Commit Graph

298 Commits

  • Increase sdk workflow timeout to 15 minutes (#14252)
    - raise the sdk workflow job timeout from 10 to 15 minutes to reduce
    false cancellations near the current limit
    
    ---------
    
    Co-authored-by: Codex <noreply@openai.com>
  • Codex/winget auto update (#12943)
    Publish CLI releases to winget.
    
    Uses https://github.com/vedantmgoyal9/winget-releaser to greatly reduce
    boilerplate needed to create winget-pkgs manifets
  • chore(deps): bump actions/upload-artifact from 6 to 7 (#13207)
    Bumps
    [actions/upload-artifact](https://github.com/actions/upload-artifact)
    from 6 to 7.
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a
    href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
    releases</a>.</em></p>
    <blockquote>
    <h2>v7.0.0</h2>
    <h2>v7 What's new</h2>
    <h3>Direct Uploads</h3>
    <p>Adds support for uploading single files directly (unzipped). Callers
    can set the new <code>archive</code> parameter to <code>false</code> to
    skip zipping the file during upload. Right now, we only support single
    files. The action will fail if the glob passed resolves to multiple
    files. The <code>name</code> parameter is also ignored with this
    setting. Instead, the name of the artifact will be the name of the
    uploaded file.</p>
    <h3>ESM</h3>
    <p>To support new versions of the <code>@actions/*</code> packages,
    we've upgraded the package to ESM.</p>
    <h2>What's Changed</h2>
    <ul>
    <li>Add proxy integration test by <a
    href="https://github.com/Link"><code>@​Link</code></a>- in <a
    href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
    <li>Upgrade the module to ESM and bump dependencies by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li>
    <li>Support direct file uploads by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li>
    </ul>
    <h2>New Contributors</h2>
    <ul>
    <li><a href="https://github.com/Link"><code>@​Link</code></a>- made
    their first contribution in <a
    href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p>
    </blockquote>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a>
    Support direct file uploads (<a
    href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a>
    Upgrade the module to ESM and bump dependencies (<a
    href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a>
    Merge pull request <a
    href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a>
    from actions/Link-/add-proxy-integration-tests</li>
    <li><a
    href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a>
    Add proxy integration test</li>
    <li>See full diff in <a
    href="https://github.com/actions/upload-artifact/compare/v6...v7">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    [![Dependabot compatibility
    score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=6&new-version=7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Eric Traut <etraut@openai.com>
  • chore(deps): bump actions/download-artifact from 7 to 8 (#13208)
    Bumps
    [actions/download-artifact](https://github.com/actions/download-artifact)
    from 7 to 8.
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a
    href="https://github.com/actions/download-artifact/releases">actions/download-artifact's
    releases</a>.</em></p>
    <blockquote>
    <h2>v8.0.0</h2>
    <h2>v8 - What's new</h2>
    <h3>Direct downloads</h3>
    <p>To support direct uploads in <code>actions/upload-artifact</code>,
    the action will no longer attempt to unzip all downloaded files.
    Instead, the action checks the <code>Content-Type</code> header ahead of
    unzipping and skips non-zipped files. Callers wishing to download a
    zipped file as-is can also set the new <code>skip-decompress</code>
    parameter to <code>false</code>.</p>
    <h3>Enforced checks (breaking)</h3>
    <p>A previous release introduced digest checks on the download. If a
    download hash didn't match the expected hash from the server, the action
    would log a warning. Callers can now configure the behavior on mismatch
    with the <code>digest-mismatch</code> parameter. To be secure by
    default, we are now defaulting the behavior to <code>error</code> which
    will fail the workflow run.</p>
    <h3>ESM</h3>
    <p>To support new versions of the @actions/* packages, we've upgraded
    the package to ESM.</p>
    <h2>What's Changed</h2>
    <ul>
    <li>Don't attempt to un-zip non-zipped downloads by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/download-artifact/pull/460">actions/download-artifact#460</a></li>
    <li>Add a setting to specify what to do on hash mismatch and default it
    to <code>error</code> by <a
    href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
    <a
    href="https://redirect.github.com/actions/download-artifact/pull/461">actions/download-artifact#461</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/actions/download-artifact/compare/v7...v8.0.0">https://github.com/actions/download-artifact/compare/v7...v8.0.0</a></p>
    </blockquote>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/actions/download-artifact/commit/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3"><code>70fc10c</code></a>
    Merge pull request <a
    href="https://redirect.github.com/actions/download-artifact/issues/461">#461</a>
    from actions/danwkennedy/digest-mismatch-behavior</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/f258da9a506b755b84a09a531814700b86ccfc62"><code>f258da9</code></a>
    Add change docs</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/ccc058e5fbb0bb2352213eaec3491e117cbc4a5c"><code>ccc058e</code></a>
    Fix linting issues</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/bd7976ba57ecea96e6f3df575eb922d11a12a9fd"><code>bd7976b</code></a>
    Add a setting to specify what to do on hash mismatch and default it to
    <code>error</code></li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/ac21fcf45e0aaee541c0f7030558bdad38d77d6c"><code>ac21fcf</code></a>
    Merge pull request <a
    href="https://redirect.github.com/actions/download-artifact/issues/460">#460</a>
    from actions/danwkennedy/download-no-unzip</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/15999bff51058bc7c19b50ebbba518eaef7c26c0"><code>15999bf</code></a>
    Add note about package bumps</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/974686ed5098c7f9c9289ec946b9058e496a2561"><code>974686e</code></a>
    Bump the version to <code>v8</code> and add release notes</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/fbe48b1d2756394be4cd4358ed3bc1343b330e75"><code>fbe48b1</code></a>
    Update test names to make it clearer what they do</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/96bf374a614d4360e225874c3efd6893a3f285e7"><code>96bf374</code></a>
    One more test fix</li>
    <li><a
    href="https://github.com/actions/download-artifact/commit/b8c4819ef592cbe04fd93534534b38f853864332"><code>b8c4819</code></a>
    Fix skip decompress test</li>
    <li>Additional commits viewable in <a
    href="https://github.com/actions/download-artifact/compare/v7...v8">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    [![Dependabot compatibility
    score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=7&new-version=8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • Require deduplicator success before commenting (#13399)
    Fixed recent regression in issue dedup action
  • Add Windows direct install script (#12741)
    ## Summary
    - add a direct install script for Windows at
    `scripts/install/install.ps1`
    - extend release staging so `install.ps1` is published alongside
    `install.sh`
    - install the Windows runtime payload (`codex.exe`, `rg.exe`, and helper
    binaries) from the existing platform npm package
    
    ## Dependencies
    - Depends on https://github.com/openai/codex/pull/12740
    
    ## Testing
    - Smoke-tested with powershell
  • fix: use https://git.savannah.gnu.org/git/bash instead of https://github.com/bolinfest/bash (#13057)
    Historically, we cloned the Bash repo from
    https://github.com/bminor/bash, but for whatever reason, it was removed
    at some point.
    
    I had a local clone of it, so I pushed it to
    https://github.com/bolinfest/bash so that we could continue running our
    CI job. I did this in https://github.com/openai/codex/pull/9563, and as
    you can see, I did not tamper with the commit hash we used as the basis
    of this build.
    
    Using a personal fork is not great, so this PR changes the CI job to use
    what appears to be considered the source of truth for Bash, which is
    https://git.savannah.gnu.org/git/bash.git.
    
    Though in testing this out, it appears this Git server does not support
    the combination of `git clone --depth 1
    https://git.savannah.gnu.org/git/bash` and `git fetch --depth 1 origin
    a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b`, as it fails with the
    following error:
    
    ```
    error: Server does not allow request for unadvertised object a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
    ```
    
    so unfortunately this means that we have to do a full clone instead of a
    shallow clone in our CI jobs, which will be a bit slower.
    
    Also updated `codex-rs/shell-escalation/README.md` to reflect this
    change.
  • Fix issue deduplication workflow for Codex issues (#13215)
    Fixes #13203
    
    Summary
    - split the duplicate-finding workflow into two jobs so we gather all
    issues first
    - add an open-issue fallback job that runs only when the full scan finds
    nothing
    - centralize final selection so `comment-on-issue` always sees the best
    dedupe output
  • fix: disable Bazel builds in CI on ubuntu-24.04-arm until we can stabilize them (#13055)
    The other three Bazel builds have experienced low flakiness in my
    experience whereas I find myself re-running the `ubuntu-24.04-arm` jobs
    often to shake out the flakes. Disabling for now.
  • Try fixing windows pipeline (#12848)
    # External (non-OpenAI) Pull Request Requirements
    
    Before opening this Pull Request, please read the dedicated
    "Contributing" markdown file or your PR may be closed:
    https://github.com/openai/codex/blob/main/docs/contributing.md
    
    If your PR conforms to our contribution guidelines, replace this text
    with a detailed and high quality description of your changes.
    
    Include a link to a bug report or enhancement request.
  • Add macOS and Linux direct install script (#12740)
    ## Summary
    - add a direct install script for macOS and Linux at
    `scripts/install/install.sh`
    - stage `install.sh` into `dist/` during release so it is published as a
    GitHub release asset
    - reuse the existing platform npm payload so the installer includes both
    `codex` and `rg`
    
    ## Testing
    - `bash -n scripts/install/install.sh`
    - local macOS `curl | sh` smoke test against a locally served copy of
    the script
  • tests(js_repl): stabilize CI runtime test execution (#12407)
    ## Summary
    
    Stabilize `js_repl` runtime test setup in CI and move tool-facing
    `js_repl` behavior coverage into integration tests.
    
    This is a test/CI change only. No production `js_repl` behavior change
    is intended.
    
    ## Why
    
    - Bazel test sandboxes (especially on macOS) could resolve a different
    `node` than the one installed by `actions/setup-node`, which caused
    `js_repl` runtime/version failures.
    - `js_repl` runtime tests depend on platform-specific
    sandbox/test-harness behavior, so they need explicit gating in a
    base-stability commit.
    - Several tests in the `js_repl` unit test module were actually
    black-box/tool-level behavior tests and fit better in the integration
    suite.
    
    ## Changes
    
    - Add `actions/setup-node` to the Bazel and Rust `Tests` workflows,
    using the exact version pinned in the repo’s Node version file.
    - In Bazel (non-Windows), pass `CODEX_JS_REPL_NODE_PATH=$(which node)`
    into test env so `js_repl` uses the `actions/setup-node` runtime inside
    Bazel tests.
    - Add a new integration test suite for `js_repl` tool behavior and
    register it in the core integration test suite module.
    - Move black-box `js_repl` behavior tests into the integration suite
    (persistence/TLA, builtin tool invocation, recursive self-call
    rejection, `process` isolation, blocked builtin imports).
    - Keep white-box manager/kernel tests in the `js_repl` unit test module.
    - Gate `js_repl` runtime tests to run only on macOS and only when a
    usable Node runtime is available (skip on other platforms / missing Node
    in this commit).
    
    ## Impact
    
    - Reduces `js_repl` CI failures caused by Node resolution drift in
    Bazel.
    - Improves test organization by separating tool-facing behavior tests
    from white-box manager/kernel tests.
    - Keeps the base commit stable while expanding `js_repl` runtime
    coverage.
    
    
    #### [git stack](https://github.com/magus/git-stack-cli)
    -  `1` https://github.com/openai/codex/pull/12372
    - 👉 `2` https://github.com/openai/codex/pull/12407
    -  `3` https://github.com/openai/codex/pull/12185
    -  `4` https://github.com/openai/codex/pull/10673
  • add AWS_LC_SYS_NO_JITTER_ENTROPY=1 to release musl build step to unblock releases (#12720)
    linux musl build steps in `rust-release.yml` are [currently
    broken](https://github.com/openai/codex/actions/runs/22367312571)
    because of linking issues due to ubsan-calling types (`jitterentropy`)
    leaking into the build.
    
    add `AWS_LC_SYS_NO_JITTER_ENTROPY=1` to the musl build step to avoid
    linking those ubsan-calling types. this is a more temporary fix, we need
    to clean up ubsan usage upstream so they dont leak into release-build
    steps anyways.
    
    codex's more thorough explanation below:
    
    [pr 9859](https://github.com/openai/codex/pull/9859) added [MITM
    init](https://github.com/openai/codex/pull/9859/changes#diff-db782967007060c5520651633e1ea21681d64be21f2b791d3d84519860245b97R62-R68)
    in network-proxy, which wires in cert generation code (rcgen/rustls).
    this didnt bump/change dep versions, but it changed symbol reachability
    at link time.
    
    for musl builds, that made aws-lc-sys’s jitterentropy objects get pulled
    into the final link. those objects contain UBSan calls
    (__ubsan_handle_*). musl release linking is static (*-linux-musl-gcc,
    -nodefaultlibs) and does not link a musl UBSan runtime, so link fails
    with undefined __ubsan_*.
    
    before, our custom musl CI UBSan steps (install libubsan1, RUSTC_WRAPPER
    + LD_PRELOAD, partial flag scrubbing) masked some sanitizer issues.
    after this pr, more aws-lc code became link-reachable, and that band-aid
    wasn't enough.
  • refactor: delete exec-server and move execve wrapper into shell-escalation (#12632)
    ## Why
    
    We already plan to remove the shell-tool MCP path, and doing that
    cleanup first makes the follow-on `shell-escalation` work much simpler.
    
    This change removes the last remaining reason to keep
    `codex-rs/exec-server` around by moving the `codex-execve-wrapper`
    binary and shared shell test fixtures to the crates/tests that now own
    that functionality.
    
    ## What Changed
    
    ### Delete `codex-rs/exec-server`
    
    - Remove the `exec-server` crate, including the MCP server binary,
    MCP-specific modules, and its test support/test suite
    - Remove `exec-server` from the `codex-rs` workspace and update
    `Cargo.lock`
    
    ### Move `codex-execve-wrapper` into `codex-rs/shell-escalation`
    
    - Move the wrapper implementation into `shell-escalation`
    (`src/unix/execve_wrapper.rs`)
    - Add the `codex-execve-wrapper` binary entrypoint under
    `shell-escalation/src/bin/`
    - Update `shell-escalation` exports/module layout so the wrapper
    entrypoint is hosted there
    - Move the wrapper README content from `exec-server` to
    `shell-escalation/README.md`
    
    ### Move shared shell test fixtures to `app-server`
    
    - Move the DotSlash `bash`/`zsh` test fixtures from
    `exec-server/tests/suite/` to `app-server/tests/suite/`
    - Update `app-server` zsh-fork tests to reference the new fixture paths
    
    ### Keep `shell-tool-mcp` as a shell-assets package
    
    - Update `.github/workflows/shell-tool-mcp.yml` packaging so the npm
    artifact contains only patched Bash/Zsh payloads (no Rust binaries)
    - Update `shell-tool-mcp/package.json`, `shell-tool-mcp/src/index.ts`,
    and docs to reflect the shell-assets-only package shape
    - `shell-tool-mcp-ci.yml` does not need changes because it is already
    JS-only
    
    ## Verification
    
    - `cargo shear`
    - `cargo clippy -p codex-shell-escalation --tests`
    - `just clippy`
  • chore: better bazel test logs (#12576)
    ## Summary
    
    Improve Bazel CI failure diagnostics by printing the tail of each failed
    target’s test.log directly in the GitHub Actions output.
    
    Today, when a large Bazel test target fails (for example tests of
    `codex-core`), the workflow often only shows a target-level Exit 101
    plus a path to Bazel’s test.log. That makes it hard to see the actual
    failing Rust test and panic without digging into artifacts or
    reproducing locally.
    
    This change makes the workflow automatically surface that information
    inline.
    
      ## What Changed
    
    In .github/workflows/bazel.yml:
    
      - Capture Bazel console output via tee
      - Preserve the Bazel exit code when piping (PIPESTATUS[0])
      - On failure:
          - Parse failed Bazel test targets from FAIL: //... lines
          - Resolve Bazel test log directory via bazel info bazel-testlogs
          - Print tail -n 200 for each failed target’s test.log
          - Group each target’s output in GitHub Actions logs (::group::)
    
    ## Bonus
    Disable `experimental_remote_repo_contents_cache` to prevent "Permission
    Denied"
  • ci(bazel): install Node from node-version.txt in remote image (#12205)
    ## Summary
    Install Node in the Bazel remote execution image using the version
    pinned in `codex-rs/node-version.txt`.
    
    ## Why
    `js_repl` tests run under Bazel remote execution and require a modern
    Node runtime. Runner-level `setup-node` does not guarantee Node is
    available (or recent enough) inside the remote worker container.
    
    ## What changed
    - Updated `.github/workflows/Dockerfile.bazel` to install Node from
    official tarballs at image build time.
    - Added `xz-utils` for extracting `.tar.xz` archives.
    - Copied `codex-rs/node-version.txt` into the image build context and
    used it as the single source of truth for Node version.
    - Added architecture mapping for multi-arch builds:
      - `amd64 -> x64`
      - `arm64 -> arm64`
    - Verified install during image build with:
      - `node --version`
      - `npm --version`
    
    ## Impact
    - Bazel remote workers should now have the required Node version
    available for `js_repl` tests.
    - Keeps Node version synchronized with repo policy via
    `codex-rs/node-version.txt`.
    
    ## Testing
    - Verified Dockerfile changes and build steps locally (build-time
    commands are deterministic and fail fast on unsupported arch/version
    fetch issues).
    
    ## Follow-up
    - Rebuild and publish the Bazel runner image for both `linux/amd64` and
    `linux/arm64`.
    - Update image digests in `rbe.bzl` to roll out this runtime update in
    CI.
    
    
    #### [git stack](https://github.com/magus/git-stack-cli)
    -  `1` https://github.com/openai/codex/pull/12300
    -  `2` https://github.com/openai/codex/pull/12275
    - 👉 `3` https://github.com/openai/codex/pull/12205
    -  `4` https://github.com/openai/codex/pull/12185
    -  `5` https://github.com/openai/codex/pull/10673
  • fix(linux-sandbox): mount /dev in bwrap sandbox (#12081)
    ## Summary
    - Updates the Linux bubblewrap sandbox args to mount a minimal `/dev`
    using `--dev /dev` instead of only binding `/dev/null`. tools needing
    entropy (git, crypto libs, etc.) can fail.
    
    - Changed mount order so `--dev /dev` is added before writable-root
    `--bind` mounts, preserving writable `/dev/*` submounts like `/dev/shm`
    
    ## Why
    Fixes sandboxed command failures when reading `/dev/urandom` (and
    similar standard device-node access).
    
    
    Fixes https://github.com/openai/codex/issues/12056
  • fix(ci) Fix shell-tool-mcp.yml (#11969)
    ## Summary
    We're seeing failures for shell-tool-mcp.yml during git checkouts. This
    is a quick attempt to unblock releases - we should revisit this build
    pipeline since we've hit a number of errors.
  • bazel: enforce MODULE.bazel.lock sync with Cargo.lock (#11790)
    ## Why this change
    
    When Cargo dependencies change, it is easy to end up with an unexpected
    local diff in
    `MODULE.bazel.lock` after running Bazel. That creates noisy working
    copies and pushes lockfile fixes
    later in the cycle. This change addresses that pain point directly.
    
    ## What this change enforces
    
    The expected invariant is: after dependency updates, `MODULE.bazel.lock`
    is already in sync with
    Cargo resolution. In practice, running `bazel mod deps` should not
    mutate the lockfile in a clean
    state. If it does, the dependency update is incomplete.
    
