mirror of
https://github.com/openai/codex.git
synced 2026-05-14 00:02:33 +00:00
8bea5d231a
This does two things: - We use `persist-credentials: false` everywhere now. This is unfortunately not the default in GitHub Actions, but it prevents `actions/checkout` from dropping `secrets.GITHUB_TOKEN` onto disk. - We interpose (some) template expansions through environment variables. I've limited this to contexts that have non-fixed values; contexts that are fixed (like `*.result`) are not dangerous to expand directly inline (but maybe we should clean those up in the future for consistency anyways). This is a medium-risk change in terms of CI breakage: I did a scan for usage of `git push` and other commands that implicitly use the persisted credential, but couldn't find any. Even still, some implicit usages of the persisted credentials may be lurking. Please ping ww@ if any issues arise.
80 lines
2.9 KiB
YAML
80 lines
2.9 KiB
YAML
name: ci
|
|
|
|
on:
|
|
pull_request: {}
|
|
push: { branches: [main] }
|
|
|
|
jobs:
|
|
build-test:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
env:
|
|
NODE_OPTIONS: --max-old-space-size=4096
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Verify codex-rs Cargo manifests inherit workspace settings
|
|
run: python3 .github/scripts/verify_cargo_workspace_manifests.py
|
|
|
|
- name: Verify codex-tui does not import codex-core directly
|
|
run: python3 .github/scripts/verify_tui_core_boundary.py
|
|
|
|
- name: Verify Bazel clippy flags match Cargo workspace lints
|
|
run: python3 .github/scripts/verify_bazel_clippy_lints.py
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
|
|
with:
|
|
run_install: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: 22
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
# stage_npm_packages.py requires DotSlash when staging releases.
|
|
- uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
|
|
|
|
- name: Stage npm package
|
|
id: stage_npm_package
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
set -euo pipefail
|
|
# Use a recent successful rust-release run that published the full
|
|
# cross-platform native payload required by the npm package layout.
|
|
# Passing the workflow URL directly avoids relying on old rust-v*
|
|
# branches remaining discoverable via `gh run list --branch ...`.
|
|
CODEX_VERSION=0.125.0
|
|
WORKFLOW_URL="https://github.com/openai/codex/actions/runs/24901475298"
|
|
OUTPUT_DIR="${RUNNER_TEMP}"
|
|
# This reused workflow predates the standalone bwrap artifact.
|
|
python3 ./scripts/stage_npm_packages.py \
|
|
--release-version "$CODEX_VERSION" \
|
|
--workflow-url "$WORKFLOW_URL" \
|
|
--package codex \
|
|
--allow-missing-native-component bwrap \
|
|
--output-dir "$OUTPUT_DIR"
|
|
PACK_OUTPUT="${OUTPUT_DIR}/codex-npm-${CODEX_VERSION}.tgz"
|
|
echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Upload staged npm package artifact
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: codex-npm-staging
|
|
path: ${{ steps.stage_npm_package.outputs.pack_output }}
|
|
|
|
- name: Ensure root README.md contains only ASCII and certain Unicode code points
|
|
run: ./scripts/asciicheck.py README.md
|
|
- name: Check root README ToC
|
|
run: python3 scripts/readme_toc.py README.md
|
|
|
|
- name: Prettier (run `pnpm run format:fix` to fix)
|
|
run: pnpm run format
|