mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
ae8a3be958
## Why
macOS BuildBuddy started failing before target analysis because the
Apple CDN object pinned in
[`MODULE.bazel`](https://github.com/openai/codex/blob/fce0f76d577b5070f1e2b4a2abaa8350acfc38ff/MODULE.bazel#L28-L36)
now returns `403 Forbidden`. The failure report that triggered this
change was this [BuildBuddy
invocation](https://app.buildbuddy.io/invocation/c57590e0-1bdb-4e19-a86f-74d4a7ded228).
This repo uses `@llvm//extensions:osx.bzl` via `osx.from_archive(...)`,
and that API does not discover a current SDK URL for us. It fetches
exactly the `urls`, `sha256`, and `strip_prefix` we pin. Once Apple
retires that `swcdn.apple.com` object, `@macos_sdk` stops resolving and
every downstream macOS build fails during external repository fetch.
This is the same basic failure mode we hit in
[b9fa08ec61](https://github.com/openai/codex/commit/b9fa08ec619c96617a9ae2041c9ddb02d2c02434):
the pin itself aged out.
## How I tracked it down
1. I started from the BuildBuddy error and copied the exact
`swcdn.apple.com/.../CLTools_macOSNMOS_SDK.pkg` URL from the failure.
2. I reproduced the issue outside CI by opening that URL directly in a
browser and by running `curl -I` against it locally. Both returned `403
Forbidden`, which ruled out BuildBuddy as the root cause.
3. I searched the repo for that URL and found it hardcoded in
`MODULE.bazel`.
4. I inspected the `llvm` Bzlmod `osx` extension implementation to
confirm that `osx.from_archive(...)` is just a literal fetch of the
pinned archive metadata. There is no automatic fallback or catalog
lookup behind it.
5. I queried Apple's software update catalogs to find the current
Command Line Tools package for macOS 26.x. The useful catalog was:
- `https://swscan.apple.com/content/catalogs/others/index-26-15-14-13-12-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz`
This is scriptable; it does not require opening a website in a browser.
The catalog is a gzip-compressed plist served over HTTP, so the workflow
is just:
1. fetch the catalog,
2. decompress it,
3. search or parse the plist for `CLTools_macOSNMOS_SDK.pkg` entries,
4. inspect the matching product metadata.
The quick shell version I used was:
```shell
curl -L <catalog-url> \
| gzip -dc \
| rg -n -C 6 'CLTools_macOSNMOS_SDK\.pkg|PostDate|English\.dist'
```
That is enough to surface the current product id, package URL, post
date, and the matching `.dist` file. If we want something less
grep-driven next time, the same catalog can be parsed structurally. For
example:
```python
import gzip
import plistlib
import urllib.request

# Apple software update catalog that lists the macOS 26.x Command Line Tools.
url = "https://swscan.apple.com/content/catalogs/others/index-26-15-14-13-12-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz"

# The catalog is a gzip-compressed plist: fetch, decompress, parse.
with urllib.request.urlopen(url) as resp:
    catalog = plistlib.loads(gzip.decompress(resp.read()))

# Print the metadata of every product that ships the CLTools SDK package.
for product_id, product in catalog["Products"].items():
    for package in product.get("Packages", []):
        package_url = package.get("URL", "")
        if package_url.endswith("CLTools_macOSNMOS_SDK.pkg"):
            print(product_id)
            print(product.get("PostDate"))
            print(package_url)
            print(product.get("Distributions", {}).get("English"))
```
In practice, `curl` was only the transport. The important part is that
the catalog itself is a machine-readable plist, so this can be
automated.
6. That catalog contains the newer `047-96692` Command Line Tools
release, and its distribution file identifies it as [Command Line Tools
for Xcode
26.4](https://swdist.apple.com/content/downloads/32/53/047-96692-A_OAHIHT53YB/ybtshxmrcju8m2qvw3w5elr4rajtg1x3y3/047-96692.English.dist).
7. I downloaded that package locally, computed its SHA-256, expanded it
with `pkgutil --expand-full`, and verified that it contains
`Payload/Library/Developer/CommandLineTools/SDKs/MacOSX26.4.sdk`, which
is the correct new `strip_prefix` for this pin.
The core debugging loop looked like this:
```shell
curl -I <stale swcdn URL>
rg 'swcdn\.apple\.com|osx\.from_archive' MODULE.bazel
curl -L <apple 26.x sucatalog> | gzip -dc | rg 'CLTools_macOSNMOS_SDK.pkg'
pkgutil --expand-full CLTools_macOSNMOS_SDK.pkg expanded
find expanded/Payload/Library/Developer/CommandLineTools/SDKs -maxdepth 1 -mindepth 1
```
## What changed
- Updated `MODULE.bazel` to point `osx.from_archive(...)` at the
currently live `047-96692` `CLTools_macOSNMOS_SDK.pkg` object.
- Updated the pinned `sha256` to match that package.
- Updated the `strip_prefix` from `MacOSX26.2.sdk` to `MacOSX26.4.sdk`.
## Verification
- `bazel --output_user_root="$(mktemp -d /tmp/codex-bazel-sdk-fetch.XXXXXX)" build @macos_sdk//sysroot`
## Notes for next time
As long as we pin raw `swcdn.apple.com` objects, this will likely happen
again. When it does, the expected recovery path is:
1. Reproduce the `403` against the exact URL from CI.
2. Find the stale pin in `MODULE.bazel`.
3. Look up the current CLTools package in the relevant Apple software
update catalog for that macOS major version.
4. Download the replacement package and refresh both `sha256` and
`strip_prefix`.
5. Validate the new pin with a fresh `@macos_sdk` fetch, not just an
incremental Bazel build.
The important detail is that the non-`26` catalog did not surface the
macOS 26.x SDK package here; the `index-26-15-14-...` catalog was the
one that exposed the currently live replacement.
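The recovery path in the notes above can be turned into a check that runs before CI breaks. This is an added example, not code from the commit or the repository: it reads the `osx.from_archive(...)` pin from `MODULE.bazel` text, flags the pin when its URL is no longer listed in a parsed catalog, proposes the most recently posted CLTools SDK package, and verifies downloaded bytes against the pinned `sha256`. The host, product ids, dates and package bytes are constructed placeholders, and both "absent from the catalog means stale" and "newest `PostDate` is the replacement" are assumptions.

```python
import datetime
import hashlib
import plistlib
import re

PKG_NAME = "CLTools_macOSNMOS_SDK.pkg"

def read_pin(module_text):
    """Pull sha256, strip_prefix and urls out of the osx.from_archive(...) call."""
    call = re.search(r"osx\.from_archive\((.*?)\n\)", module_text, re.S)
    if call is None:
        raise ValueError("no osx.from_archive(...) call found")
    pin = dict(re.findall(r'\b(sha256|strip_prefix)\s*=\s*"([^"]+)"', call.group(1)))
    pin["urls"] = re.findall(r'"(https://[^"]+)"', call.group(1))
    return pin

def cltools_candidates(catalog):
    """Return (PostDate, product_id, url) for each CLTools SDK package, newest first."""
    found = []
    for product_id, product in catalog.get("Products", {}).items():
        for package in product.get("Packages", []):
            url = package.get("URL", "")
            if url.endswith("/" + PKG_NAME):
                found.append((product.get("PostDate", datetime.datetime.min), product_id, url))
    return sorted(found, reverse=True)

def check_pin(module_text, catalog):
    """Assumption: a pin is stale when none of its URLs is listed in the catalog."""
    pin = read_pin(module_text)
    candidates = cltools_candidates(catalog)
    stale = not ({url for _, _, url in candidates} & set(pin["urls"]))
    return {"stale": stale, "pin": pin, "newest": candidates[0] if candidates else None}

def sha256_matches(stream, expected_hex):
    """Hash a downloaded package in chunks and compare it with the pinned digest."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_hex.lower()

# Constructed sample data: placeholder host, product ids, dates and package bytes.
SAMPLE_PKG = b"constructed stand-in for the package bytes"
OLD_URL = f"https://cdn.example.invalid/old/{PKG_NAME}"
NEW_URL = f"https://cdn.example.invalid/new/{PKG_NAME}"
SAMPLE_MODULE = f'''osx.from_archive(
    sha256 = "{hashlib.sha256(SAMPLE_PKG).hexdigest()}",
    strip_prefix = "Payload/Library/Developer/CommandLineTools/SDKs/MacOSX26.2.sdk",
    urls = ["{OLD_URL}"],
)
'''
SAMPLE_CATALOG = plistlib.loads(plistlib.dumps({"Products": {
    "000-00001": {"PostDate": datetime.datetime(2025, 11, 3), "Packages": [{"URL": f"https://cdn.example.invalid/mid/{PKG_NAME}"}]},
    "000-00002": {"PostDate": datetime.datetime(2026, 1, 10), "Packages": [{"URL": NEW_URL}]},
}}))
```

After updating the pin, run `sha256_matches` on the downloaded replacement with the new digest; a mismatch means the bytes are not the ones the pin was computed from.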
410 lines
12 KiB
Python
```python
module(name = "codex")

bazel_dep(name = "bazel_skylib", version = "1.8.2")
bazel_dep(name = "platforms", version = "1.0.0")
bazel_dep(name = "llvm", version = "0.6.8")
# The upstream LLVM archive contains a few unix-only symlink entries and is
# missing a couple of MinGW compatibility archives that windows-gnullvm needs
# during extraction and linking, so patch it until upstream grows native support.
single_version_override(
    module_name = "llvm",
    patch_strip = 1,
    patches = [
        "//patches:llvm_windows_symlink_extract.patch",
    ],
)
# Abseil picks a MinGW pthread TLS path that does not match our hermetic
# windows-gnullvm toolchain; force it onto the portable C++11 thread-local path.
single_version_override(
    module_name = "abseil-cpp",
    patch_strip = 1,
    patches = [
        "//patches:abseil_windows_gnullvm_thread_identity.patch",
    ],
)

register_toolchains("@llvm//toolchain:all")

osx = use_extension("@llvm//extensions:osx.bzl", "osx")
osx.from_archive(
    sha256 = "1bde70c0b1c2ab89ff454acbebf6741390d7b7eb149ca2a3ca24cc9203a408b7",
    strip_prefix = "Payload/Library/Developer/CommandLineTools/SDKs/MacOSX26.4.sdk",
    type = "pkg",
    urls = [
        "https://swcdn.apple.com/content/downloads/32/53/047-96692-A_OAHIHT53YB/ybtshxmrcju8m2qvw3w5elr4rajtg1x3y3/CLTools_macOSNMOS_SDK.pkg",
    ],
)
osx.frameworks(names = [
    "ApplicationServices",
    "AppKit",
    "ColorSync",
    "CoreFoundation",
    "CoreGraphics",
    "CoreServices",
    "CoreText",
    "AudioToolbox",
    "CFNetwork",
    "FontServices",
    "AudioUnit",
    "CoreAudio",
    "CoreAudioTypes",
    "Foundation",
    "ImageIO",
    "IOKit",
    "Kernel",
    "OSLog",
    "Security",
    "SystemConfiguration",
])
use_repo(osx, "macos_sdk")

# Needed to disable xcode...
bazel_dep(name = "apple_support", version = "2.1.0")
bazel_dep(name = "rules_cc", version = "0.2.16")
bazel_dep(name = "rules_platform", version = "0.1.0")
bazel_dep(name = "rules_rs", version = "0.0.43")
# `rules_rs` 0.0.43 does not model `windows-gnullvm` as a distinct Windows exec
# platform, so patch it until upstream grows that support for both x86_64 and
# aarch64.
single_version_override(
    module_name = "rules_rs",
    patch_strip = 1,
    patches = [
        "//patches:rules_rs_windows_gnullvm_exec.patch",
    ],
    version = "0.0.43",
)

rules_rust = use_extension("@rules_rs//rs/experimental:rules_rust.bzl", "rules_rust")
# Build-script probe binaries inherit CFLAGS/CXXFLAGS from Bazel's C++
# toolchain. On `windows-gnullvm`, llvm-mingw does not ship
# `libssp_nonshared`, so strip the forwarded stack-protector flags there.
rules_rust.patch(
    patches = [
        "//patches:rules_rust_windows_gnullvm_build_script.patch",
    ],
    strip = 1,
)
use_repo(rules_rust, "rules_rust")

nightly_rust = use_extension(
    "@rules_rs//rs/experimental:rules_rust_reexported_extensions.bzl",
    "rust",
)
nightly_rust.toolchain(
    versions = ["nightly/2025-09-18"],
    dev_components = True,
    edition = "2024",
)
use_repo(nightly_rust, "rust_toolchains")

toolchains = use_extension("@rules_rs//rs/experimental/toolchains:module_extension.bzl", "toolchains")
toolchains.toolchain(
    edition = "2024",
    version = "1.93.0",
)
use_repo(toolchains, "default_rust_toolchains")

register_toolchains("@default_rust_toolchains//:all")
register_toolchains("@rust_toolchains//:all")

crate = use_extension("@rules_rs//rs:extensions.bzl", "crate")
crate.from_cargo(
    cargo_lock = "//codex-rs:Cargo.lock",
    cargo_toml = "//codex-rs:Cargo.toml",
    platform_triples = [
        "aarch64-unknown-linux-gnu",
        "aarch64-unknown-linux-musl",
        "aarch64-apple-darwin",
        # Keep both Windows ABIs in the generated Cargo metadata: the V8
        # experiment still consumes release assets that only exist under the
        # MSVC names while targeting the GNU toolchain.
        "aarch64-pc-windows-msvc",
        "aarch64-pc-windows-gnullvm",
        "x86_64-unknown-linux-gnu",
        "x86_64-unknown-linux-musl",
        "x86_64-apple-darwin",
        "x86_64-pc-windows-msvc",
        "x86_64-pc-windows-gnullvm",
    ],
    use_experimental_platforms = True,
)
crate.from_cargo(
    name = "argument_comment_lint_crates",
    cargo_lock = "//tools/argument-comment-lint:Cargo.lock",
    cargo_toml = "//tools/argument-comment-lint:Cargo.toml",
    platform_triples = [
        "aarch64-unknown-linux-gnu",
        "aarch64-unknown-linux-musl",
        "aarch64-apple-darwin",
        "aarch64-pc-windows-msvc",
        "aarch64-pc-windows-gnullvm",
        "x86_64-unknown-linux-gnu",
        "x86_64-unknown-linux-musl",
        "x86_64-apple-darwin",
        "x86_64-pc-windows-msvc",
        "x86_64-pc-windows-gnullvm",
    ],
    use_experimental_platforms = True,
)

bazel_dep(name = "zstd", version = "1.5.7")

crate.annotation(
    crate = "zstd-sys",
    gen_build_script = "off",
    deps = ["@zstd"],
)
crate.annotation(
    build_script_env = {
        "AWS_LC_SYS_NO_JITTER_ENTROPY": "1",
    },
    crate = "aws-lc-sys",
    patch_args = ["-p1"],
    patches = [
        "//patches:aws-lc-sys_memcmp_check.patch",
    ],
)

crate.annotation(
    # The build script only validates embedded source/version metadata.
    crate = "rustc_apfloat",
    gen_build_script = "off",
)

inject_repo(crate, "zstd")
use_repo(crate, "argument_comment_lint_crates")

bazel_dep(name = "bzip2", version = "1.0.8.bcr.3")

crate.annotation(
    crate = "bzip2-sys",
    gen_build_script = "off",
    deps = ["@bzip2//:bz2"],
)

inject_repo(crate, "bzip2")

bazel_dep(name = "zlib", version = "1.3.1.bcr.8")

crate.annotation(
    crate = "libz-sys",
    gen_build_script = "off",
    deps = ["@zlib"],
)

inject_repo(crate, "zlib")

# TODO(zbarsky): Enable annotation after fixing windows arm64 builds.
crate.annotation(
    crate = "lzma-sys",
    gen_build_script = "on",
)

bazel_dep(name = "openssl", version = "3.5.4.bcr.0")

crate.annotation(
    build_script_data = [
        "@openssl//:gen_dir",
    ],
    build_script_env = {
        "OPENSSL_DIR": "$(execpath @openssl//:gen_dir)",
        "OPENSSL_NO_VENDOR": "1",
        "OPENSSL_STATIC": "1",
    },
    crate = "openssl-sys",
    data = ["@openssl//:gen_dir"],
    gen_build_script = "on",
)

inject_repo(crate, "openssl")

crate.annotation(
    crate = "runfiles",
    workspace_cargo_toml = "rust/runfiles/Cargo.toml",
)

http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_file = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")
new_local_repository = use_repo_rule("@bazel_tools//tools/build_defs/repo:local.bzl", "new_local_repository")

new_local_repository(
    name = "v8_targets",
    build_file = "//third_party/v8:BUILD.bazel",
    path = "third_party/v8",
)

crate.annotation(
    build_script_data = [
        "@v8_targets//:rusty_v8_archive_for_target",
        "@v8_targets//:rusty_v8_binding_for_target",
    ],
    build_script_env = {
        "RUSTY_V8_ARCHIVE": "$(execpath @v8_targets//:rusty_v8_archive_for_target)",
        "RUSTY_V8_SRC_BINDING_PATH": "$(execpath @v8_targets//:rusty_v8_binding_for_target)",
    },
    crate = "v8",
    gen_build_script = "on",
    patch_args = ["-p1"],
    patches = [
        "//patches:rusty_v8_prebuilt_out_dir.patch",
    ],
)

inject_repo(crate, "v8_targets")

llvm = use_extension("@llvm//extensions:llvm.bzl", "llvm")
use_repo(llvm, "llvm-project")

crate.annotation(
    # Provide the hermetic SDK path so the build script doesn't try to invoke an unhermetic `xcrun --show-sdk-path`.
    build_script_data = [
        "@macos_sdk//sysroot",
    ],
    build_script_env = {
        "BINDGEN_EXTRA_CLANG_ARGS": "-Xclang -internal-isystem -Xclang $(location @llvm//:builtin_resource_dir)/include",
        "COREAUDIO_SDK_PATH": "$(location @macos_sdk//sysroot)",
        "LIBCLANG_PATH": "$(location @llvm-project//clang:libclang_interface_output)",
    },
    build_script_tools = [
        "@llvm-project//clang:libclang_interface_output",
        "@llvm//:builtin_resource_dir",
    ],
    crate = "coreaudio-sys",
    gen_build_script = "on",
)

inject_repo(crate, "llvm", "llvm-project", "macos_sdk")

# Fix readme inclusions
crate.annotation(
    crate = "windows-link",
    patch_args = ["-p1"],
    patches = [
        "//patches:windows-link.patch",
    ],
)

bazel_dep(name = "alsa_lib", version = "1.2.9.bcr.4")

crate.annotation(
    crate = "alsa-sys",
    gen_build_script = "off",
    deps = ["@alsa_lib"],
)

inject_repo(crate, "alsa_lib")

bazel_dep(name = "v8", version = "14.6.202.9")
archive_override(
    module_name = "v8",
    integrity = "sha256-JphDwLAzsd9KvgRZ7eQvNtPU6qGd3XjFt/a/1QITAJU=",
    patch_strip = 3,
    patches = [
        "//patches:v8_module_deps.patch",
        "//patches:v8_bazel_rules.patch",
        "//patches:v8_source_portability.patch",
    ],
    strip_prefix = "v8-14.6.202.9",
    urls = ["https://github.com/v8/v8/archive/refs/tags/14.6.202.9.tar.gz"],
)

http_archive(
    name = "v8_crate_146_4_0",
    build_file = "//third_party/v8:v8_crate.BUILD.bazel",
    sha256 = "d97bcac5cdc5a195a4813f1855a6bc658f240452aac36caa12fd6c6f16026ab1",
    strip_prefix = "v8-146.4.0",
    type = "tar.gz",
    urls = ["https://static.crates.io/crates/v8/v8-146.4.0.crate"],
)

http_file(
    name = "rusty_v8_146_4_0_aarch64_apple_darwin_archive",
    downloaded_file_path = "librusty_v8_release_aarch64-apple-darwin.a.gz",
    urls = [
        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_aarch64-apple-darwin.a.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_aarch64_unknown_linux_gnu_archive",
    downloaded_file_path = "librusty_v8_release_aarch64-unknown-linux-gnu.a.gz",
    urls = [
        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_aarch64-unknown-linux-gnu.a.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_aarch64_pc_windows_msvc_archive",
    downloaded_file_path = "rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
    urls = [
        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_x86_64_apple_darwin_archive",
    downloaded_file_path = "librusty_v8_release_x86_64-apple-darwin.a.gz",
    urls = [
        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_x86_64-apple-darwin.a.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_x86_64_unknown_linux_gnu_archive",
    downloaded_file_path = "librusty_v8_release_x86_64-unknown-linux-gnu.a.gz",
    urls = [
        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_x86_64-unknown-linux-gnu.a.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_x86_64_pc_windows_msvc_archive",
    downloaded_file_path = "rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
    urls = [
        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_aarch64_unknown_linux_musl_archive",
    downloaded_file_path = "librusty_v8_release_aarch64-unknown-linux-musl.a.gz",
    urls = [
        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/librusty_v8_release_aarch64-unknown-linux-musl.a.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_aarch64_unknown_linux_musl_binding",
    downloaded_file_path = "src_binding_release_aarch64-unknown-linux-musl.rs",
    urls = [
        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/src_binding_release_aarch64-unknown-linux-musl.rs",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_x86_64_unknown_linux_musl_archive",
    downloaded_file_path = "librusty_v8_release_x86_64-unknown-linux-musl.a.gz",
    urls = [
        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/librusty_v8_release_x86_64-unknown-linux-musl.a.gz",
    ],
)

http_file(
    name = "rusty_v8_146_4_0_x86_64_unknown_linux_musl_binding",
    downloaded_file_path = "src_binding_release_x86_64-unknown-linux-musl.rs",
    urls = [
        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/src_binding_release_x86_64-unknown-linux-musl.rs",
    ],
)

use_repo(crate, "crates")

bazel_dep(name = "libcap", version = "2.27.bcr.1")

rbe_platform_repository = use_repo_rule("//:rbe.bzl", "rbe_platform_repository")

rbe_platform_repository(
    name = "rbe_platform",
)
```