Commit Graph

259 Commits

  • ci: fall back to local Bazel on forks without BuildBuddy key (#11359)
    ## Summary
    - detect whether BUILDBUDDY_API_KEY is present in Bazel CI
    - keep existing remote BuildBuddy path when key is available
    - add a local fallback path for fork PRs without secrets by clearing
    remote cache/executor/BES endpoints
    - document each fallback flag inline with links to Bazel docs
    
    ## Testing
    - ruby -e 'require "yaml";
    YAML.load_file(".github/workflows/bazel.yml"); puts "ok"'
    - verified Bazel docs/flag references used in workflow comments
  • Use thin LTO for alpha Rust release builds (#11348)
    We are looking to speed up build times for alpha releases, but we do not
    want to completely compromise on runtime performance by shipping debug
    builds. This PR changes our CI so that alpha releases build with
    `lto="thin"` instead of `lto="fat"`.
    
    Specifically, this change keeps `[profile.release] lto = "fat"` as the
    default in `Cargo.toml`, but overrides LTO in CI using
    `CARGO_PROFILE_RELEASE_LTO`:
    - `rust-release.yml`: use `thin` for `-alpha` tags, otherwise `fat`
    - `shell-tool-mcp.yml`: use `thin` for `-alpha` versions, otherwise
    `fat`
    
    Tradeoffs:
    - Alpha binaries may be somewhat larger and/or slightly slower than
    fat-LTO builds
    - LTO policy now lives in workflow logic for two pipelines, so
    consistency must be maintained across both files
    
    Note `CARGO_PROFILE_<name>_LTO` is documented on
    https://doc.rust-lang.org/cargo/reference/environment-variables.html#configuration-environment-variables.
  • # Use @openai/codex dist-tags for platform binaries instead of separate package names (#11339)
    https://github.com/openai/codex/pull/11318 introduced logic to publish
    platform artifacts as separate npm packages (for example,
    `@openai/codex-darwin-arm64`, `@openai/codex-linux-x64`, etc.). That
    requires provisioning and maintaining multiple package entries in npm,
    which we want to avoid.
    
    We still need to keep the package-size mitigation (platform-specific
    payloads), but we want that layout to live under a single npm package
    namespace (`@openai/codex`) using dist-tags.
    
    We also need to preserve pre-release workflows where users install
    `@openai/codex@alpha` and get platform-appropriate binaries.
    
    Additionally, we want GitHub Release assets to group Codex npm tarballs
    together, so platform tarballs should follow the same `codex-npm-*`
    filename prefix as the main Codex tarball.
    
    ## Release Strategy (New Scheme)
    
    We publish **one npm package name for Codex binaries** (`@openai/codex`)
    and use **dist-tags** to select platform-specific payloads. This avoids
    creating separate platform package names while keeping the package size
    split by platform.
    
    ### What gets published
    
    #### Mainline release (`x.y.z`)
    
    - `@openai/codex@latest` (meta package)
    - `@openai/codex@darwin-arm64`
    - `@openai/codex@darwin-x64`
    - `@openai/codex@linux-arm64`
    - `@openai/codex@linux-x64`
    - `@openai/codex@win32-arm64`
    - `@openai/codex@win32-x64`
    - `@openai/codex-responses-api-proxy@latest`
    - `@openai/codex-sdk@latest`
    
    #### Alpha release (`x.y.z-alpha.N`)
    
    - `@openai/codex@alpha` (meta package)
    - `@openai/codex@alpha-darwin-arm64`
    - `@openai/codex@alpha-darwin-x64`
    - `@openai/codex@alpha-linux-arm64`
    - `@openai/codex@alpha-linux-x64`
    - `@openai/codex@alpha-win32-arm64`
    - `@openai/codex@alpha-win32-x64`
    - `@openai/codex-responses-api-proxy@alpha`
    - `@openai/codex-sdk@alpha`
    
    As an example, the `package.json` for `@openai/codex@alpha` (using
    `0.99.0-alpha.17` as the `version`) would be:
    
    ```
    {
      "name": "@openai/codex",
      "version": "0.99.0-alpha.17",
      "license": "Apache-2.0",
      "bin": {
        "codex": "bin/codex.js"
      },
      "type": "module",
      "engines": {
        "node": ">=16"
      },
      "files": [
        "bin"
      ],
      "repository": {
        "type": "git",
        "url": "git+https://github.com/openai/codex.git",
        "directory": "codex-cli"
      },
      "packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264",
      "optionalDependencies": {
        "@openai/codex-linux-x64": "npm:@openai/codex@0.99.0-alpha.17-linux-x64",
        "@openai/codex-linux-arm64": "npm:@openai/codex@0.99.0-alpha.17-linux-arm64",
        "@openai/codex-darwin-x64": "npm:@openai/codex@0.99.0-alpha.17-darwin-x64",
        "@openai/codex-darwin-arm64": "npm:@openai/codex@0.99.0-alpha.17-darwin-arm64",
        "@openai/codex-win32-x64": "npm:@openai/codex@0.99.0-alpha.17-win32-x64",
        "@openai/codex-win32-arm64": "npm:@openai/codex@0.99.0-alpha.17-win32-arm64"
      }
    }
    ```
    
    Note that the keys in `optionalDependencies` have "clean" names, but the
    values have the tag embedded.
    
    ### Important note
    
    **Note:** Because we never created the new platform package names on npm
    (for example,
    `@openai/codex-darwin-arm64`) since #11318 landed, there are no extra
    npm packages to clean up.
    
    ## What changed
    
    ### 1. Stage platform tarballs as `@openai/codex` with platform-specific
    versions
    
    File: `codex-cli/scripts/build_npm_package.py`
    
    - Added `CODEX_NPM_NAME = "@openai/codex"` and platform metadata
    `npm_tag` values:
    - `darwin-arm64`, `darwin-x64`, `linux-arm64`, `linux-x64`,
    `win32-arm64`, `win32-x64`
    - For platform package staging (`codex-<platform>` inputs), switched
    generated `package.json` from:
      - `name = @openai/codex-<platform>`
      to:
      - `name = @openai/codex`
    - Added `compute_platform_package_version(version, platform_tag)` so
    platform tarballs have unique
    versions (`<release-version>-<platform-tag>`), which is required because
    npm forbids re-publishing
      the same `name@version`.
    
    ### 2. Point meta package optional dependencies at dist-tags on
    `@openai/codex`
    
    File: `codex-cli/scripts/build_npm_package.py`
    
    - Updated `optionalDependencies` generation for the main `codex` package
    to use npm alias syntax:
    - key remains alias package name (for example,
    `@openai/codex-darwin-arm64`) so runtime lookup behavior is unchanged
      - value now resolves to `@openai/codex` by dist-tag
    - Stable releases emit tags like `npm:@openai/codex@darwin-arm64`.
    - Alpha releases (`x.y.z-alpha.N`) emit tags like
    `npm:@openai/codex@alpha-darwin-arm64`.
    
    ### 3. Publish with per-tarball dist-tags in release CI
    
    File: `.github/workflows/rust-release.yml`
    
    - Reworked npm publish logic to derive the publish tag per tarball
    filename:
      - platform tarballs publish with `<platform>` tags for stable releases
    - platform tarballs publish with `alpha-<platform>` tags for alpha
    releases
    - top-level tarballs (`codex`, `codex-responses-api-proxy`, `codex-sdk`)
    continue using
    the existing channel tag policy (`latest` implicit for stable, `alpha`
    for alpha)
    - Added fail-fast behavior for unexpected tarball names to avoid silent
    mispublishes.
    
    ### 4. Normalize Codex platform tarball filenames for GitHub Release
    grouping
    
    Files: `scripts/stage_npm_packages.py`,
    `.github/workflows/rust-release.yml`
    
    - Renamed staged platform tarball filenames from:
      - `codex-linux-<arch>-npm-<version>.tgz`
      - `codex-darwin-<arch>-npm-<version>.tgz`
      - `codex-win32-<arch>-npm-<version>.tgz`
    - To:
      - `codex-npm-linux-<arch>-<version>.tgz`
      - `codex-npm-darwin-<arch>-<version>.tgz`
      - `codex-npm-win32-<arch>-<version>.tgz`
    
    This keeps all Codex npm artifacts grouped under a common `codex-npm-`
    prefix in GitHub Releases.
    
    ### 5. Documentation update
    
    File: `codex-cli/scripts/README.md`
    
    - Updated staging docs to clarify that platform-native variants are
    published as dist-tagged
      `@openai/codex` artifacts rather than separate npm package names.
    
    ## Resulting behavior
    
    - Mainline release:
      - `@openai/codex@latest` resolves the meta package
    - meta package optional dependencies resolve
    `@openai/codex@<platform-tag>`
    - Alpha release:
      - users can continue installing `@openai/codex@alpha`
    - alpha meta package optional dependencies resolve
    `@openai/codex@alpha-<platform-tag>`
    - Release assets:
    - Codex npm tarballs share `codex-npm-` prefix for cleaner grouping in
    GitHub Releases
    
    This preserves platform-specific payload distribution while avoiding
    separate npm package names and
    improves release-asset discoverability.
    
