs today:
      - `aarch64-apple-darwin` on `macos-15`
      - `x86_64-unknown-linux-musl` on `ubuntu-24.04`
      - `aarch64-unknown-linux-musl` on `ubuntu-24.04`
    - extracted the shared zsh build/smoke-test/stage logic into
    `.github/scripts/build-zsh-release-artifact.sh`, made that helper
    directly executable, and now invoke it directly from the workflow so the
    Linux and macOS jobs only keep the OS-specific setup in YAML
    - wired those standalone `codex-zsh-*.tar.gz` assets into
    `rust-release.yml` and added `.github/dotslash-zsh-config.json` so
    releases also publish a `codex-zsh` DotSlash file
    - updated the checked-in `codex-rs/app-server/tests/suite/zsh` fixture
    comments to explain that new releases come from the standalone zsh
    assets, while the checked-in fixture remains pinned to the latest
    historical release until a newer zsh artifact is published
    - tightened a couple of follow-on cleanups in
    `codex-rs/shell-escalation`: the `ExecParams::command` comment now
    describes the shell `-c`/`-lc` string more clearly, and the README now
    points at the same `git.code.sf.net` zsh source URL that the workflow
    uses
    
    ## Testing
    
    - `cargo test -p codex-shell-escalation`
    - `just argument-comment-lint`
    - `bash -n .github/scripts/build-zsh-release-artifact.sh`
    - attempted `cargo test -p codex-core`; unrelated existing failures
    remain, but the touched `tools::runtimes::shell::unix_escalation::*`
    coverage passed during that run
  • Bump vedantmgoyal9/winget-releaser from 19e706d4c9121098010096f9c495a70a7518b30f to 7bd472be23763def6e16bd06cc8b1cdfab0e2fd5 (#14777)
    Bumps
    [vedantmgoyal9/winget-releaser](https://github.com/vedantmgoyal9/winget-releaser)
    from 19e706d4c9121098010096f9c495a70a7518b30f to
    7bd472be23763def6e16bd06cc8b1cdfab0e2fd5.
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/vedantmgoyal9/winget-releaser/commit/7bd472be23763def6e16bd06cc8b1cdfab0e2fd5"><code>7bd472b</code></a>
    docs: add description to inputs (<a
    href="https://redirect.github.com/vedantmgoyal9/winget-releaser/issues/335">#335</a>)</li>
    <li><a
    href="https://github.com/vedantmgoyal9/winget-releaser/commit/a43926ed822e5a076ac8a81e0a794915cbad51d1"><code>a43926e</code></a>
    fix: cargo command not found in <code>ubuntu-slim</code> runner (<a
    href="https://redirect.github.com/vedantmgoyal9/winget-releaser/issues/334">#334</a>)</li>
    <li>See full diff in <a
    href="https://github.com/vedantmgoyal9/winget-releaser/compare/19e706d4c9121098010096f9c495a70a7518b30f...7bd472be23763def6e16bd06cc8b1cdfab0e2fd5">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • chore(deps): bump pnpm/action-setup from 4 to 5 (#15484)
    Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4
    to 5.
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a
    href="https://github.com/pnpm/action-setup/releases">pnpm/action-setup's
    releases</a>.</em></p>
    <blockquote>
    <h2>v5.0.0</h2>
    <p>Updated the action to use Node.js 24.</p>
    <h2>v4.4.0</h2>
    <p>Updated the action to use Node.js 24.</p>
    <h2>v4.3.0</h2>
    <h2>What's Changed</h2>
    <ul>
    <li>docs: fix the run_install example in the Readme by <a
    href="https://github.com/dreyks"><code>@​dreyks</code></a> in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/175">pnpm/action-setup#175</a></li>
    <li>chore: remove unused <code>@types/node-fetch</code> dependency by <a
    href="https://github.com/silverwind"><code>@​silverwind</code></a> in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/186">pnpm/action-setup#186</a></li>
    <li>Clarify that package_json_file is relative to GITHUB_WORKSPACE by <a
    href="https://github.com/chris-martin"><code>@​chris-martin</code></a>
    in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/184">pnpm/action-setup#184</a></li>
    <li>feat: store caching by <a
    href="https://github.com/jrmajor"><code>@​jrmajor</code></a> in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/188">pnpm/action-setup#188</a></li>
    <li>refactor: remove star imports by <a
    href="https://github.com/KSXGitHub"><code>@​KSXGitHub</code></a> in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/196">pnpm/action-setup#196</a></li>
    <li>fix(ci): exclude macos by <a
    href="https://github.com/KSXGitHub"><code>@​KSXGitHub</code></a> in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/197">pnpm/action-setup#197</a></li>
    </ul>
    <h2>New Contributors</h2>
    <ul>
    <li><a href="https://github.com/dreyks"><code>@​dreyks</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/175">pnpm/action-setup#175</a></li>
    <li><a
    href="https://github.com/silverwind"><code>@​silverwind</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/186">pnpm/action-setup#186</a></li>
    <li><a
    href="https://github.com/chris-martin"><code>@​chris-martin</code></a>
    made their first contribution in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/184">pnpm/action-setup#184</a></li>
    <li><a href="https://github.com/jrmajor"><code>@​jrmajor</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/188">pnpm/action-setup#188</a></li>
    <li><a
    href="https://github.com/Boosted-Bonobo"><code>@​Boosted-Bonobo</code></a>
    made their first contribution in <a
    href="https://redirect.github.com/pnpm/action-setup/pull/199">pnpm/action-setup#199</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/pnpm/action-setup/compare/v4.2.0...v4.3.0">https://github.com/pnpm/action-setup/compare/v4.2.0...v4.3.0</a></p>
    <h2>v4.2.0</h2>
    <p>When there's a <code>.npmrc</code> file at the root of the
    repository, pnpm will be fetched from the registry that is specified in
    that <code>.npmrc</code> file <a
    href="https://redirect.github.com/pnpm/action-setup/pull/179">#179</a></p>
    <h2>v4.1.0</h2>
    <p>Add support for <code>package.yaml</code> <a
    href="https://redirect.github.com/pnpm/action-setup/pull/156">#156</a>.</p>
    </blockquote>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li>See full diff in <a
    href="https://github.com/pnpm/action-setup/compare/v4...v5">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    [![Dependabot compatibility
    score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pnpm/action-setup&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • [codex-cli][app-server] Update self-serve business usage limit copy in error returned (#15478)
    ## Summary
    - update the self-serve business usage-based limit message to direct
    users to their admin for additional credits
    - add a focused unit test for the self_serve_business_usage_based plan
    branch
    
    Added also: 
    
    If you are at a rate limit but you still have credits, codex cli would
    tell you to switch the model. We shouldnt do this if you have credits so
    fixed this.
    
    ## Test
    - launched the source-built CLI and verified the updated message is
    shown for the self-serve business usage-based plan
    
    ![Test
    screenshot](https://raw.githubusercontent.com/openai/codex/5cc3c013ef17ac5c66dfd9395c0d3c4837602231/docs/images/self-serve-business-usage-limit.png)
  • Add v8-poc consumer of our new built v8 (#15203)
    This adds a dummy v8-poc project that in Cargo links against our
    prebuilt binaries and the ones provided by rusty_v8 for non musl
    platforms. This demonstrates that we can successfully link and use v8 on
    all platforms that we want to target.
    
    In bazel things are slightly more complicated. Since the libraries as
    published have libc++ linked in already we end up with a lot of double
    linked symbols if we try to use them in bazel land. Instead we fall back
    to building rusty_v8 and v8 from source (cached of course) on the
    platforms we ship to.
    
    There is likely some compatibility drift in the windows bazel builder
    that we'll need to reconcile before we can re-enable them. I'm happy to
    be on the hook to unwind that.
  • Add remote env CI matrix and integration test (#14869)
    `CODEX_TEST_REMOTE_ENV` will make `test_codex` start the executor
    "remotely" (inside a docker container) turning any integration test into
    remote test.
  • Use released DotSlash package for argument-comment lint (#15199)
    ## Why
    The argument-comment lint now has a packaged DotSlash artifact from
    [#15198](https://github.com/openai/codex/pull/15198), so the normal repo
    lint path should use that released payload instead of rebuilding the
    lint from source every time.
    
    That keeps `just clippy` and CI aligned with the shipped artifact while
    preserving a separate source-build path for people actively hacking on
    the lint crate.
    
