mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
1d9c9c9f33
## Why `just bazel-clippy` ran target discovery with `--noexperimental_remote_repo_contents_cache`, then ran the build with the workspace default `--experimental_remote_repo_contents_cache`. Bazel therefore killed and restarted its server on each transition, slowing repeated commands and discarding the in-memory analysis cache. An audit found the same class of startup-option variation in several CI command sequences. ## What changed - Keep local lint target-discovery queries on the workspace-default Bazel server, while making CI target discovery explicitly use the CI startup options. - Normalize GitHub Actions launches through the BuildBuddy wrapper to share `BAZEL_OUTPUT_USER_ROOT` and `--noexperimental_remote_repo_contents_cache`. - Route the CI lockfile check and Windows test-shard query through the same startup configuration. - Document the startup-option invariant and add wrapper regression coverage. ## Validation - Confirmed consecutive local clippy target-discovery runs retained the same Bazel server PID.
189 lines
6.6 KiB
Python
Executable File
189 lines
6.6 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
|
|
import json
|
|
import os
|
|
import subprocess
|
|
import sys
|
|
from collections.abc import Mapping
|
|
from collections.abc import Sequence
|
|
from pathlib import Path
|
|
|
|
|
|
OPENAI_REPOSITORY = "openai/codex"
|
|
# Remote configurations select cache/BES/download endpoints. Their -rbe forms
|
|
# also select the matching remote executor endpoint.
|
|
GENERIC_REMOTE_CONFIG = "buildbuddy-generic"
|
|
OPENAI_REMOTE_CONFIG = "buildbuddy-openai"
|
|
# These CI configurations require remote build execution. The wrapper supplies
|
|
# an RBE configuration, which also includes the common `remote` settings.
|
|
REMOTE_EXECUTION_CONFIGS = {
|
|
"--config=ci-linux",
|
|
"--config=ci-macos",
|
|
"--config=ci-v8",
|
|
"--config=ci-windows-cross",
|
|
}
|
|
# Honor either explicit setting so the wrapper never overrides the caller's
|
|
# choice when it supplies the CI default below.
|
|
REMOTE_REPO_CONTENTS_CACHE_STARTUP_OPTIONS = {
|
|
"--experimental_remote_repo_contents_cache",
|
|
"--noexperimental_remote_repo_contents_cache",
|
|
}
|
|
|
|
|
|
def startup_args(args: Sequence[str], env: Mapping[str, str]) -> list[str]:
|
|
"""Return shared startup options that are missing from a Bazel invocation.
|
|
|
|
Bazel startup options must precede the command, and changing them restarts
|
|
the server and discards its analysis cache. GitHub Actions invokes Bazel
|
|
through several helpers, so normalize their startup options here while
|
|
preserving any explicit choice made by the caller.
|
|
"""
|
|
command_idx = next(
|
|
(idx for idx, arg in enumerate(args) if not arg.startswith("-")),
|
|
len(args),
|
|
)
|
|
configured_startup_args = args[:command_idx]
|
|
injected_args = []
|
|
|
|
output_user_root = env.get("BAZEL_OUTPUT_USER_ROOT")
|
|
if output_user_root and not any(
|
|
arg.startswith("--output_user_root=") for arg in configured_startup_args
|
|
):
|
|
injected_args.append(f"--output_user_root={output_user_root}")
|
|
|
|
if env.get("GITHUB_ACTIONS") == "true" and not any(
|
|
arg in REMOTE_REPO_CONTENTS_CACHE_STARTUP_OPTIONS
|
|
for arg in configured_startup_args
|
|
):
|
|
# Work around Bazel 9 overlay materialization failures seen in CI. This
|
|
# disables only the startup-level repo contents cache; keyed runs still
|
|
# use BuildBuddy.
|
|
injected_args.append("--noexperimental_remote_repo_contents_cache")
|
|
|
|
return injected_args
|
|
|
|
|
|
# Only authenticated workflow runs executing trusted upstream code may use the
|
|
# OpenAI BuildBuddy host. A pull request event without proof that its head is
|
|
# in the upstream repository fails closed to the generic host.
|
|
def is_trusted_upstream_run(env: Mapping[str, str]) -> bool:
|
|
# `GITHUB_REPOSITORY` is easy to set locally. Requiring GitHub's workflow
|
|
# marker prevents a local command from opting itself into the OpenAI host.
|
|
if (
|
|
env.get("GITHUB_ACTIONS") != "true"
|
|
or env.get("GITHUB_REPOSITORY") != OPENAI_REPOSITORY
|
|
):
