sign binary - apple

check network
2026-04-20 06:21:42 +03:00 · 2026-01-20 22:40:50 -08:00 · 2026-01-20 21:47:29 -08:00
1 changed files with 367 additions and 352 deletions
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -10,6 +10,7 @@ on:
  push:
    tags:
      - "rust-v*.*.*"
+  pull_request:

 concurrency:
  group: ${{ github.workflow }}
@@ -17,6 +18,7 @@ concurrency:

 jobs:
  tag-check:
+    if: ${{ github.event_name == 'push' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
@@ -46,7 +48,6 @@ jobs:
          echo "::endgroup::"

  build:
-    needs: tag-check
    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 60
@@ -65,18 +66,18 @@ jobs:
            target: aarch64-apple-darwin
          - runner: macos-15-xlarge
            target: x86_64-apple-darwin
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-          - runner: windows-latest
-            target: x86_64-pc-windows-msvc
-          - runner: windows-11-arm
-            target: aarch64-pc-windows-msvc
+          # - runner: ubuntu-24.04
+          #   target: x86_64-unknown-linux-musl
+          # - runner: ubuntu-24.04
+          #   target: x86_64-unknown-linux-gnu
+          # - runner: ubuntu-24.04-arm
+          #   target: aarch64-unknown-linux-musl
+          # - runner: ubuntu-24.04-arm
+          #   target: aarch64-unknown-linux-gnu
+          # - runner: windows-latest
+          #   target: x86_64-pc-windows-msvc
+          # - runner: windows-11-arm
+          #   target: aarch64-pc-windows-msvc

    steps:
      - uses: actions/checkout@v6
@@ -109,24 +110,32 @@ jobs:
            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
          fi

-      - if: ${{ contains(matrix.target, 'linux') }}
-        name: Cosign Linux artifacts
-        uses: ./.github/actions/linux-code-sign
-        with:
-          target: ${{ matrix.target }}
-          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
+      # - if: ${{ github.event_name == 'push' && contains(matrix.target, 'linux') }}
+      #   name: Cosign Linux artifacts
+      #   uses: ./.github/actions/linux-code-sign
+      #   with:
+      #     target: ${{ matrix.target }}
+      #     artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release

-      - if: ${{ contains(matrix.target, 'windows') }}
-        name: Sign Windows binaries with Azure Trusted Signing
-        uses: ./.github/actions/windows-code-sign
-        with:
-          target: ${{ matrix.target }}
-          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
-          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
-          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
-          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+      # - if: ${{ github.event_name == 'push' && contains(matrix.target, 'windows') }}
+      #   name: Sign Windows binaries with Azure Trusted Signing
+      #   uses: ./.github/actions/windows-code-sign
+      #   with:
+      #     target: ${{ matrix.target }}
+      #     client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
+      #     tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
+      #     subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
+      #     endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+      #     account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+      #     certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+
+      - if: ${{ runner.os == 'macOS' }}
+        name: Check Apple Notary connectivity
+        shell: bash
+        run: |
+          set -e
+          nslookup appstoreconnect.apple.com
+          curl -Iv --connect-timeout 10 https://appstoreconnect.apple.com/

      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
@@ -141,376 +150,382 @@ jobs:
          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

-      - if: ${{ runner.os == 'macOS' }}
-        name: Build macOS dmg
-        shell: bash
-        run: |
-          set -euo pipefail
+      # - if: ${{ github.event_name == 'push' && runner.os == 'macOS' }}
+      #   name: Build macOS dmg
+      #   shell: bash
+      #   run: |
+      #     set -euo pipefail

-          target="${{ matrix.target }}"
-          release_dir="target/${target}/release"
-          dmg_root="${RUNNER_TEMP}/codex-dmg-root"
-          volname="Codex (${target})"
-          dmg_path="${release_dir}/codex-${target}.dmg"
+      #     target="${{ matrix.target }}"
+      #     release_dir="target/${target}/release"
+      #     dmg_root="${RUNNER_TEMP}/codex-dmg-root"
+      #     volname="Codex (${target})"
+      #     dmg_path="${release_dir}/codex-${target}.dmg"

