mirror of
https://github.com/openai/codex.git
synced 2026-05-21 11:42:55 +00:00
7cdeab33d1
## Summary Move the rusty_v8 artifact production into hermetic Bazel path and bump the `v8` crate to `147.4.0` The new flow builds V8 release artifacts from source for Darwin and Linux targets, publishes both the current release-compatible artifacts and sandbox-enabled variants, and keeps Cargo consumers on prebuilt binaries by continuing to feed the `v8` crate the archive and generated binding files it already expects. ## Why We need control over V8 build-time features without giving up prebuilt artifacts for downstream Cargo builds. Upstream `rusty_v8` already supports source-only features such as `v8_enable_sandbox`, but its normal prebuilt release assets do not cover every feature combination we need. Building the artifacts ourselves lets us enable settings such as the V8 sandbox and pointer compression at artifact build time, then publish those outputs so ordinary Cargo builds can still consume prebuilts instead of compiling V8 locally. This keeps the fast consumer experience of prebuilt `rusty_v8` archives while giving us a reproducible path to ship featureful variants that upstream does not currently publish for us. ## Implementation Notes The Bazel graph in this PR is not copied wholesale from `rusty_v8`; `rusty_v8`'s normal source build is still GN/Ninja-based. Instead, this change starts from upstream V8's Bazel rules and adapts them to Codex's hermetic toolchains and dependency layout. Where we intentionally follow `rusty_v8`, we mirror its existing artifact contract: - the same `v8` crate version and generated binding expectations - the same sandbox feature relationship, where sandboxing requires pointer compression - the same custom libc++ model expected by Cargo's default `use_custom_libcxx` feature - the same release-style archive plus `src_binding` outputs consumed by the `v8` crate To preserve that contract, the Bazel release path pins the libc++, libc++abi, and llvm-libc revisions used by `rusty_v8 v147.4.0`, builds release artifacts with `--config=rusty-v8-upstream-libcxx`, and folds the matching runtime objects into the final static archive. ## Windows Windows is annoyingly handled differently. Codex's current hermetic Bazel Windows C++ platform is `windows-gnullvm` / `x86_64-w64-windows-gnu`, while upstream `rusty_v8` publishes Windows prebuilts for `*-pc-windows-msvc`. Those are different ABIs, so the Bazel graph cannot truthfully reproduce the upstream MSVC artifacts until we add a real MSVC-targeting C++ toolchain. For now: - Windows MSVC consumers continue to use upstream `rusty_v8` release archives. - Windows GNU targets are built in-tree so they link against a matching GNU ABI. - The canary workflow separately exercises upstream `rusty_v8` source builds for MSVC sandbox artifacts, but MSVC is not yet part of the Bazel-produced release matrix. ## Validation This PR is technically self validating through CI. I have already published it as a release tag so the artifacts from this branch are published to https://github.com/openai/codex/releases/tag/rusty-v8-v147.4.0 CI for this PR should therefore consume our own release targets. I have also locally tested for linux and darwin. --------- Co-authored-by: Codex <noreply@openai.com>
