Skip to content

chore(deps): aggregate core dependabot updates#963

Merged
burtenshaw merged 1 commit into
mainfrom
codex/dependabot-core-2026-07-14
Jul 15, 2026
Merged

chore(deps): aggregate core dependabot updates#963
burtenshaw merged 1 commit into
mainfrom
codex/dependabot-core-2026-07-14

Conversation

@burtenshaw

Copy link
Copy Markdown
Collaborator

Aggregates the current non-env Dependabot updates into one maintainer-facing PR.

Included source PRs:

No src/ files or runtime dependency files are changed; this is limited to GitHub documentation workflow pins.

Validation:

  • git diff --check hf/main...HEAD

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alignment Review Report

Aggregate codex/dependabot-core-* roll-up bumping the pinned huggingface/doc-builder reusable-workflow SHA 7e6bd456108e850 across all 3 doc workflows. This is the aggregate counterpart of sibling PRs #960 (upload) / #961 (build_main) / #962 (build_pr), doing all three in one commit.

Automated Checks

  • Lint: N/A (PASS for PR scope) — 0 Python files changed (diff is 3 workflow YAML files). lint.sh is Python-only and can't run on the review VM (uv not installed); when run it only flags ~20 pre-existing envs/** reformat candidates unrelated to this PR. TOML/YAML/lockfiles aren't linted.
  • Debug code: CLEAN (for PR scope)check-debug.sh hits are all pre-existing src/ files (cli/commands/build.py, fork.py prints; __main__.py, serve.py, test_local_docker_provider.py TODOs). None are in this PR's diff.

Open RFCs Context

No open RFC covers CI, GitHub Actions, the doc-build pipeline, or dependency management (RFCs 000–005 In Review, 010 Draft — all runtime-API / training-loss scoped). None relevant here.

Tier 1: Fixes Required

None.

  • No stale-branch merge conflict (the failure mode that hit the analogous aggregate #930): git merge-tree --write-tree origin/main <head> returns a clean single tree (exit 0). origin/main tip is 6823135a (#932) — exactly this PR's base — so the PR is a clean 1-commit fast-forward.

Tier 2: Alignment Discussion

Principle Conflicts

None identified. Full-commit-SHA pinning + dependabot freshness aligns with the reproducibility/security principle (PRINCIPLES.md L15). hf_token and comment-bot creds stay secrets.* references (not hardcoded) → no credential-exposure invariant concern.

RFC Conflicts

None identified.

What I verified

  • All 3 pins move consistently to 6108e850 (build_documentation.yml:12, build_pr_documentation.yml:13, upload_pr_documentation.yml:11) — no leftover sibling on the old SHA.
  • Clean fast-forward to main tip: 7e6bd45...6108e850 is ahead 4 / behind 0, and 6108e850 == doc-builder's current main HEAD (compare ... == identical), so the trailing # main comment stays accurate. Tip commit = doc-builder #807.
  • Caller contracts safe: across the bump only upload_pr_documentation.yml's reusable workflow changed (build_main + build_pr are byte-identical). Its on: workflow_call: inputs/secrets are unchanged (internal-only: doc-builder now installed via setup-uv instead of a repo checkout). OpenEnv's caller supplies required package_name + hf_token; cross-workflow artifact doc-build-artifact unchanged.
  • Reconvergence: this aggregate lands all 3 pins in one commit, superseding the 3 separate sibling PRs #960/#961/#962 (same target SHA) — if this merges, those become redundant.

Summary

  • 0 mechanical issues to fix
  • 0 alignment points for human review
  • 0 RFC conflicts to discuss
Open in Web View Automation 

Sent by Cursor Automation: Pre-review

jobs:
build:
uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@7e6bd45ee271b96e75484eeafea1b3e6139cd0c7 # main
uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@6108e850ae1cf2f71bb0815a600bcd50c39abfa7 # main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Main-docs pin → 6108e850. The called build_main_documentation.yml is byte-identical across 7e6bd45...6108e850 (not in the doc-builder compare's changed-files list), so this is effectively a no-op forward-bump that just advances the pin to doc-builder's main HEAD — the # main comment stays accurate. Caller supplies required commit_sha + package: openenv + hf_token.

build:
if: github.event.pull_request.draft == false
uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@7e6bd45ee271b96e75484eeafea1b3e6139cd0c7 # main
uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@6108e850ae1cf2f71bb0815a600bcd50c39abfa7 # main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR-docs build pin → 6108e850. build_pr_documentation.yml is also byte-identical across the bump, so no behavioral change to the PR doc build. Caller passes required commit_sha + pr_number + package: openenv (no secrets needed) — all satisfied.

jobs:
build:
uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@7e6bd45ee271b96e75484eeafea1b3e6139cd0c7 # main
uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@6108e850ae1cf2f71bb0815a600bcd50c39abfa7 # main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The one reusable workflow whose definition actually changed across 7e6bd45...6108e850, but the change is internal-only (doc-builder repo checkout replaced by astral-sh/setup-uv). The on: workflow_call: interface is unchanged: required input package_name and required secret hf_token are both supplied by this caller (comment-bot creds optional), and the consumed artifact name doc-build-artifact is intact. No breakage.

@burtenshaw burtenshaw merged commit 2149f74 into main Jul 15, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

codex codex-automation Dependencies enhancement New feature or request github_actions Pull requests that update GitHub Actions code size: small Small pull request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant