ci: Major refactor of release-workflows by ko3n1g · Pull Request #1911 · NVIDIA-NeMo/Curator

ko3n1g · 2026-05-05T08:54:56Z

Why

See the design discussion in NVIDIA-NeMo/FW-CI-templates#466.

What

Delete .github/workflows/build-test-publish-wheel.yml.
Rewrite .github/workflows/release.yml as the single caller for both push and workflow_dispatch.

Test plan

PR validate-only (push (mirror), sha fdbac7f, 2026-05-07T12:01:00Z, success): https://github.com/NVIDIA-NeMo/Curator/actions/runs/25494488916
workflow_dispatch dry-run=true (sha fdbac7f, 2026-05-07T12:00:56Z, success): https://github.com/NVIDIA-NeMo/Curator/actions/runs/25494485717
Real release via workflow_dispatch dry-run=false on the next planned RC.

Rollout

Land FW-CI-templates#466.
Cut FW-CI-templates v1.0.0.
Bump the SHA pin in this PR → tag.

…nly mode See NVIDIA-NeMo/FW-CI-templates#466 for design discussion. - Delete build-test-publish-wheel.yml. - Rewrite release.{yml,yaml} as the single caller for both push and workflow_dispatch. validate-only derives from the trigger. - One pin to FW-CI-templates governs PR rehearsal and real release. Signed-off-by: oliver könig <okoenig@nvidia.com>

greptile-apps · 2026-05-05T08:58:07Z

Greptile Summary

This PR consolidates the release workflow by deleting build-test-publish-wheel.yml and rewriting release.yml as a single caller for both push (validate-only) and workflow_dispatch (real release) events. It also adds MANIFEST.in rules to include non-Python data files in the source distribution and configures check-manifest in pyproject.toml.

Workflow consolidation: release.yml now triggers on push (runs in validate-only mode) and workflow_dispatch (runs the full release pipeline), replacing the separate build-test-publish-wheel.yml with a unified entry point pinned to FW-CI-templates@v1.0.0.
Data file packaging: MANIFEST.in gains a recursive-include directive for CSV, JSON, YAML, TXT, MD, and py.typed files inside nemo_curator; a [tool.check-manifest] ignore list is added to pyproject.toml.
Changelog transformer: changelog-config.json adds a regex transformer to strip cherry-pick prefix lines from changelog entries.

Confidence Score: 3/5

Not safe to merge until the boolean-coercion bugs, missing actions:read permission, and wheel packaging gap are resolved.

Three issues flagged in earlier review rounds remain unaddressed: boolean coercion on workflow_dispatch inputs overrides explicit false values, the release-summary job calls gh run view without actions:read causing guaranteed 403s, and MANIFEST.in additions do not affect wheel builds without include-package-data = true.

release.yml (boolean coercion on lines 74-77, missing actions:read permission) and pyproject.toml/MANIFEST.in (wheel packaging gap).

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Major rewrite consolidating push and workflow_dispatch triggers; has outstanding issues with boolean coercion for dry-run, generate-changelog, and publish-docs inputs, and the release-summary job requires actions:read which is not granted in the top-level permissions block.
.github/workflows/build-test-publish-wheel.yml	Deleted — its functionality is absorbed into the rewritten release.yml.
MANIFEST.in	Adds recursive-include for non-Python data files; fixes sdist packaging but wheels still require include-package-data = true in pyproject.toml.
pyproject.toml	Adds [tool.check-manifest] ignore list; does not add include-package-data = true, so wheel builds still exclude the data files that MANIFEST.in intends to ship.
.github/workflows/config/changelog-config.json	Adds a changelog transformer regex to unwrap cherry-pick subject lines; whitespace-only reformatting otherwise.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[push to main / release branch / pull-request/**] -->|validate-only=true| C
    B[workflow_dispatch\ndry-run, generate-changelog,\npublish-docs, release-ref] -->|validate-only=false| C
    C[release job\nFW-CI-templates/_release_library.yml@v1.0.0]
    C -->|validate-only=true| D[Build & test wheel only\nNo publish]
    C -->|validate-only=false, dry-run=false| E[Build, test, publish wheel\nGH release + changelog\nPublish docs]
    C -->|validate-only=false, dry-run=true| F[Compute release\nNo publish]
    D --> G[release-summary job]
    E --> G
    F --> G
    G -->|gh run view - needs actions:read| H{Failed jobs?}
    H -->|0 failures| I[✅ exit 0]
    H -->|≥1 failure| J[❌ exit 1]

