openai · cconger · May 5, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.bazelrc b/.bazelrc
@@ -193,5 +193,10 @@ common --@v8//:v8_enable_sandbox=True
 common:v8-release-compat --@v8//:v8_enable_pointer_compression=False
 common:v8-release-compat --@v8//:v8_enable_sandbox=False
 
+# Match rusty_v8's upstream GN release contract for published artifacts: every
+# target object uses Chromium's custom libc++ headers and the archive folds in
+# the matching runtime objects.
+common:rusty-v8-upstream-libcxx --@v8//:v8_use_rusty_v8_custom_libcxx=True
+
 # Optional per-user local overrides.
 try-import %workspace%/user.bazelrc
diff --git a/.codex/skills/update-v8-version/SKILL.md b/.codex/skills/update-v8-version/SKILL.md
@@ -0,0 +1,72 @@
+---
+name: update-v8-version
+description: Update Codex's pinned `v8` / `rusty_v8` versions, validate the release-candidate path, and investigate failed V8 canary or artifact builds. Use when asked to bump V8, update `rusty_v8` artifacts, prepare or validate a V8 release candidate, check `v8-canary`, or diagnose why a V8 version update no longer builds.
+---
+
+# Update V8 Version
+
+## Core Workflow
+
+1. Read `third_party/v8/README.md` and follow its version-bump sequence. Treat
+   that document as the release-process source of truth.
+2. Inspect and update the concrete repo surfaces that carry the pin:
+   - `codex-rs/Cargo.toml`
+   - `codex-rs/Cargo.lock`
+   - `MODULE.bazel`
+   - `third_party/v8/BUILD.bazel`
+   - `third_party/v8/README.md`
+   - the matching `third_party/v8/rusty_v8_<version>.sha256` manifest when the
+     remaining prebuilt inputs change
+3. Keep the existing checksum helpers in the loop:
+
+   ```bash
+   python3 .github/scripts/rusty_v8_bazel.py update-module-bazel
+   python3 .github/scripts/rusty_v8_bazel.py check-module-bazel
+   python3 -m unittest discover -s .github/scripts -p test_rusty_v8_bazel.py
+   ```
+
+4. Validate the release-candidate path before broadening the work:
+   - Prefer checking the `v8-canary` CI result for the candidate branch or PR
+     when one exists, using GitHub check tooling or `gh` as appropriate.
+   - If CI is unavailable or the user asked for a local-only check, run the
+     closest local validation that is practical for the changed surface and say
+     explicitly that it is a local substitute, not the full hosted canary.
+5. If the canary path passes, stop there. Summarize the result and encourage the
+   user to commit the candidate changes or proceed with the release flow they
+   requested. Do not publish tags, releases, or pushes unless the user asked.
+
+## Failure Path
+
+Enter this path only when the canary or local build path fails.
+
+1. Capture the failing target, workflow job, and first actionable error.
+2. Compare the currently pinned version with the target version at the relevant
+   upstream tag or SHA. Inspect both:
+   - `denoland/rusty_v8`
+   - upstream V8 source at the target Bazel-pinned version
+3. Track build-relevant deltas rather than broad source churn:
+   - generated binding layout changes
+   - archive or asset naming changes
+   - GN/Bazel target changes
+   - custom libc++ / libc++abi / llvm-libc inputs
+   - sandbox or pointer-compression feature relationships
+   - patch hunks in `patches/` that no longer apply or no longer match upstream
+4. Trace each failing delta back into Codex's build graph:
+   - `MODULE.bazel`
+   - `third_party/v8/BUILD.bazel`
+   - `.github/scripts/rusty_v8_bazel.py`
+   - `.github/workflows/v8-canary.yml`
+   - `.github/workflows/rusty-v8-release.yml`
+5. Update only the pieces required to restore the target version's build and
+   artifact contract. Keep patch explanations and doc changes close to the
+   affected files.
+6. Re-run the focused validation. If it becomes green, return to the normal
+   workflow and stop with a concise summary plus the remaining release step.
+
+## Reporting
+
+- Say whether validation came from hosted `v8-canary` or from a local
+  substitute.
+- Distinguish "version bump complete" from "release published".
+- When blocked, report the upstream delta that matters, the Codex file it hits,
+  and the next concrete fix to try.
diff --git a/.codex/skills/update-v8-version/agents/openai.yaml b/.codex/skills/update-v8-version/agents/openai.yaml
@@ -0,0 +1,4 @@
+interface:
+  display_name: "Update V8 Version"
+  short_description: "Guide V8 bumps and release validation"
+  default_prompt: "Use $update-v8-version to update Codex to a new v8 release and validate the release-candidate path."
diff --git a/.github/actions/setup-rusty-v8-musl/action.yml b/.github/actions/setup-rusty-v8-musl/action.yml
@@ -31,16 +31,14 @@ runs:
         archive_path="${binding_dir}/librusty_v8_release_${TARGET}.a.gz"
         binding_path="${binding_dir}/src_binding_release_${TARGET}.rs"
         checksums_path="${binding_dir}/rusty_v8_release_${TARGET}.sha256"
-        checksums_source="${GITHUB_WORKSPACE}/third_party/v8/rusty_v8_${version//./_}.sha256"
 
         mkdir -p "${binding_dir}"
         curl -fsSL "${base_url}/librusty_v8_release_${TARGET}.a.gz" -o "${archive_path}"
         curl -fsSL "${base_url}/src_binding_release_${TARGET}.rs" -o "${binding_path}"
-        grep -E "  (librusty_v8_release_${TARGET}[.]a[.]gz|src_binding_release_${TARGET}[.]rs)$" \
-          "${checksums_source}" > "${checksums_path}"
+        curl -fsSL "${base_url}/rusty_v8_release_${TARGET}.sha256" -o "${checksums_path}"
 
         if [[ "$(wc -l < "${checksums_path}")" -ne 2 ]]; then
-          echo "Expected exactly two checksums for ${TARGET} in ${checksums_source}" >&2
+          echo "Expected exactly two checksums for ${TARGET} in ${checksums_path}" >&2
           exit 1
         fi