chore(deps): aggregate core dependabot updates#963
Conversation
There was a problem hiding this comment.
Alignment Review Report
Aggregate codex/dependabot-core-* roll-up bumping the pinned huggingface/doc-builder reusable-workflow SHA 7e6bd45 → 6108e850 across all 3 doc workflows. This is the aggregate counterpart of sibling PRs #960 (upload) / #961 (build_main) / #962 (build_pr), doing all three in one commit.
Automated Checks
- Lint: N/A (PASS for PR scope) — 0 Python files changed (diff is 3 workflow YAML files).
lint.shis Python-only and can't run on the review VM (uv not installed); when run it only flags ~20 pre-existingenvs/**reformat candidates unrelated to this PR. TOML/YAML/lockfiles aren't linted. - Debug code: CLEAN (for PR scope) —
check-debug.shhits are all pre-existingsrc/files (cli/commands/build.py,fork.pyprints;__main__.py,serve.py,test_local_docker_provider.pyTODOs). None are in this PR's diff.
Open RFCs Context
No open RFC covers CI, GitHub Actions, the doc-build pipeline, or dependency management (RFCs 000–005 In Review, 010 Draft — all runtime-API / training-loss scoped). None relevant here.
Tier 1: Fixes Required
None.
- No stale-branch merge conflict (the failure mode that hit the analogous aggregate #930):
git merge-tree --write-tree origin/main <head>returns a clean single tree (exit 0).origin/maintip is6823135a(#932) — exactly this PR's base — so the PR is a clean 1-commit fast-forward.
Tier 2: Alignment Discussion
Principle Conflicts
None identified. Full-commit-SHA pinning + dependabot freshness aligns with the reproducibility/security principle (PRINCIPLES.md L15). hf_token and comment-bot creds stay secrets.* references (not hardcoded) → no credential-exposure invariant concern.
RFC Conflicts
None identified.
What I verified
- All 3 pins move consistently to
6108e850(build_documentation.yml:12, build_pr_documentation.yml:13, upload_pr_documentation.yml:11) — no leftover sibling on the old SHA. - Clean fast-forward to main tip:
7e6bd45...6108e850is ahead 4 / behind 0, and6108e850== doc-builder's currentmainHEAD (compare ... == identical), so the trailing# maincomment stays accurate. Tip commit = doc-builder #807. - Caller contracts safe: across the bump only
upload_pr_documentation.yml's reusable workflow changed (build_main + build_pr are byte-identical). Itson: workflow_call:inputs/secrets are unchanged (internal-only: doc-builder now installed viasetup-uvinstead of a repo checkout). OpenEnv's caller supplies requiredpackage_name+hf_token; cross-workflow artifactdoc-build-artifactunchanged. - Reconvergence: this aggregate lands all 3 pins in one commit, superseding the 3 separate sibling PRs #960/#961/#962 (same target SHA) — if this merges, those become redundant.
Summary
- 0 mechanical issues to fix
- 0 alignment points for human review
- 0 RFC conflicts to discuss
Sent by Cursor Automation: Pre-review
| jobs: | ||
| build: | ||
| uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@7e6bd45ee271b96e75484eeafea1b3e6139cd0c7 # main | ||
| uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@6108e850ae1cf2f71bb0815a600bcd50c39abfa7 # main |
There was a problem hiding this comment.
Main-docs pin → 6108e850. The called build_main_documentation.yml is byte-identical across 7e6bd45...6108e850 (not in the doc-builder compare's changed-files list), so this is effectively a no-op forward-bump that just advances the pin to doc-builder's main HEAD — the # main comment stays accurate. Caller supplies required commit_sha + package: openenv + hf_token.
| build: | ||
| if: github.event.pull_request.draft == false | ||
| uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@7e6bd45ee271b96e75484eeafea1b3e6139cd0c7 # main | ||
| uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@6108e850ae1cf2f71bb0815a600bcd50c39abfa7 # main |
There was a problem hiding this comment.
PR-docs build pin → 6108e850. build_pr_documentation.yml is also byte-identical across the bump, so no behavioral change to the PR doc build. Caller passes required commit_sha + pr_number + package: openenv (no secrets needed) — all satisfied.
| jobs: | ||
| build: | ||
| uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@7e6bd45ee271b96e75484eeafea1b3e6139cd0c7 # main | ||
| uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@6108e850ae1cf2f71bb0815a600bcd50c39abfa7 # main |
There was a problem hiding this comment.
The one reusable workflow whose definition actually changed across 7e6bd45...6108e850, but the change is internal-only (doc-builder repo checkout replaced by astral-sh/setup-uv). The on: workflow_call: interface is unchanged: required input package_name and required secret hf_token are both supplied by this caller (comment-bot creds optional), and the consumed artifact name doc-build-artifact is intact. No breakage.


Aggregates the current non-env Dependabot updates into one maintainer-facing PR.
Included source PRs:
No
src/files or runtime dependency files are changed; this is limited to GitHub documentation workflow pins.Validation:
git diff --check hf/main...HEAD