chore(agents): bump codex to 0.133.0 #88
Open
github-actions[bot] wants to merge 1 commit into
Automated bump for codex to version 0.133.0.

linux/x86_64   0.130.0  d06019ab9c35d281b78dc2ebb2ae55c2bb97ea11bf7f452bafe390eddb0034ef
linux/aarch64  0.130.0  268bfe8cf8154940fea256df75cd441c54a0c71e6c8ccd45ab3f76ff28ba1413

CI downloaded each artifact from the URL above and recorded the SHA-256 shown here.
How to verify the SHA-256s
Upstream publishes per-asset digests on the GitHub release page:
https://github.com/openai/codex/releases/tag/rust-v0.133.0
Spot-check from the CLI:
gh release view rust-v0.133.0 --repo openai/codex --json assets \
  --jq '.assets[] | select(.name | test("^codex-(x86_64|aarch64)-unknown-linux-musl\\.tar\\.gz$")) | "\(.name) \(.digest)"'
Each printed sha256:… must match the row above for the corresponding arch.
Why this needs a human
Once merged, the hashes above lock these binaries in place — every
future build aborts unless the download matches byte-for-byte. CI
just computed them from a single fetch against upstream, so merging
without spot-checking trusts whatever upstream served at that one
moment. The cross-check above is what catches a CDN-edge tamper or
an upstream-account compromise before it propagates into our
images. A surprise version jump (off-schedule, several releases at
once, pre-release tag) is its own signal worth a second look.
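
The cross-check described above as a script, added here as an example; it is not part of this PR or the repository's tooling. It assumes each `linux/<arch>` row maps to the `codex-<arch>-unknown-linux-musl.tar.gz` asset named in the command's filter; `verify_pins` and the sample digests are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the repository's tooling. Fails closed: no pins, a missing
# asset, a missing/null digest or any mismatch gives a non-zero exit status.
#
# verify_pins PINS   (upstream lines on stdin)
#   PINS:  one "linux/<arch> <sha256-hex>" per line, taken from the PR rows
#   stdin: "<asset-name> sha256:<hex>" lines, as the gh --jq filter prints them
verify_pins() (
  pins=$1
  upstream=$(cat)
  rc=0
  n=0
  while read -r plat pinned; do
    [ -n "$plat" ] || continue
    n=$((n + 1))
    # Assumed mapping: linux/<arch> -> codex-<arch>-unknown-linux-musl.tar.gz
    asset="codex-${plat#linux/}-unknown-linux-musl.tar.gz"
    got=$(printf '%s\n' "$upstream" | awk -v a="$asset" '$1 == a { print $2 }')
    case $got in
      sha256:*) got=${got#sha256:} ;;
      *) echo "FAIL $plat: no sha256 digest for $asset" >&2; rc=1; continue ;;
    esac
    want=$(printf '%s' "$pinned" | tr 'A-F' 'a-f')
    got=$(printf '%s' "$got" | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then
      echo "ok   $plat"
    else
      echo "FAIL $plat: pinned $want, upstream $got" >&2; rc=1
    fi
  done <<EOF
$pins
EOF
  [ "$n" -gt 0 ] || { echo "FAIL: no pinned rows supplied" >&2; rc=1; }
  exit "$rc"
)

# Constructed sample data (not the real digests of any release).
SAMPLE_PINS='linux/x86_64 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
linux/aarch64 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'
SAMPLE_UPSTREAM='codex-x86_64-unknown-linux-musl.tar.gz sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
codex-aarch64-unknown-linux-musl.tar.gz sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

# Offline run over the constructed sample; prints one "ok" line per platform.
printf '%s\n' "$SAMPLE_UPSTREAM" | verify_pins "$SAMPLE_PINS"
```

For a real check, pipe the output of the `gh release view` command from the PR body into `verify_pins` with the two rows from the PR as its argument.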