|
|
return False
|
|
# Non-PR workflow runs in `openai/codex` execute upstream refs, so they are
|
|
# trusted. Fork code reaches these workflows only through pull requests.
|
|
if env.get("GITHUB_EVENT_NAME") != "pull_request":
|
|
return True
|
|
|
|
event_path = env.get("GITHUB_EVENT_PATH")
|
|
if not event_path:
|
|
return False
|
|
try:
|
|
event = json.loads(Path(event_path).read_text(encoding="utf-8"))
|
|
except (OSError, json.JSONDecodeError):
|
|
return False
|
|
|
|
try:
|
|
return event["pull_request"]["head"]["repo"]["fork"] is False
|
|
except (KeyError, TypeError):
|
|
return False
|
|
|
|
|
|
def uses_openai_host(env: Mapping[str, str]) -> bool:
|
|
return bool(env.get("BUILDBUDDY_API_KEY")) and is_trusted_upstream_run(env)
|
|
|
|
|
|
def uses_remote_execution(args: Sequence[str]) -> bool:
|
|
try:
|
|
separator_idx = args.index("--")
|
|
except ValueError:
|
|
separator_idx = len(args)
|
|
return any(arg in REMOTE_EXECUTION_CONFIGS for arg in args[:separator_idx])
|
|
|
|
|
|
def remote_config(args: Sequence[str], env: Mapping[str, str]) -> str | None:
|
|
if not env.get("BUILDBUDDY_API_KEY"):
|
|
return None
|
|
|
|
config = OPENAI_REMOTE_CONFIG if uses_openai_host(env) else GENERIC_REMOTE_CONFIG
|
|
if uses_remote_execution(args):
|
|
config += "-rbe"
|
|
return config
|
|
|
|
|
|
def bazel_args_without_remote_execution(args: Sequence[str]) -> list[str]:
|
|
# Remote CI configs require BuildBuddy credentials. Removing them preserves
|
|
# the local fallback used for fork pull requests.
|
|
try:
|
|
separator_idx = args.index("--")
|
|
except ValueError:
|
|
separator_idx = len(args)
|
|
return [
|
|
*(arg for arg in args[:separator_idx] if arg not in REMOTE_EXECUTION_CONFIGS),
|
|
*args[separator_idx:],
|
|
]
|
|
|
|
|
|
def bazel_args_with_remote_config(
|
|
args: Sequence[str], env: Mapping[str, str]
|
|
) -> list[str]:
|
|
config = remote_config(args, env)
|
|
if config is None:
|
|
return bazel_args_without_remote_execution(args)
|
|
|
|
# `remote_config()` returns a configuration only when this key is present.
|
|
api_key = env["BUILDBUDDY_API_KEY"]
|
|
remote_args = [
|
|
f"--config={config}",
|
|
f"--remote_header=x-buildbuddy-api-key={api_key}",
|
|
]
|
|
|
|
# Insert immediately after the Bazel command. This keeps wrapper-added
|
|
# options out of positional payloads and lets later CI configs override
|
|
# shared RBE defaults such as the Windows cross-compilation exec platforms.
|
|
insertion_idx = next(
|
|
(idx + 1 for idx, arg in enumerate(args) if not arg.startswith("-")),
|
|
len(args),
|
|
)
|
|
return [*args[:insertion_idx], *remote_args, *args[insertion_idx:]]
|
|
|
|
|
|
def bazel_command(*args: str, env: Mapping[str, str] | None = None) -> list[str]:
|
|
env = os.environ if env is None else env
|
|
bazel = env.get("CODEX_BAZEL_BIN", "bazel")
|
|
return [bazel, *startup_args(args, env), *bazel_args_with_remote_config(args, env)]
|
|
|
|
|
|
def main() -> None:
|
|
config = remote_config(sys.argv[1:], os.environ)
|
|
if config is None:
|
|
print(
|
|
"BuildBuddy key unavailable; using local Bazel configuration.",
|
|
file=sys.stderr,
|
|
)
|
|
else:
|
|
host_description = (
|
|
"OpenAI tenant" if uses_openai_host(os.environ) else "generic"
|
|
)
|
|
print(
|
|
f"Using {host_description} BuildBuddy configuration: {config}.",
|
|
file=sys.stderr,
|
|
)
|
|
|
|
command = bazel_command(*sys.argv[1:])
|
|
if os.name == "nt":
|
|
# Windows CRT exec can split arguments containing spaces and lose the
|
|
# eventual child exit status. Wait for Bazel and propagate its status.
|
|
result = subprocess.run(command, check=False)
|
|
raise SystemExit(result.returncode)
|
|
|
|
os.execvp(command[0], command)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|