f48be015d6
## Why
The Windows release job installed DotSlash successfully, but package
archive creation still failed while writing `codex-package-*.tar.zst`.
The Python archiver used `shutil.which("zstd")`, which does not reliably
find the extensionless DotSlash manifest at `.github/workflows/zstd`
from native Windows Python.
That left release packaging dependent on a command named exactly `zstd`
being discoverable on `PATH`, even though the repository already carries
a DotSlash wrapper for Windows runners.
## What changed
- Add `resolve_zstd_command()` to prefer a real `zstd` binary when
present.
- Fall back to invoking `dotslash .github/workflows/zstd` when `zstd` is
not on `PATH`.
- Keep the error explicit when neither `zstd` nor the DotSlash fallback
is available.
- Add unit coverage for direct `zstd`, DotSlash fallback, and
missing-tool error paths.
## Verification
- `python3 -m unittest discover -s scripts/codex_package -p 'test_*.py'`
- `python3 -m py_compile scripts/codex_package/*.py`
Codex package builder
This package contains the implementation behind scripts/build_codex_package.py.
The top-level script is the stable executable entry point; these modules keep the
package-building logic split by responsibility.
The builder creates a canonical Codex package directory:
.
├── codex-package.json
├── bin
│ └── <entrypoint>[.exe]
├── codex-resources
│ ├── bwrap # Linux only
│ ├── codex-command-runner.exe # Windows only
│ └── codex-windows-sandbox-setup.exe # Windows only
└── codex-path
└── rg[.exe]
The package directory is the primary artifact. Archive formats such as
.tar.gz, .tar.zst, and .zip are serializations of that directory.
If --target is omitted, the builder uses the release target for the current
host platform. On Linux, that default is a musl target to match Codex release
artifacts; pass a GNU Linux target explicitly for native glibc local builds. If
--package-dir is omitted, the builder creates a new temporary directory and
prints its path after the package is built.
The --variant flag selects the package entrypoint. Supported variants are
codex and codex-app-server. The version field in codex-package.json is
read from [workspace.package].version in codex-rs/Cargo.toml.
Source-built artifacts
Artifacts built from this repository are always built by the package builder in
one grouped cargo build command per package when they are needed:
- all targets: the selected entrypoint, unless
--entrypoint-binis provided - Linux targets:
bwrap - Windows targets:
codex-command-runnerandcodex-windows-sandbox-setup
The default cargo profile is dev-small because local iteration should favor
fast, small builds. Release jobs should pass --cargo-profile release and an
explicit target. Release jobs that already built and signed/notarized the
entrypoint should pass --entrypoint-bin so the package contains that exact
binary instead of rebuilding it.
rg is not built from this repository, so the builder fetches it from the
DotSlash manifest at codex-cli/bin/rg. Downloaded archives are cached under
$TMPDIR/codex-package/<target>-rg and are reused only after the recorded size
and SHA-256 digest have been verified. Pass --rg-bin to use a local ripgrep
executable instead.