-          # The previous "MacOS code signing (binaries)" step signs + notarizes the
-          # built artifacts in `${release_dir}`. This step packages *those same*
-          # signed binaries into a dmg.
-          codex_binary_path="${release_dir}/codex"
-          proxy_binary_path="${release_dir}/codex-responses-api-proxy"
+      #     # The previous "MacOS code signing (binaries)" step signs + notarizes the
+      #     # built artifacts in `${release_dir}`. This step packages *those same*
+      #     # signed binaries into a dmg.
+      #     codex_binary_path="${release_dir}/codex"
+      #     proxy_binary_path="${release_dir}/codex-responses-api-proxy"

-          rm -rf "$dmg_root"
-          mkdir -p "$dmg_root"
+      #     rm -rf "$dmg_root"
+      #     mkdir -p "$dmg_root"

-          if [[ ! -f "$codex_binary_path" ]]; then
-            echo "Binary $codex_binary_path not found"
-            exit 1
-          fi
-          if [[ ! -f "$proxy_binary_path" ]]; then
-            echo "Binary $proxy_binary_path not found"
-            exit 1
-          fi
+      #     if [[ ! -f "$codex_binary_path" ]]; then
+      #       echo "Binary $codex_binary_path not found"
+      #       exit 1
+      #     fi
+      #     if [[ ! -f "$proxy_binary_path" ]]; then
+      #       echo "Binary $proxy_binary_path not found"
+      #       exit 1
+      #     fi

-          ditto "$codex_binary_path" "${dmg_root}/codex"
-          ditto "$proxy_binary_path" "${dmg_root}/codex-responses-api-proxy"
+      #     ditto "$codex_binary_path" "${dmg_root}/codex"
+      #     ditto "$proxy_binary_path" "${dmg_root}/codex-responses-api-proxy"

-          rm -f "$dmg_path"
-          hdiutil create \
-            -volname "$volname" \
-            -srcfolder "$dmg_root" \
-            -format UDZO \
-            -ov \
-            "$dmg_path"
+      #     rm -f "$dmg_path"
+      #     hdiutil create \
+      #       -volname "$volname" \
+      #       -srcfolder "$dmg_root" \
+      #       -format UDZO \
+      #       -ov \
+      #       "$dmg_path"

-          if [[ ! -f "$dmg_path" ]]; then
-            echo "dmg $dmg_path not found after build"
-            exit 1
-          fi
+      #     if [[ ! -f "$dmg_path" ]]; then
+      #       echo "dmg $dmg_path not found after build"
+      #       exit 1
+      #     fi

-      - if: ${{ runner.os == 'macOS' }}
-        name: MacOS code signing (dmg)
-        uses: ./.github/actions/macos-code-sign
-        with:
-          target: ${{ matrix.target }}
-          sign-binaries: "false"
-          sign-dmg: "true"
-          apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
-          apple-certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-          apple-notarization-key-p8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
-          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
-          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+      # - if: ${{ github.event_name == 'push' && runner.os == 'macOS' }}
+      #   name: MacOS code signing (dmg)
+      #   uses: ./.github/actions/macos-code-sign
+      #   with:
+      #     target: ${{ matrix.target }}
+      #     sign-binaries: "false"
+      #     sign-dmg: "true"
+      #     apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+      #     apple-certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+      #     apple-notarization-key-p8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
+      #     apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
+      #     apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

-      - name: Stage artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          mkdir -p "$dest"
+      # - if: ${{ github.event_name == 'push' }}
+      #   name: Stage artifacts
+      #   shell: bash
+      #   run: |
+      #     dest="dist/${{ matrix.target }}"
+      #     mkdir -p "$dest"

-          if [[ "${{ matrix.runner }}" == windows* ]]; then
-            cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
-          else
-            cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
-          fi
+      #     if [[ "${{ matrix.runner }}" == windows* ]]; then
+      #       cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
+      #       cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
+      #       cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+      #       cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
+      #     else
+      #       cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
+      #       cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
+      #     fi

-          if [[ "${{ matrix.target }}" == *linux* ]]; then
-            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
-          fi
+      #     if [[ "${{ matrix.target }}" == *linux* ]]; then
+      #       cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
+      #       cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
+      #     fi

-          if [[ "${{ matrix.target }}" == *apple-darwin ]]; then
-            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
-          fi
+      #     if [[ "${{ matrix.target }}" == *apple-darwin ]]; then
+      #       cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
+      #     fi

-      - if: ${{ matrix.runner == 'windows-11-arm' }}
-        name: Install zstd
-        shell: powershell
-        run: choco install -y zstandard
+      # - if: ${{ github.event_name == 'push' && matrix.runner == 'windows-11-arm' }}
+      #   name: Install zstd
+      #   shell: powershell
+      #   run: choco install -y zstandard

-      - name: Compress artifacts
-        shell: bash
-        run: |
-          # Path that contains the uncompressed binaries for the current
-          # ${{ matrix.target }}
-          dest="dist/${{ matrix.target }}"
+      # - if: ${{ github.event_name == 'push' }}
+      #   name: Compress artifacts
+      #   shell: bash
+      #   run: |
+      #     # Path that contains the uncompressed binaries for the current
+      #     # ${{ matrix.target }}
+      #     dest="dist/${{ matrix.target }}"

-          # We want to ship the raw Windows executables in the GitHub Release
-          # in addition to the compressed archives. Keep the originals for
-          # Windows targets; remove them elsewhere to limit the number of
-          # artifacts that end up in the GitHub Release.
-          keep_originals=false
-          if [[ "${{ matrix.runner }}" == windows* ]]; then
-            keep_originals=true
-          fi
+      #     # We want to ship the raw Windows executables in the GitHub Release
+      #     # in addition to the compressed archives. Keep the originals for
+      #     # Windows targets; remove them elsewhere to limit the number of
+      #     # artifacts that end up in the GitHub Release.
+      #     keep_originals=false
+      #     if [[ "${{ matrix.runner }}" == windows* ]]; then
+      #       keep_originals=true
+      #     fi

-          # For compatibility with environments that lack the `zstd` tool we
-          # additionally create a `.tar.gz` for all platforms and `.zip` for
-          # Windows alongside every single binary that we publish. The end result is:
-          #   codex-<target>.zst          (existing)
-          #   codex-<target>.tar.gz       (new)
-          #   codex-<target>.zip          (only for Windows)
+      #     # For compatibility with environments that lack the `zstd` tool we
+      #     # additionally create a `.tar.gz` for all platforms and `.zip` for
+      #     # Windows alongside every single binary that we publish. The end result is:
+      #     #   codex-<target>.zst          (existing)
+      #     #   codex-<target>.tar.gz       (new)
+      #     #   codex-<target>.zip          (only for Windows)

-          # 1. Produce a .tar.gz for every file in the directory *before* we
-          #    run `zstd --rm`, because that flag deletes the original files.
-          for f in "$dest"/*; do
-            base="$(basename "$f")"
-            # Skip files that are already archives (shouldn't happen, but be
-            # safe).
-            if [[ "$base" == *.tar.gz || "$base" == *.zip || "$base" == *.dmg ]]; then
-              continue
-            fi
+      #     # 1. Produce a .tar.gz for every file in the directory *before* we
+      #     #    run `zstd --rm`, because that flag deletes the original files.
+      #     for f in "$dest"/*; do
+      #       base="$(basename "$f")"
+      #       # Skip files that are already archives (shouldn't happen, but be
+      #       # safe).
+      #       if [[ "$base" == *.tar.gz || "$base" == *.zip || "$base" == *.dmg ]]; then
+      #         continue
+      #       fi

-            # Don't try to compress signature bundles.
-            if [[ "$base" == *.sigstore ]]; then
-              continue
-            fi
+      #       # Don't try to compress signature bundles.
+      #       if [[ "$base" == *.sigstore ]]; then
+      #         continue
+      #       fi

-            # Create per-binary tar.gz
-            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
+      #       # Create per-binary tar.gz
+      #       tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"

