💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 95686245c8
```python
"bwrap": BinaryComponent(
    artifact_prefix="bwrap",
    dest_dir="codex-resources",
    binary_basename="bwrap",
    targets=LINUX_TARGETS,
),
```
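Review bot: `dest_dir="codex-resources"` plus `binary_basename="bwrap"` have to reproduce exactly the `codex-resources/bwrap` path that the Linux sandbox's bundled fallback looks up at runtime, and that path literal is now duplicated between this packaging table and the Rust lookup. A packaging test that asserts the installed file lands at `vendor/<target>/codex-resources/bwrap` (the path the review below and the PR description both name) would keep the two from drifting apart silently; `targets=LINUX_TARGETS` is correct since the fallback is Linux-only.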
Add bwrap to the default native install set
When install_native_deps.py is run without --component (the documented prerequisite before invoking build_npm_package.py directly), this new bwrap component is not installed because the default component list below still only includes codex, the Windows helpers, and rg. After this commit the Linux npm packages require bwrap, so the default/direct packaging path now leaves vendor/<linux>/codex-resources/bwrap absent and build_npm_package.py --package codex-linux-* fails unless the caller happens to know to pass --component bwrap.
[codex] Addressed in b9bd244: the default native install set now includes bwrap, and the --component help text documents that default.
**Summary**

- Add `codex-bwrap`, a standalone `bwrap` binary built from the existing vendored bubblewrap sources.
- Remove the linked vendored bwrap path from `codex-linux-sandbox`; runtime now prefers system `bwrap` and falls back to bundled `codex-resources/bwrap`.
- Add bundled SHA-256 verification with missing/all-zero digest as the dev-mode skip value, then exec the verified file through `/proc/self/fd`.
- Keep `launcher.rs` focused on choosing and dispatching the preferred launcher. Bundled lookup, digest verification, and bundled exec now live in `linux-sandbox/src/bundled_bwrap.rs`; Bazel runfiles lookup lives in `linux-sandbox/src/bazel_bwrap.rs`; shared argv/fd exec helpers live in `linux-sandbox/src/exec_util.rs`.
- Teach Bazel tests to surface the Bazel-built `//codex-rs/bwrap:bwrap` through `CARGO_BIN_EXE_bwrap`; `codex-linux-sandbox` only honors that fallback in debug Bazel runfiles environments so release/user runtime lookup stays tied to `codex-resources/bwrap`.
- Allow `codex-exec-server` filesystem helpers to preserve just the Bazel bwrap/runfiles variables they need in debug Bazel builds, since those helpers intentionally rebuild a small environment before spawning `codex-linux-sandbox`.
- Verify the Bazel bwrap target in Linux release CI with a build-only check. Running `bwrap --version` is too strong for GitHub runners because bubblewrap still attempts namespace setup there.

**Verification**

- Latest update: `cargo test -p codex-linux-sandbox`
- Latest update: `just fix -p codex-linux-sandbox`
- `cargo check --target x86_64-unknown-linux-gnu -p codex-linux-sandbox` could not run locally because this macOS machine does not have `x86_64-linux-gnu-gcc`; GitHub Linux Bazel CI is expected to cover the Linux-only modules.
- Earlier in this PR: `cargo test -p codex-bwrap`
- Earlier in this PR: `cargo test -p codex-exec-server`
- Earlier in this PR: `cargo check --release -p codex-exec-server`
- Earlier in this PR: `just fix -p codex-linux-sandbox -p codex-exec-server`
- Earlier in this PR: `bazel test --nobuild //codex-rs/linux-sandbox:linux-sandbox-all-test //codex-rs/core:core-all-test //codex-rs/exec-server:exec-server-file_system-test //codex-rs/app-server:app-server-all-test` (analysis completed; Bazel then refuses to run tests under `--nobuild`)
- Earlier in this PR: `bazel build --nobuild //codex-rs/bwrap:bwrap`
- Prior to this update: `just bazel-lock-update`, `just bazel-lock-check`, and YAML parse check for `.github/workflows/bazel.yml`

---

Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/21255).

* #21257
* #21256
* __->__ #21255
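The summary above describes the bundled-fallback flow: hash the bundled `bwrap` with SHA-256, treat a missing or all-zero expected digest as the dev-mode skip value, and exec the verified file through `/proc/self/fd`. The following is an added Python illustration of that verify-then-exec pattern; it is not the project's own code (which lives in `linux-sandbox/src/bundled_bwrap.rs` in Rust). The function names, the `DEV_SKIP_DIGEST` constant and the temp-file fixture in `selftest()` are constructed for this example; the only name taken from the page is the `CODEX_BWRAP_SHA256` release digest, which the example stands in for with a plain argument.

```python
import hashlib
import hmac
import os
import tempfile
from typing import List, Optional

# Constructed stand-in for the burned-in release digest (CODEX_BWRAP_SHA256).
# An all-zero digest, or no digest at all, is the dev-mode "skip verification" value.
DEV_SKIP_DIGEST = "0" * 64


def digest_fd(fd: int) -> str:
    """Hash the file through the already-open descriptor, starting at offset 0.

    Hashing via the fd instead of reopening the path means the bytes checked
    are the bytes the later /proc/self/fd exec will run, so swapping the file
    at that path between check and exec gains an attacker nothing.
    """
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 1 << 16)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def verify_fd(fd: int, expected: Optional[str]) -> bool:
    """Return True when the open file may be exec'd.

    None or an all-zero digest means a dev build with no release digest burned
    in, so verification is skipped. Otherwise the digest must match; the
    constant-time compare avoids leaking how much of the digest matched.
    """
    if expected is None or expected.lower() == DEV_SKIP_DIGEST:
        return True
    return hmac.compare_digest(digest_fd(fd), expected.lower())


def check_file(path: str, expected: Optional[str]) -> bool:
    """Open, verify and close a candidate binary without executing it."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return verify_fd(fd, expected)
    finally:
        os.close(fd)


def exec_verified(path: str, argv: List[str], expected: Optional[str]) -> None:
    """Verify the bundled binary, then replace this process with it (Linux only).

    os.open marks the descriptor close-on-exec; that is fine for an ELF binary
    because the kernel opens /proc/self/fd/<n> before the exec closes it (a #!
    script would additionally need os.set_inheritable(fd, True)).
    """
    fd = os.open(path, os.O_RDONLY)
    if not verify_fd(fd, expected):
        os.close(fd)
        raise RuntimeError(f"bundled {path} failed SHA-256 verification; refusing to exec")
    os.execv(f"/proc/self/fd/{fd}", argv)


def selftest() -> dict:
    """Constructed fixture: write a stand-in payload and exercise each branch."""
    payload = b"constructed stand-in for a bundled bwrap binary\n"
    good = hashlib.sha256(payload).hexdigest()
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    try:
        return {
            "match": check_file(path, good),
            "uppercase_match": check_file(path, good.upper()),
            "mismatch": check_file(path, "f" * 64),
            "dev_skip_zero": check_file(path, DEV_SKIP_DIGEST),
            "dev_skip_missing": check_file(path, None),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(selftest())
```

The dev-mode skip is the part worth watching in review: a release build that accidentally ships with an empty or zero `CODEX_BWRAP_SHA256` silently disables the check, so a release-pipeline assertion that the exported digest is non-zero is the natural complement to the verification code.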
**Summary**

- Build Linux `bwrap` before the main release binaries.
- Export the release `bwrap` SHA-256 as `CODEX_BWRAP_SHA256` so the Codex binary can verify the bundled fallback.
- Sign, stage, and upload `bwrap` alongside the primary Linux release artifacts.

**Verification**

- YAML parse check for `.github/workflows/rust-release.yml`

---

Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/21256).

* #21257
* __->__ #21256
**Why**

#21255 made `codex-linux-sandbox` fall back to a bundled standalone `bwrap` when no suitable system `bwrap` is available, and #21256 publishes that standalone binary from the Rust release workflow. This PR wires the Linux npm/install paths to actually consume that artifact so Linux npm packages do not ship without the sandbox fallback binary.

It also makes `bwrap` a first-class Linux release asset in `rust-release.yml`: the Linux primary bundle builds it before `codex` so `CODEX_BWRAP_SHA256` can still be burned into the CLI, then includes `bwrap` in the normal binary list so signing, staging, compression, and DotSlash publishing follow the same path as `codex` and `codex-responses-api-proxy`.

**What Changed**

- `bwrap` native component for `codex-linux-x64` and `codex-linux-arm64` npm packages.
- `install_native_deps.py` to install the Linux-only `bwrap` artifact into `vendor/<target>/codex-resources/bwrap`, including the default no-`--component` install path.
- `codex-resources/bwrap` in standalone installs on Linux.
- `--allow-missing-native-component` escape hatch for CI jobs that intentionally reuse older release artifacts that predate standalone `bwrap`.
- `bwrap` in the Linux primary `rust-release.yml` binary list and publish a Linux-only `bwrap` DotSlash output from `.github/dotslash-config.json`.

**Verification**

- `bash -n scripts/install/install.sh`
- `bwrap`
- `.github/workflows/ci.yml` and `.github/workflows/rust-release.yml`
- `.github/dotslash-config.json`