    The current alpha package also exposed two integration wrinkles that the
    repo-side prebuilt wrapper needs to smooth over:
    - the bundled Dylint library filename includes the host triple, for
    example `@nightly-2025-09-18-aarch64-apple-darwin`, and Dylint derives
    `RUSTUP_TOOLCHAIN` from that filename
    - on Windows, Dylint's driver path also expects `RUSTUP_HOME` to be
    present in the environment
    
    Without those adjustments, the prebuilt CI jobs fail during `cargo
    metadata` or driver setup. This change makes the checked-in prebuilt
    wrapper normalize the packaged library name to the plain
    `nightly-2025-09-18` channel before invoking `cargo-dylint`, and it
    teaches both the wrapper and the packaged runner source to infer
    `RUSTUP_HOME` from `rustup show home` when the environment does not
    already provide it.
    
    After the prebuilt Windows lint job started running successfully, it
    also surfaced a handful of existing anonymous literal callsites in
    `windows-sandbox-rs`. This PR now annotates those callsites so the new
    cross-platform lint job is green on the current tree.
    
    ## What Changed
    - checked in the current
    `tools/argument-comment-lint/argument-comment-lint` DotSlash manifest
    - kept `tools/argument-comment-lint/run.sh` as the source-build wrapper
    for lint development
    - added `tools/argument-comment-lint/run-prebuilt-linter.sh` as the
    normal enforcement path, using the checked-in DotSlash package and
    bundled `cargo-dylint`
    - updated `just clippy` and `just argument-comment-lint` to use the
    prebuilt wrapper
    - split `.github/workflows/rust-ci.yml` so source-package checks live in
    a dedicated `argument_comment_lint_package` job, while the released lint
    runs in an `argument_comment_lint_prebuilt` matrix on Linux, macOS, and
    Windows
    - kept the pinned `nightly-2025-09-18` toolchain install in the prebuilt
    CI matrix, since the prebuilt package still relies on rustup-provided
    toolchain components
    - updated `tools/argument-comment-lint/run-prebuilt-linter.sh` to
    normalize host-qualified nightly library filenames, keep the `rustup`
    shim directory ahead of direct toolchain `cargo` binaries, and export
    `RUSTUP_HOME` when needed for Windows Dylint driver setup
    - updated `tools/argument-comment-lint/src/bin/argument-comment-lint.rs`
    so future published DotSlash artifacts apply the same nightly-filename
    normalization and `RUSTUP_HOME` inference internally
    - fixed the remaining Windows lint violations in
    `codex-rs/windows-sandbox-rs` by adding the required `/*param*/`
    comments at the reported callsites
    - documented the checked-in DotSlash file, wrapper split, archive
    layout, nightly prerequisite, and Windows `RUSTUP_HOME` requirement in
    `tools/argument-comment-lint/README.md`
  • V8 Bazel Build (#15021)
    Alternative approach, we use rusty_v8 for all platforms that its
    predefined, but lets build from source a musl v8 version with bazel for
    x86 and aarch64 only. We would need to release this on github and then
    use the release.
  • Add exec-server exec RPC implementation (#15090)
    Stacked PR 2/3, based on the stub PR.
    
    Adds the exec RPC implementation and process/event flow in exec-server
    only.
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Publish runnable DotSlash package for argument-comment lint (#15198)
    ## Why
    
    To date, the argument-comment linter introduced in
    https://github.com/openai/codex/pull/14651 had to be built from source
    to run, which can be a bit slow (both for local dev and when it is run
    in CI). Because of the potential slowness, I did not wire it up to run
    as part of `just clippy` or anything like that. As a result, I have seen
    a number of occasions where folks put up PRs that violate the lint, see
    it fail in CI, and then have to put up their PR again.
    
    The goal of this PR is to pre-build a runnable version of the linter and
    then make it available via a DotSlash file. Once it is available, I will
    update `just clippy` and other touchpoints to make it a natural part of
    the dev cycle so lint violations should get flagged _before_ putting up
    a PR for review.
    
    To get things started, we will build the DotSlash file as part of an
    alpha release. Though I don't expect the linter to change often, so I'll
    probably change this to only build as part of mainline releases once we
    have a working DotSlash file. (Ultimately, we should probably move the
    linter into its own repo so it can have its own release cycle.)
    
    ## What Changed
    - add a reusable `rust-release-argument-comment-lint.yml` workflow that
    builds host-specific archives for macOS arm64, Linux arm64/x64, and
    Windows x64
    - wire `rust-release.yml` to publish the `argument-comment-lint`
    DotSlash manifest on all releases for now, including alpha tags
    - package a runnable layout instead of a bare library
    
    The Unix archive layout is:
    
    ```text
    argument-comment-lint/
      bin/
        argument-comment-lint
        cargo-dylint
      lib/
        libargument_comment_lint@nightly-2025-09-18-<target>.dylib|so
    ```
    
    On Windows the same layout is published as a `.zip`, with `.exe` and
    `.dll` filenames instead.
    
    DotSlash resolves the package entrypoint to
    `argument-comment-lint/bin/argument-comment-lint`. That runner finds the
    sibling bundled `cargo-dylint` binary plus the single packaged Dylint
    library under `lib/`, then invokes `cargo-dylint dylint --lib-path
    <that-library>` with the repo's default lint settings.
  • fix: try to fix "Stage npm package" step in ci.yml (#15092)
    Fix the CI job by updating it to use artifacts from a more recent
    release (`0.115.0`) instead of the existing one (`0.74.0`).
    
    This step in our CI job on PRs started failing today:
    
    
    https://github.com/openai/codex/blob/334164a6f714c171bb9f6440c7d3cd04ec04d295/.github/workflows/ci.yml#L33-L47
    
    I believe it's because this test verifies that the "package npm" script
    works, but we want it to be fast and not wait for binaries to be built,
    so it uses a GitHub workflow that's already done. Because it was using a
    GitHub workflow associated with `0.74.0`, it seems likely that
    workflow's history has been reaped, so we need to use a newer one.
  • Pin setup-zig GitHub Action to immutable SHA (#14858)
    ### Motivation
    - Pinning the action to an immutable commit SHA reduces the risk of
    arbitrary code execution in runners with repository access and secrets.
    
    ### Description
    - Replaced `uses: mlugg/setup-zig@v2` with `uses:
    mlugg/setup-zig@d1434d0886 # v2` in three
    workflow files.
    - Updated the following files: ` .github/workflows/rust-ci.yml`, `
    .github/workflows/rust-release.yml`, and `
    .github/workflows/shell-tool-mcp.yml` to reference the immutable SHA
    while preserving the original `v2` intent in a trailing comment.
    
    ### Testing
    - No automated tests were run because this is a workflow-only change and
    does not affect repository source code, so CI validation will occur on
    the next workflow execution.
    
    ------
    [Codex
    Task](https://chatgpt.com/codex/tasks/task_i_69763f570234832d9c67b1b66a27c78d)
  • fix: tighten up shell arg quoting in GitHub workflows (#14864)
    Inspired by the work done over in
    https://github.com/openai/codex-action/pull/74, this tightens up our use
    of GitHub expressions as shell/environment variables.
  • Apply argument comment lint across codex-rs (#14652)
    ## Why
    
    Once the repo-local lint exists, `codex-rs` needs to follow the
    checked-in convention and CI needs to keep it from drifting. This commit
    applies the fallback `/*param*/` style consistently across existing
    positional literal call sites without changing those APIs.
    
    The longer-term preference is still to avoid APIs that require comments
    by choosing clearer parameter types and call shapes. This PR is
    intentionally the mechanical follow-through for the places where the
    existing signatures stay in place.
    
    After rebasing onto newer `main`, the rollout also had to cover newly
    introduced `tui_app_server` call sites. That made it clear the first cut
    of the CI job was too expensive for the common path: it was spending
    almost as much time installing `cargo-dylint` and re-testing the lint
    crate as a representative test job spends running product tests. The CI
    update keeps the full workspace enforcement but trims that extra
    overhead from ordinary `codex-rs` PRs.
    
    ## What changed
    
    - keep a dedicated `argument_comment_lint` job in `rust-ci`
    - mechanically annotate remaining opaque positional literals across
    `codex-rs` with exact `/*param*/` comments, including the rebased
    `tui_app_server` call sites that now fall under the lint
    - keep the checked-in style aligned with the lint policy by using
    `/*param*/` and leaving string and char literals uncommented
    - cache `cargo-dylint`, `dylint-link`, and the relevant Cargo
    registry/git metadata in the lint job
    - split changed-path detection so the lint crate's own `cargo test` step
    runs only when `tools/argument-comment-lint/*` or `rust-ci.yml` changes
    - continue to run the repo wrapper over the `codex-rs` workspace, so
    product-code enforcement is unchanged
    
    Most of the code changes in this commit are intentionally mechanical
    comment rewrites or insertions driven by the lint itself.
    