-            # Create zip archive for Windows binaries
-            # Must run from inside the dest dir so 7z won't
-            # embed the directory path inside the zip.
-            if [[ "${{ matrix.runner }}" == windows* ]]; then
-              (cd "$dest" && 7z a "${base}.zip" "$base")
-            fi
+      #       # Create zip archive for Windows binaries
+      #       # Must run from inside the dest dir so 7z won't
+      #       # embed the directory path inside the zip.
+      #       if [[ "${{ matrix.runner }}" == windows* ]]; then
+      #         (cd "$dest" && 7z a "${base}.zip" "$base")
+      #       fi

-            # Also create .zst (existing behaviour) *and* remove the original
-            # uncompressed binary to keep the directory small.
-            zstd_args=(-T0 -19)
-            if [[ "${keep_originals}" == false ]]; then
-              zstd_args+=(--rm)
-            fi
-            zstd "${zstd_args[@]}" "$dest/$base"
-          done
+      #       # Also create .zst (existing behaviour) *and* remove the original
+      #       # uncompressed binary to keep the directory small.
+      #       zstd_args=(-T0 -19)
+      #       if [[ "${keep_originals}" == false ]]; then
+      #         zstd_args+=(--rm)
+      #       fi
+      #       zstd "${zstd_args[@]}" "$dest/$base"
+      #     done

-      - uses: actions/upload-artifact@v6
-        with:
-          name: ${{ matrix.target }}
-          # Upload the per-binary .zst files as well as the new .tar.gz
-          # equivalents we generated in the previous step.
-          path: |
-            codex-rs/dist/${{ matrix.target }}/*
+      # - if: ${{ github.event_name == 'push' }}
+      #   uses: actions/upload-artifact@v6
+      #   with:
+      #     name: ${{ matrix.target }}
+      #     # Upload the per-binary .zst files as well as the new .tar.gz
+      #     # equivalents we generated in the previous step.
+      #     path: |
+      #       codex-rs/dist/${{ matrix.target }}/*

-  shell-tool-mcp:
-    name: shell-tool-mcp
-    needs: tag-check
-    uses: ./.github/workflows/shell-tool-mcp.yml
-    with:
-      release-tag: ${{ github.ref_name }}
-      publish: true
-    secrets: inherit
+  # shell-tool-mcp:
+  #   name: shell-tool-mcp
+  #   if: ${{ github.event_name == 'push' }}
+  #   needs: tag-check
+  #   uses: ./.github/workflows/shell-tool-mcp.yml
+  #   with:
+  #     release-tag: ${{ github.ref_name }}
+  #     publish: true
+  #   secrets: inherit

-  release:
-    needs:
-      - build
-      - shell-tool-mcp
-    name: release
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      actions: read
-    outputs:
-      version: ${{ steps.release_name.outputs.name }}
-      tag: ${{ github.ref_name }}
-      should_publish_npm: ${{ steps.npm_publish_settings.outputs.should_publish }}
-      npm_tag: ${{ steps.npm_publish_settings.outputs.npm_tag }}
+  # release:
+  #   needs:
+  #     - build
+  #     - shell-tool-mcp
+  #   name: release
+  #   if: ${{ github.event_name == 'push' }}
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: write
+  #     actions: read
+  #   outputs:
+  #     version: ${{ steps.release_name.outputs.name }}
+  #     tag: ${{ github.ref_name }}
+  #     should_publish_npm: ${{ steps.npm_publish_settings.outputs.should_publish }}
+  #     npm_tag: ${{ steps.npm_publish_settings.outputs.npm_tag }}

-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
+  #   steps:
+  #     - name: Checkout repository
+  #       uses: actions/checkout@v6

-      - name: Generate release notes from tag commit message
-        id: release_notes
-        shell: bash
-        run: |
-          set -euo pipefail
+  #     - name: Generate release notes from tag commit message
+  #       id: release_notes
+  #       shell: bash
+  #       run: |
+  #         set -euo pipefail

-          # On tag pushes, GITHUB_SHA may be a tag object for annotated tags;
-          # peel it to the underlying commit.
-          commit="$(git rev-parse "${GITHUB_SHA}^{commit}")"
-          notes_path="${RUNNER_TEMP}/release-notes.md"
+  #         # On tag pushes, GITHUB_SHA may be a tag object for annotated tags;
+  #         # peel it to the underlying commit.
+  #         commit="$(git rev-parse "${GITHUB_SHA}^{commit}")"
+  #         notes_path="${RUNNER_TEMP}/release-notes.md"

