mirror of
https://github.com/openai/codex.git
synced 2026-05-23 12:34:25 +00:00
0b4f86095c
## Why The Python and TypeScript SDKs launch the native Codex runtime directly, so they need to consume the same package artifact shape that release jobs now produce. The runtime wheel should be built from the canonical Codex package archive rather than reconstructing a parallel layout from loose binaries. ## What Changed - Stage `openai-codex-cli-bin` by extracting `codex-package-<target>.tar.gz` into `src/codex_cli_bin` and validating the expected package layout. - Update release workflows to pass the generated package archive into `stage-runtime` instead of the temporary package directory. - Update Python runtime setup to download `codex-package-*.tar.gz` release assets directly. - Expose Python runtime helpers for the bundled package directory and `codex-path`, and prepend that path when `openai_codex` launches the installed runtime without duplicating Windows `Path`/`PATH` keys. - Teach the TypeScript SDK to resolve package-layout optional dependencies while keeping the existing npm fallback layout, and preserve the existing Windows path variable casing when prepending `codex-path`. ## Test Plan - `python3 -m py_compile sdk/python/scripts/update_sdk_artifacts.py sdk/python/_runtime_setup.py sdk/python/src/openai_codex/client.py sdk/python-runtime/src/codex_cli_bin/__init__.py` - `uv run --frozen --project sdk/python --extra dev ruff check sdk/python/scripts/update_sdk_artifacts.py sdk/python/_runtime_setup.py sdk/python/src/openai_codex/client.py sdk/python/tests/test_artifact_workflow_and_binaries.py sdk/python-runtime/src/codex_cli_bin/__init__.py` - `uv run --frozen --project sdk/python --extra dev pytest sdk/python/tests/test_artifact_workflow_and_binaries.py` - `pnpm eslint src/exec.ts tests/exec.test.ts` - `pnpm test --runInBand tests/exec.test.ts`
343 lines
13 KiB
YAML
343 lines
13 KiB
YAML
name: rust-release-windows
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
release-lto:
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
AZURE_TRUSTED_SIGNING_CLIENT_ID:
|
|
required: true
|
|
AZURE_TRUSTED_SIGNING_TENANT_ID:
|
|
required: true
|
|
AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID:
|
|
required: true
|
|
AZURE_TRUSTED_SIGNING_ENDPOINT:
|
|
required: true
|
|
AZURE_TRUSTED_SIGNING_ACCOUNT_NAME:
|
|
required: true
|
|
AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME:
|
|
required: true
|
|
|
|
jobs:
|
|
build-windows-binaries:
|
|
name: Build Windows binaries - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
|
|
runs-on: ${{ matrix.runs_on }}
|
|
# Windows release builds can exceed an hour on fat-LTO mainline releases,
|
|
# so keep the timeout aligned with the top-level release build headroom.
|
|
timeout-minutes: 90
|
|
permissions:
|
|
contents: read
|
|
defaults:
|
|
run:
|
|
working-directory: codex-rs
|
|
env:
|
|
CARGO_PROFILE_RELEASE_LTO: ${{ inputs.release-lto }}
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- runner: windows-x64
|
|
target: x86_64-pc-windows-msvc
|
|
bundle: primary
|
|
binaries: "codex codex-responses-api-proxy"
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-x64
|
|
- runner: windows-arm64
|
|
target: aarch64-pc-windows-msvc
|
|
bundle: primary
|
|
binaries: "codex codex-responses-api-proxy"
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-arm64
|
|
- runner: windows-x64
|
|
target: x86_64-pc-windows-msvc
|
|
bundle: helpers
|
|
binaries: "codex-windows-sandbox-setup codex-command-runner"
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-x64
|
|
- runner: windows-arm64
|
|
target: aarch64-pc-windows-msvc
|
|
bundle: helpers
|
|
binaries: "codex-windows-sandbox-setup codex-command-runner"
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-arm64
|
|
- runner: windows-x64
|
|
target: x86_64-pc-windows-msvc
|
|
bundle: app-server
|
|
binaries: "codex-app-server"
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-x64
|
|
- runner: windows-arm64
|
|
target: aarch64-pc-windows-msvc
|
|
bundle: app-server
|
|
binaries: "codex-app-server"
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-arm64
|
|
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
- name: Print runner specs (Windows)
|
|
shell: powershell
