💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b3654a194d
| f"npm:{CODEX_NPM_NAME}@" | ||
| f"{compute_platform_dist_tag(version, CODEX_PLATFORM_PACKAGES[platform_package]['npm_tag'])}" |
Pin platform optional deps to immutable versions
stage_sources now emits optionalDependencies as npm:@openai/codex@<dist-tag> instead of a concrete version, and those tags are repointed on every release (.github/workflows/rust-release.yml publishes platform tarballs with fixed tags like linux-x64 / alpha-linux-x64). Since dist-tags are mutable, installing an older pinned meta package (for example @openai/codex@1.2.3) after a newer release will pull newer platform binaries, which breaks reproducible installs and can mismatch launcher/binary versions.
| CODEX_SDK_ROOT = REPO_ROOT / "sdk" / "typescript" | ||
| CODEX_NPM_NAME = "@openai/codex" | ||
|
|
||
| # `npm_name` is the local optional-dependency alias consumed by `bin/codex.js`. |
Shouldn't we drop it then?
I think this is accurate. In the PR body, I added the package.json we should expect. As we can see npm_name here is the key in "optionalDependencies", the naming of which codex.js depends on here:
Lines 16 to 21 in a364dd8
And that will be the subdirectory under node_modules where things should be found, I believe?
| return f"alpha-{platform_tag}" if is_alpha_release(version) else platform_tag | ||
|
|
||
|
|
||
| def compute_platform_package_version(version: str, platform_tag: str) -> str: |
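Review bot: The `else platform_tag` branch on the `return f"alpha-{platform_tag}" if is_alpha_release(version) else platform_tag` line gives the stable platform tag to every version that `is_alpha_release` does not accept, so a malformed or otherwise unexpected version string is silently treated as a stable release. Consider also validating `version` against the stable `x.y.z` form and raising on anything else, in line with the fail-fast handling the commit message describes for unexpected tarball names.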
| return re.match(r"^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$", version) is not None | ||
|
|
||
|
|
||
| def compute_platform_dist_tag(version: str, platform_tag: str) -> str: |
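Review bot: The pattern on the `return re.match(r"^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$", version) is not None` line ends in `$`, which in Python also matches just before a trailing newline, so a version string that still carries its line ending is accepted as an alpha version. Using `re.fullmatch` with the same pattern makes the check exact.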
…rate package names

#11318 introduced logic to publish platform artifacts as separate npm packages (for example, `@openai/codex-darwin-arm64`, `@openai/codex-linux-x64`, etc.). That requires provisioning and maintaining multiple package entries in npm, which would be nice to avoid.

We still need to keep the package-size mitigation (platform-specific payloads), but we want that layout to live under a single npm package namespace (`@openai/codex`) using dist-tags.

We also need to preserve pre-release workflows where users install `@openai/codex@alpha` and get platform-appropriate binaries.

## Release Strategy (New Scheme)

We publish **one npm package name for Codex binaries** (`@openai/codex`) and use **dist-tags** to select platform-specific payloads. This avoids creating separate platform package names while keeping the package size split by platform.

### What gets published

#### Mainline release (`x.y.z`)

- `@openai/codex@latest` (meta package)
- `@openai/codex@darwin-arm64`
- `@openai/codex@darwin-x64`
- `@openai/codex@linux-arm64`
- `@openai/codex@linux-x64`
- `@openai/codex@win32-arm64`
- `@openai/codex@win32-x64`
- `@openai/codex-responses-api-proxy@latest`
- `@openai/codex-sdk@latest`

#### Alpha release (`x.y.z-alpha.N`)

- `@openai/codex@alpha` (meta package)
- `@openai/codex@alpha-darwin-arm64`
- `@openai/codex@alpha-darwin-x64`
- `@openai/codex@alpha-linux-arm64`
- `@openai/codex@alpha-linux-x64`
- `@openai/codex@alpha-win32-arm64`
- `@openai/codex@alpha-win32-x64`
- `@openai/codex-responses-api-proxy@alpha`
- `@openai/codex-sdk@alpha`

### Important note

**Note:** Because we never created the new packages on npm for, e.g., `@openai/codex-darwin-arm64`, since #11318 was merged, there are no npm packages to "clean up" as a result of this change.

## What changed

### 1. Stage platform tarballs as `@openai/codex` with platform-specific versions

File: `codex-cli/scripts/build_npm_package.py`

- Added `CODEX_NPM_NAME = "@openai/codex"` and platform metadata `npm_tag` values:
  - `darwin-arm64`, `darwin-x64`, `linux-arm64`, `linux-x64`, `win32-arm64`, `win32-x64`
- For platform package staging (`codex-<platform>` inputs), switched generated `package.json` from:
  - `name = @openai/codex-<platform>`

  to:
  - `name = @openai/codex`
- Added `compute_platform_package_version(version, platform_tag)` to make platform tarball versions unique (`<release-version>-<platform-tag>`), because npm does not allow publishing the same `name@version` repeatedly for multiple platform artifacts.

### 2. Point meta package optional dependencies at dist-tags on `@openai/codex`

File: `codex-cli/scripts/build_npm_package.py`

- Updated `optionalDependencies` generation for the main `codex` package to use npm alias syntax:
  - key remains alias package name (e.g. `@openai/codex-darwin-arm64`), preserving runtime lookup behavior
  - value now resolves to `@openai/codex` by dist-tag
- Stable releases now emit:
  - `npm:@openai/codex@darwin-arm64`, etc.
- Alpha releases (`x.y.z-alpha.N`) now emit:
  - `npm:@openai/codex@alpha-darwin-arm64`, etc.

### 3. Publish with per-tarball dist-tags in release CI

File: `.github/workflows/rust-release.yml`

- Reworked npm publish step to derive publish tag per tarball filename:
  - platform tarballs publish with `<platform>` tags for stable releases
  - platform tarballs publish with `alpha-<platform>` tags for alpha releases
  - top-level tarballs (`codex`, `codex-responses-api-proxy`, `codex-sdk`) continue using the release tag policy (`latest` implicit for stable, `alpha` for alpha)
- Added fail-fast behavior for unexpected tarball names to avoid silent mispublishes.

### 4. Documentation update

File: `codex-cli/scripts/README.md`

- Updated release staging description to reflect that platform-native variants are published as dist-tagged `@openai/codex` artifacts rather than separate npm package names.

## Resulting behavior

- Mainline release:
  - `@openai/codex@latest` resolves meta package
  - meta package optional deps reference `@openai/codex@<platform-tag>`
- Alpha release:
  - users can continue installing `@openai/codex@alpha`
  - alpha meta package optional deps reference `@openai/codex@alpha-<platform-tag>`

This preserves platform-specific payload distribution while eliminating the need to manage a separate npm package per platform.

## Validation notes

- Verified staged `package.json` output for stable and alpha meta packages includes expected alias targets.
- Verified staged platform package manifests are `name=@openai/codex` with unique platform-suffixed versions.
- Verified release publish tag derivation logic maps tarball names to expected stable and alpha platform tags.
#11318 introduced logic to publish platform artifacts as separate npm packages (for example, `@openai/codex-darwin-arm64`, `@openai/codex-linux-x64`, etc.). That requires provisioning and maintaining multiple package entries in npm, which we want to avoid.

We still need to keep the package-size mitigation (platform-specific payloads), but we want that layout to live under a single npm package namespace (`@openai/codex`) using dist-tags.

We also need to preserve pre-release workflows where users install `@openai/codex@alpha` and get platform-appropriate binaries.

Additionally, we want GitHub Release assets to group Codex npm tarballs together, so platform tarballs should follow the same `codex-npm-*` filename prefix as the main Codex tarball.

## Release Strategy (New Scheme)

We publish one npm package name for Codex binaries (`@openai/codex`) and use dist-tags to select platform-specific payloads. This avoids creating separate platform package names while keeping the package size split by platform.

### What gets published

#### Mainline release (`x.y.z`)

- `@openai/codex@latest` (meta package)
- `@openai/codex@darwin-arm64`
- `@openai/codex@darwin-x64`
- `@openai/codex@linux-arm64`
- `@openai/codex@linux-x64`
- `@openai/codex@win32-arm64`
- `@openai/codex@win32-x64`
- `@openai/codex-responses-api-proxy@latest`
- `@openai/codex-sdk@latest`

#### Alpha release (`x.y.z-alpha.N`)

- `@openai/codex@alpha` (meta package)
- `@openai/codex@alpha-darwin-arm64`
- `@openai/codex@alpha-darwin-x64`
- `@openai/codex@alpha-linux-arm64`
- `@openai/codex@alpha-linux-x64`
- `@openai/codex@alpha-win32-arm64`
- `@openai/codex@alpha-win32-x64`
- `@openai/codex-responses-api-proxy@alpha`
- `@openai/codex-sdk@alpha`

As an example, the `package.json` for `@openai/codex@alpha` (using `0.99.0-alpha.17` as the `version`) would be:

Note that the keys in `optionalDependencies` have "clean" names, but the values have the tag embedded.

### Important note

Note: Because we never created the new platform package names on npm (for example, `@openai/codex-darwin-arm64`) since #11318 landed, there are no extra npm packages to clean up.

## What changed

### 1. Stage platform tarballs as `@openai/codex` with platform-specific versions

File: `codex-cli/scripts/build_npm_package.py`

- `CODEX_NPM_NAME = "@openai/codex"` and platform metadata `npm_tag` values:
  - `darwin-arm64`, `darwin-x64`, `linux-arm64`, `linux-x64`, `win32-arm64`, `win32-x64`
- `codex-<platform>` inputs), switched generated `package.json` from:
  - `name = @openai/codex-<platform>`

  to:
  - `name = @openai/codex`
- `compute_platform_package_version(version, platform_tag)` so platform tarballs have unique versions (`<release-version>-<platform-tag>`), which is required because npm forbids re-publishing the same `name@version`.

### 2. Point meta package optional dependencies at dist-tags on `@openai/codex`

File: `codex-cli/scripts/build_npm_package.py`

- `optionalDependencies` generation for the main `codex` package to use npm alias syntax:
  - `@openai/codex-darwin-arm64`) so runtime lookup behavior is unchanged
  - `@openai/codex` by dist-tag
- `npm:@openai/codex@darwin-arm64`.
- `x.y.z-alpha.N`) emit tags like `npm:@openai/codex@alpha-darwin-arm64`.

### 3. Publish with per-tarball dist-tags in release CI

File: `.github/workflows/rust-release.yml`

- `<platform>` tags for stable releases
- `alpha-<platform>` tags for alpha releases
- `codex`, `codex-responses-api-proxy`, `codex-sdk`) continue using the existing channel tag policy (`latest` implicit for stable, `alpha` for alpha)

### 4. Normalize Codex platform tarball filenames for GitHub Release grouping

Files: `scripts/stage_npm_packages.py`, `.github/workflows/rust-release.yml`

- `codex-linux-<arch>-npm-<version>.tgz`
- `codex-darwin-<arch>-npm-<version>.tgz`
- `codex-win32-<arch>-npm-<version>.tgz`
- `codex-npm-linux-<arch>-<version>.tgz`
- `codex-npm-darwin-<arch>-<version>.tgz`
- `codex-npm-win32-<arch>-<version>.tgz`

This keeps all Codex npm artifacts grouped under a common `codex-npm-` prefix in GitHub Releases.

### 5. Documentation update

File: `codex-cli/scripts/README.md`

- `@openai/codex` artifacts rather than separate npm package names.

## Resulting behavior

- `@openai/codex@latest` resolves the meta package
- `@openai/codex@<platform-tag>`
- `@openai/codex@alpha`
- `@openai/codex@alpha-<platform-tag>`
- `codex-npm-` prefix for cleaner grouping in GitHub Releases

This preserves platform-specific payload distribution while avoiding separate npm package names and improves release-asset discoverability.

## Validation notes

- `package.json` output for stable and alpha meta packages includes expected alias targets.
- `name=@openai/codex` with unique platform-suffixed versions.
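As an added illustration of the review comment on mutable dist-tags and of the alias layout in the PR description (not code from this PR or the Codex repository): a lint that flags `optionalDependencies` entries resolving through a tag or range rather than an exact version. The helper names `alias_deps` and `find_mutable_specs` are hypothetical, and the pinned variant assumes the `<release-version>-<platform-tag>` versions the description says platform tarballs are published under.

```python
import re

# Exact semver with optional prerelease/build; anything else is a tag or a range.
EXACT_VERSION = re.compile(
    r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?"
)
PLATFORM_TAGS = ["darwin-arm64", "darwin-x64", "linux-arm64",
                 "linux-x64", "win32-arm64", "win32-x64"]


def alias_deps(target: str, spec_for) -> dict[str, str]:
    """Build optionalDependencies: clean alias keys, npm-alias values."""
    return {f"{target}-{tag}": f"npm:{target}@{spec_for(tag)}"
            for tag in PLATFORM_TAGS}


def find_mutable_specs(optional_deps: dict[str, str]) -> dict[str, str]:
    """Return {alias: spec} for every entry not pinned to an exact version."""
    mutable = {}
    for alias, value in optional_deps.items():
        # npm alias form is "npm:<name>@<spec>"; plain entries are just "<spec>".
        # Scoped names start with "@", so split on the last "@" only.
        spec = value[4:].rpartition("@")[2] if value.startswith("npm:") else value
        if not EXACT_VERSION.fullmatch(spec):
            mutable[alias] = spec
    return mutable


# Constructed sample: the alpha meta package as the PR description lays it out.
VERSION = "0.99.0-alpha.17"
BY_DIST_TAG = alias_deps("@openai/codex", lambda tag: f"alpha-{tag}")
# Assumption: same aliases pinned to <release-version>-<platform-tag> versions.
BY_VERSION = alias_deps("@openai/codex", lambda tag: f"{VERSION}-{tag}")

if __name__ == "__main__":
    for label, deps in (("dist-tag", BY_DIST_TAG), ("pinned", BY_VERSION)):
        flagged = find_mutable_specs(deps)
        print(f"{label}: {len(flagged)} of {len(deps)} entries resolve at install time")
        for alias, spec in flagged.items():
            print(f"  {alias} -> {spec}")
```

Run against a staged `package.json` in CI, a non-empty result means an older meta package can pick up platform payloads from a later release.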