_{Reviews (37): Last reviewed commit: "ci: docs-fail-on-warning false for Curat..." | Re-trigger Greptile}

greptile-apps · 2026-05-05T08:58:11Z

+      validate-only: ${{ github.event_name != 'workflow_dispatch' }}
+      dry-run: ${{ inputs.dry-run || false }}
+      version-bump-branch: ${{ inputs.version-bump-branch || github.ref_name }}
+      gh-release-use-changelog-builder: ${{ inputs.generate-changelog || true }}


The || true fallback silently overrides an explicit false from workflow_dispatch. In GitHub Actions expressions, false || true evaluates to true, so dispatching with generate-changelog: false will still produce a changelog run. For push events (where the input is absent and evaluates to an empty string), '' || true correctly produces true — but the same expression breaks the user-controlled path.

Suggested change

gh-release-use-changelog-builder: ${{ inputs.generate-changelog || true }}

gh-release-use-changelog-builder: ${{ github.event_name == 'workflow_dispatch' && inputs.generate-changelog || true }}

greptile-apps · 2026-05-05T08:58:12Z

  release:
-    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@v0.73.0
+    if: '!cancelled()'
+    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@b7091aadca729136b12c48d45b832633c681b131


The reusable workflow is pinned to a raw commit SHA (b7091aadca729136b12c48d45b832633c681b131) that has no corresponding public tag. The PR's own rollout plan (step 3) says to replace this SHA with the v1.0.0 tag before merging. If merged in its current state, the pin references an internal, untagged commit that is harder to audit and could silently break if upstream history is cleaned up.

greptile-apps · 2026-05-05T08:58:13Z

+      release-ref: ${{ inputs.release-ref || github.sha }}
      python-package: nemo_curator
-      python-version: "3.11"
+      python-version: "3.10"


The Python version was silently downgraded from 3.11 to 3.10. Both the deleted build-test-publish-wheel.yml and the previous release.yml used 3.11. Releasing a wheel built against an older Python minor version can change ABI compatibility and may produce a different wheel tag than what consumers expect. Was this intentional (e.g., to match the project's declared minimum version)?

…in-check always on) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

Why: aligns with MBridge/Automodel/ExD/Eval/MLM — push pattern now covers the copy-pr-bot mirror branches, so the validate-only release rehearsal fires at PR time instead of only on workflow_dispatch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

ko3n1g · 2026-05-06T16:12:42Z

/ok to test 789407e

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

…quirements-file) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

greptile-apps · 2026-05-06T19:10:45Z

+[tool.check-manifest]
+ignore = [


MANIFEST.in directives only affect the sdist. Setuptools consults a separate mechanism for wheels: either include-package-data = true in [tool.setuptools] (respects VCS + MANIFEST.in) or explicit [tool.setuptools.package-data] globs. Without one of these, nemo_curator/utils/code_meta.csv and every other non-.py file added via MANIFEST.in will still be absent from the installed wheel — the runtime breakage this PR intends to fix will remain for pip install nemo-curator users.

Suggested change

[tool.check-manifest]

ignore = [

[tool.setuptools]

include-package-data = true

[tool.check-manifest]

ignore = [

…ansformer Why: HYBRID mode renders raw commits when no PR matches by merge_commit_sha (helps release branches built via cherry-pick). The transformer cleans up cp titles to show the inner PR title only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

ko3n1g · 2026-05-07T08:26:40Z

/ok to test 6beb683

…ry-run) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

ko3n1g · 2026-05-07T08:28:17Z

/ok to test 79c89e5

…sthrough Why: SLACK_WEBHOOK now resolves at the env scope (public/main) so the env-scoped secret value is used. No longer pass it as a workflow_call secret. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: oliver könig <okoenig@nvidia.com>

Lets env-scoped SLACK_WEBHOOK reach the notify job in the called workflow. Signed-off-by: oliver könig <okoenig@nvidia.com>