Files
Michael Bolin 891f1f4c85 release: publish standalone zsh artifacts (#30114)
## Why

The patched zsh artifacts rarely change, but
`.github/workflows/rust-release-zsh.yml` currently runs as part of every
Rust release. Rebuilding the same four binaries for each Codex version
wastes release capacity and ties an independently versioned runtime
dependency to the main release cadence.

This establishes the producer side of a build-once flow. The existing
Rust release workflow remains unchanged until the first standalone
artifact release has been published and the checked-in DotSlash
manifests can be updated with its URLs and checksums.

## What changed

- Run the zsh release workflow for protected `codex-zsh-vX.Y.Z` tags
instead of as a reusable workflow.
- Validate the semantic release tag before starting the platform builds.
- Publish the four zsh archives to a GitHub prerelease so the release
never becomes the repository latest release.
- Publish the generated `codex-zsh` DotSlash manifest alongside the
archives.
- Document how to publish the next artifact version after changing the
pinned zsh commit or patch.

## Tag protection

An active repository tag ruleset named `codex-zsh-v*.*.*` targets
`refs/tags/codex-zsh-v*.*.*`. It restricts tag creation, updates,
deletion, and non-fast-forward changes; requires linear history; and
limits bypass to the configured repository role.

This was verified with:

```shell
gh api repos/openai/codex/rulesets/18140982
```

The response reported `"enforcement":"active"`, the expected tag
condition, and the `creation`, `update`, `deletion`, `non_fast_forward`,
and `required_linear_history` rules.

## Rollout

After this lands, publish the first `codex-zsh-vX.Y.Z` release. A
follow-up can then update the checked-in DotSlash manifests and remove
the zsh rebuild from `.github/workflows/rust-release.yml`.



---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/30114).
* #30116
* __->__ #30114
2026-06-25 13:56:08 -07:00

35 lines
1.6 KiB
Markdown

# codex-shell-escalation
This crate contains the Unix shell-escalation protocol implementation and the
`codex-execve-wrapper` executable.
`codex-execve-wrapper` receives the arguments to an intercepted `execve(2)` call and delegates the
decision to the shell-escalation protocol over a shared file descriptor (specified by the
`CODEX_ESCALATE_SOCKET` environment variable). The server on the other side replies with one of:
- `Run`: `codex-execve-wrapper` should invoke `execve(2)` on itself to run the original command
within the sandboxed shell.
- `Escalate`: forward the file descriptors of the current process so the command can be run
faithfully outside the sandbox. When the process completes, the server forwards the exit code
back to `codex-execve-wrapper`.
- `Deny`: the server has declared the proposed command to be forbidden, so
`codex-execve-wrapper` prints an error to `stderr` and exits with `1`.
## Patched zsh
We carry a small patch to `Src/exec.c` (see `patches/zsh-exec-wrapper.patch`) that adds support for `EXEC_WRAPPER`. The patch applies to `77045ef899e53b9598bebc5a41db93a548a40ca6` from https://git.code.sf.net/p/zsh/code. To rebuild manually:
```bash
git clone https://git.code.sf.net/p/zsh/code
git checkout 77045ef899e53b9598bebc5a41db93a548a40ca6
git apply /path/to/patches/zsh-exec-wrapper.patch
./Util/preconfig
./configure
make -j"$(nproc)"
```
Release artifacts are built by `.github/workflows/rust-release-zsh.yml` when a
`codex-zsh-vX.Y.Z` tag is pushed. When the zsh commit or patch changes, publish
the next version tag and update the checked-in DotSlash manifests to use the new
release.