    ## How this is enforced
    
    This change adds a single lockfile check script that snapshots
    `MODULE.bazel.lock`, runs
    `bazel mod deps`, and fails if the file changes. The same check is wired
    into local workflow
    commands (`just bazel-lock-update` and `just bazel-lock-check`) and into
    Bazel CI (Linux x86_64 job)
    so drift is caught early and consistently. The developer documentation
    is updated in
    `codex-rs/docs/bazel.md` and `AGENTS.md` to make the expected flow
    explicit.
    
    `MODULE.bazel.lock` is also refreshed in this PR to match the current
    Cargo dependency resolution.
    
    ## Expected developer workflow
    
    After changing `Cargo.toml` or `Cargo.lock`, run `just
    bazel-lock-update`, then run
    `just bazel-lock-check`, and include any resulting `MODULE.bazel.lock`
    update in the same change.
    
    ## Testing
    
    Ran `just bazel-lock-check` locally.
  • Improve GitHub issue deduplication reliability by introducing a stage… (#11769)
    …d two-pass Codex search strategy with deterministic fallback behavior,
    and remove an obsolete prompt file that was no longer used.
    
    ### Changes
    - Updated `workflows/issue-deduplicator.yml`:
    - Added richer issue input fields (`state`, `updatedAt`, `labels`) for
    model context.
      - Added two candidate pools:
        - `codex-existing-issues-all.json` (`--state all`)
        - `codex-existing-issues-open.json` (`--state open`)
    - Added body truncation during JSON preparation to reduce prompt noise.
      - Added **Pass 1** Codex run over all issues.
      - Added normalization/validation step for Pass 1 output:
        - tolerant JSON parsing
        - self-issue filtering
        - deduplication
        - cap to 5 results
    - Added **Pass 2 fallback** Codex run over open issues only, triggered
    only when Pass 1 has no usable matches.
    - Added normalization/validation step for Pass 2 output (same
    filtering/dedup/cap behavior).
      - Added final deterministic selector:
        - prefer pass 2 if it finds matches
        - otherwise use pass 1
        - otherwise return no matches
      - Added observability logs:
        - pool sizes
        - per-pass parse/match status
        - final pass selected and final duplicate count
      - Kept public issue-comment format unchanged.
    - Added comment documenting that prompt text now lives inline in
    workflow.
    
    - Deleted obsolete file:
      - `/prompts/issue-deduplicator.txt`
    
    ### Behavior Impact
    - Better duplicate recall when broad search fails by retrying against
    active issues only.
    - More deterministic/noise-resistant output handling.
    - No change to workflow trigger conditions, permissions, or issue
    comment structure.
  • fix(shell-tool-mcp) build dependencies (#11709)
    ## Summary
    Based on our most recent [release
    attempt](https://github.com/openai/codex/actions/runs/21980518940/job/63501739210)
    we are not building the shell-tool-mcp job correctly. This one is
    outside my expertise, but seems mostly reasonable.
    
    ## Testing
     - [x] We really need dry runs of these
  • fix(ci) lock rust toolchain at 1.93.0 to unblock (#11703)
    ## Summary
    CI is broken on main because our CI toolchain is trying to run 1.93.1
    while our rust toolchain is locked at 1.93.0. I'm sure it's likely safe
    to upgrade, but let's keep things stable for now.
    
    ## Testing
    - [x] CI should hopefully pass
  • feat(shell-tool-mcp): add patched zsh build pipeline (#11668)
    ## Summary
    - add `shell-tool-mcp/patches/zsh-exec-wrapper.patch` against upstream
    zsh `77045ef899e53b9598bebc5a41db93a548a40ca6`
    - add `zsh-linux` and `zsh-darwin` jobs to
    `.github/workflows/shell-tool-mcp.yml`
    - stage zsh binaries under `artifacts/vendor/<target>/zsh/<variant>/zsh`
    - include zsh artifact jobs in `package.needs`
    - mark staged zsh binaries executable during packaging
    
    ## Notes
    - zsh source is cloned from `https://git.code.sf.net/p/zsh/code`
    - workflow pins zsh commit `77045ef899e53b9598bebc5a41db93a548a40ca6`
    - zsh build runs `./Util/preconfig` before `./configure`
    
    ## Validation
    - parsed workflow YAML locally (`yaml-ok`)
    - validated zsh patch applies cleanly with `git apply --check` on a
    fresh zsh clone
  • rust-release: exclude cargo-timing.html from release assets (#11564)
    ## Why
    The `release` job in `.github/workflows/rust-release.yml` uploads
    `files: dist/**` via `softprops/action-gh-release`. The downloaded
    timing artifacts include multiple files with the same basename,
    `cargo-timing.html` (one per target), which causes release asset
    collisions/races and can fail with GitHub release-assets API `404 Not
    Found` errors.
    
    ## What Changed
    - Updated the existing cleanup step before `Create GitHub Release` to
    remove all `cargo-timing.html` files from `dist/`.
    - Removed any now-empty directories after deleting those timing files.
    
    Relevant change:
    -
    https://github.com/openai/codex/blob/daba003d32f299579e9b89240aa8ebdc9f161424/.github/workflows/rust-release.yml#L423
    
    ## Verification
    - Confirmed from failing release logs that multiple `cargo-timing.html`
    files were being included in `dist/**` and that the release step failed
    while operating on duplicate-named assets.
    - Verified the workflow now deletes those files before the release
    upload step, so `cargo-timing.html` is no longer part of the release
    asset set.
  • Fix linux-musl release link failures caused by glibc-only libcap artifacts (#11556)
    Problem:
    The `aarch64-unknown-linux-musl` release build was failing at link time
    with
    `/usr/bin/ld: cannot find -lcap` while building binaries that
    transitively pull
    in `codex-linux-sandbox`.
    
    Why this is the right fix:
    `codex-linux-sandbox` compiles vendored bubblewrap and links `libcap`.
    In the
    musl jobs, we were installing distro `libcap-dev`, which provides
    host/glibc
    artifacts. That is not a valid source of target-compatible static libcap
    for
    musl cross-linking, so the fix is to produce a target-compatible libcap
    inside
    the musl tool bootstrap and point pkg-config at it.
    
    This also closes the CI coverage gap that allowed this to slip through:
    the
    `rust-ci.yml` matrix did not exercise `aarch64-unknown-linux-musl` in
    `release`
    mode. Adding that target/profile combination to CI is the right
    regression
    barrier for this class of failure.
    