203 lines
11 KiB
Plaintext
203 lines
11 KiB
Plaintext
common --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
|
|
common --repo_env=BAZEL_NO_APPLE_CPP_TOOLCHAIN=1
|
|
# Dummy xcode config so we don't need to build xcode_locator in repo rule.
|
|
common --xcode_version_config=//:disable_xcode
|
|
|
|
common --disk_cache=~/.cache/bazel-disk-cache
|
|
common --repo_contents_cache=~/.cache/bazel-repo-contents-cache
|
|
common --repository_cache=~/.cache/bazel-repo-cache
|
|
common --remote_cache_compression
|
|
startup --experimental_remote_repo_contents_cache
|
|
|
|
common --experimental_platform_in_output_dir
|
|
|
|
# Runfiles strategy rationale: codex-rs/utils/cargo-bin/README.md
|
|
common --noenable_runfiles
|
|
|
|
common --enable_platform_specific_config
|
|
common:linux --host_platform=//:local_linux
|
|
common:windows --host_platform=//:local_windows
|
|
common --@rules_cc//cc/toolchains/args/archiver_flags:use_libtool_on_macos=False
|
|
common --@llvm//config:experimental_stub_libgcc_s
|
|
|
|
# TODO(zbarsky): rules_rust doesn't implement this flag properly with remote exec...
|
|
# common --@rules_rust//rust/settings:pipelined_compilation
|
|
|
|
common --incompatible_strict_action_env
|
|
# Not ideal, but We need to allow dotslash to be found
|
|
common:linux --test_env=PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
|
|
common:macos --test_env=PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
|
|
|
|
# Pass through some env vars Windows needs to use powershell?
|
|
common:windows --test_env=SYSTEMROOT
|
|
common:windows --test_env=COMSPEC
|
|
common:windows --test_env=WINDIR
|
|
# Rust's libtest harness runs test bodies on std-spawned threads. The default
|
|
# 2 MiB stack can be too small for large async test futures on Windows CI; see
|
|
# https://github.com/openai/codex/pull/19067 for the motivating failure.
|
|
common --test_env=RUST_MIN_STACK=8388608 # 8 MiB
|
|
|
|
common --test_output=errors
|
|
common --bes_results_url=https://app.buildbuddy.io/invocation/
|
|
common --bes_backend=grpcs://remote.buildbuddy.io
|
|
common --remote_cache=grpcs://remote.buildbuddy.io
|
|
common --remote_download_toplevel
|
|
common --nobuild_runfile_links
|
|
common --remote_timeout=3600
|
|
common --noexperimental_throttle_remote_action_building
|
|
common --experimental_remote_execution_keepalive
|
|
common --grpc_keepalive_time=30s
|
|
common --experimental_remote_downloader=grpcs://remote.buildbuddy.io
|
|
|
|
# This limits both in-flight executions and concurrent downloads. Even with high number
|
|
# of jobs execution will still be limited by CPU cores, so this just pays a bit of
|
|
# memory in exchange for higher download concurrency.
|
|
common --jobs=30
|
|
|
|
common:remote --extra_execution_platforms=//:rbe
|
|
common:remote --remote_executor=grpcs://remote.buildbuddy.io
|
|
common:remote --jobs=800
|
|
# TODO(team): Evaluate if this actually helps, zbarsky is not sure, everything seems bottlenecked on `core` either way.
|
|
# Enable pipelined compilation since we are not bound by local CPU count.
|
|
#common:remote --@rules_rust//rust/settings:pipelined_compilation
|
|
|
|
# GitHub Actions CI configs.
|
|
common:ci --remote_download_minimal
|
|
common:ci --keep_going
|
|
common:ci --verbose_failures
|
|
common:ci --build_metadata=REPO_URL=https://github.com/openai/codex.git
|
|
common:ci --build_metadata=ROLE=CI
|
|
common:ci --build_metadata=VISIBILITY=PUBLIC
|
|
# rules_rust derives debug level from Bazel toolchain/compilation-mode settings,
|
|
# not Cargo profiles. Keep CI Rust actions explicit and lean.
|
|
common:ci --@rules_rust//rust/settings:extra_rustc_flag=-Cdebuginfo=0
|
|
common:ci --@rules_rust//rust/settings:extra_exec_rustc_flag=-Cdebuginfo=0
|
|
|
|
# Disable disk cache in CI since we have a remote one and aren't using persistent workers.
|
|
common:ci --disk_cache=
|
|
|
|
# Shared config for the main Bazel CI workflow.
|
|
common:ci-bazel --config=ci
|
|
common:ci-bazel --build_metadata=TAG_workflow=bazel
|
|
# Bazel CI cross-compiles in several legs, and the V8-backed code-mode tests
|
|
# are not stable in that setup yet. Keep running the rest of the Rust
|
|
# integration suites through the workspace-root launcher.
|
|
common:ci-bazel --test_env=CODEX_BAZEL_TEST_SKIP_FILTERS=suite::code_mode::