-          # Use the commit message for the commit the tag points at (not the
-          # annotated tag message).
-          git log -1 --format=%B "${commit}" > "${notes_path}"
-          # Ensure trailing newline so GitHub's markdown renderer doesn't
-          # occasionally run the last line into subsequent content.
-          echo >> "${notes_path}"
+  #         # Use the commit message for the commit the tag points at (not the
+  #         # annotated tag message).
+  #         git log -1 --format=%B "${commit}" > "${notes_path}"
+  #         # Ensure trailing newline so GitHub's markdown renderer doesn't
+  #         # occasionally run the last line into subsequent content.
+  #         echo >> "${notes_path}"

-          echo "path=${notes_path}" >> "${GITHUB_OUTPUT}"
+  #         echo "path=${notes_path}" >> "${GITHUB_OUTPUT}"

-      - uses: actions/download-artifact@v7
-        with:
-          path: dist
+  #     - uses: actions/download-artifact@v7
+  #       with:
+  #         path: dist

-      - name: List
-        run: ls -R dist/
+  #     - name: List
+  #       run: ls -R dist/

-      # This is a temporary fix: we should modify shell-tool-mcp.yml so these
-      # files do not end up in dist/ in the first place.
-      - name: Delete entries from dist/ that should not go in the release
-        run: |
-          rm -rf dist/shell-tool-mcp*
+  #     # This is a temporary fix: we should modify shell-tool-mcp.yml so these
+  #     # files do not end up in dist/ in the first place.
+  #     - name: Delete entries from dist/ that should not go in the release
+  #       run: |
+  #         rm -rf dist/shell-tool-mcp*

-          ls -R dist/
+  #         ls -R dist/

-      - name: Define release name
-        id: release_name
-        run: |
-          # Extract the version from the tag name, which is in the format
-          # "rust-v0.1.0".
-          version="${GITHUB_REF_NAME#rust-v}"
-          echo "name=${version}" >> $GITHUB_OUTPUT
+  #     - name: Define release name
+  #       id: release_name
+  #       run: |
+  #         # Extract the version from the tag name, which is in the format
+  #         # "rust-v0.1.0".
+  #         version="${GITHUB_REF_NAME#rust-v}"
+  #         echo "name=${version}" >> $GITHUB_OUTPUT

-      - name: Determine npm publish settings
-        id: npm_publish_settings
-        env:
-          VERSION: ${{ steps.release_name.outputs.name }}
-        run: |
-          set -euo pipefail
-          version="${VERSION}"
+  #     - name: Determine npm publish settings
+  #       id: npm_publish_settings
+  #       env:
+  #         VERSION: ${{ steps.release_name.outputs.name }}
+  #       run: |
+  #         set -euo pipefail
+  #         version="${VERSION}"

-          if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "should_publish=true" >> "$GITHUB_OUTPUT"
-            echo "npm_tag=" >> "$GITHUB_OUTPUT"
-          elif [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
-            echo "should_publish=true" >> "$GITHUB_OUTPUT"
-            echo "npm_tag=alpha" >> "$GITHUB_OUTPUT"
-          else
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            echo "npm_tag=" >> "$GITHUB_OUTPUT"
-          fi
+  #         if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  #           echo "should_publish=true" >> "$GITHUB_OUTPUT"
+  #           echo "npm_tag=" >> "$GITHUB_OUTPUT"
+  #         elif [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
+  #           echo "should_publish=true" >> "$GITHUB_OUTPUT"
+  #           echo "npm_tag=alpha" >> "$GITHUB_OUTPUT"
+  #         else
+  #           echo "should_publish=false" >> "$GITHUB_OUTPUT"
+  #           echo "npm_tag=" >> "$GITHUB_OUTPUT"
+  #         fi

-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
+  #     - name: Setup pnpm
+  #       uses: pnpm/action-setup@v4
+  #       with:
+  #         run_install: false

