clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-16 01:02:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fcc3a3f6caec8886b388ffc0bfa56d60d242ca3f
codex/.github/workflows
History
Michael Bolin fcc3a3f6ca ci: support signed macOS release promotion 
## Why

`rust-release.yml` can create unsigned macOS artifacts for external signing, but there was no signed resume path after those artifacts returned from a secure enclave. Release operators need a way to reuse the first run artifacts, ingest signed macOS binaries and DMGs, and continue the normal signed release path without rebuilding every platform or treating handoff assets as final release assets.

## What Changed

- Add explicit manual `release_mode` values for `build_unsigned` and `promote_signed` while keeping `sign_macos` as a deprecated compatibility input.
- Add promote inputs for `unsigned_run_id`, `signed_macos_asset`, and optional `signed_macos_sha256`.
- Add a `stage-signed-macos` job that downloads the signed handoff asset from the GitHub Release, verifies signed binaries and stapled DMGs, repacks normal macOS release artifacts, and builds macOS Python runtime wheels.
- Teach the release job to download Part 1 artifacts from the unsigned run, discard unsigned macOS staging artifacts, re-upload promoted Linux and Windows artifacts for npm staging, and then run the signed release tail.
- Clean up unsigned and signed handoff release assets after successful promotion.

## Verification

- Parsed `.github/workflows/rust-release.yml` with Ruby YAML loading.

No developers.openai.com documentation update is needed.
2026-05-14 17:48:52 -07:00
..
bazel.yml
Shard Bazel Windows tests across jobs (#22408)
2026-05-13 12:46:51 -07:00
blob-size-policy.yml
ci: check out PR head commits in workflows (#21835)
2026-05-08 15:14:33 -07:00
cargo-deny.yml
ci: check out PR head commits in workflows (#21835)
2026-05-08 15:14:33 -07:00
ci.yml
ci: check out PR head commits in workflows (#21835)
2026-05-08 15:14:33 -07:00
cla.yml
[codex] Pin GitHub Actions workflow references (#15828)
2026-03-27 23:00:05 +00:00
close-stale-contributor-prs.yml
[codex] Fully qualify hash-pins in GitHub Actions (#21436)
2026-05-07 14:31:20 -07:00
codespell.yml
ci: check out PR head commits in workflows (#21835)
2026-05-08 15:14:33 -07:00
Dockerfile.bazel
Remove js_repl feature (#19410)
2026-04-24 17:49:29 -07:00
issue-deduplicator.yml
[codex] Address some more GHA hygiene issues (#21622)
2026-05-08 10:19:27 -07:00
README.md
ci: align Bazel repo cache and Windows clippy target handling (#16740)
2026-04-03 20:18:33 -07:00
rust-ci-full.yml
Enable --deny-warnings for cargo shear (#21616)
2026-05-08 20:29:00 +00:00
rust-ci.yml
ci: check out PR head commits in workflows (#21835)
2026-05-08 15:14:33 -07:00
rust-release-argument-comment-lint.yml
[codex] Address some more GHA hygiene issues (#21622)
2026-05-08 10:19:27 -07:00
rust-release-prepare.yml
make rust-release-prepare use env secret (#22702)
2026-05-14 21:45:53 +00:00
rust-release-windows.yml
[1/8] Pin Python SDK runtime dependency (#21891)
2026-05-12 00:42:26 +03:00
rust-release-zsh.yml
[codex] Address some more GHA hygiene issues (#21622)
2026-05-08 10:19:27 -07:00
rust-release.yml
ci: support signed macOS release promotion
2026-05-14 17:48:52 -07:00
rusty-v8-release.yml
[codex] Address some more GHA hygiene issues (#21622)
2026-05-08 10:19:27 -07:00
sdk.yml
[8/8] Add Python SDK Ruff formatting (#22021)
2026-05-12 01:10:29 +03:00
v8-canary.yml
ci: check out PR head commits in workflows (#21835)
2026-05-08 15:14:33 -07:00
zstd
ci(windows): use DotSlash for zstd in rust-release-windows (#11542)
2026-02-11 20:57:11 -08:00

README.md

Workflow Strategy

The workflows in this directory are split so that pull requests get fast, review-friendly signal while main still gets the full cross-platform verification pass.

Pull Requests

  • bazel.yml is the main pre-merge verification path for Rust code. It runs Bazel test and Bazel clippy on the supported Bazel targets, including the generated Rust test binaries needed to lint inline #[cfg(test)] code.
  • rust-ci.yml keeps the Cargo-native PR checks intentionally small:
    • cargo fmt --check
    • cargo shear
    • argument-comment-lint on Linux, macOS, and Windows
    • tools/argument-comment-lint package tests when the lint or its workflow wiring changes

Post-Merge On main

  • bazel.yml also runs on pushes to main. This re-verifies the merged Bazel path and helps keep the BuildBuddy caches warm.
  • rust-ci-full.yml is the full Cargo-native verification workflow. It keeps the heavier checks off the PR path while still validating them after merge:
    • the full Cargo clippy matrix
    • the full Cargo nextest matrix
    • release-profile Cargo builds
    • cross-platform argument-comment-lint
    • Linux remote-env tests

Rule Of Thumb

  • If a build/test/clippy check can be expressed in Bazel, prefer putting the PR-time version in bazel.yml.
  • Keep rust-ci.yml fast enough that it usually does not dominate PR latency.
  • Reserve rust-ci-full.yml for heavyweight Cargo-native coverage that Bazel does not replace yet.
Reference in New Issue View Git Blame Copy Permalink