mirror of https://github.com/openai/codex.git synced 2026-05-22 20:14:17 +00:00

Files

Michael Bolin 80c4a978f8 release: package prebuilt resource binaries (#23759 )

## Why

Release packaging should be a staging step once release binaries have
already been built and signed. The Windows release job was downloading
and signing `codex-command-runner.exe` and
`codex-windows-sandbox-setup.exe`, but `scripts/build_codex_package.py`
still rebuilt those helpers while creating the package archives.

That makes the package step slower and, more importantly, risks putting
helper binaries in the archive that were produced after the signing
step. Linux had the same shape for package resources: `bwrap` could be
rebuilt by the package builder instead of being passed in as a prebuilt
release artifact.

This builds on #23752, which fixes `.tar.zst` creation when Windows
runners rely on the repository DotSlash `zstd` wrapper.

## What changed

- Add explicit prebuilt resource inputs to the Codex package builder:
  - `--bwrap-bin`
  - `--codex-command-runner-bin`
  - `--codex-windows-sandbox-setup-bin`
- Make `.github/scripts/build-codex-package-archive.sh` pass resource
binaries from the release output directory when they are already
present.
- Build Linux `bwrap` for app-server release jobs too, so app-server
package creation does not invoke Cargo just to supply the package
resource.
- Keep macOS package creation as a no-Cargo path when `--entrypoint-bin`
is provided, since macOS packages have no resource binaries.
- Add unit coverage showing prebuilt macOS, Linux, and Windows package
inputs result in no source-built binaries.

## Verification

- `python3 -m unittest discover -s scripts/codex_package -p 'test_*.py'`
- `python3 -m py_compile scripts/codex_package/*.py`
- `bash -n .github/scripts/build-codex-package-archive.sh`
- Dry-ran Linux and Windows package builds with fake prebuilt resources
and a nonexistent Cargo path to verify the package builder did not
invoke Cargo.


---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/23759).
* #23760
* __->__ #23759

2026-05-20 14:51:46 -07:00

__init__.py

build: add Codex package builder (#23513 )

2026-05-19 19:54:03 +00:00

archive.py

release: use DotSlash zstd for package archives (#23752 )

2026-05-20 14:28:11 -07:00

cargo.py

release: package prebuilt resource binaries (#23759 )

2026-05-20 14:51:46 -07:00

cli.py

release: package prebuilt resource binaries (#23759 )

2026-05-20 14:51:46 -07:00

layout.py

build: package prebuilt Codex entrypoints (#23586 )

2026-05-19 22:10:03 -07:00

README.md

release: package prebuilt resource binaries (#23759 )

2026-05-20 14:51:46 -07:00

ripgrep.py

build: fetch rg for Codex packages (#23526 )

2026-05-19 15:52:17 -07:00

targets.py

build: package prebuilt Codex entrypoints (#23586 )

2026-05-19 22:10:03 -07:00

test_archive.py

release: package prebuilt resource binaries (#23759 )

2026-05-20 14:51:46 -07:00

test_cargo.py

release: package prebuilt resource binaries (#23759 )

2026-05-20 14:51:46 -07:00

version.py

build: package prebuilt Codex entrypoints (#23586 )

2026-05-19 22:10:03 -07:00

README.md

Codex package builder

This package contains the implementation behind scripts/build_codex_package.py. The top-level script is the stable executable entry point; these modules keep the package-building logic split by responsibility.

The builder creates a canonical Codex package directory:

.
├── codex-package.json
├── bin
│   └── <entrypoint>[.exe]
├── codex-resources
│   ├── bwrap                             # Linux only
│   ├── codex-command-runner.exe          # Windows only
│   └── codex-windows-sandbox-setup.exe   # Windows only
└── codex-path
    └── rg[.exe]

The package directory is the primary artifact. Archive formats such as .tar.gz, .tar.zst, and .zip are serializations of that directory.

If --target is omitted, the builder uses the release target for the current host platform. On Linux, that default is a musl target to match Codex release artifacts; pass a GNU Linux target explicitly for native glibc local builds. If --package-dir is omitted, the builder creates a new temporary directory and prints its path after the package is built.

The --variant flag selects the package entrypoint. Supported variants are codex and codex-app-server. The version field in codex-package.json is read from [workspace.package].version in codex-rs/Cargo.toml.

Source-built artifacts

Artifacts built from this repository are built by the package builder in one grouped cargo build command per package when they are needed and no prebuilt override was provided:

all targets: the selected entrypoint, unless --entrypoint-bin is provided
Linux targets: bwrap, unless --bwrap-bin is provided
Windows targets: codex-command-runner and codex-windows-sandbox-setup, unless the corresponding prebuilt helper flags are provided

The default cargo profile is dev-small because local iteration should favor fast, small builds. Release jobs should pass --cargo-profile release and an explicit target. Release jobs that already built and signed/notarized the entrypoint should pass --entrypoint-bin so the package contains that exact binary instead of rebuilding it.

Release jobs that already built package resource binaries should also pass the corresponding resource flags: --bwrap-bin for Linux packages, and --codex-command-runner-bin plus --codex-windows-sandbox-setup-bin for Windows packages. This keeps package archive creation as a pure staging step after signing instead of rebuilding resources.

rg is not built from this repository, so the builder fetches it from the DotSlash manifest at codex-cli/bin/rg. Downloaded archives are cached under $TMPDIR/codex-package/<target>-rg and are reused only after the recorded size and SHA-256 digest have been verified. Pass --rg-bin to use a local ripgrep executable instead.