-      - name: Setup Node.js for npm packaging
-        uses: actions/setup-node@v6
-        with:
-          node-version: 22
+  #     - name: Setup Node.js for npm packaging
+  #       uses: actions/setup-node@v6
+  #       with:
+  #         node-version: 22

-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+  #     - name: Install dependencies
+  #       run: pnpm install --frozen-lockfile

-      # stage_npm_packages.py requires DotSlash when staging releases.
-      - uses: facebook/install-dotslash@v2
-      - name: Stage npm packages
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          ./scripts/stage_npm_packages.py \
-            --release-version "${{ steps.release_name.outputs.name }}" \
-            --package codex \
-            --package codex-responses-api-proxy \
-            --package codex-sdk
+  #     # stage_npm_packages.py requires DotSlash when staging releases.
+  #     - uses: facebook/install-dotslash@v2
+  #     - name: Stage npm packages
+  #       env:
+  #         GH_TOKEN: ${{ github.token }}
+  #       run: |
+  #         ./scripts/stage_npm_packages.py \
+  #           --release-version "${{ steps.release_name.outputs.name }}" \
+  #           --package codex \
+  #           --package codex-responses-api-proxy \
+  #           --package codex-sdk

-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          name: ${{ steps.release_name.outputs.name }}
-          tag_name: ${{ github.ref_name }}
-          body_path: ${{ steps.release_notes.outputs.path }}
-          files: dist/**
-          # Mark as prerelease only when the version has a suffix after x.y.z
-          # (e.g. -alpha, -beta). Otherwise publish a normal release.
-          prerelease: ${{ contains(steps.release_name.outputs.name, '-') }}
+  #     - name: Create GitHub Release
+  #       uses: softprops/action-gh-release@v2
+  #       with:
+  #         name: ${{ steps.release_name.outputs.name }}
+  #         tag_name: ${{ github.ref_name }}
+  #         body_path: ${{ steps.release_notes.outputs.path }}
+  #         files: dist/**
+  #         # Mark as prerelease only when the version has a suffix after x.y.z
+  #         # (e.g. -alpha, -beta). Otherwise publish a normal release.
+  #         prerelease: ${{ contains(steps.release_name.outputs.name, '-') }}

-      - uses: facebook/dotslash-publish-release@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag: ${{ github.ref_name }}
-          config: .github/dotslash-config.json
+  #     - uses: facebook/dotslash-publish-release@v2
+  #       env:
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       with:
+  #         tag: ${{ github.ref_name }}
+  #         config: .github/dotslash-config.json

-  # Publish to npm using OIDC authentication.
-  # July 31, 2025: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
-  # npm docs: https://docs.npmjs.com/trusted-publishers
-  publish-npm:
-    # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
-    if: ${{ needs.release.outputs.should_publish_npm == 'true' }}
-    name: publish-npm
-    needs: release
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write # Required for OIDC
-      contents: read
+  # # Publish to npm using OIDC authentication.
+  # # July 31, 2025: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
+  # # npm docs: https://docs.npmjs.com/trusted-publishers
+  # publish-npm:
+  #   # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
+  #   if: ${{ github.event_name == 'push' && needs.release.outputs.should_publish_npm == 'true' }}
+  #   name: publish-npm
+  #   needs: release
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     id-token: write # Required for OIDC
+  #     contents: read

-    steps:
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: 22
-          registry-url: "https://registry.npmjs.org"
-          scope: "@openai"
+  #   steps:
+  #     - name: Setup Node.js
+  #       uses: actions/setup-node@v6
+  #       with:
+  #         node-version: 22
+  #         registry-url: "https://registry.npmjs.org"
+  #         scope: "@openai"

-      # Trusted publishing requires npm CLI version 11.5.1 or later.
-      - name: Update npm
-        run: npm install -g npm@latest
+  #     # Trusted publishing requires npm CLI version 11.5.1 or later.
+  #     - name: Update npm
+  #       run: npm install -g npm@latest

