From c350aa1fbe1269fe02f4d6dadcfb4fcd386e025d Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 18 May 2026 13:27:55 -0500 Subject: [PATCH 1/4] fix zizmor checks --- .github/zizmor.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..bd8dc984 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,12 @@ +# Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. + +rules: + unpinned-uses: + config: + policies: + # We require SHA-pinning for all workflows and actions _except_ for those from + # rapidsai/shared-workflows and rapidsai/shared-actions + "rapidsai/shared-workflows/*": any + "rapidsai/shared-actions/*": any + "actions/*": ref-pin + "*": hash-pin From e3c932ba967620e5439d73b8503a4c3dbc58b592 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 18 May 2026 16:52:40 -0500 Subject: [PATCH 2/4] force-reinstall conda --- CONTRIBUTING.md | 2 +- ci/release/update-version.sh | 4 +++- context/scripts/configure-conda-base-environment | 7 +++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 26553360..9aae81a3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -24,7 +24,7 @@ export LINUX_VER=ubuntu24.04 export PYTHON_VER=3.14 # RAPIDS version in {major}.{minor} -export RAPIDS_VER=26.04 +export RAPIDS_VER=26.06 # rapidsai/base docker build $(ci/compute-build-args.sh) \ diff --git a/ci/release/update-version.sh b/ci/release/update-version.sh index b342266c..bd4719c7 100755 --- a/ci/release/update-version.sh +++ b/ci/release/update-version.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2023-2025, NVIDIA CORPORATION. +# Copyright (c) 2023-2026, NVIDIA CORPORATION. ## Usage # Primary interface: bash update-version.sh [--run-context=main|release] @@ -115,3 +115,5 @@ sed_runner "s/[[:digit:]]\+\.[[:digit:]]\+a-py/${NEXT_SHORT_TAG}a-py/g" cuvs-ben sed_runner "s/[[:digit:]]\+\.[[:digit:]]\+a-cuda/${NEXT_SHORT_TAG}a-cuda/g" cuvs-bench/README.md sed_runner "s/[[:digit:]]\+\.[[:digit:]]\+a-cuda/${NEXT_SHORT_TAG}a-cuda/g" tests/container-canary/README.md + +# TODO: update in README.md too diff --git a/context/scripts/configure-conda-base-environment b/context/scripts/configure-conda-base-environment index 34f87531..fb2808bd 100755 --- a/context/scripts/configure-conda-base-environment +++ b/context/scripts/configure-conda-base-environment @@ -34,8 +34,15 @@ if [[ "$PYTHON_VERSION_PADDED" > "3.12" ]]; then else PYTHON_ABI_TAG="cpython" fi + +# force-reinstall 'conda' first, to clear out any files +# left behind from updates +rapids-conda-retry install -y -n base --force-reinstall 'conda>=26.5.0' + +# update Python in the environment rapids-conda-retry install -y -n base "python>=${PYTHON_VERSION},<${PYTHON_UPPER_BOUND}=*_${PYTHON_ABI_TAG}" rapids-conda-retry update --all -y -n base + find /opt/conda -follow -type f -name '*.a' -delete find /opt/conda -follow -type f -name '*.pyc' -delete From 6a5c1b119b5cd96482f56e02056d02c48d46b057 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 18 May 2026 17:19:03 -0500 Subject: [PATCH 3/4] fix update-version.sh --- ci/release/update-version.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci/release/update-version.sh b/ci/release/update-version.sh index bd4719c7..76c56f24 100755 --- a/ci/release/update-version.sh +++ b/ci/release/update-version.sh @@ -100,6 +100,10 @@ sed_runner "s/com\.nvidia\.workbench\.image-version=.*/com.nvidia.workbench.imag sed_runner "s|ARG RAPIDS_BRANCH=\"release/[0-9]\+\.[0-9]\+\"|ARG RAPIDS_BRANCH=\"${RAPIDS_BRANCH_NAME}\"|g" Dockerfile sed_runner "s|ARG RAPIDS_BRANCH=\"main\"|ARG RAPIDS_BRANCH=\"${RAPIDS_BRANCH_NAME}\"|g" Dockerfile +# docs +sed_runner "s|RAPIDS_VER=[[:digit:]]\+\.[[:digit:]]|RAPIDS_VER=${NEXT_SHORT_TAG}|g" CONTRIBUTING.md +sed_runner "s|[[:digit:]]\+\.[[:digit:]]-cuda|${NEXT_SHORT_TAG}-cuda|g" SECURITY.md + # CI files for FILE in .github/workflows/*.yaml .github/workflows/*.yml; do sed_runner "/shared-workflows/ s|@.*|@${WORKFLOW_BRANCH_REF}|g" "${FILE}" From 1a552102cfa60b31a9a0420ba9c5079dfc2a27e3 Mon Sep 17 00:00:00 2001 From: James Lamb Date: Mon, 18 May 2026 17:27:39 -0500 Subject: [PATCH 4/4] minor formatting fixes --- ci/release/update-version.sh | 2 -- context/scripts/configure-conda-base-environment | 4 +--- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/ci/release/update-version.sh b/ci/release/update-version.sh index 76c56f24..d480f942 100755 --- a/ci/release/update-version.sh +++ b/ci/release/update-version.sh @@ -119,5 +119,3 @@ sed_runner "s/[[:digit:]]\+\.[[:digit:]]\+a-py/${NEXT_SHORT_TAG}a-py/g" cuvs-ben sed_runner "s/[[:digit:]]\+\.[[:digit:]]\+a-cuda/${NEXT_SHORT_TAG}a-cuda/g" cuvs-bench/README.md sed_runner "s/[[:digit:]]\+\.[[:digit:]]\+a-cuda/${NEXT_SHORT_TAG}a-cuda/g" tests/container-canary/README.md - -# TODO: update in README.md too diff --git a/context/scripts/configure-conda-base-environment b/context/scripts/configure-conda-base-environment index fb2808bd..24e5c8e9 100755 --- a/context/scripts/configure-conda-base-environment +++ b/context/scripts/configure-conda-base-environment @@ -35,14 +35,12 @@ else PYTHON_ABI_TAG="cpython" fi -# force-reinstall 'conda' first, to clear out any files -# left behind from updates +# force-reinstall 'conda' first, to clear out any files left behind from updates rapids-conda-retry install -y -n base --force-reinstall 'conda>=26.5.0' # update Python in the environment rapids-conda-retry install -y -n base "python>=${PYTHON_VERSION},<${PYTHON_UPPER_BOUND}=*_${PYTHON_ABI_TAG}" rapids-conda-retry update --all -y -n base - find /opt/conda -follow -type f -name '*.a' -delete find /opt/conda -follow -type f -name '*.pyc' -delete