ci: discover opt Python path dynamically + sync upstream

[gounthar]

Summary

Two changes in one branch:

Fix: RISE runner Python path

The scheduled build was failing with:

sudo: /opt/python-3.12/bin/python3: command not found

The runner image no longer has Python 3.12 at /opt/python-3.12/bin/python3. Replace the hardcoded path with a find call that locates whatever Python version is present under /opt/. If no opt Python is found, the step is skipped gracefully — maturin still builds for the explicit --python 3.14 interpreter via uvx.

Sync: upstream main (openai/tiktoken@dcb3928)

Merges one upstream commit: [codex] Pin GitHub Actions workflow references (#515), which pins action SHAs in build_wheels.yml for supply-chain security.

Test plan

• Scheduled build reaches the uvx maturin build step without erroring on the Python path.
• Wheel is produced and uploaded as artifact.

Fixes: https://github.com/gounthar/tiktoken/actions/runs/24948658542

Summary by CodeRabbit

• Chores
  • Enhanced RISC-V64 build stability through dynamic Python interpreter path discovery at runtime, improving flexibility and robustness of the build process
  • Strengthened build reproducibility and consistency by pinning GitHub Actions to specific commit versions across wheel building, package distribution, and artifact management workflows

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Rate limit exceeded

@gounthar has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 21 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 10 minutes and 21 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 09211f83-adbe-4f80-a9bc-c2b97a893776

📥 Commits

Reviewing files that changed from the base of the PR and between adf49e8 and 9c9a2e9.

📒 Files selected for processing (1)

• .github/workflows/build-riscv64.yml

📝 Walkthrough

Walkthrough

The pull request updates two GitHub Actions workflows. The riscv64 build workflow is modified to dynamically discover the Python interpreter path at runtime and conditionally install cffi, replacing a hardcoded reference. The wheel build workflow pins multiple GitHub Actions to specific commit SHAs for reproducibility instead of using floating version tags.

Changes

Cohort / File(s)	Summary
RISC-V64 Build Workflow .github/workflows/build-riscv64.yml	Dynamically discovers /opt/.../python3 interpreter path at runtime and conditionally installs cffi via pip, replacing hardcoded /opt/python-3.12/bin/python3 reference.
Wheel Build Workflow .github/workflows/build_wheels.yml	Pins actions/checkout, actions/setup-python, pypa/cibuildwheel, and actions/upload-artifact to specific commit SHAs across wheel build and sdist jobs for reproducibility and security.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Add riscv64 wheel build workflow #1: Modifies the same .github/workflows/build-riscv64.yml workflow with related changes to the riscv64 wheel build steps.
• fix: install cffi into opt Python before maturin build #7: Addresses the same cffi installation issue for the RISC-V64 build, establishing the foundation for this dynamic path discovery approach.

Poem

🐰 With actions pinned and paths now found,
Our workflows dance on firmer ground!
No hardcoded paths to lead astray,
Just dynamic grace to light the way~ ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses both main changes: dynamic Python path discovery for the RISE runner fix and syncing upstream changes that pin GitHub Actions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/rise-runner-python-path

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates CI workflows to be more robust and secure by (1) making the RISC-V64 build resilient to runner image Python layout changes and (2) syncing an upstream change that pins GitHub Actions references to specific SHAs.

Changes:

• Pin actions/* and pypa/cibuildwheel workflow references to commit SHAs in the wheels build workflow.
• Replace the hardcoded /opt/python-3.12/bin/python3 path in the RISC-V64 workflow with dynamic discovery under /opt.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/build_wheels.yml	Pins action references to SHAs; updates artifact merge step reference.
.github/workflows/build-riscv64.yml	Dynamically discovers an /opt Python interpreter before installing cffi on the RISC-V64 runner.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gounthar]

Confirmed. build_sdist has no matrix, so both ${{ matrix.os }} and ${{ strategy.job-index }} expand to empty strings — the artifact ends up named cibw-wheels--. This came in via upstream sync, not this branch. Filed a follow-up issue to fix it.

[gounthar]

The entire OPT_PYTHON block has been removed in the latest commit. Since maturin build runs under uvx --python 3.14, there's no interpreter auto-discovery — the opt-Python cffi install was never exercised. The nondeterminism concern is now moot.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/build-riscv64.yml (2)

21-21: Inconsistent pinning policy across the two workflows.