-      - name: Download npm tarballs from release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -euo pipefail
-          version="${{ needs.release.outputs.version }}"
-          tag="${{ needs.release.outputs.tag }}"
-          mkdir -p dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-npm-${version}.tgz" \
-            --dir dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-responses-api-proxy-npm-${version}.tgz" \
-            --dir dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-sdk-npm-${version}.tgz" \
-            --dir dist/npm
+  #     - name: Download npm tarballs from release
+  #       env:
+  #         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: |
+  #         set -euo pipefail
+  #         version="${{ needs.release.outputs.version }}"
+  #         tag="${{ needs.release.outputs.tag }}"
+  #         mkdir -p dist/npm
+  #         gh release download "$tag" \
+  #           --repo "${GITHUB_REPOSITORY}" \
+  #           --pattern "codex-npm-${version}.tgz" \
+  #           --dir dist/npm
+  #         gh release download "$tag" \
+  #           --repo "${GITHUB_REPOSITORY}" \
+  #           --pattern "codex-responses-api-proxy-npm-${version}.tgz" \
+  #           --dir dist/npm
+  #         gh release download "$tag" \
+  #           --repo "${GITHUB_REPOSITORY}" \
+  #           --pattern "codex-sdk-npm-${version}.tgz" \
+  #           --dir dist/npm

-      # No NODE_AUTH_TOKEN needed because we use OIDC.
-      - name: Publish to npm
-        env:
-          VERSION: ${{ needs.release.outputs.version }}
-          NPM_TAG: ${{ needs.release.outputs.npm_tag }}
-        run: |
-          set -euo pipefail
-          tag_args=()
-          if [[ -n "${NPM_TAG}" ]]; then
-            tag_args+=(--tag "${NPM_TAG}")
-          fi
+  #     # No NODE_AUTH_TOKEN needed because we use OIDC.
+  #     - name: Publish to npm
+  #       env:
+  #         VERSION: ${{ needs.release.outputs.version }}
+  #         NPM_TAG: ${{ needs.release.outputs.npm_tag }}
+  #       run: |
+  #         set -euo pipefail
+  #         tag_args=()
+  #         if [[ -n "${NPM_TAG}" ]]; then
+  #           tag_args+=(--tag "${NPM_TAG}")
+  #         fi

-          tarballs=(
-            "codex-npm-${VERSION}.tgz"
-            "codex-responses-api-proxy-npm-${VERSION}.tgz"
-            "codex-sdk-npm-${VERSION}.tgz"
-          )
+  #         tarballs=(
+  #           "codex-npm-${VERSION}.tgz"
+  #           "codex-responses-api-proxy-npm-${VERSION}.tgz"
+  #           "codex-sdk-npm-${VERSION}.tgz"
+  #         )

-          for tarball in "${tarballs[@]}"; do
-            npm publish "${GITHUB_WORKSPACE}/dist/npm/${tarball}" "${tag_args[@]}"
-          done
+  #         for tarball in "${tarballs[@]}"; do
+  #           npm publish "${GITHUB_WORKSPACE}/dist/npm/${tarball}" "${tag_args[@]}"
+  #         done

-  update-branch:
-    name: Update latest-alpha-cli branch
-    permissions:
-      contents: write
-    needs: release
-    runs-on: ubuntu-latest
+  # update-branch:
+  #   name: Update latest-alpha-cli branch
+  #   if: ${{ github.event_name == 'push' }}
+  #   permissions:
+  #     contents: write
+  #   needs: release
+  #   runs-on: ubuntu-latest

-    steps:
-      - name: Update latest-alpha-cli branch
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -euo pipefail
-          gh api \
-            repos/${GITHUB_REPOSITORY}/git/refs/heads/latest-alpha-cli \
-            -X PATCH \
-            -f sha="${GITHUB_SHA}" \
-            -F force=true
+  #   steps:
+  #     - name: Update latest-alpha-cli branch
+  #       env:
+  #         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: |
+  #         set -euo pipefail
+  #         gh api \
+  #           repos/${GITHUB_REPOSITORY}/git/refs/heads/latest-alpha-cli \
+  #           -X PATCH \
+  #           -f sha="${GITHUB_SHA}" \
+  #           -F force=true
Author	SHA1	Message	Date
shijie-openai	72adedb27e	sign binary - apple	2026-01-20 22:40:50 -08:00
shijie-openai	390ab168b4	check network	2026-01-20 21:47:29 -08:00