    ## Validation notes
    
    - Verified staged `package.json` output for stable and alpha meta
    packages includes expected alias targets.
    - Verified staged platform package manifests are `name=@openai/codex`
    with unique platform-suffixed versions.
    - Verified publish tag derivation maps renamed platform tarballs to
    expected stable and alpha dist-tags.
  • fix: remove config.schema.json from tag check (#10980)
    Given that we have https://github.com/openai/codex/pull/10977, the
    existing "Verify config schema fixture" step seems unnecessary. Further,
    because it happens as part of the `tag-check` job (which is meant to be
    fast), it slows down the entire build process because it delays the more
    expensive steps from starting.
  • feat: enable premessage-deflate for websockets (#10966)
    note:
    unfortunately, tokio-tungstenite / tungstenite upgrade triggers some
    problems with linker of rama-tls-boring with openssl:
    ```
    error: linking with `/Users/apanasenko/Library/Caches/cargo-zigbuild/0.20.1/zigcc-x86_64-unknown-linux-musl-ff6a.sh` failed: exit status: 1
      |
      = note:  "/Users/apanasenko/Library/Caches/cargo-zigbuild/0.20.1/zigcc-x86_64-unknown-linux-musl-ff6a.sh" "-m64" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/rcrt1.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crti.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtbeginS.o" "<1 object files omitted>" "-Wl,--as-needed" "-Wl,-Bstatic" "/var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/{liblzma_sys-662a82316f96ec30,libbzip2_sys-bf78a2d58d5cbce6,liblibsqlite3_sys-6c004987fd67a36a,libtree_sitter_bash-220b99a97d331ab7,libtree_sitter-858f0a1dbfea58bd,libzstd_sys-6eb237deec748c5b,libring-2a87376483bf916f,libopenssl_sys-7c189e68b37fe2bb,liblibz_sys-4344eef4345520b1,librama_boring_sys-0414e98115015ee0}.rlib" "-lc++" "-lc++abi" "-lunwind" "-lc" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/libcompiler_builtins-*.rlib" "-L" "/var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/raw-dylibs" "-Wl,-Bdynamic" "-Wl,--eh-frame-hdr" "-Wl,-z,noexecstack" "-nostartfiles" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/libz-sys-ff5ea50d88c28ffb/out/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/ring-bdec3dddc19f5a5e/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/openssl-sys-96e0870de3ca22bc/out/openssl-build/install/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/zstd-sys-0cc37a5da1481740/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/tree-sitter-72d2418073317c0f/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/tree-sitter-bash-bfd293a9f333ce6a/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/libsqlite3-sys-b78b2cfb81a330fc/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/bzip2-sys-69a145cc859ef275/out/lib" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/lzma-sys-07e92d0b6baa6fd4/out" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/crypto/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/ssl/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/" "-L" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build" "-L" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained" "-L" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib" "-o" "/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/deps/codex_network_proxy-d08268b863517761" "-Wl,--gc-sections" "-static-pie" "-Wl,-z,relro,-z,now" "-Wl,-O1" "-Wl,--strip-all" "-nodefaultlibs" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtendS.o" "<sysroot>/lib/rustlib/x86_64-unknown-linux-musl/lib/self-contained/crtn.o"
      = note: some arguments are omitted. use `--verbose` to show all linker arguments
      = note: warning: ignoring deprecated linker optimization setting '1'
              warning: unable to open library directory '/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/build/crypto/': FileNotFound
              ld.lld: error: duplicate symbol: SSL_export_keying_material
              >>> defined at ssl_lib.c:3816 (ssl/ssl_lib.c:3816)
              >>>            libssl-lib-ssl_lib.o:(SSL_export_keying_material) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/libopenssl_sys-7c189e68b37fe2bb.rlib
              >>> defined at t1_enc.cc:205 (/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/boringssl/ssl/t1_enc.cc:205)
              >>>            t1_enc.cc.o:(.text.SSL_export_keying_material+0x0) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/librama_boring_sys-0414e98115015ee0.rlib
    
              ld.lld: error: duplicate symbol: d2i_ASN1_TIME
              >>> defined at a_time.c:27 (crypto/asn1/a_time.c:27)
              >>>            libcrypto-lib-a_time.o:(d2i_ASN1_TIME) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/libopenssl_sys-7c189e68b37fe2bb.rlib
              >>> defined at a_time.cc:34 (/Users/apanasenko/code/codex/codex-rs/target/x86_64-unknown-linux-musl/release/build/rama-boring-sys-0bc2dfbf669addc4/out/boringssl/crypto/asn1/a_time.cc:34)
              >>>            a_time.cc.o:(.text.d2i_ASN1_TIME+0x0) in archive /var/folders/kt/52y_g75x3ng8ktvk3rfwm6400000gp/T/rustcyGQdYm/librama_boring_sys-0414e98115015ee0.rlib
    ``` 
    
    that force me to migrate away from rama-tls-boring to rama-tls-rustls
    and pin `ring` for rustls.
  • feat(linux-sandbox): add bwrap support (#9938)
    ## Summary
    This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The
    curent Linux sandbox path relies on in-process restrictions (including
    Landlock). Bubblewrap gives us a more uniform filesystem isolation
    model, especially explicit writable roots with the option to make some
    directories read-only and granular network controls.
    
    This is behind a feature flag so we can validate behavior safely before
    making it the default.
    
    - Added temporary rollout flag:
      - `features.use_linux_sandbox_bwrap`
    - Preserved existing default path when the flag is off.
    - In Bubblewrap mode:
    - Added internal retry without /proc when /proc mount is not permitted
    by the host/container.
  • Updated bug and feature templates (#10453)
    The current bug template uses CLI-specific instructions for getting the
    version.
    
    The current feature template doesn't ask the user to provide the Codex
    variant (surface) they are using.
    
    This PR addresses these problems.
  • chore: remove deprecated mcp-types crate (#10357)
    https://github.com/openai/codex/pull/10349 migrated us off of
    `mcp-types`, so this PR deletes the code.
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/10357).
    * __->__ #10357
    * #10349
    * #10356
  • Fix minor typos in comments and documentation (#10287)
    ## Summary
    
    I have read the contribution guidelines.  
    All changes in this PR are limited to text corrections and do not modify
    any business logic, runtime behavior, or user-facing functionality.
    
    ## Details
    
    This PR fixes several minor typos, including:
    
    - `create` -> `crate`
    - `analagous` -> `analogous`
    - `apply-patch` -> `apply_patch`
    - `codecs` -> `codex`
    - ` '/" ` -> ` '/' `
    - `Respesent` -> `Represent`
  • fix: unify npm publish call across shell-tool-mcp.yml and rust-release.yml (#10182)
    We are seeing flakiness in the `npm publish` step for
    https://www.npmjs.com/package/@openai/codex-shell-tool-mcp, so this is a
    shot in the dark for a fix:
    
    https://github.com/openai/codex/actions/runs/21490679301/job/61913765060
    
    Note this removes `actions/checkout@v6` and `pnpm/action-setup@v4`
    steps, which I believe are superflous for the `npm publish` call.
  • chore: unify log queries (#10152)
    Unify log queries to only have SQLX code in the runtime and use it for
    both the log client and for tests
  • fix: remove references to corepack (#10138)
    Currently, our `npm publish` logic is failing.
    
    There were a number of things that were merged recently that seemed to
    contribute to this situation, though I think we have fixed most of them,
    but this one stands out:
    
    https://github.com/openai/codex/pull/10115
    
    As best I can tell, we tried to fix the pnpm version to a specific hash,
    but we did not do it consistently (though `shell-tool-mcp/package.json`
    had it specified twice...), so for this PR, I ran:
    
    ```
    $ git ls-files | grep package.json
    codex-cli/package.json
    codex-rs/responses-api-proxy/npm/package.json
    package.json
    sdk/typescript/package.json
    shell-tool-mcp/package.json
    ```
    
    and ensured that all of them now have this line:
    
    ```json
      "packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264"
    ```
    
    I also went and deleted all of the `corepack` stuff that was added by
    https://github.com/openai/codex/pull/10115.
    
    If someone can explain why we need it and verify it does not break `npm
    publish`, then we can bring it back.
  • fix(ci) missing package.json for shell-mcp-tool (#10135)
    ## Summary
    This _should_ be the final place to fix.
  • update the ci pnpm workflow for shell-tool-mcp to use corepack for pnpm versioning (#10115)
    This updates the CI workflows for shell-tool-mcp to use the pnpm version
    from package.json and print it in the build for verification.
    
    I have read the CLA Document and I hereby sign the CLA
  • fix(ci) fix shell-tool-mcp version v2 (#10101)
    ## summary
    we had a merge conflict from the linux musl fix, let's get this squared
    away.
  • Update shell-tool-mcp.yml (#10095)
    ## Summary
    #10004 broke the builds for shell-tool-mcp.yml - we need to copy over
    the build configuration from there.
    
    ## Testing
    - [x] builds
  • Upgrade to rust 1.93 (#10080)
    I needed to upgrade bazel one to get gnullvm artifacts and then noticed
    monorepo had drifted forward. They should move in lockstep. Also 1.93
    already shipped so we can try that instead.
  • Update shell-tool-mcp.yml (#10092)
    ## Summary
    Remove pnpm version so we rely on package.json instead, and fix the
    mismatch due to https://github.com/openai/codex/pull/9992
  • feat: sqlite 1 (#10004)
    Add a `.sqlite` database to be used to store rollout metatdata (and
    later logs)
    This PR is phase 1:
    * Add the database and the required infrastructure
    * Add a backfill of the database
    * Persist the newly created rollout both in files and in the DB
    * When we need to get metadata or a rollout, consider the `JSONL` as the
    source of truth but compare the results with the DB and show any errors
  • ensure codex bundle zip is created in dist/ (#9934)
    cd-ing into the tmp bundle directory was putting the .zip in the wrong
    place
  • feat: introducing a network sandbox proxy (#8442)
    This add a new crate, `codex-network-proxy`, a local network proxy
    service used by Codex to enforce fine-grained network policy (domain
    allow/deny) and to surface blocked network events for interactive
    approvals.
    