|
|
run: |
|
|
$computer = Get-CimInstance Win32_ComputerSystem
|
|
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
|
|
$ramGiB = [math]::Round($computer.TotalPhysicalMemory / 1GB, 1)
|
|
Write-Host "Runner: $env:RUNNER_NAME"
|
|
Write-Host "OS: $([System.Environment]::OSVersion.VersionString)"
|
|
Write-Host "CPU: $($cpu.Name)"
|
|
Write-Host "Logical CPUs: $($computer.NumberOfLogicalProcessors)"
|
|
Write-Host "Physical CPUs: $($computer.NumberOfProcessors)"
|
|
Write-Host "Total RAM: $ramGiB GiB"
|
|
Write-Host "Disk usage:"
|
|
Get-PSDrive -PSProvider FileSystem | Format-Table -AutoSize Name, @{Name='Size(GB)';Expression={[math]::Round(($_.Used + $_.Free) / 1GB, 1)}}, @{Name='Free(GB)';Expression={[math]::Round($_.Free / 1GB, 1)}}
|
|
- uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
|
|
with:
|
|
targets: ${{ matrix.target }}
|
|
|
|
- name: Cargo build (Windows binaries)
|
|
shell: bash
|
|
run: |
|
|
build_args=()
|
|
for binary in ${{ matrix.binaries }}; do
|
|
build_args+=(--bin "$binary")
|
|
done
|
|
cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"
|
|
|
|
- name: Upload Cargo timings
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: cargo-timings-rust-release-windows-${{ matrix.target }}-${{ matrix.bundle }}
|
|
path: codex-rs/target/**/cargo-timings/cargo-timing.html
|
|
if-no-files-found: warn
|
|
|
|
- name: Stage Windows binaries
|
|
shell: bash
|
|
run: |
|
|
output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
|
|
mkdir -p "$output_dir"
|
|
for binary in ${{ matrix.binaries }}; do
|
|
cp "target/${{ matrix.target }}/release/${binary}.exe" "$output_dir/${binary}.exe"
|
|
done
|
|
|
|
- name: Upload Windows binaries
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: windows-binaries-${{ matrix.target }}-${{ matrix.bundle }}
|
|
path: |
|
|
codex-rs/target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}/*
|
|
|
|
build-windows:
|
|
needs:
|
|
- build-windows-binaries
|
|
name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
|
|
runs-on: ${{ matrix.runs_on }}
|
|
timeout-minutes: 90
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
defaults:
|
|
run:
|
|
working-directory: codex-rs
|
|
env:
|
|
WINDOWS_BINARIES: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner codex-app-server"
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- runner: windows-x64
|
|
target: x86_64-pc-windows-msvc
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-x64
|
|
- runner: windows-arm64
|
|
target: aarch64-pc-windows-msvc
|
|
runs_on:
|
|
group: codex-runners
|
|
labels: codex-windows-arm64
|
|
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Download prebuilt Windows primary binaries
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
name: windows-binaries-${{ matrix.target }}-primary
|
|
path: codex-rs/target/${{ matrix.target }}/release
|
|
|
|
- name: Download prebuilt Windows helper binaries
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
name: windows-binaries-${{ matrix.target }}-helpers
|
|
path: codex-rs/target/${{ matrix.target }}/release
|
|
|
|
- name: Download prebuilt Windows app-server binary
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
name: windows-binaries-${{ matrix.target }}-app-server
|
|
path: codex-rs/target/${{ matrix.target }}/release
|
|
|
|
- name: Verify binaries
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
for binary in ${WINDOWS_BINARIES}; do
|
|
ls -lh "target/${{ matrix.target }}/release/${binary}.exe"
|
|
done
|
|
|
|
- name: Sign Windows binaries with Azure Trusted Signing
|
|
uses: ./.github/actions/windows-code-sign
|
|
with:
|
|
target: ${{ matrix.target }}
|
|
binaries: ${{ env.WINDOWS_BINARIES }}
|
|
client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
|
|
endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
|
|
account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
|
|
certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
|
|
|
|
- name: Stage artifacts
|
|
shell: bash
|
|
run: |
|
|
dest="dist/${{ matrix.target }}"
|
|
mkdir -p "$dest"
|
|
|
|
for binary in ${WINDOWS_BINARIES}; do
|
|
cp "target/${{ matrix.target }}/release/${binary}.exe" \
|
|
"$dest/${binary}-${{ matrix.target }}.exe"
|
|
done
|
|
|
|
- name: Install DotSlash
|
|
uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
|
|
|
|
- name: Build Codex package archives
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
for bundle in primary app-server; do
|
|
bash "${GITHUB_WORKSPACE}/.github/scripts/build-codex-package-archive.sh" \
|
|
--target "${{ matrix.target }}" \
|
|
--bundle "$bundle" \
|
|
--entrypoint-dir "target/${{ matrix.target }}/release" \
|
|
--archive-dir "dist/${{ matrix.target }}"
|
|
done
|
|
|
|
- name: Build Python runtime wheel
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
case "${{ matrix.target }}" in
|
|
aarch64-pc-windows-msvc)
|
|
platform_tag="win_arm64"
|
|
;;
|
|
x86_64-pc-windows-msvc)
|
|
platform_tag="win_amd64"
|
|
;;
|
|
*)
|
|
echo "No Python runtime wheel platform tag for ${{ matrix.target }}"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
python -m venv "${RUNNER_TEMP}/python-runtime-build-venv"
|
|
"${RUNNER_TEMP}/python-runtime-build-venv/Scripts/python.exe" -m pip install build
|
|
|
|
stage_dir="${RUNNER_TEMP}/openai-codex-cli-bin-${{ matrix.target }}"
|
|
wheel_dir="${GITHUB_WORKSPACE}/python-runtime-dist/${{ matrix.target }}"
|
|
python "${GITHUB_WORKSPACE}/sdk/python/scripts/update_sdk_artifacts.py" \
|
|
stage-runtime \
|
|
"$stage_dir" \
|
|
"dist/${{ matrix.target }}/codex-package-${{ matrix.target }}.tar.gz" \
|
|
--codex-version "${GITHUB_REF_NAME}" \
|
|
--platform-tag "$platform_tag"
|
|
"${RUNNER_TEMP}/python-runtime-build-venv/Scripts/python.exe" -m build --wheel --outdir "$wheel_dir" "$stage_dir"
|
|
|
|
- name: Upload Python runtime wheel
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: python-runtime-wheel-${{ matrix.target }}
|
|
path: python-runtime-dist/${{ matrix.target }}/*.whl
|
|
if-no-files-found: error
|
|
|
|
- name: Compress artifacts
|
|
shell: bash
|
|
run: |
|
|
# Path that contains the uncompressed binaries for the current
|
|
# ${{ matrix.target }}
|
|
dest="dist/${{ matrix.target }}"
|
|
repo_root=$PWD
|
|
|
|
# For compatibility with environments that lack the `zstd` tool we
|
|
# additionally create a `.tar.gz` and `.zip` for every Windows binary.
|
|
# The end result is:
|
|
# codex-<target>.zst
|
|
# codex-<target>.tar.gz
|
|
# codex-<target>.zip
|
|
for f in "$dest"/*; do
|
|
base="$(basename "$f")"
|
|
# Skip files that are already archives (shouldn't happen, but be
|
|
# safe).
|
|
if [[ "$base" == *.tar.gz || "$base" == *.tar.zst || "$base" == *.zip || "$base" == *.dmg ]]; then
|
|
continue
|
|
fi
|
|
|
|
# Don't try to compress signature bundles.
|
|
if [[ "$base" == *.sigstore ]]; then
|
|
continue
|
|
fi
|
|
|
|
# Create per-binary tar.gz
|
|
tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
|
|
|
|
# Create zip archive for Windows binaries.
|
|
# Must run from inside the dest dir so 7z won't embed the
|
|
# directory path inside the zip.
|
|
if [[ "$base" == "codex-${{ matrix.target }}.exe" ]]; then
|
|
# Bundle the sandbox helper binaries into the main codex zip so
|
|
# WinGet installs include the required helpers next to codex.exe.
|
|
# Fall back to the single-binary zip if the helpers are missing
|
|
# to avoid breaking releases.
|
|
bundle_dir="$(mktemp -d)"
|
|
runner_src="$dest/codex-command-runner-${{ matrix.target }}.exe"
|
|
setup_src="$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
|
|
if [[ -f "$runner_src" && -f "$setup_src" ]]; then
|
|
cp "$dest/$base" "$bundle_dir/$base"
|
|
cp "$runner_src" "$bundle_dir/codex-command-runner.exe"
|
|
cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
|
|
# Use an absolute path so bundle zips land in the real dist
|
|
# dir even when 7z runs from a temp directory.
|
|
(cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
|
|
else
|
|
echo "warning: missing sandbox binaries; falling back to single-binary zip"
|
|
echo "warning: expected $runner_src and $setup_src"
|
|
(cd "$dest" && 7z a "${base}.zip" "$base")
|
|
fi
|
|
rm -rf "$bundle_dir"
|
|
else
|
|
(cd "$dest" && 7z a "${base}.zip" "$base")
|
|
fi
|
|
|
|
# Keep raw executables and produce .zst alongside them.
|
|
"${GITHUB_WORKSPACE}/.github/workflows/zstd" -T0 -19 "$dest/$base"
|
|
done
|
|
|
|
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: ${{ matrix.target }}
|
|
path: |
|
|
codex-rs/dist/${{ matrix.target }}/*
|