This PR pins external actions to commit SHAs in build_wheels.yml, but build-riscv64.yml still uses floating tags (actions/checkout@v4, astral-sh/setup-uv@v7, actions/upload-artifact@v4, actions/download-artifact@v4). For the supply-chain rationale stated in the PR description to apply uniformly, consider pinning these here as well in a follow-up — otherwise this workflow remains a soft target for action-tag hijacking.

Also applies to: 33-33, 63-63, 80-80

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-riscv64.yml at line 21, The workflow uses floating
tags for GitHub Actions (actions/checkout@v4, astral-sh/setup-uv@v7,
actions/upload-artifact@v4, actions/download-artifact@v4) which is inconsistent
with the commit-SHA pinning used in build_wheels.yml; update each use to the
exact commit SHA (the same pattern used in build_wheels.yml) so the workflow
pins those actions to immutable SHAs, replacing the tag references with their
corresponding commit SHAs for actions/checkout, astral-sh/setup-uv,
actions/upload-artifact and actions/download-artifact to enforce consistent
supply-chain protection.

---

47-48: The OPT_PYTHON cffi installation (lines 43–46) is dead code with the explicit --python 3.14 flag.

maturin build --python 3.14 builds only for the specified interpreter and does not auto-discover other Python interpreters. The comment above (lines 38–41) describes maturin's auto-discovery behavior, but that path is not exercised here. The sudo $OPT_PYTHON -m pip install cffi step is redundant and can be removed, along with the apt-get install libffi-dev step, unless kept as a defensive measure for future workflow changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-riscv64.yml around lines 47 - 48, The workflow runs
`maturin build --python 3.14`, so the earlier `OPT_PYTHON` cffi install is dead
code; remove the `sudo $OPT_PYTHON -m pip install cffi` step and the related
`apt-get install libffi-dev` installation (or, if you intend to keep defensive
packages, explicitly document that they are optional), and update the preceding
comment to reflect that `maturin` is being invoked for a single interpreter via
`maturin build --python 3.14` rather than using autodiscovery; reference
`OPT_PYTHON`, the `maturin build --python 3.14` invocation, and `apt-get install
libffi-dev` to locate the lines to change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build-riscv64.yml:
- Around line 42-46: The find invocation that sets OPT_PYTHON is too
restrictive: increase the search depth (e.g., change -maxdepth 3 to at least
-maxdepth 6) and broaden the name pattern so it matches versioned Python
executables (e.g., use -name "python3*" or a glob matching python3.*) and
consider matching executable files (e.g., -type f -executable) so OPT_PYTHON
actually points to the runner's Python binary before running sudo "$OPT_PYTHON"
-m pip install --quiet cffi.

---

Nitpick comments:
In @.github/workflows/build-riscv64.yml:
- Line 21: The workflow uses floating tags for GitHub Actions
(actions/checkout@v4, astral-sh/setup-uv@v7, actions/upload-artifact@v4,
actions/download-artifact@v4) which is inconsistent with the commit-SHA pinning
used in build_wheels.yml; update each use to the exact commit SHA (the same
pattern used in build_wheels.yml) so the workflow pins those actions to
immutable SHAs, replacing the tag references with their corresponding commit
SHAs for actions/checkout, astral-sh/setup-uv, actions/upload-artifact and
actions/download-artifact to enforce consistent supply-chain protection.
- Around line 47-48: The workflow runs `maturin build --python 3.14`, so the
earlier `OPT_PYTHON` cffi install is dead code; remove the `sudo $OPT_PYTHON -m
pip install cffi` step and the related `apt-get install libffi-dev` installation
(or, if you intend to keep defensive packages, explicitly document that they are
optional), and update the preceding comment to reflect that `maturin` is being
invoked for a single interpreter via `maturin build --python 3.14` rather than
using autodiscovery; reference `OPT_PYTHON`, the `maturin build --python 3.14`
invocation, and `apt-get install libffi-dev` to locate the lines to change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5122b8a1-62fe-4e7d-abe9-760e9838ab47

📥 Commits

Reviewing files that changed from the base of the PR and between 69530d5 and adf49e8.

📒 Files selected for processing (2)

• .github/workflows/build-riscv64.yml
• .github/workflows/build_wheels.yml