    - New crate: `codex-rs/network-proxy/` (`codex-network-proxy` binary +
    library)
    - Core capabilities:
      - HTTP proxy support (including CONNECT tunneling)
      - SOCKS5 proxy support (in the later PR)
    - policy evaluation (allowed/denied domain lists; denylist wins;
    wildcard support)
      - small admin API for polling/reload/mode changes
    - optional MITM support for HTTPS CONNECT to enforce “limited mode”
    method restrictions (later PR)
    
    Will follow up integration with codex in subsequent PRs.
    
    ## Testing
    
    - `cd codex-rs && cargo build -p codex-network-proxy`
    - `cd codex-rs && cargo run -p codex-network-proxy -- proxy`
  • bundle sandbox helper binaries in main zip, for winget. (#9707)
    Winget uses the main codex.exe value as its target.
    The elevated sandbox requires these two binaries to live next to
    codex.exe
  • Upgrade GitHub Actions for Node 24 compatibility (#9722)
    ## Summary
    
    Upgrade GitHub Actions to their latest versions to ensure compatibility
    with Node 24, as Node 20 will reach end-of-life in April 2026.
    
    ## Changes
    
    | Action | Old Version(s) | New Version | Release | Files |
    |--------|---------------|-------------|---------|-------|
    | `actions/cache` |
    [`v4`](https://github.com/actions/cache/releases/tag/v4) |
    [`v5`](https://github.com/actions/cache/releases/tag/v5) |
    [Release](https://github.com/actions/cache/releases/tag/v5) | bazel.yml
    |
    
    ## Context
    
    Per [GitHub's
    announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/),
    Node 20 is being deprecated and runners will begin using Node 24 by
    default starting March 4th, 2026.
    
    ### Why this matters
    
    - **Node 20 EOL**: April 2026
    - **Node 24 default**: March 4th, 2026
    - **Action**: Update to latest action versions that support Node 24
    
    ### Security Note
    
    Actions that were previously pinned to commit SHAs remain pinned to SHAs
    (updated to the latest release SHA) to maintain the security benefits of
    immutable references.
    
    ### Testing
    
    These changes only affect CI/CD workflow configurations and should not
    impact application functionality. The workflows should be tested by
    running them on a branch before merging.
    
    Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
  • feat: publish config schema on release (#9572)
    Follow up to #8956; publish schema on new release to stable URL.
    
    Also canonicalize schema (sort keys) when writing. This avoids reliance
    on default `schema_rs` behavior and makes the schema easier to read.
  • chore: upgrade to Rust 1.92.0 (#8860)
    **Summary**
    - Upgrade Rust toolchain used by CI to 1.92.0.
    - Address new clippy `derivable_impls` warnings by deriving `Default`
    for enums across protocol, core, backend openapi models, and
    windows-sandbox setup.
    - Tidy up related test/config behavior (originator header handling, env
    override cleanup) and remove a now-unused assignment in TUI/TUI2 render
    layout.
    
    **Testing**
    - `just fmt`
    - `just fix -p codex-tui`
    - `just fix -p codex-tui2`
    - `just fix -p codex-windows-sandbox`
    - `cargo test -p codex-tui`
    - `cargo test -p codex-tui2`
    - `cargo test -p codex-windows-sandbox`
    - `cargo test -p codex-core --test all`
    - `cargo test -p codex-app-server --test all`
    - `cargo test -p codex-mcp-server --test all`
    - `cargo test --all-features`
  • fix: increase timeout for release builds from 30 to 60 minutes (#9242)
    Windows builds have been tripping the 30 minute timeout. For sure, we
    need to improve this, but as a quick fix, let's just increase the
    timeout.
    
    Perhaps we should switch to `lto = "thin"` for release builds, at least
    for Windows:
    
    
    https://github.com/openai/codex/blob/3728db11b87cb8490bcf6bf2cdf0e13dcfb0c28b/codex-rs/Cargo.toml#L288
    
    See https://doc.rust-lang.org/cargo/reference/profiles.html#lto for
    details.
  • upgrade runners in rust-ci.yml to use the larger runners (#9106)
    Upgrades runners in rust-ci.yaml to larger runners
    
    ubuntu-24.04 (x64 and arm64) -> custom 16 core ubuntu 24.04 runners
    macos-14 -> mac0s-15-xlarge
    [TODO] windows (x64 and arm64) -> custom 16 core windows runners
  • fix: include AGENTS.md as repo root marker for integration tests (#9010)
    As explained in `codex-rs/core/BUILD.bazel`, including the repo's own
    `AGENTS.md` is a hack to get some tests passing. We should fix this
    properly, but I wanted to put stake in the ground ASAP to get `just
    bazel-remote-test` working and then add a job to `bazel.yml` to ensure
    it keeps working.
  • feat: add support for building with Bazel (#8875)
    This PR configures Codex CLI so it can be built with
    [Bazel](https://bazel.build) in addition to Cargo. The `.bazelrc`
    includes configuration so that remote builds can be done using
    [BuildBuddy](https://www.buildbuddy.io).
    
