build(linux-sandbox): always compile vendored bubblewrap on Linux; remove CODEX_BWRAP_ENABLE_FFI (#11498)

## Summary
This PR removes the temporary `CODEX_BWRAP_ENABLE_FFI` flag and makes
Linux builds always compile vendored bubblewrap support for
`codex-linux-sandbox`.

## Changes
- Removed `CODEX_BWRAP_ENABLE_FFI` gating from
`codex-rs/linux-sandbox/build.rs`.
- Linux builds now fail fast if vendored bubblewrap compilation fails
(instead of warning and continuing).
- Updated fallback/help text in
`codex-rs/linux-sandbox/src/vendored_bwrap.rs` to remove references to
`CODEX_BWRAP_ENABLE_FFI`.
- Removed `CODEX_BWRAP_ENABLE_FFI` env wiring from:
  - `.github/workflows/rust-ci.yml`
  - `.github/workflows/bazel.yml`
  - `.github/workflows/rust-release.yml`

---------

Co-authored-by: David Zbarsky <zbarsky@openai.com>
viyatb-oai
2026-02-11 21:30:41 -08:00
committed by GitHub
parent c40c508d4e
commit 923f931121
13 changed files with 153 additions and 37 deletions

@@ -1,8 +1,7 @@
//! Build-time bubblewrap entrypoint.
//!
//! This module is intentionally behind a build-time opt-in. When enabled, the
//! build script compiles bubblewrap's C sources and exposes a `bwrap_main`
//! symbol that we can call via FFI.
//! On Linux targets, the build script compiles bubblewrap's C sources and
//! exposes a `bwrap_main` symbol that we can call via FFI.
#[cfg(vendored_bwrap_available)]
mod imp {
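Review bot: the rewritten module doc (the two `//!` lines starting "On Linux targets, the build script compiles ...") says nothing about the `#[cfg(vendored_bwrap_available)]` gate directly below it. With the opt-in wording removed, a reader of this file cannot tell where that cfg is set or what a build without it gets. Suggest adding one sentence that names `vendored_bwrap_available`, says where it is emitted, and notes that without it `run_vendored_bwrap_main` is the panicking fallback.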
@@ -51,15 +50,12 @@ mod imp {
/// Panics with a clear error when the build-time bwrap path is not enabled.
pub(crate) fn run_vendored_bwrap_main(_argv: &[String]) -> libc::c_int {
panic!(
"build-time bubblewrap is not available in this build.\n\
Rebuild codex-linux-sandbox on Linux with CODEX_BWRAP_ENABLE_FFI=1.\n\
Example:\n\
- cd codex-rs && CODEX_BWRAP_ENABLE_FFI=1 cargo build -p codex-linux-sandbox\n\
If this crate was already built without it, run:\n\
- cargo clean -p codex-linux-sandbox\n\
Notes:\n\
- libcap headers must be available via pkg-config\n\
- bubblewrap sources expected at codex-rs/vendor/bubblewrap (default)"
r#"build-time bubblewrap is not available in this build.
codex-linux-sandbox should always compile vendored bubblewrap on Linux targets.
Notes:
- ensure the target OS is Linux
- libcap headers must be available via pkg-config
- bubblewrap sources expected at codex-rs/vendor/bubblewrap (default)"#
);
}
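Review bot: the doc comment on the fallback, "Panics with a clear error when the build-time bwrap path is not enabled", still describes the opt-in that this commit removes; reword it to say when this stub is actually compiled (when `vendored_bwrap_available` is not set). In the new panic text, the lines "libcap headers must be available via pkg-config" and "bubblewrap sources expected at codex-rs/vendor/bubblewrap (default)" read as causes of this runtime panic, but the commit description says Linux builds now fail fast when vendored bubblewrap does not compile, so a binary that reaches this message would not have been produced by a Linux build with those problems. Consider keeping only the "ensure the target OS is Linux" note here and putting the libcap and source-path hints in the build script's failure message, where they apply.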