mirror of
https://github.com/openai/codex.git
synced 2026-05-23 12:34:25 +00:00
7cdeab33d1
## Summary Move the rusty_v8 artifact production into hermetic Bazel path and bump the `v8` crate to `147.4.0` The new flow builds V8 release artifacts from source for Darwin and Linux targets, publishes both the current release-compatible artifacts and sandbox-enabled variants, and keeps Cargo consumers on prebuilt binaries by continuing to feed the `v8` crate the archive and generated binding files it already expects. ## Why We need control over V8 build-time features without giving up prebuilt artifacts for downstream Cargo builds. Upstream `rusty_v8` already supports source-only features such as `v8_enable_sandbox`, but its normal prebuilt release assets do not cover every feature combination we need. Building the artifacts ourselves lets us enable settings such as the V8 sandbox and pointer compression at artifact build time, then publish those outputs so ordinary Cargo builds can still consume prebuilts instead of compiling V8 locally. This keeps the fast consumer experience of prebuilt `rusty_v8` archives while giving us a reproducible path to ship featureful variants that upstream does not currently publish for us. ## Implementation Notes The Bazel graph in this PR is not copied wholesale from `rusty_v8`; `rusty_v8`'s normal source build is still GN/Ninja-based. Instead, this change starts from upstream V8's Bazel rules and adapts them to Codex's hermetic toolchains and dependency layout. Where we intentionally follow `rusty_v8`, we mirror its existing artifact contract: - the same `v8` crate version and generated binding expectations - the same sandbox feature relationship, where sandboxing requires pointer compression - the same custom libc++ model expected by Cargo's default `use_custom_libcxx` feature - the same release-style archive plus `src_binding` outputs consumed by the `v8` crate To preserve that contract, the Bazel release path pins the libc++, libc++abi, and llvm-libc revisions used by `rusty_v8 v147.4.0`, builds release artifacts with `--config=rusty-v8-upstream-libcxx`, and folds the matching runtime objects into the final static archive. ## Windows Windows is annoyingly handled differently. Codex's current hermetic Bazel Windows C++ platform is `windows-gnullvm` / `x86_64-w64-windows-gnu`, while upstream `rusty_v8` publishes Windows prebuilts for `*-pc-windows-msvc`. Those are different ABIs, so the Bazel graph cannot truthfully reproduce the upstream MSVC artifacts until we add a real MSVC-targeting C++ toolchain. For now: - Windows MSVC consumers continue to use upstream `rusty_v8` release archives. - Windows GNU targets are built in-tree so they link against a matching GNU ABI. - The canary workflow separately exercises upstream `rusty_v8` source builds for MSVC sandbox artifacts, but MSVC is not yet part of the Bazel-produced release matrix. ## Validation This PR is technically self validating through CI. I have already published it as a release tag so the artifacts from this branch are published to https://github.com/openai/codex/releases/tag/rusty-v8-v147.4.0 CI for this PR should therefore consume our own release targets. I have also locally tested for linux and darwin. --------- Co-authored-by: Codex <noreply@openai.com>
314 lines
10 KiB
YAML
314 lines
10 KiB
YAML
name: rusty-v8-release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "rusty-v8-v*.*.*"
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}::${{ github.ref_name }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
metadata:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
release_tag: ${{ steps.release_tag.outputs.release_tag }}
|
|
v8_version: ${{ steps.v8_version.outputs.version }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
|
|
with:
|
|
python-version: "3.12"
|
|
|
|
- name: Resolve exact v8 crate version
|
|
id: v8_version