    If you are familiar with Bazel, things should work as you expect, e.g.,
    run `bazel test //... --keep-going` to run all the tests in the repo,
    but we have also added some new aliases in the `justfile` for
    convenience:
    
    - `just bazel-test` to run tests locally
    - `just bazel-remote-test` to run tests remotely (currently, the remote
    build is for x86_64 Linux regardless of your host platform). Note we are
    currently seeing the following test failures in the remote build, so we
    still need to figure out what is happening here:
    
    ```
    failures:
        suite::compact::manual_compact_twice_preserves_latest_user_messages
        suite::compact_resume_fork::compact_resume_after_second_compaction_preserves_history
        suite::compact_resume_fork::compact_resume_and_fork_preserve_model_history_view
    ```
    
    - `just build-for-release` to build release binaries for all
    platforms/architectures remotely
    
    To setup remote execution:
    - [Create a buildbuddy account](https://app.buildbuddy.io/) (OpenAI
    employees should also request org access at
    https://openai.buildbuddy.io/join/ with their `@openai.com` email
    address.)
    - [Copy your API key](https://app.buildbuddy.io/docs/setup/) to
    `~/.bazelrc` (add the line `build
    --remote_header=x-buildbuddy-api-key=YOUR_KEY`)
    - Use `--config=remote` in your `bazel` invocations (or add `common
    --config=remote` to your `~/.bazelrc`, or use the `just` commands)
    
    ## CI
    
    In terms of CI, this PR introduces `.github/workflows/bazel.yml`, which
    uses Bazel to run the tests _locally_ on Mac and Linux GitHub runners
    (we are working on supporting Windows, but that is not ready yet). Note
    that the failures we are seeing in `just bazel-remote-test` do not occur
    on these GitHub CI jobs, so everything in `.github/workflows/bazel.yml`
    is green right now.
    
    The `bazel.yml` uses extra config in `.github/workflows/ci.bazelrc` so
    that macOS CI jobs build _remotely_ on Linux hosts (using the
    `docker://docker.io/mbolin491/codex-bazel` Docker image declared in the
    root `BUILD.bazel`) using cross-compilation to build the macOS
    artifacts. Then these artifacts are downloaded locally to GitHub's macOS
    runner so the tests can be executed natively. This is the relevant
    config that enables this:
    
    ```
    common:macos --config=remote
    common:macos --strategy=remote
    common:macos --strategy=TestRunner=darwin-sandbox,local
    ```
    
    Because of the remote caching benefits we get from BuildBuddy, these new
    CI jobs can be extremely fast! For example, consider these two jobs that
    ran all the tests on Linux x86_64:
    
    - Bazel 1m37s
    https://github.com/openai/codex/actions/runs/20861063212/job/59940545209?pr=8875
    - Cargo 9m20s
    https://github.com/openai/codex/actions/runs/20861063192/job/59940559592?pr=8875
    
    For now, we will continue to run both the Bazel and Cargo jobs for PRs,
    but once we add support for Windows and running Clippy, we should be
    able to cutover to using Bazel exclusively for PRs, which should still
    speed things up considerably. We will probably continue to run the Cargo
    jobs post-merge for commits that land on `main` as a sanity check.
    
    Release builds will also continue to be done by Cargo for now.
    
    Earlier attempt at this PR: https://github.com/openai/codex/pull/8832
    Earlier attempt to add support for Buck2, now abandoned:
    https://github.com/openai/codex/pull/8504
    
    ---------
    
    Co-authored-by: David Zbarsky <dzbarsky@gmail.com>
    Co-authored-by: Michael Bolin <mbolin@openai.com>
  • fix: populate the release notes when the release is created (#8799)
    Use the contents of the commit message from the commit associated with
    the tag (that contains the version bump) as the release notes by writing
    them to a file and then specifying the file as the `body_path` of
    `softprops/action-gh-release@v2`.
  • ci: prevent workflows from running on forks (#8629)
    ## Summary
    
    Forked repositories inherit GitHub Actions workflows including scheduled
    ones. This causes:
    
    1. **Wasted Actions minutes** - Scheduled workflows run on forks even
    though they will fail
    2. **Failed runs** - Workflows requiring `CODEX_OPENAI_API_KEY` fail
    immediately on forks
    3. **Noise** - Fork owners see failed workflow runs they didn't trigger
    
    This PR adds `if: github.repository == 'openai/codex'` guards to
    workflows that should only run on the upstream repository.
    
    ### Affected workflows
    
    | Workflow | Trigger | Issue |
    |----------|---------|-------|
    | `rust-release-prepare` | `schedule: */4 hours` | Runs 6x/day on every
    fork |
    | `close-stale-contributor-prs` | `schedule: daily` | Runs daily on
    every fork |
    | `issue-deduplicator` | `issues: opened` | Requires
    `CODEX_OPENAI_API_KEY` |
    | `issue-labeler` | `issues: opened` | Requires `CODEX_OPENAI_API_KEY` |
    
    ### Note
    
    `cla.yml` already has this guard (`github.repository_owner ==
    'openai'`), so it was not modified.
    
    ## Test plan
    
    - [ ] Verify workflows still run correctly on `openai/codex`
    - [ ] Verify workflows are skipped on forks (can check via Actions tab
    on any fork)
  • Replaced user documentation with links to developers docs site (#8662)
    This eliminates redundant user documentation and allows us to focus our
    documentation investments.
    
    I left tombstone files for most of the existing ".md" docs files to
    avoid broken links. These now contain brief links to the developers docs
    site.
  • chore(deps): bump peter-evans/create-pull-request from 7 to 8 (#8410)
    Bumps
    [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request)
    from 7 to 8.
    <details>
    <summary>Release notes</summary>
    <p><em>Sourced from <a
    href="https://github.com/peter-evans/create-pull-request/releases">peter-evans/create-pull-request's
    releases</a>.</em></p>
    <blockquote>
    <h2>Create Pull Request v8.0.0</h2>
    <h2>What's new in v8</h2>
    <ul>
    <li>Requires <a
    href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
    Runner v2.327.1</a> or later if you are using a self-hosted runner for
    Node 24 support.</li>
    </ul>
    <h2>What's Changed</h2>
    <ul>
    <li>chore: Update checkout action version to v6 by <a
    href="https://github.com/yonas"><code>@​yonas</code></a> in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4258">peter-evans/create-pull-request#4258</a></li>
    <li>Update actions/checkout references to <a
    href="https://github.com/v6"><code>@​v6</code></a> in docs by <a
    href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4259">peter-evans/create-pull-request#4259</a></li>
    <li>feat: v8 by <a
    href="https://github.com/peter-evans"><code>@​peter-evans</code></a> in
    <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4260">peter-evans/create-pull-request#4260</a></li>
    </ul>
    <h2>New Contributors</h2>
    <ul>
    <li><a href="https://github.com/yonas"><code>@​yonas</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4258">peter-evans/create-pull-request#4258</a></li>
    <li><a href="https://github.com/Copilot"><code>@​Copilot</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4259">peter-evans/create-pull-request#4259</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/peter-evans/create-pull-request/compare/v7.0.11...v8.0.0">https://github.com/peter-evans/create-pull-request/compare/v7.0.11...v8.0.0</a></p>
    <h2>Create Pull Request v7.0.11</h2>
    <h2>What's Changed</h2>
    <ul>
    <li>fix: restrict remote prune to self-hosted runners by <a
    href="https://github.com/peter-evans"><code>@​peter-evans</code></a> in
    <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4250">peter-evans/create-pull-request#4250</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/peter-evans/create-pull-request/compare/v7.0.10...v7.0.11">https://github.com/peter-evans/create-pull-request/compare/v7.0.10...v7.0.11</a></p>
    <h2>Create Pull Request v7.0.10</h2>
    <p>⚙️ Fixes an issue where updating a pull request failed when targeting
    a forked repository with the same owner as its parent.</p>
    <h2>What's Changed</h2>
    <ul>
    <li>build(deps): bump the github-actions group with 2 updates by <a
    href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
    in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4235">peter-evans/create-pull-request#4235</a></li>
    <li>build(deps-dev): bump prettier from 3.6.2 to 3.7.3 in the npm group
    by <a
    href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
    in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4240">peter-evans/create-pull-request#4240</a></li>
    <li>fix: provider list pulls fallback for multi fork same owner by <a
    href="https://github.com/peter-evans"><code>@​peter-evans</code></a> in
    <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4245">peter-evans/create-pull-request#4245</a></li>
    </ul>
    <h2>New Contributors</h2>
    <ul>
    <li><a href="https://github.com/obnyis"><code>@​obnyis</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4064">peter-evans/create-pull-request#4064</a></li>
    </ul>
    <p><strong>Full Changelog</strong>: <a
    href="https://github.com/peter-evans/create-pull-request/compare/v7.0.9...v7.0.10">https://github.com/peter-evans/create-pull-request/compare/v7.0.9...v7.0.10</a></p>
    <h2>Create Pull Request v7.0.9</h2>
    <p>⚙️ Fixes an <a
    href="https://redirect.github.com/peter-evans/create-pull-request/issues/4228">incompatibility</a>
    with the recently released <code>actions/checkout@v6</code>.</p>
    <h2>What's Changed</h2>
    <ul>
    <li>~70 dependency updates by <a
    href="https://github.com/dependabot"><code>@​dependabot</code></a></li>
    <li>docs: fix workaround description about <code>ready_for_review</code>
    by <a href="https://github.com/ybiquitous"><code>@​ybiquitous</code></a>
    in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/3939">peter-evans/create-pull-request#3939</a></li>
    <li>Docs: <code>add-paths</code> default behavior by <a
    href="https://github.com/joeflack4"><code>@​joeflack4</code></a> in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/3928">peter-evans/create-pull-request#3928</a></li>
    <li>docs: update to create-github-app-token v2 by <a
    href="https://github.com/Goooler"><code>@​Goooler</code></a> in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4063">peter-evans/create-pull-request#4063</a></li>
    <li>Fix compatibility with actions/checkout@v6 by <a
    href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4230">peter-evans/create-pull-request#4230</a></li>
    </ul>
    <h2>New Contributors</h2>
    <ul>
    <li><a href="https://github.com/joeflack4"><code>@​joeflack4</code></a>
    made their first contribution in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/3928">peter-evans/create-pull-request#3928</a></li>
    <li><a href="https://github.com/Goooler"><code>@​Goooler</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4063">peter-evans/create-pull-request#4063</a></li>
    <li><a
    href="https://github.com/ericsciple"><code>@​ericsciple</code></a> made
    their first contribution in <a
    href="https://redirect.github.com/peter-evans/create-pull-request/pull/4230">peter-evans/create-pull-request#4230</a></li>
    </ul>
    <!-- raw HTML omitted -->
    </blockquote>
    <p>... (truncated)</p>
    </details>
    <details>
    <summary>Commits</summary>
    <ul>
    <li><a
    href="https://github.com/peter-evans/create-pull-request/commit/98357b18bf14b5342f975ff684046ec3b2a07725"><code>98357b1</code></a>
    feat: v8 (<a
    href="https://redirect.github.com/peter-evans/create-pull-request/issues/4260">#4260</a>)</li>
    <li><a
    href="https://github.com/peter-evans/create-pull-request/commit/41c0e4b7899a4a0922bf899d64c5f25738cfe356"><code>41c0e4b</code></a>
    Update actions/checkout references to <a
    href="https://github.com/v6"><code>@​v6</code></a> in docs (<a
    href="https://redirect.github.com/peter-evans/create-pull-request/issues/4259">#4259</a>)</li>
    <li><a
    href="https://github.com/peter-evans/create-pull-request/commit/994332de4c8124517167807167073cf397678768"><code>994332d</code></a>
    chore: Update checkout action version to v6 (<a
    href="https://redirect.github.com/peter-evans/create-pull-request/issues/4258">#4258</a>)</li>
    <li>See full diff in <a
    href="https://github.com/peter-evans/create-pull-request/compare/v7...v8">compare
    view</a></li>
    </ul>
    </details>
    <br />
    