    What changed:
    - Updated `.github/scripts/install-musl-build-tools.sh` to install
    tooling
      needed to fetch/build libcap sources (`curl`, `xz-utils`, certs).
    - Added deterministic libcap bootstrap in the musl tool root:
      - download `libcap-2.75` from kernel.org
      - verify SHA256
      - build with the target musl compiler (`*-linux-musl-gcc`)
      - stage `libcap.a` and headers under the target tool root
      - generate a target-scoped `libcap.pc`
    - Exported target `PKG_CONFIG_PATH` so builds resolve the staged musl
    libcap
      instead of host pkg-config/lib paths.
    - Updated `.github/workflows/rust-ci.yml` to add a `release` matrix
    entry for
      `aarch64-unknown-linux-musl` on the ARM runner.
    - Updated `.github/workflows/rust-ci.yml` to set
    `CARGO_PROFILE_RELEASE_LTO=thin` for `release` matrix entries (and keep
    `fat`
    for non-release entries), matching the release-build tradeoff already
    used in
      `rust-release.yml` while reducing CI runtime.
    
    Verification:
    - Reproduced the original failure in CI-like containers:
      - `aarch64-unknown-linux-musl` failed with `cannot find -lcap`.
    - Verified the underlying mismatch by forcing host libcap into the link:
      - link then failed with glibc-specific unresolved symbols
        (`__isoc23_*`, `__*_chk`), confirming host libcap was unsuitable.
    - Verified the fix in CI-like containers after this change:
    - `cargo build -p codex-linux-sandbox --target
    aarch64-unknown-linux-musl --release` -> pass
    - `cargo build -p codex-linux-sandbox --target x86_64-unknown-linux-musl
    --release` -> pass
    - Triggered `rust-ci` on this branch and confirmed the new job appears:
    - `Lint/Build — ubuntu-24.04-arm - aarch64-unknown-linux-musl (release)`
  • ci: capture cargo timings in Rust CI and release workflows (#11543)
    ## Why
    We want actionable build-hotspot data from CI so we can tune Rust
    workflow performance (for example, target coverage, cache behavior, and
    job shape) based on actual compile-time bottlenecks.
    
    `cargo` timing reports are lightweight and provide a direct way to
    inspect where compilation time is spent.
    
    ## What Changed
    - Updated `.github/workflows/rust-release.yml` to run `cargo build` with
    `--timings` and upload `target/**/cargo-timings/cargo-timing.html`.
    - Updated `.github/workflows/rust-release-windows.yml` to run `cargo
    build` with `--timings` and upload
    `target/**/cargo-timings/cargo-timing.html`.
    - Updated `.github/workflows/rust-ci.yml` to:
      - run `cargo clippy` with `--timings`
      - run `cargo nextest run` with `--timings` (stable-compatible)
    - upload `target/**/cargo-timings/cargo-timing.html` artifacts for both
    the clippy and nextest jobs
    
    Artifacts are matrix-scoped via artifact names so timings can be
    compared per target/profile.
    
    ## Verification
    - Confirmed the net diff is limited to:
      - `.github/workflows/rust-ci.yml`
      - `.github/workflows/rust-release.yml`
      - `.github/workflows/rust-release-windows.yml`
    - Verified timing uploads are added immediately after the corresponding
    timed commands in each workflow.
    - Confirmed stable Cargo accepts plain `--timings` for the compile phase
    (`cargo test --no-run --timings`) and generates
    `target/cargo-timings/cargo-timing.html`.
    - Ran VS Code diagnostics on modified workflow files; no new diagnostics
    were introduced by these changes.
  • build(linux-sandbox): always compile vendored bubblewrap on Linux; remove CODEX_BWRAP_ENABLE_FFI (#11498)
    ## Summary
    This PR removes the temporary `CODEX_BWRAP_ENABLE_FFI` flag and makes
    Linux builds always compile vendored bubblewrap support for
    `codex-linux-sandbox`.
    
    ## Changes
    - Removed `CODEX_BWRAP_ENABLE_FFI` gating from
    `codex-rs/linux-sandbox/build.rs`.
    - Linux builds now fail fast if vendored bubblewrap compilation fails
    (instead of warning and continuing).
    - Updated fallback/help text in
    `codex-rs/linux-sandbox/src/vendored_bwrap.rs` to remove references to
    `CODEX_BWRAP_ENABLE_FFI`.
    - Removed `CODEX_BWRAP_ENABLE_FFI` env wiring from:
      - `.github/workflows/rust-ci.yml`
      - `.github/workflows/bazel.yml`
      - `.github/workflows/rust-release.yml`
    
    ---------
    
    Co-authored-by: David Zbarsky <zbarsky@openai.com>
  • ci(windows): use DotSlash for zstd in rust-release-windows (#11542)
    ## Why
    Installing `zstd` via Chocolatey in
    `.github/workflows/rust-release-windows.yml` has been taking about a
    minute on Windows release runs. This adds avoidable latency to each
    release job.
    
    Using DotSlash removes that package-manager install step and pins the
    exact binary we use for compression.
    
    ## What Changed
    - Added `.github/workflows/zstd`, a DotSlash wrapper that fetches
    `zstd-v1.5.7-win64.zip` with pinned size and digest.
    - Updated `.github/workflows/rust-release-windows.yml` to:
      - install DotSlash via `facebook/install-dotslash@v2`
    - replace `zstd -T0 -19 ...` with
    `${GITHUB_WORKSPACE}/.github/workflows/zstd -T0 -19 ...`
    - `windows-aarch64` uses the same win64 upstream zstd artifact because
    upstream releases currently publish `win32` and `win64` binaries.
    
    ## Verification
    - Verified the workflow now resolves the DotSlash file from
    `${GITHUB_WORKSPACE}` while the job runs with `working-directory:
    codex-rs`.
    - Ran VS Code diagnostics on changed files:
      - `.github/workflows/rust-release-windows.yml`
      - `.github/workflows/zstd`
  • ci: remove actions/cache from rust release workflows (#11540)
    ## Why
    
    `rust-release` cache restore has had very low practical value, while
    cache save consistently costs significant time (usually adding ~3
    minutes to the critical path of a release workflow).
    
    From successful release-tag runs with cache steps (`289` runs total):
    - Alpha tags: cache download averaged ~5s/run, cache upload averaged
    ~230s/run.
    - Stable tags: cache download averaged ~5s/run, cache upload averaged
    ~227s/run.
    - Windows release builds specifically: download ~2s/run vs upload
    ~169-170s/run.
    
    Hard step-level signal from the same successful release-tag runs:
    - Cache restore (`Run actions/cache`): `2,314` steps, total `1,515s`
    (~0.65s/step).
    - `95.3%` of restore steps finished in `<=1s`; `99.7%` finished in
    `<=2s`; `0` steps took `>=10s`.
    - Cache save (`Post Run actions/cache`): `2,314` steps, total `66,295s`
    (~28.65s/step).
    
    Run-level framing:
    - Download total was `<=10s` in `288/289` runs (`99.7%`).
    - Upload total was `>=120s` in `285/289` runs (`98.6%`).
    
    The net effect is that release jobs are spending time uploading caches
    that are rarely useful for subsequent runs.
    
    ## What Changed
    
    - Removed the `actions/cache@v5` step from
    `.github/workflows/rust-release.yml`.
    - Removed the `actions/cache@v5` step from
    `.github/workflows/rust-release-windows.yml`.
    - Left build, signing, packaging, and publishing flow unchanged.
    
    ## Validation
    
    - Queried historical `rust-release` run/job step timing and compared
    cache download vs upload for alpha and stable release tags.
    - Spot-checked release logs and observed repeated `Cache not found ...`
    followed by `Cache saved ...` patterns.
  • fix: add --test_verbose_timeout_warnings to bazel.yml (#11522)
    This is in response to seeing this on BuildBuddy:
    
    > There were tests whose specified size is too big. Use the
    --test_verbose_timeout_warnings command line option to see which ones
    these are.
  • feat: try to fix bugs I saw in the wild in the resource parsing logic (#11513)
    I gave Codex the following bug report about the logic to report the
    host's resources introduced in
    https://github.com/openai/codex/pull/11488 and this PR is its proposed
    fix.
    
    The fix seems like an escaping issue, mostly.
    
    ---
    
    The logic to print out the runner specs has an awk error on Mac:
    
    ```
    Runner: GitHub Actions 1014936475
    OS: macOS 15.7.3
    Hardware model: VirtualMac2,1
    CPU architecture: arm64
    Logical CPUs: 5
    Physical CPUs: 5
    awk: syntax error at source line 1
     context is
    	{printf >>>  \ <<< "%.1f GiB\\n\", $1 / 1024 / 1024 / 1024}
    awk: illegal statement at source line 1
    Total RAM: 
    Disk usage:
    Filesystem      Size    Used   Avail Capacity iused ifree %iused  Mounted on
    /dev/disk3s5   320Gi   237Gi    64Gi    79%    2.0M  671M    0%   /System/Volumes/Data
    ```
    
    as well as Linux:
    
    ```
    Runner: GitHub Actions 1014936469
    OS: Linux runnervmwffz4 6.11.0-1018-azure #18~24.04.1-Ubuntu SMP Sat Jun 28 04:46:03 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
    awk: cmd. line:1: /Model name/ {gsub(/^[ \t]+/,\"\",$2); print $2; exit}
    awk: cmd. line:1:                              ^ backslash not last character on line
    CPU model: 
    Logical CPUs: 4
    awk: cmd. line:1: /MemTotal/ {printf \"%.1f GiB\\n\", $2 / 1024 / 1024}
    awk: cmd. line:1:                    ^ backslash not last character on line
    Total RAM: 
    Disk usage:
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/root        72G   50G   22G  70% /
    ```
  • feat: build windows support binaries in parallel (#11500)
    Windows release builds were compiling and linking four release binaries
    on a single runner, which slowed the release pipeline. The
    Windows-specific logic also made `rust-release.yml` harder to read and
    maintain.
    
    ## What Changed
    
    - Extracted Windows release logic into a reusable workflow at
    `.github/workflows/rust-release-windows.yml`.
    - Updated `.github/workflows/rust-release.yml` to call the reusable
    Windows workflow via `workflow_call`.
    - Parallelized Windows binary builds with one 4-entry matrix over two
    targets (`x86_64-pc-windows-msvc`, `aarch64-pc-windows-msvc`) and two
    bundles (`primary`, `helpers`).
    - Kept signing centralized per target by downloading both prebuilt
    bundles and signing all four executables together.
    - Preserved final release artifact behavior and filtered intermediate
    `windows-binaries*` artifacts out of the published release asset set.
  • feat: use more powerful machines for building Windows releases (#11488)
    Windows release builds in `.github/workflows/rust-release.yml` were
    still using GitHub-hosted `windows-latest` and `windows-11-arm` runners.
    This change aligns release builds with the faster dedicated Codex runner
    pool already used in CI, and adds machine-spec logging at startup so
    runner capacity (CPU/RAM/disk) is visible in build logs.
    
    ## What Changed
    
    - Updated the `build` job to support matrix entries that provide a full
    `runs_on` object:
      - `runs-on: ${{ matrix.runs_on || matrix.runner }}`
    - Switched Windows release matrix entries to Codex runners:
      - `windows-latest` -> `windows-x64` with:
        - `group: codex-runners`
        - `labels: codex-windows-x64`
      - `windows-11-arm` -> `windows-arm64` with:
        - `group: codex-runners`
        - `labels: codex-windows-arm64`
    - Updated the ARM-specific zstd install condition to match the new
    runner id:
      - `matrix.runner == 'windows-arm64'`
    - Added early platform-specific runner diagnostics steps
    (Linux/macOS/Windows) that print OS, CPU, logical CPU count, total RAM,
    and disk usage.
  • feat: remove "cargo check individual crates" from CI (#11475)
    I think this check has outlived its usefulness. It is often one of the
    last CI jobs to finish when we put up a PR, so this should save us some
    time.
  • ci: fall back to local Bazel on forks without BuildBuddy key (#11359)
    ## Summary
    - detect whether BUILDBUDDY_API_KEY is present in Bazel CI
    - keep existing remote BuildBuddy path when key is available
    - add a local fallback path for fork PRs without secrets by clearing
    remote cache/executor/BES endpoints
    - document each fallback flag inline with links to Bazel docs
    
    ## Testing
    - ruby -e 'require "yaml";
    YAML.load_file(".github/workflows/bazel.yml"); puts "ok"'
    - verified Bazel docs/flag references used in workflow comments
  • Use thin LTO for alpha Rust release builds (#11348)
    We are looking to speed up build times for alpha releases, but we do not
    want to completely compromise on runtime performance by shipping debug
    builds. This PR changes our CI so that alpha releases build with
    `lto="thin"` instead of `lto="fat"`.
    