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
version="$(python3 .github/scripts/rusty_v8_bazel.py resolved-v8-crate-version)"
|
|
echo "version=${version}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Resolve release tag
|
|
id: release_tag
|
|
env:
|
|
GITHUB_REF_NAME: ${{ github.ref_name }}
|
|
V8_VERSION: ${{ steps.v8_version.outputs.version }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
expected_release_tag="rusty-v8-v${V8_VERSION}"
|
|
release_tag="${GITHUB_REF_NAME}"
|
|
if [[ "${release_tag}" != "${expected_release_tag}" ]]; then
|
|
echo "Tag ${release_tag} does not match expected release tag ${expected_release_tag}." >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
|
|
|
|
build:
|
|
name: Build ${{ matrix.variant }} ${{ matrix.target }}
|
|
needs: metadata
|
|
runs-on: ${{ matrix.runner }}
|
|
permissions:
|
|
contents: read
|
|
actions: read
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- runner: ubuntu-24.04
|
|
bazel_config: ci-v8
|
|
platform: linux_amd64
|
|
sandbox: false
|
|
target: x86_64-unknown-linux-gnu
|
|
variant: release
|
|
- runner: ubuntu-24.04
|
|
bazel_config: ci-v8
|
|
platform: linux_amd64
|
|
sandbox: true
|
|
target: x86_64-unknown-linux-gnu
|
|
variant: ptrcomp-sandbox
|
|
- runner: ubuntu-24.04-arm
|
|
bazel_config: ci-v8
|
|
platform: linux_arm64
|
|
sandbox: false
|
|
target: aarch64-unknown-linux-gnu
|
|
variant: release
|
|
- runner: ubuntu-24.04-arm
|
|
bazel_config: ci-v8
|
|
platform: linux_arm64
|
|
sandbox: true
|
|
target: aarch64-unknown-linux-gnu
|
|
variant: ptrcomp-sandbox
|
|
- runner: macos-15-xlarge
|
|
bazel_config: ci-macos
|
|
platform: macos_amd64
|
|
sandbox: false
|
|
target: x86_64-apple-darwin
|
|
variant: release
|
|
- runner: macos-15-xlarge
|
|
bazel_config: ci-macos
|
|
platform: macos_amd64
|
|
sandbox: true
|
|
target: x86_64-apple-darwin
|
|
variant: ptrcomp-sandbox
|
|
- runner: macos-15-xlarge
|
|
bazel_config: ci-macos
|
|
platform: macos_arm64
|
|
sandbox: false
|
|
target: aarch64-apple-darwin
|
|
variant: release
|
|
- runner: macos-15-xlarge
|
|
bazel_config: ci-macos
|
|
platform: macos_arm64
|
|
sandbox: true
|
|
target: aarch64-apple-darwin
|
|
variant: ptrcomp-sandbox
|
|
- runner: ubuntu-24.04
|
|
bazel_config: ci-v8
|
|
platform: linux_amd64_musl
|
|
sandbox: false
|
|
target: x86_64-unknown-linux-musl
|
|
variant: release
|
|
- runner: ubuntu-24.04-arm
|
|
bazel_config: ci-v8
|
|
platform: linux_arm64_musl
|
|
sandbox: false
|
|
target: aarch64-unknown-linux-musl
|
|
variant: release
|
|
- runner: ubuntu-24.04
|
|
bazel_config: ci-v8
|
|
platform: linux_amd64_musl
|
|
sandbox: true
|
|
target: x86_64-unknown-linux-musl
|
|
variant: ptrcomp-sandbox
|
|
- runner: ubuntu-24.04-arm
|
|
bazel_config: ci-v8
|
|
platform: linux_arm64_musl
|
|
sandbox: true
|
|
target: aarch64-unknown-linux-musl
|
|
variant: ptrcomp-sandbox
|
|
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Bazel
|
|
uses: ./.github/actions/setup-bazel-ci
|
|
with:
|
|
target: ${{ matrix.target }}
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
|
|
with:
|
|
python-version: "3.12"
|
|
|
|
- name: Set up Rust toolchain for Cargo smoke
|
|
uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
|
|
with:
|
|
toolchain: "1.93.0"
|
|
|
|
- name: Build Bazel V8 release pair
|
|
env:
|
|
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
|
|
PLATFORM: ${{ matrix.platform }}
|
|
SANDBOX: ${{ matrix.sandbox }}
|
|
TARGET: ${{ matrix.target }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
target_suffix="${TARGET//-/_}"
|
|
pair_kind="release_pair"
|
|
if [[ "${SANDBOX}" == "true" ]]; then
|
|
pair_kind="sandbox_release_pair"
|
|
fi
|
|
pair_target="//third_party/v8:rusty_v8_${pair_kind}_${target_suffix}"
|
|
|
|
bazel_args=(
|
|
build
|
|
-c
|
|
opt
|
|
"--platforms=@llvm//platforms:${PLATFORM}"
|
|
--config=rusty-v8-upstream-libcxx
|
|
"${pair_target}"
|
|
--build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
