ci: authenticate HuggingFace model prefetch to avoid rate limits#1948
ci: authenticate HuggingFace model prefetch to avoid rate limits#1948NirWolfer wants to merge 1 commit into
Conversation
The shared CI egress IP (216.228.125.129) was being rate-limited by HuggingFace on anonymous requests, causing the vLLM and SGLang sanity stages to fail during Qwen/Qwen3-8B prefetch. Bind the svc-nixl-hf-token Jenkins secret text credential as HF_TOKEN in the build-wheel pipeline and pass it through to the sanity testScript so snapshot_download authenticates rather than hitting the anonymous rate limit. Signed-off-by: NirWolfer <nwolfer@nvidia.com>
|
👋 Hi NirWolfer! Thank you for contributing to ai-dynamo/nixl. Your PR reviewers will review your contribution then trigger the CI to test your changes. 🚀 |
📝 WalkthroughWalkthroughThe CI wheel-build matrix injects the ChangesHugging Face prefetch authentication
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.ci/jenkins/lib/build-wheel-matrix.yaml:
- Around line 79-80: Restrict the HF_TOKEN binding from the top-level wheel job
credentials to only the vLLM/SGLang sanity steps in the matrix. Update the
relevant sanity-step wrapper or invocation so the token is available there while
remaining unavailable to build and image stages that execute PR-controlled code.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: 0320dcd5-72f6-4a52-9d9e-f9444166d13c
📒 Files selected for processing (3)
.ci/docs/ci-overview.md.ci/jenkins/lib/build-wheel-matrix.yaml.gitlab/test_vllm_sglang_sanity.sh
| - credentialsId: 'svc-nixl-hf-token' | ||
| variable: 'HF_TOKEN' |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
rg -n -C 5 'credentials:|HF_TOKEN|testScript:' .ci/jenkins .gitlabRepository: ai-dynamo/nixl
Length of output: 34719
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== build-wheel-matrix context =="
sed -n '1,120p' .ci/jenkins/lib/build-wheel-matrix.yaml
echo
echo "== sanity steps =="
sed -n '330,390p' .ci/jenkins/lib/build-wheel-matrix.yaml
echo
echo "== slurmCI usage elsewhere with env vars in testScript =="
rg -n -C 3 'testScript: ".*\$\{[A-Z_]+\}.*"|module: slurmCI' .ci/jenkins/lib .ci/jenkins/pipelineRepository: ai-dynamo/nixl
Length of output: 27723
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== build-wheel-matrix step map =="
ast-grep outline .ci/jenkins/lib/build-wheel-matrix.yaml --view expanded | sed -n '1,220p'
echo
echo "== slurmCI references =="
rg -n -C 4 '\bslurmCI\b|testScript:|credentialsId:' .ci/jenkins .gitlab | sed -n '1,260p'
echo
echo "== any docs or code for command logging / argument passing =="
rg -n -C 3 'command.*log|log.*command|testScript|slurmCI.*args|env.*credentials|mask' .ci/jenkins .gitlab README.mdRepository: ai-dynamo/nixl
Length of output: 30651
Scope HF_TOKEN to the sanity steps only.
This top-level credentials block makes the token available to the whole wheel job, including the build/image stages that can run PR-controlled code. Bind it only around the vLLM/SGLang sanity steps, or forward it without exposing it to the rest of the matrix.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.ci/jenkins/lib/build-wheel-matrix.yaml around lines 79 - 80, Restrict the
HF_TOKEN binding from the top-level wheel job credentials to only the
vLLM/SGLang sanity steps in the matrix. Update the relevant sanity-step wrapper
or invocation so the token is available there while remaining unavailable to
build and image stages that execute PR-controlled code.
What?
The shared CI egress was being rate-limited by HuggingFace on anonymous requests, causing the vLLM and SGLang sanity stages to fail during Qwen/Qwen3-8B prefetch.
Bind the svc-nixl-hf-token Jenkins secret text credential as HF_TOKEN in the build-wheel pipeline and pass it through to the sanity testScript so snapshot_download authenticates rather than hitting the anonymous rate limit.
Why?
rate limit failing build-wheel pipeline on rare occasions
How?
It is optional, but for complex PRs, please provide information about the design,
architecture, approach, etc.
Summary by CodeRabbit
Bug Fixes
Documentation