mirror of
https://github.com/openai/codex.git
synced 2026-05-15 16:53:05 +00:00
302149d979
## Why The `release_mode=promote_signed` path intentionally skips the build jobs after signed macOS artifacts are staged, then runs the `release` job from the signed handoff. In the `rust-v0.131.0-alpha.19` promotion run, `release` succeeded but the npm, PyPI, and `latest-alpha-cli` follow-up jobs were skipped because their custom job `if:` expressions let GitHub Actions apply the implicit `success()` status check before reading `needs.release.outputs.*`. The unsigned build handoff does not need DotSlash manifests. Publishing unsigned DotSlash manifests creates release assets that can conflict with the later signed promotion, especially shared outputs such as `bwrap`, `codex-command-runner`, and `codex-windows-sandbox-setup`. ## What Changed - Stop publishing DotSlash manifests when `SIGN_MACOS == 'false'`. - Delete `.github/dotslash-unsigned-config.json`. - Gate post-release jobs with the `!cancelled()` status function plus an explicit `needs.release.result == 'success'` check before consulting release outputs. - Keep the existing publish eligibility rules for npm, PyPI, WinGet, and `latest-alpha-cli`. ## Verification - `rg -n "dotslash-unsigned-config|SIGN_MACOS == 'false'.*dotslash|unsigned-config" .github/workflows/rust-release.yml .github || true` - `git diff --check -- .github/workflows/rust-release.yml .github/dotslash-unsigned-config.json`