|
|
)
|
|
if [[ "${SANDBOX}" != "true" ]]; then
|
|
bazel_args+=(--config=v8-release-compat)
|
|
fi
|
|
|
|
bazel \
|
|
--noexperimental_remote_repo_contents_cache \
|
|
"${bazel_args[@]}" \
|
|
"--config=${{ matrix.bazel_config }}" \
|
|
"--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
|
|
|
|
- name: Stage release pair
|
|
env:
|
|
BAZEL_CONFIG: ${{ matrix.bazel_config }}
|
|
BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
|
|
PLATFORM: ${{ matrix.platform }}
|
|
SANDBOX: ${{ matrix.sandbox }}
|
|
TARGET: ${{ matrix.target }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
stage_args=(
|
|
--platform "${PLATFORM}"
|
|
--target "${TARGET}"
|
|
--compilation-mode opt
|
|
--output-dir "dist/${TARGET}"
|
|
--bazel-config "${BAZEL_CONFIG}"
|
|
)
|
|
if [[ "${SANDBOX}" == "true" ]]; then
|
|
stage_args+=(--sandbox)
|
|
else
|
|
stage_args+=(--bazel-config v8-release-compat)
|
|
fi
|
|
|
|
python3 .github/scripts/rusty_v8_bazel.py stage-release-pair "${stage_args[@]}"
|
|
|
|
- name: Smoke test staged artifact with Cargo
|
|
env:
|
|
SANDBOX: ${{ matrix.sandbox }}
|
|
TARGET: ${{ matrix.target }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
host_arch="$(uname -m)"
|
|
case "${TARGET}:${host_arch}" in
|
|
x86_64-apple-darwin:x86_64|aarch64-apple-darwin:arm64|x86_64-unknown-linux-gnu:x86_64|aarch64-unknown-linux-gnu:aarch64)
|
|
;;
|
|
*)
|
|
echo "Skipping non-native Cargo smoke for ${TARGET} on ${host_arch}."
|
|
exit 0
|
|
;;
|
|
esac
|
|
|
|
archive="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'librusty_v8_*.a.gz' -print -quit)"
|
|
binding="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'src_binding_*.rs' -print -quit)"
|
|
if [[ -z "${archive}" || -z "${binding}" ]]; then
|
|
echo "Missing staged archive or binding for ${TARGET}." >&2
|
|
exit 1
|
|
fi
|
|
|
|
cargo_args=(test -p codex-v8-poc)
|
|
if [[ "${SANDBOX}" == "true" ]]; then
|
|
cargo_args+=(--features sandbox)
|
|
fi
|
|
|
|
(
|
|
cd codex-rs
|
|
CARGO_TARGET_DIR="${RUNNER_TEMP}/rusty-v8-cargo-smoke-${TARGET}-${SANDBOX}" \
|
|
RUSTY_V8_ARCHIVE="${GITHUB_WORKSPACE}/${archive}" \
|
|
RUSTY_V8_SRC_BINDING_PATH="${GITHUB_WORKSPACE}/${binding}" \
|
|
cargo "${cargo_args[@]}"
|
|
)
|
|
|
|
- name: Upload staged artifacts
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: rusty-v8-${{ needs.metadata.outputs.v8_version }}-${{ matrix.variant }}-${{ matrix.target }}
|
|
path: dist/${{ matrix.target }}/*
|
|
|
|
publish-release:
|
|
needs:
|
|
- metadata
|
|
- build
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
actions: read
|
|
|
|
steps:
|
|
- name: Check whether release already exists
|
|
id: release
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
RELEASE_TAG: ${{ needs.metadata.outputs.release_tag }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
if gh release view "${RELEASE_TAG}" --repo "${GITHUB_REPOSITORY}" > /dev/null 2>&1; then
|
|
echo "exists=true" >> "${GITHUB_OUTPUT}"
|
|
else
|
|
echo "exists=false" >> "${GITHUB_OUTPUT}"
|
|
fi
|
|
|
|
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
path: dist
|
|
|
|
- name: Create GitHub Release
|
|
if: ${{ steps.release.outputs.exists != 'true' }}
|
|
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
|
|
with:
|
|
tag_name: ${{ needs.metadata.outputs.release_tag }}
|
|
name: ${{ needs.metadata.outputs.release_tag }}
|
|
files: dist/**
|
|
# Keep V8 artifact releases out of Codex's normal "latest release" channel.
|
|
prerelease: true
|
|
|
|
- name: Amend existing GitHub Release
|
|
if: ${{ steps.release.outputs.exists == 'true' }}
|
|
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
|
|
with:
|
|
tag_name: ${{ needs.metadata.outputs.release_tag }}
|
|
name: ${{ needs.metadata.outputs.release_tag }}
|
|
files: dist/**
|
|
overwrite_files: true
|
|
# Keep V8 artifact releases out of Codex's normal "latest release" channel.
|
|
prerelease: true
|