From 899ec63b81b3b2823de2d62b0715e312e523d09b Mon Sep 17 00:00:00 2001 
From: James Lamb
Date: Mon, 18 May 2026 21:20:26 -0500
Subject: [PATCH] fix zizmor checks, nightly builds, and update-version.sh (#877)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A few things are broken in this repo right now, this fixes them.

## nightly builds

See #878

Still not sure of the exact cause, but at a step where we use `conda install python` to upgrade/downgrade Python in the `base` environment, all builds where it's different from what was already installed in the `condaforge/miniforge` image fail like this:

```text
Traceback (most recent call last):
  File "/opt/conda/lib/python3.13/site-packages/conda/exception_handler.py", line 30, in __call__
  File "/opt/conda/lib/python3.13/site-packages/conda/cli/main.py", line 53, in main_subshell
  File "/opt/conda/lib/python3.13/site-packages/conda/cli/conda_argparse.py", line 190, in do_call
  File "/opt/conda/lib/python3.13/site-packages/conda/notices/core.py", line 132, in wrapper
  File "/opt/conda/lib/python3.13/site-packages/conda/notices/core.py", line 82, in display_notices
ImportError: cannot import name 'views' from 'conda.notices' (/opt/conda/lib/python3.13/site-packages/conda/notices/__init__.py)
```

I suspect this is due to one of these changes to `conda`'s import structure, maybe https://github.com/conda/conda/pull/15879

Force-reinstalling `conda` before any other operations fixes this.

## zizmor checks

When the `release/26.08` branch was cut, it removed inline comments like `# zizmor: ignore[unpinned-uses]`.
Commit that broke this: https://github.com/rapidsai/docker/commit/935ed5a80dcffd3b9aaa16ce09e22595069d4c29

This causes `pre-commit` to fail on the `release/26.06` branch with a few errors like this:

```text
error[unpinned-uses]: unpinned action reference
  --> .github/workflows/build-test-publish-images.yml:46:11
   |
46 |     uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@release/26.06
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
```

This fixes that by moving that configuration into a `zizmor.yml` file, as most other PRs in https://github.com/rapidsai/build-planning/issues/275 did.

## `update-version.sh`

There's one lingering `26.04` reference that was missed when `release/26.06` was cut, and one new `26.06` that would be missed the next time we cut a release branch.

This fixes both of those.

Tested like this:

```shell
ci/release/update-version.sh --run-context=release '26.08.00'
git grep -E '26\.4|26\.04|26\.2|26\.02'
```

## Notes for Reviewers

Running `pre-commit run --all-files` before pushing that release commit would have caught the `zizmor` issue.

Authors:
  - James Lamb (https://github.com/jameslamb)

Approvers:
  - Bradley Dice (https://github.com/bdice)

URL: https://github.com/rapidsai/docker/pull/877
---
 .github/zizmor.yml | 12 ++++++++++++
 CONTRIBUTING.md | 2 +-
 ci/release/update-version.sh | 6 +++++-
 context/scripts/configure-conda-base-environment | 5 +++++
 4 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..bd8dc984 --- /dev/null +++ b/.github/zizmor.yml 
@@ -0,0 +1,12 @@ +# Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. + +rules: + unpinned-uses: + config: + policies: + # We require SHA-pinning for all workflows and actions _except_ for those from + # rapidsai/shared-workflows and rapidsai/shared-actions + "rapidsai/shared-workflows/*": any + "rapidsai/shared-actions/*": any + "actions/*": ref-pin + "*": hash-pin diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 26553360..9aae81a3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -24,7 +24,7 @@ export LINUX_VER=ubuntu24.04 export PYTHON_VER=3.14 # RAPIDS version in {major}.{minor} -export RAPIDS_VER=26.04 +export RAPIDS_VER=26.06 # rapidsai/base docker build $(ci/compute-build-args.sh) \ diff --git a/ci/release/update-version.sh b/ci/release/update-version.sh index b342266c..d480f942 100755 --- a/ci/release/update-version.sh +++ b/ci/release/update-version.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2023-2025, NVIDIA CORPORATION. +# Copyright (c) 2023-2026, NVIDIA CORPORATION. ## Usage # Primary interface: bash update-version.sh [--run-context=main|release] @@ -100,6 +100,10 @@ sed_runner "s/com\.nvidia\.workbench\.image-version=.*/com.nvidia.workbench.imag sed_runner "s|ARG RAPIDS_BRANCH=\"release/[0-9]\+\.[0-9]\+\"|ARG RAPIDS_BRANCH=\"${RAPIDS_BRANCH_NAME}\"|g" Dockerfile sed_runner "s|ARG RAPIDS_BRANCH=\"main\"|ARG RAPIDS_BRANCH=\"${RAPIDS_BRANCH_NAME}\"|g" Dockerfile +# docs +sed_runner "s|RAPIDS_VER=[[:digit:]]\+\.[[:digit:]]|RAPIDS_VER=${NEXT_SHORT_TAG}|g" CONTRIBUTING.md +sed_runner "s|[[:digit:]]\+\.[[:digit:]]-cuda|${NEXT_SHORT_TAG}-cuda|g" SECURITY.md + # CI files for FILE in .github/workflows/*.yaml .github/workflows/*.yml; do sed_runner "/shared-workflows/ s|@.*|@${WORKFLOW_BRANCH_REF}|g" "${FILE}" diff --git a/context/scripts/configure-conda-base-environment b/context/scripts/configure-conda-base-environment index 34f87531..24e5c8e9 100755 --- a/context/scripts/configure-conda-base-environment 
+++ b/context/scripts/configure-conda-base-environment @@ -34,6 +34,11 @@ if [[ "$PYTHON_VERSION_PADDED" > "3.12" ]]; then else PYTHON_ABI_TAG="cpython" fi + +# force-reinstall 'conda' first, to clear out any files left behind from updates +rapids-conda-retry install -y -n base --force-reinstall 'conda>=26.5.0' + +# update Python in the environment rapids-conda-retry install -y -n base "python>=${PYTHON_VERSION},<${PYTHON_UPPER_BOUND}=*_${PYTHON_ABI_TAG}" rapids-conda-retry update --all -y -n base find /opt/conda -follow -type f -name '*.a' -delete
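Review bot: in `.github/zizmor.yml`, the comment above the policies names only `rapidsai/shared-workflows` and `rapidsai/shared-actions` as exceptions to SHA-pinning, but `"actions/*": ref-pin` is a third exception the comment does not mention. Either extend the comment to say that `actions/*` may be pinned to a ref rather than a commit hash, or drop that entry so `actions/*` falls through to `"*": hash-pin`. The comment would also be a good place to record why `any` is acceptable for the two rapidsai patterns, since a reference like the `@release/26.06` one quoted in the commit message is a branch, and the workflow then runs whatever that branch holds at the time of the run.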
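Review bot: in the `# docs` block added to `ci/release/update-version.sh`, both new patterns match exactly one digit after the dot (`[[:digit:]]\+\.[[:digit:]]` has no `\+` on the second class), which does not fit the two-digit minor this same patch writes into CONTRIBUTING.md. Applied to `RAPIDS_VER=26.06`, the first expression matches only `RAPIDS_VER=26.0` and leaves the trailing `6` behind after the substituted `${NEXT_SHORT_TAG}`; the SECURITY.md expression requires `-cuda` directly after that single digit, so a string of the form `26.06-cuda` would not match at all. Suggest `[[:digit:]]\+\.[[:digit:]]\+` in both expressions. The `git grep` check in the commit message looks only for older version strings, so it would not surface a leftover digit; grepping CONTRIBUTING.md for `RAPIDS_VER=` after a run would.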
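Review bot: in `context/scripts/configure-conda-base-environment`, the new comment on the `--force-reinstall 'conda>=26.5.0'` line does not say that this is a workaround for the `ImportError` in #878 or why the floor is `26.5.0`. Since the commit message says the exact cause is still unknown, please reference the issue in the comment and state where the version floor comes from, so the line can be revisited or removed once the underlying `conda` problem is understood. It would also help to note that the ordering is deliberate: this must run before the `python>=${PYTHON_VERSION}` install that follows, which is the step the commit message reports as failing.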