chore: upgrade codex to 0.130 + fix "Bad file descriptor" on bwrap #201
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| sync: | |
| name: Sync Upstream | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Sync upstream Codex crates | |
| run: ./scripts/sync.sh | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| retention-days: 1 | |
| deny: | |
| name: Cargo Deny | |
| needs: sync | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| - uses: EmbarkStudios/cargo-deny-action@v2 | |
| fmt: | |
| name: Format | |
| needs: sync | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - run: cargo fmt --check | |
| clippy: | |
| name: Clippy | |
| needs: sync | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| - name: Install system deps | |
| run: sudo apt-get update && sudo apt-get install -y libcap-dev | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Clippy (workspace, excluding upstream) | |
| run: > | |
| cargo clippy --workspace | |
| --exclude codex-sandboxing | |
| --exclude codex-linux-sandbox | |
| --exclude codex-windows-sandbox | |
| --exclude codex-process-hardening | |
| --exclude codex-protocol | |
| --exclude codex-execpolicy | |
| --exclude codex-utils-absolute-path | |
| --exclude codex-utils-cache | |
| --exclude codex-utils-home-dir | |
| --exclude codex-utils-image | |
| --exclude codex-utils-pty | |
| --exclude codex-utils-string | |
| --exclude codex-utils-template | |
| --exclude codex-network-proxy | |
| --exclude codex-utils-rustls-provider | |
| -- -D warnings -A clippy::result_large_err | |
| test-macos: | |
| name: Test (macOS) | |
| needs: sync | |
| runs-on: macos-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Build release binary | |
| run: cargo build --release -p zerobox | |
| - name: Rust unit tests | |
| run: cargo test --workspace --lib | |
| - name: Rust E2E sandbox tests | |
| env: | |
| ZEROBOX_EXEC: ./target/release/zerobox | |
| run: cargo test -p zerobox --test integration | |
| test-linux: | |
| name: Test (Linux) | |
| needs: sync | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| - name: Install system deps | |
| run: sudo apt-get update && sudo apt-get install -y bubblewrap libcap-dev | |
| - name: Enable unprivileged user namespaces (required by bubblewrap) | |
| run: | | |
| # Required for bubblewrap to work on Linux CI runners. | |
| sudo sysctl -w kernel.unprivileged_userns_clone=1 | |
| # Ubuntu 24.04+ can additionally gate unprivileged user namespaces | |
| # behind AppArmor. | |
| if sudo sysctl -a 2>/dev/null | grep -q '^kernel.apparmor_restrict_unprivileged_userns'; then | |
| sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 | |
| fi | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Build release binary | |
| run: cargo build --release -p zerobox | |
| - name: Rust unit tests | |
| run: cargo test --workspace --lib | |
| - name: Rust E2E sandbox tests | |
| env: | |
| ZEROBOX_EXEC: ./target/release/zerobox | |
| run: cargo test -p zerobox --test integration | |
| sdk: | |
| name: SDK (${{ matrix.os }}) | |
| needs: sync | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: macos-latest | |
| - os: ubuntu-latest | |
| system-deps: bubblewrap libcap-dev | |
| enable-userns: true | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| - name: Install system deps | |
| if: matrix.system-deps | |
| run: sudo apt-get update && sudo apt-get install -y ${{ matrix.system-deps }} | |
| - name: Enable unprivileged user namespaces (required by bubblewrap) | |
| if: matrix.enable-userns | |
| run: | | |
| sudo sysctl -w kernel.unprivileged_userns_clone=1 | |
| if sudo sysctl -a 2>/dev/null | grep -q '^kernel.apparmor_restrict_unprivileged_userns'; then | |
| sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 | |
| fi | |
| - uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| cache: pnpm | |
| - run: pnpm install | |
| - name: Build SDK | |
| run: pnpm --filter zerobox run build | |
| - name: Lint | |
| run: pnpm --filter zerobox run lint | |
| - name: Format | |
| run: pnpm --filter zerobox run format | |
| - name: Typecheck | |
| run: pnpm --filter zerobox run typecheck | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Build zerobox binary | |
| run: cargo build --release -p zerobox | |
| - name: SDK tests | |
| env: | |
| ZEROBOX_BIN: ${{ github.workspace }}/target/release/zerobox | |
| run: pnpm --filter zerobox run test | |
| sdk-py: | |
| name: SDK Python (${{ matrix.os }}) | |
| needs: sync | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: macos-latest | |
| - os: ubuntu-latest | |
| system-deps: bubblewrap libcap-dev | |
| enable-userns: true | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: upstream | |
| path: upstream/ | |
| - name: Install system deps | |
| if: matrix.system-deps | |
| run: sudo apt-get update && sudo apt-get install -y ${{ matrix.system-deps }} | |
| - name: Enable unprivileged user namespaces (required by bubblewrap) | |
| if: matrix.enable-userns | |
| run: | | |
| sudo sysctl -w kernel.unprivileged_userns_clone=1 | |
| if sudo sysctl -a 2>/dev/null | grep -q '^kernel.apparmor_restrict_unprivileged_userns'; then | |
| sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 | |
| fi | |
| - uses: astral-sh/setup-uv@v5 | |
| - run: uv python install 3.9 3.12 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Build zerobox binary | |
| run: cargo build --release -p zerobox | |
| - name: Lint + type-check + test (3.9) | |
| working-directory: sdks/python | |
| env: | |
| ZEROBOX_BIN: ${{ github.workspace }}/target/release/zerobox | |
| run: | | |
| uv sync --python 3.9 | |
| uv run ruff check src tests | |
| uv run ruff format --check src tests | |
| uv run mypy src | |
| uv run pytest | |
| - name: Test (3.12) | |
| working-directory: sdks/python | |
| env: | |
| ZEROBOX_BIN: ${{ github.workspace }}/target/release/zerobox | |
| run: | | |
| uv sync --python 3.12 | |
| uv run pytest | |
| ci: | |
| name: CI | |
| if: always() | |
| needs: [deny, fmt, clippy, test-macos, test-linux, sdk, sdk-py] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check results | |
| run: | | |
| results="${{ join(needs.*.result, ' ') }}" | |
| for r in $results; do | |
| if [ "$r" != "success" ]; then | |
| exit 1 | |
| fi | |
| done |
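Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v4`, `actions/upload-artifact@v4`, `EmbarkStudios/cargo-deny-action@v2`, `Swatinem/rust-cache@v2`, `pnpm/action-setup@v4`, `astral-sh/setup-uv@v5`) or a floating ref (`dtolnay/rust-toolchain@stable`), so a tag move or a compromised action repository changes what runs in CI with no diff on this side; pinning each `uses:` to a full commit SHA and keeping the tag as a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v4`, keeps the reference auditable and is the usual fix. The top-level `permissions: contents: read` limits what the job token can do and so reduces the blast radius, but it does not remove the concern, because the artifact produced by `./scripts/sync.sh` in the `sync` job is compiled and executed by every downstream job. The three byte-identical "Enable unprivileged user namespaces" steps in `test-linux`, `sdk` and `sdk-py` could be a single composite action or reusable step so that a future change to the sysctl handling (including the AppArmor relaxation) is made in one place. I cannot see `scripts/sync.sh` from this page; if it fetches the upstream Codex crates without pinning a specific revision and verifying it, the same mutable-reference issue applies to the vendored code.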