release: publish standalone bwrap artifacts (#21256)

**Summary** - Build Linux `bwrap` before the main release binaries. - Export the release `bwrap` SHA-256 as `CODEX_BWRAP_SHA256` so the Codex binary can verify the bundled fallback. - Sign, stage, and upload `bwrap` alongside the primary Linux release artifacts. **Verification** - YAML parse check for `.github/workflows/rust-release.yml` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/21256). * #21257 * __->__ #21256
2026-05-23 20:44:50 +00:00 · 2026-05-05 17:15:46 -07:00
parent 26f355b67b
commit 3ec18a2c0a
1 changed files with 25 additions and 1 deletions
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -255,6 +255,24 @@ jobs:
        with:
          target: ${{ matrix.target }}

+      - if: ${{ contains(matrix.target, 'linux') }}
+        name: Build bwrap and export digest
+        shell: bash
+        run: |
+          set -euo pipefail
+          target="${{ matrix.target }}"
+          cargo build --target "$target" --release --timings --bin bwrap
+
+          bwrap_path="target/${target}/release/bwrap"
+          if [[ ! -f "$bwrap_path" ]]; then
+            echo "bwrap binary ${bwrap_path} not found"
+            exit 1
+          fi
+
+          digest="$(sha256sum "$bwrap_path" | awk '{print $1}')"
+          echo "CODEX_BWRAP_SHA256=${digest}" >> "$GITHUB_ENV"
+          echo "Built bwrap ${bwrap_path} with sha256:${digest}"
+
      - name: Cargo build
        shell: bash
        run: |
@@ -278,7 +296,7 @@ jobs:
        with:
          target: ${{ matrix.target }}
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
-          binaries: ${{ matrix.binaries }}
+          binaries: ${{ matrix.binaries }} bwrap

      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
@@ -361,6 +379,12 @@ jobs:
            fi
          done

+          if [[ "${{ matrix.target }}" == *linux* && "${{ matrix.bundle }}" == "primary" ]]; then
+            cp "target/${{ matrix.target }}/release/bwrap" "$dest/bwrap-${{ matrix.target }}"
+            cp "target/${{ matrix.target }}/release/bwrap.sigstore" \
+              "$dest/bwrap-${{ matrix.target }}.sigstore"
+          fi
+
          if [[ "${{ matrix.build_dmg }}" == "true" ]]; then
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi