clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-04-27 16:15:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8623dfb4e459566792de0f0a9d920b5c3b0d094e
codex/third_party/v8
History
viyatb-oai d9a385ac8c fix: pin inputs (#17471) 
## Summary
- Pin Rust git patch dependencies to immutable revisions and make
cargo-deny reject unknown git and registry sources unless explicitly
allowlisted.
- Add checked-in SHA-256 coverage for the current rusty_v8 release
assets, wire those hashes into Bazel, and verify CI override downloads
before use.
- Add rusty_v8 MODULE.bazel update/check tooling plus a Bazel CI guard
so future V8 bumps cannot drift from the checked-in checksum manifest.
- Pin release/lint cargo installs and all external GitHub Actions refs
to immutable inputs.

## Future V8 bump flow
Run these after updating the resolved `v8` crate version and checksum
manifest:

```bash
python3 .github/scripts/rusty_v8_bazel.py update-module-bazel
python3 .github/scripts/rusty_v8_bazel.py check-module-bazel
```

The update command rewrites the matching `rusty_v8_<crate_version>`
`http_file` SHA-256 values in `MODULE.bazel` from
`third_party/v8/rusty_v8_<crate_version>.sha256`. The check command is
also wired into Bazel CI to block drift.

## Notes
- This intentionally excludes RustSec dependency upgrades and
bubblewrap-related changes per request.
- The branch was rebased onto the latest origin/main before opening the
PR.

## Validation
- cargo fetch --locked
- cargo deny check advisories
- cargo deny check
- cargo deny check sources
- python3 .github/scripts/rusty_v8_bazel.py check-module-bazel
- python3 .github/scripts/rusty_v8_bazel.py update-module-bazel
- python3 -m unittest discover -s .github/scripts -p
'test_rusty_v8_bazel.py'
- python3 -m py_compile .github/scripts/rusty_v8_bazel.py
.github/scripts/rusty_v8_module_bazel.py
.github/scripts/test_rusty_v8_bazel.py
- repo-wide GitHub Actions `uses:` audit: all external action refs are
pinned to 40-character SHAs
- yq eval on touched workflows and local actions
- git diff --check
- just bazel-lock-check

## Hash verification
- Confirmed `MODULE.bazel` hashes match
`third_party/v8/rusty_v8_146_4_0.sha256`.
- Confirmed GitHub release asset digests for denoland/rusty_v8
`v146.4.0` and openai/codex `rusty-v8-v146.4.0` match the checked-in
hashes.
- Streamed and SHA-256 hashed all 10 `MODULE.bazel` rusty_v8 asset URLs
locally; every downloaded byte stream matched both `MODULE.bazel` and
the checked-in manifest.

## Pin verification
- Confirmed signing-action pins match the peeled commits for their tag
comments: `sigstore/cosign-installer@v3.7.0`, `azure/login@v2`, and
`azure/trusted-signing-action@v0`.
- Pinned the remaining tag-based action refs in Bazel CI/setup:
`actions/setup-node@v6`, `facebook/install-dotslash@v2`,
`bazelbuild/setup-bazelisk@v3`, and `actions/cache/restore@v5`.
- Normalized all `bazelbuild/setup-bazelisk@v3` refs to the peeled
commit behind the annotated tag.
- Audited Cargo git dependencies: every manifest git dependency uses
`rev` only, every `Cargo.lock` git source has `?rev=<sha>#<same-sha>`,
and `cargo deny check sources` passes with `required-git-spec = "rev"`.
- Shallow-fetched each distinct git dependency repo at its pinned SHA
and verified Git reports each object as a commit.
2026-04-14 01:45:41 +00:00
..
BUILD.bazel
bazel: enable the full Windows gnullvm CI path (#15952)
2026-03-27 20:37:03 -07:00
README.md
fix: pin inputs (#17471)
2026-04-14 01:45:41 +00:00
rusty_v8_146_4_0.sha256
fix: pin inputs (#17471)
2026-04-14 01:45:41 +00:00
v8_crate.BUILD.bazel
V8 Bazel Build (#15021)
2026-03-19 18:05:23 -07:00

README.md

rusty_v8 Consumer Artifacts

This directory wires the v8 crate to exact-version Bazel inputs. Bazel consumer builds use:

  • upstream denoland/rusty_v8 release archives on Windows
  • source-built V8 archives on Darwin, GNU Linux, and musl Linux
  • openai/codex release assets for published musl release pairs

Cargo builds still use prebuilt rusty_v8 archives by default. Only Bazel overrides RUSTY_V8_ARCHIVE/RUSTY_V8_SRC_BINDING_PATH in MODULE.bazel to select source-built local archives for its consumer builds.

Current pinned versions:

  • Rust crate: v8 = =146.4.0
  • Embedded upstream V8 source for musl release builds: 14.6.202.9

When bumping the Rust crate version, keep the checked-in checksum manifest and MODULE.bazel in sync:

python3 .github/scripts/rusty_v8_bazel.py update-module-bazel
python3 .github/scripts/rusty_v8_bazel.py check-module-bazel

The commands read third_party/v8/rusty_v8_<crate_version>.sha256 by default and validate every matching rusty_v8_<crate_version> http_file entry. CI runs the check command to block checksum drift.

The consumer-facing selectors are:

  • //third_party/v8:rusty_v8_archive_for_target
  • //third_party/v8:rusty_v8_binding_for_target

Musl release assets are expected at the tag:

  • rusty-v8-v<crate_version>

with these raw asset names:

  • librusty_v8_release_<target>.a.gz
  • src_binding_release_<target>.rs

The dedicated publishing workflow is .github/workflows/rusty-v8-release.yml. It builds musl release pairs from source and keeps the release artifacts as the statically linked form:

  • //third_party/v8:rusty_v8_release_pair_x86_64_unknown_linux_musl
  • //third_party/v8:rusty_v8_release_pair_aarch64_unknown_linux_musl

Cargo musl builds use RUSTY_V8_ARCHIVE plus a downloaded RUSTY_V8_SRC_BINDING_PATH to point at those openai/codex release assets directly. We do not use RUSTY_V8_MIRROR for musl because the upstream v8 crate hardcodes a v<crate_version> tag layout, while our musl artifacts are published under rusty-v8-v<crate_version>.

Do not mix artifacts across crate versions. The archive and binding must match the exact resolved v8 crate version in codex-rs/Cargo.lock.

Reference in New Issue View Git Blame Copy Permalink