    ## Verification
    
    - `./tools/argument-comment-lint/run.sh --workspace`
    - `cargo test -p codex-tui-app-server -p codex-tui`
    - parsed `.github/workflows/rust-ci.yml` locally with PyYAML
    
    ---
    
    * -> #14652
    * #14651
  • check for large binaries in CI (#14382)
    Prevent binaries >500KB from being committed. And maintain an allowlist
    if we need to bypass on a case-by-case basis.
    
    I checked the currently tracked binary-like assets in the repo. There
    are only 5 obvious committed binaries by extension/MIME type:
    - `.github/codex-cli-splash.png`: `838,131` bytes, about `818 KiB`
    - `codex-rs/vendor/bubblewrap/bubblewrap.jpg`: `40,239` bytes, about `39
    KiB`
    -
    `codex-rs/skills/src/assets/samples/skill-creator/assets/skill-creator.png`:
    `1,563` bytes
    - `codex-rs/skills/src/assets/samples/openai-docs/assets/openai.png`:
    `1,429` bytes
    -
    `codex-rs/skills/src/assets/samples/skill-installer/assets/skill-installer.png`:
    `1,086` bytes
    
    So `500 KB` looks like a good default for this repo. It would only trip
    on one existing intentional asset, which keeps the allowlist small and
    the policy easy to understand.
    
    Here's a smoke-test from a throwaway branch that tries to commit a large
    binary:
    https://github.com/openai/codex/actions/runs/22971558828/job/66689330435?pr=14383
  • Increase sdk workflow timeout to 15 minutes (#14252)
    - raise the sdk workflow job timeout from 10 to 15 minutes to reduce
    false cancellations near the current limit
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Codex/winget auto update (#12943)
    Publish CLI releases to winget.
    
    Uses https://github.com/vedantmgoyal9/winget-releaser to greatly reduce
    boilerplate needed to create winget-pkgs manifets
  • chore(deps): bump actions/upload-artifact from 6 to 7 (#13207)
    Bumps
    [actions/upload-artifact](https://github.com/actions/upload-artifact)
    from 6 to 7.
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a
    href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
    releases</a>.</em></p>
    <blockquote>
    <h2>v7.0.0</h2>
    <h2>v7 What's new</h2>
    <h3>Direct Uploads</h3>
    <p>Adds support for uploading single files directly (unzipped). Callers
    can set the new <code>archive</code> parameter to <code>false</code> to
    skip zipping the file during upload. Right now, we only support single
    files. The action will fail if the glob passed resolves to multiple
    files. The <code>name</code> parameter is also ignored with this
    setting. Instead, the name of the artifact will be the name of the
    uploaded file.</p>
    <h3>ESM</h3>
    <p>To support new versions of the <code>@actions/*</code> packages,
    we've upgraded the package to ESM.</p>
    <h2>What's Changed</h2>
    <ul>
    <li>Add proxy integration test by <a
    href="https://github.com/Link"><code>@​Link</code></a>- in <a
    href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
    <li>Upgrade the module to ESM and bump dependencies by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li>
    <li>Support direct file uploads by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li>
    </ul>
    <h2>New Contributors</h2>
    <ul>
    <li><a href="https://github.com/Link"><code>@​Link</code></a>- made
    their first contribution in <a
    href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p>
    </blockquote>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a>
    Support direct file uploads (<a
    href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a>
    Upgrade the module to ESM and bump dependencies (<a
    href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a>
    Merge pull request <a
    href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a>
    from actions/Link-/add-proxy-integration-tests</li>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a>
    Add proxy integration test</li>
    <li>See full diff in <a
    href="https://github.com/actions/upload-artifact/compare/v6...v7">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    [![Dependabot compatibility
    score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=6&new-version=7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Eric Traut <etraut@openai.com>
  • chore(deps): bump actions/download-artifact from 7 to 8 (#13208)
    Bumps
    [actions/download-artifact](https://github.com/actions/download-artifact)
    from 7 to 8.
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a
    href="https://github.com/actions/download-artifact/releases">actions/download-artifact's
    releases</a>.</em></p>
    <blockquote>
    <h2>v8.0.0</h2>
    <h2>v8 - What's new</h2>
    <h3>Direct downloads</h3>
    <p>To support direct uploads in <code>actions/upload-artifact</code>,
    the action will no longer attempt to unzip all downloaded files.
    Instead, the action checks the <code>Content-Type</code> header ahead of
    unzipping and skips non-zipped files. Callers wishing to download a
    zipped file as-is can also set the new <code>skip-decompress</code>
    parameter to <code>false</code>.</p>
    <h3>Enforced checks (breaking)</h3>
    <p>A previous release introduced digest checks on the download. If a
    download hash didn't match the expected hash from the server, the action
    would log a warning. Callers can now configure the behavior on mismatch
    with the <code>digest-mismatch</code> parameter. To be secure by
    default, we are now defaulting the behavior to <code>error</code> which
    will fail the workflow run.</p>
    <h3>ESM</h3>
    <p>To support new versions of the @actions/* packages, we've upgraded
    the package to ESM.</p>
    <h2>What's Changed</h2>
    <ul>
    <li>Don't attempt to un-zip non-zipped downloads by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/download-artifact/pull/460">actions/download-artifact#460</a></li>
    <li>Add a setting to specify what to do on hash mismatch and default it
    to <code>error</code> by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/download-artifact/pull/461">actions/download-artifact#461</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/actions/download-artifact/compare/v7...v8.0.0">https://github.com/actions/download-artifact/compare/v7...v8.0.0</a></p>
    </blockquote>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/actions/download-artifact/commit/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3"><code>70fc10c</code></a>
    Merge pull request <a
    href="https://redirect.github.com/actions/download-artifact/issues/461">#461</a>
    from actions/danwkennedy/digest-mismatch-behavior</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/f258da9a506b755b84a09a531814700b86ccfc62"><code>f258da9</code></a>
    Add change docs</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/ccc058e5fbb0bb2352213eaec3491e117cbc4a5c"><code>ccc058e</code></a>
    Fix linting issues</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/bd7976ba57ecea96e6f3df575eb922d11a12a9fd"><code>bd7976b</code></a>
    Add a setting to specify what to do on hash mismatch and default it to
    <code>error</code></li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/ac21fcf45e0aaee541c0f7030558bdad38d77d6c"><code>ac21fcf</code></a>
    Merge pull request <a
    href="https://redirect.github.com/actions/download-artifact/issues/460">#460</a>
    from actions/danwkennedy/download-no-unzip</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/15999bff51058bc7c19b50ebbba518eaef7c26c0"><code>15999bf</code></a>
    Add note about package bumps</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/974686ed5098c7f9c9289ec946b9058e496a2561"><code>974686e</code></a>
    Bump the version to <code>v8</code> and add release notes</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/fbe48b1d2756394be4cd4358ed3bc1343b330e75"><code>fbe48b1</code></a>
    Update test names to make it clearer what they do</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/96bf374a614d4360e225874c3efd6893a3f285e7"><code>96bf374</code></a>
    One more test fix</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/b8c4819ef592cbe04fd93534534b38f853864332"><code>b8c4819</code></a>
    Fix skip decompress test</li>
    <li>Additional commits viewable in <a
    href="https://github.com/actions/download-artifact/compare/v7...v8">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    [![Dependabot compatibility
    score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=7&new-version=8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • Require deduplicator success before commenting (#13399)
    Fixed recent regression in issue dedup action
  • Add Windows direct install script (#12741)
    ## Summary
    - add a direct install script for Windows at
    `scripts/install/install.ps1`
    - extend release staging so `install.ps1` is published alongside
    `install.sh`
    - install the Windows runtime payload (`codex.exe`, `rg.exe`, and helper
    binaries) from the existing platform npm package
    
    ## Dependencies
    - Depends on https://github.com/openai/codex/pull/12740
    
    ## Testing
    - Smoke-tested with powershell
  • fix: use https://git.savannah.gnu.org/git/bash instead of https://github.com/bolinfest/bash (#13057)
    Historically, we cloned the Bash repo from
    https://github.com/bminor/bash, but for whatever reason, it was removed
    at some point.
    