|
|
|
|
# Shared config for Bazel-backed Rust linting.
|
|
build:clippy --aspects=@rules_rust//rust:defs.bzl%rust_clippy_aspect
|
|
build:clippy --output_groups=+clippy_checks
|
|
build:clippy --@rules_rust//rust/settings:clippy.toml=//codex-rs:clippy.toml
|
|
# Keep this deny-list in sync with `codex-rs/Cargo.toml` `[workspace.lints.clippy]`.
|
|
# Cargo applies those lint levels to member crates that opt into `[lints] workspace = true`
|
|
# in their own `Cargo.toml`, but `rules_rust` Bazel clippy does not read Cargo lint levels.
|
|
# `clippy.toml` can configure lint behavior, but it cannot set allow/warn/deny/forbid levels.
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=-Dwarnings
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::await_holding_invalid_type
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::await_holding_lock
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::expect_used
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::identity_op
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_clamp
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_filter
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_find
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_flatten
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_map
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_memcpy
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_non_exhaustive
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_ok_or
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_range_contains
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_retain
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_strip
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_try_fold
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_unwrap_or
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_borrow
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_borrowed_reference
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_collect
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_late_init
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_option_as_deref
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_question_mark
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_update
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_clone
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_closure
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_closure_for_method_calls
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_static_lifetimes
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::trivially_copy_pass_by_ref
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::uninlined_format_args
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_filter_map
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_lazy_evaluations
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_sort_by
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_to_owned
|
|
build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unwrap_used
|
|
|
|
# Shared config for Bazel-backed argument-comment-lint.
|
|
build:argument-comment-lint --aspects=//tools/argument-comment-lint:lint_aspect.bzl%rust_argument_comment_lint_aspect
|
|
build:argument-comment-lint --output_groups=argument_comment_lint_checks
|
|
build:argument-comment-lint --@rules_rust//rust/toolchain/channel=nightly
|
|
|
|
# Rearrange caches on Windows so they're on the same volume as the checkout.
|
|
common:ci-windows --config=ci-bazel
|
|
common:ci-windows --build_metadata=TAG_os=windows
|
|
common:ci-windows --repo_contents_cache=D:/a/.cache/bazel-repo-contents-cache
|
|
|
|
# We prefer to run the build actions entirely remotely so we can dial up the concurrency.
|
|
# We have platform-specific tests, so we want to execute the tests on all platforms using the strongest sandboxing available on each platform.
|
|
|
|
# On linux, we can do a full remote build/test, by targeting the right (x86/arm) runners, so we have coverage of both.
|
|
# Linux crossbuilds don't work until we untangle the libc constraint mess.
|
|
common:ci-linux --config=ci-bazel
|
|
common:ci-linux --build_metadata=TAG_os=linux
|
|
common:ci-linux --config=remote
|
|
common:ci-linux --strategy=remote
|
|
common:ci-linux --platforms=//:rbe
|
|
|
|
# On mac, we can run all the build actions remotely but test actions locally.
|
|
common:ci-macos --config=ci-bazel
|
|
common:ci-macos --build_metadata=TAG_os=macos
|
|
common:ci-macos --config=remote
|
|
common:ci-macos --strategy=remote
|
|
common:ci-macos --strategy=TestRunner=darwin-sandbox,local
|
|
|
|
# On Windows, use Linux remote execution for build actions but keep test actions
|
|
# on the Windows runner so Bazel's normal test sharding and flaky-test retries
|
|
# still run against Windows binaries.
|
|
common:ci-windows-cross --config=ci-windows
|
|
common:ci-windows-cross --build_metadata=TAG_windows_cross_compile=true
|
|
common:ci-windows-cross --config=remote
|
|
common:ci-windows-cross --host_platform=//:rbe
|
|
common:ci-windows-cross --strategy=remote
|
|
common:ci-windows-cross --strategy=TestRunner=local
|
|
common:ci-windows-cross --local_test_jobs=4
|
|
common:ci-windows-cross --test_env=RUST_TEST_THREADS=1
|
|
# Native Windows CI still covers the PowerShell tests. The cross-built gnullvm
|
|
# binaries currently hang in PowerShell AST parser tests when those binaries are
|
|
# run on the Windows runner.
|
|
common:ci-windows-cross --test_env=CODEX_BAZEL_TEST_SKIP_FILTERS=suite::code_mode::,powershell
|
|
common:ci-windows-cross --platforms=//:windows_x86_64_gnullvm
|
|
common:ci-windows-cross --extra_execution_platforms=//:rbe,//:windows_x86_64_msvc
|
|
common:ci-windows-cross --extra_toolchains=//:windows_gnullvm_tests_on_msvc_host_toolchain
|
|
|
|
# Linux-only V8 CI config.
|
|
common:ci-v8 --config=ci
|
|
common:ci-v8 --build_metadata=TAG_workflow=v8
|
|
common:ci-v8 --build_metadata=TAG_os=linux
|
|
common:ci-v8 --config=remote
|
|
common:ci-v8 --strategy=remote
|
|
|
|
# Source-built Bazel V8 artifacts use the in-process sandbox by default. This
|
|
# does not affect Cargo's default prebuilt rusty_v8 path.
|
|
common --@v8//:v8_enable_pointer_compression=True
|
|
common --@v8//:v8_enable_sandbox=True
|
|
|
|
# Keep currently published rusty_v8 release artifacts non-sandboxed until the
|
|
# artifact migration ships matching Rust feature selection for Cargo consumers.
|
|
common:v8-release-compat --@v8//:v8_enable_pointer_compression=False
|
|
common:v8-release-compat --@v8//:v8_enable_sandbox=False
|
|
|
|
# Match rusty_v8's upstream GN release contract for published artifacts: every
|
|
# target object uses Chromium's custom libc++ headers and the archive folds in
|
|
# the matching runtime objects.
|
|
common:rusty-v8-upstream-libcxx --@v8//:v8_use_rusty_v8_custom_libcxx=True
|
|
|
|
# Optional per-user local overrides.
|
|
try-import %workspace%/user.bazelrc
|