    Specifically, this change keeps `[profile.release] lto = "fat"` as the
    default in `Cargo.toml`, but overrides LTO in CI using
    `CARGO_PROFILE_RELEASE_LTO`:
    - `rust-release.yml`: use `thin` for `-alpha` tags, otherwise `fat`
    - `shell-tool-mcp.yml`: use `thin` for `-alpha` versions, otherwise
    `fat`
    
    Tradeoffs:
    - Alpha binaries may be somewhat larger and/or slightly slower than
    fat-LTO builds
    - LTO policy now lives in workflow logic for two pipelines, so
    consistency must be maintained across both files
    
    Note `CARGO_PROFILE_<name>_LTO` is documented on
    https://doc.rust-lang.org/cargo/reference/environment-variables.html#configuration-environment-variables.
  • # Use @openai/codex dist-tags for platform binaries instead of separate package names (#11339)
    https://github.com/openai/codex/pull/11318 introduced logic to publish
    platform artifacts as separate npm packages (for example,
    `@openai/codex-darwin-arm64`, `@openai/codex-linux-x64`, etc.). That
    requires provisioning and maintaining multiple package entries in npm,
    which we want to avoid.
    
    We still need to keep the package-size mitigation (platform-specific
    payloads), but we want that layout to live under a single npm package
    namespace (`@openai/codex`) using dist-tags.
    
    We also need to preserve pre-release workflows where users install
    `@openai/codex@alpha` and get platform-appropriate binaries.
    
    Additionally, we want GitHub Release assets to group Codex npm tarballs
    together, so platform tarballs should follow the same `codex-npm-*`
    filename prefix as the main Codex tarball.
    
    ## Release Strategy (New Scheme)
    
    We publish **one npm package name for Codex binaries** (`@openai/codex`)
    and use **dist-tags** to select platform-specific payloads. This avoids
    creating separate platform package names while keeping the package size
    split by platform.
    
    ### What gets published
    
    #### Mainline release (`x.y.z`)
    
    - `@openai/codex@latest` (meta package)
    - `@openai/codex@darwin-arm64`
    - `@openai/codex@darwin-x64`
    - `@openai/codex@linux-arm64`
    - `@openai/codex@linux-x64`
    - `@openai/codex@win32-arm64`
    - `@openai/codex@win32-x64`
    - `@openai/codex-responses-api-proxy@latest`
    - `@openai/codex-sdk@latest`
    
    #### Alpha release (`x.y.z-alpha.N`)
    
    - `@openai/codex@alpha` (meta package)
    - `@openai/codex@alpha-darwin-arm64`
    - `@openai/codex@alpha-darwin-x64`
    - `@openai/codex@alpha-linux-arm64`
    - `@openai/codex@alpha-linux-x64`
    - `@openai/codex@alpha-win32-arm64`
    - `@openai/codex@alpha-win32-x64`
    - `@openai/codex-responses-api-proxy@alpha`
    - `@openai/codex-sdk@alpha`
    
    As an example, the `package.json` for `@openai/codex@alpha` (using
    `0.99.0-alpha.17` as the `version`) would be:
    
    ```
    {
      "name": "@openai/codex",
      "version": "0.99.0-alpha.17",
      "license": "Apache-2.0",
      "bin": {
        "codex": "bin/codex.js"
      },
      "type": "module",
      "engines": {
        "node": ">=16"
      },
      "files": [
        "bin"
      ],
      "repository": {
        "type": "git",
        "url": "git+https://github.com/openai/codex.git",
        "directory": "codex-cli"
      },
      "packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264",
      "optionalDependencies": {
        "@openai/codex-linux-x64": "npm:@openai/codex@0.99.0-alpha.17-linux-x64",
        "@openai/codex-linux-arm64": "npm:@openai/codex@0.99.0-alpha.17-linux-arm64",
        "@openai/codex-darwin-x64": "npm:@openai/codex@0.99.0-alpha.17-darwin-x64",
        "@openai/codex-darwin-arm64": "npm:@openai/codex@0.99.0-alpha.17-darwin-arm64",
        "@openai/codex-win32-x64": "npm:@openai/codex@0.99.0-alpha.17-win32-x64",
        "@openai/codex-win32-arm64": "npm:@openai/codex@0.99.0-alpha.17-win32-arm64"
      }
    }
    ```
    
    Note that the keys in `optionalDependencies` have "clean" names, but the
    values have the tag embedded.
    
    ### Important note
    
    **Note:** Because we never created the new platform package names on npm
    (for example,
    `@openai/codex-darwin-arm64`) since #11318 landed, there are no extra
    npm packages to clean up.
    
    ## What changed
    
    ### 1. Stage platform tarballs as `@openai/codex` with platform-specific
    versions
    
    File: `codex-cli/scripts/build_npm_package.py`
    
    - Added `CODEX_NPM_NAME = "@openai/codex"` and platform metadata
    `npm_tag` values:
    - `darwin-arm64`, `darwin-x64`, `linux-arm64`, `linux-x64`,
    `win32-arm64`, `win32-x64`
    - For platform package staging (`codex-<platform>` inputs), switched
    generated `package.json` from:
      - `name = @openai/codex-<platform>`
      to:
      - `name = @openai/codex`
    - Added `compute_platform_package_version(version, platform_tag)` so
    platform tarballs have unique
    versions (`<release-version>-<platform-tag>`), which is required because
    npm forbids re-publishing
      the same `name@version`.
    
    ### 2. Point meta package optional dependencies at dist-tags on
    `@openai/codex`
    
    File: `codex-cli/scripts/build_npm_package.py`
    
    - Updated `optionalDependencies` generation for the main `codex` package
    to use npm alias syntax:
    - key remains alias package name (for example,
    `@openai/codex-darwin-arm64`) so runtime lookup behavior is unchanged
      - value now resolves to `@openai/codex` by dist-tag
    - Stable releases emit tags like `npm:@openai/codex@darwin-arm64`.
    - Alpha releases (`x.y.z-alpha.N`) emit tags like
    `npm:@openai/codex@alpha-darwin-arm64`.
    
    ### 3. Publish with per-tarball dist-tags in release CI
    
    File: `.github/workflows/rust-release.yml`
    
    - Reworked npm publish logic to derive the publish tag per tarball
    filename:
      - platform tarballs publish with `<platform>` tags for stable releases
    - platform tarballs publish with `alpha-<platform>` tags for alpha
    releases
    - top-level tarballs (`codex`, `codex-responses-api-proxy`, `codex-sdk`)
    continue using
    the existing channel tag policy (`latest` implicit for stable, `alpha`
    for alpha)
    - Added fail-fast behavior for unexpected tarball names to avoid silent
    mispublishes.
    