    I had a local clone of it, so I pushed it to
    https://github.com/bolinfest/bash so that we could continue running our
    CI job. I did this in https://github.com/openai/codex/pull/9563, and as
    you can see, I did not tamper with the commit hash we used as the basis
    of this build.
    
    Using a personal fork is not great, so this PR changes the CI job to use
    what appears to be considered the source of truth for Bash, which is
    https://git.savannah.gnu.org/git/bash.git.
    
    Though in testing this out, it appears this Git server does not support
    the combination of `git clone --depth 1
    https://git.savannah.gnu.org/git/bash` and `git fetch --depth 1 origin
    a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b`, as it fails with the
    following error:
    
    ```
    error: Server does not allow request for unadvertised object a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
    ```
    
    so unfortunately this means that we have to do a full clone instead of a
    shallow clone in our CI jobs, which will be a bit slower.
    
    Also updated `codex-rs/shell-escalation/README.md` to reflect this
    change.
  • Fix issue deduplication workflow for Codex issues (#13215)
    Fixes #13203
    
    Summary
    - split the duplicate-finding workflow into two jobs so we gather all
    issues first
    - add an open-issue fallback job that runs only when the full scan finds
    nothing
    - centralize final selection so `comment-on-issue` always sees the best
    dedupe output
  • fix: disable Bazel builds in CI on ubuntu-24.04-arm until we can stabilize them (#13055)
    The other three Bazel builds have experienced low flakiness in my
    experience whereas I find myself re-running the `ubuntu-24.04-arm` jobs
    often to shake out the flakes. Disabling for now.
  • Try fixing windows pipeline (#12848)
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • Add macOS and Linux direct install script (#12740)
    ## Summary
    - add a direct install script for macOS and Linux at
    `scripts/install/install.sh`
    - stage `install.sh` into `dist/` during release so it is published as a
    GitHub release asset
    - reuse the existing platform npm payload so the installer includes both
    `codex` and `rg`
    
    ## Testing
    - `bash -n scripts/install/install.sh`
    - local macOS `curl | sh` smoke test against a locally served copy of
    the script
  • tests(js_repl): stabilize CI runtime test execution (#12407)
    ## Summary
    
    Stabilize `js_repl` runtime test setup in CI and move tool-facing
    `js_repl` behavior coverage into integration tests.
    
    This is a test/CI change only. No production `js_repl` behavior change
    is intended.
    
    ## Why
    
    - Bazel test sandboxes (especially on macOS) could resolve a different
    `node` than the one installed by `actions/setup-node`, which caused
    `js_repl` runtime/version failures.
    - `js_repl` runtime tests depend on platform-specific
    sandbox/test-harness behavior, so they need explicit gating in a
    base-stability commit.
    - Several tests in the `js_repl` unit test module were actually
    black-box/tool-level behavior tests and fit better in the integration
    suite.
    
    ## Changes
    
    - Add `actions/setup-node` to the Bazel and Rust `Tests` workflows,
    using the exact version pinned in the repo’s Node version file.
    - In Bazel (non-Windows), pass `CODEX_JS_REPL_NODE_PATH=$(which node)`
    into test env so `js_repl` uses the `actions/setup-node` runtime inside
    Bazel tests.
    - Add a new integration test suite for `js_repl` tool behavior and
    register it in the core integration test suite module.
    - Move black-box `js_repl` behavior tests into the integration suite
    (persistence/TLA, builtin tool invocation, recursive self-call
    rejection, `process` isolation, blocked builtin imports).
    - Keep white-box manager/kernel tests in the `js_repl` unit test module.
    - Gate `js_repl` runtime tests to run only on macOS and only when a
    usable Node runtime is available (skip on other platforms / missing Node
    in this commit).
    
    ## Impact
    
    - Reduces `js_repl` CI failures caused by Node resolution drift in
    Bazel.
    - Improves test organization by separating tool-facing behavior tests
    from white-box manager/kernel tests.
    - Keeps the base commit stable while expanding `js_repl` runtime
    coverage.
    
    
    #### [git stack](https://github.com/magus/git-stack-cli)
    -  `1` https://github.com/openai/codex/pull/12372
    - 👉 `2` https://github.com/openai/codex/pull/12407
    -  `3` https://github.com/openai/codex/pull/12185
    -  `4` https://github.com/openai/codex/pull/10673