    
    [![Dependabot compatibility
    score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=peter-evans/create-pull-request&package-manager=github_actions&previous-version=7&new-version=8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
    
    Dependabot will resolve any conflicts with this PR as long as you don't
    alter it yourself. You can also trigger a rebase manually by commenting
    `@dependabot rebase`.
    
    [//]: # (dependabot-automerge-start)
    [//]: # (dependabot-automerge-end)
    
    ---
    
    <details>
    <summary>Dependabot commands and options</summary>
    <br />
    
    You can trigger Dependabot actions by commenting on this PR:
    - `@dependabot rebase` will rebase this PR
    - `@dependabot recreate` will recreate this PR, overwriting any edits
    that have been made to it
    - `@dependabot merge` will merge this PR after your CI passes on it
    - `@dependabot squash and merge` will squash and merge this PR after
    your CI passes on it
    - `@dependabot cancel merge` will cancel a previously requested merge
    and block automerging
    - `@dependabot reopen` will reopen this PR if it is closed
    - `@dependabot close` will close this PR and stop Dependabot recreating
    it. You can achieve the same result by closing it manually
    - `@dependabot show <dependency name> ignore conditions` will show all
    of the ignore conditions of the specified dependency
    - `@dependabot ignore this major version` will close this PR and stop
    Dependabot creating any more for this major version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this minor version` will close this PR and stop
    Dependabot creating any more for this minor version (unless you reopen
    the PR or upgrade to it yourself)
    - `@dependabot ignore this dependency` will close this PR and stop
    Dependabot creating any more for this dependency (unless you reopen the
    PR or upgrade to it yourself)
    
    
    </details>
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>