    ### 4. Normalize Codex platform tarball filenames for GitHub Release
    grouping
    
    Files: `scripts/stage_npm_packages.py`,
    `.github/workflows/rust-release.yml`
    
    - Renamed staged platform tarball filenames from:
      - `codex-linux-<arch>-npm-<version>.tgz`
      - `codex-darwin-<arch>-npm-<version>.tgz`
      - `codex-win32-<arch>-npm-<version>.tgz`
    - To:
      - `codex-npm-linux-<arch>-<version>.tgz`
      - `codex-npm-darwin-<arch>-<version>.tgz`
      - `codex-npm-win32-<arch>-<version>.tgz`
    
    This keeps all Codex npm artifacts grouped under a common `codex-npm-`
    prefix in GitHub Releases.
    
    ### 5. Documentation update
    
    File: `codex-cli/scripts/README.md`
    
    - Updated staging docs to clarify that platform-native variants are
    published as dist-tagged
      `@openai/codex` artifacts rather than separate npm package names.
    
    ## Resulting behavior
    
    - Mainline release:
      - `@openai/codex@latest` resolves the meta package
    - meta package optional dependencies resolve
    `@openai/codex@<platform-tag>`
    - Alpha release:
      - users can continue installing `@openai/codex@alpha`
    - alpha meta package optional dependencies resolve
    `@openai/codex@alpha-<platform-tag>`
    - Release assets:
    - Codex npm tarballs share `codex-npm-` prefix for cleaner grouping in
    GitHub Releases
    
    This preserves platform-specific payload distribution while avoiding
    separate npm package names and
    improves release-asset discoverability.
    
    ## Validation notes
    
    - Verified staged `package.json` output for stable and alpha meta
    packages includes expected alias targets.
    - Verified staged platform package manifests are `name=@openai/codex`
    with unique platform-suffixed versions.
    - Verified publish tag derivation maps renamed platform tarballs to
    expected stable and alpha dist-tags.
  • fix: remove config.schema.json from tag check (#10980)
    Given that we have https://github.com/openai/codex/pull/10977, the
    existing "Verify config schema fixture" step seems unnecessary. Further,
    because it happens as part of the `tag-check` job (which is meant to be
    fast), it slows down the entire build process because it delays the more
    expensive steps from starting.
  • feat: enable premessage-deflate for websockets (#10966)
    note:
    unfortunately, tokio-tungstenite / tungstenite upgrade triggers some
    problems with linker of rama-tls-boring with openssl:
    ```
    error: linking with `/Users/apanasenko/Library/Caches/cargo-zigbuild/0.20.1/zigcc-x86_64-unknown-linux-musl-ff6a.sh` failed: exit status: 1
      |
      = note:  "/Users/apanasenko/Library/Caches/cargo-zigbuild/0.20.1/zigcc-x86_64-unknown-linux-musl-ff6a.sh" "-m64" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/rcrt1.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crti.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtbeginS.o" "<1 object files omitted>" "-Wl,--as-needed" "-Wl,-Bstatic" "/var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/{liblzma_sys-662a82316f96ec30,libbzip2_sys-bf78a2d58d5cbce6,liblibsqlite3_sys-6c004987fd67a36a,libtree_sitter_bash-220b99a97d331ab7,libtree_sitter-858f0a1dbfea58bd,libzstd_sys-6eb237deec748c5b,libring-2a87376483bf916f,libopenssl_sys-7c189e68b37fe2bb,liblibz_sys-4344eef4345520b1,librama_boring_sys-0414e98115015ee0}.rlib" "-lc++" "-lc++abi" "-lunwind" "-lc" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/libcompiler_builtins-*.rlib" "-L" "/var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/raw-dylibs" "-Wl,-Bdynamic" "-Wl,--eh-frame-hdr" "-Wl,-z,noexecstack" "-nostartfiles" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/libz-sys-ff5ea50d88c28ffb/out/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/ring-bdec3dddc19f5a5e/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/openssl-sys-96e0870de3ca22bc/out/openssl-build/install/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/zstd-sys-0cc37a5da1481740/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/tree-sitter-72d2418073317c0f/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/tree-sitter-bash-bfd293a9f333ce6a/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/libsqlite3-sys-b78b2cfb81a330fc/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/bzip2-sys-69a145cc859ef275/out/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/lzma-sys-07e92d0b6baa6fd4/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/crypto/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/ssl/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build" "-L" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained" "-L" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib" "-o" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/deps/codex_network_proxy-d08268b863517761" "-Wl,--gc-sections" "-static-pie" "-Wl,-z,relro,-z,now" "-Wl,-O1" "-Wl,--strip-all" "-nodefaultlibs" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtendS.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtn.o"
      = note: some arguments are omitted. use `--verbose` to show all linker arguments
      = note: warning: ignoring deprecated linker optimization setting '1'
              warning: unable to open library directory '/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/crypto/': FileNotFound
              ld.lld: error: duplicate symbol: SSL_export_keying_material
              >>> defined at ssl_lib.c:3816 (ssl/ssl_lib.c:3816)
              >>>            libssl-lib-ssl_lib.o:(SSL_export_keying_material) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/libopenssl_sys-7c189e68b37fe2bb.rlib
              >>> defined at t1_enc.cc:205 (/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/boringssl/ssl/t1_enc.cc:205)
              >>>            t1_enc.cc.o:(.text.SSL_export_keying_material+0x0) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/librama_boring_sys-0414e98115015ee0.rlib
    
              ld.lld: error: duplicate symbol: d2i_ASN1_TIME
              >>> defined at a_time.c:27 (crypto/asn1/a_time.c:27)
              >>>            libcrypto-lib-a_time.o:(d2i_ASN1_TIME) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/libopenssl_sys-7c189e68b37fe2bb.rlib
              >>> defined at a_time.cc:34 (/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/boringssl/crypto/asn1/a_time.cc:34)
              >>>            a_time.cc.o:(.text.d2i_ASN1_TIME+0x0) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/librama_boring_sys-0414e98115015ee0.rlib
    ``` 
    
    that force me to migrate away from rama-tls-boring to rama-tls-rustls
    and pin `ring` for rustls.
  • feat(linux-sandbox): add bwrap support (#9938)
    ## Summary
    This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The
    curent Linux sandbox path relies on in-process restrictions (including
    Landlock). Bubblewrap gives us a more uniform filesystem isolation
    model, especially explicit writable roots with the option to make some
    directories read-only and granular network controls.
    
    This is behind a feature flag so we can validate behavior safely before
    making it the default.
    
    - Added temporary rollout flag:
      - `features.use_linux_sandbox_bwrap`
    - Preserved existing default path when the flag is off.
    - In Bubblewrap mode:
    - Added internal retry without /proc when /proc mount is not permitted
    by the host/container.