Skip to content

ci: authenticate HuggingFace model prefetch to avoid rate limits#1948

Open
NirWolfer wants to merge 1 commit into
ai-dynamo:mainfrom
NirWolfer:ci/hf-token-rate-limit-fix
Open

ci: authenticate HuggingFace model prefetch to avoid rate limits#1948
NirWolfer wants to merge 1 commit into
ai-dynamo:mainfrom
NirWolfer:ci/hf-token-rate-limit-fix

Conversation

@NirWolfer

@NirWolfer NirWolfer commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

What?

The shared CI egress was being rate-limited by HuggingFace on anonymous requests, causing the vLLM and SGLang sanity stages to fail during Qwen/Qwen3-8B prefetch.

Bind the svc-nixl-hf-token Jenkins secret text credential as HF_TOKEN in the build-wheel pipeline and pass it through to the sanity testScript so snapshot_download authenticates rather than hitting the anonymous rate limit.

Why?

rate limit failing build-wheel pipeline on rare occasions

How?

It is optional, but for complex PRs, please provide information about the design,
architecture, approach, etc.

Summary by CodeRabbit

  • Bug Fixes

    • Improved vLLM and SGLang aarch64 sanity checks by authenticating Hugging Face model downloads when credentials are available.
    • Reduced the likelihood of model prefetch failures caused by anonymous Hugging Face rate limits on shared CI network addresses.
  • Documentation

    • Updated CI documentation to explain the authenticated model prefetch behavior and credential configuration.

The shared CI egress IP (216.228.125.129) was being rate-limited by
HuggingFace on anonymous requests, causing the vLLM and SGLang sanity
stages to fail during Qwen/Qwen3-8B prefetch.

Bind the svc-nixl-hf-token Jenkins secret text credential as HF_TOKEN
in the build-wheel pipeline and pass it through to the sanity testScript
so snapshot_download authenticates rather than hitting the anonymous
rate limit.

Signed-off-by: NirWolfer <nwolfer@nvidia.com>
@NirWolfer
NirWolfer requested review from a team as code owners July 15, 2026 13:12
@github-actions

Copy link
Copy Markdown

👋 Hi NirWolfer! Thank you for contributing to ai-dynamo/nixl.

Your PR reviewers will review your contribution then trigger the CI to test your changes.

🚀

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The CI wheel-build matrix injects the svc-nixl-hf-token credential as HF_TOKEN for vLLM and SGLang sanity tests. The model prefetch script passes this token to Hugging Face downloads, and the CI overview documents the behavior.

Changes

Hugging Face prefetch authentication

Layer / File(s) Summary
Credential propagation and model download
.ci/jenkins/lib/build-wheel-matrix.yaml, .gitlab/test_vllm_sglang_sanity.sh, .ci/docs/ci-overview.md
The Jenkins matrix provides HF_TOKEN to both sanity commands, the prefetch script passes it to snapshot_download, and the CI documentation describes the credential mapping.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: ntsemah

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the CI change to authenticate HuggingFace model prefetches and avoid rate limits.
Description check ✅ Passed The description follows the template with clear What and Why sections; How is optional and can remain blank.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.ci/jenkins/lib/build-wheel-matrix.yaml:
- Around line 79-80: Restrict the HF_TOKEN binding from the top-level wheel job
credentials to only the vLLM/SGLang sanity steps in the matrix. Update the
relevant sanity-step wrapper or invocation so the token is available there while
remaining unavailable to build and image stages that execute PR-controlled code.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 0320dcd5-72f6-4a52-9d9e-f9444166d13c

📥 Commits

Reviewing files that changed from the base of the PR and between 22cdab3 and bd426fa.

📒 Files selected for processing (3)
  • .ci/docs/ci-overview.md
  • .ci/jenkins/lib/build-wheel-matrix.yaml
  • .gitlab/test_vllm_sglang_sanity.sh

Comment on lines +79 to +80
- credentialsId: 'svc-nixl-hf-token'
variable: 'HF_TOKEN'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n -C 5 'credentials:|HF_TOKEN|testScript:' .ci/jenkins .gitlab

Repository: ai-dynamo/nixl

Length of output: 34719


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== build-wheel-matrix context =="
sed -n '1,120p' .ci/jenkins/lib/build-wheel-matrix.yaml
echo
echo "== sanity steps =="
sed -n '330,390p' .ci/jenkins/lib/build-wheel-matrix.yaml
echo
echo "== slurmCI usage elsewhere with env vars in testScript =="
rg -n -C 3 'testScript: ".*\$\{[A-Z_]+\}.*"|module: slurmCI' .ci/jenkins/lib .ci/jenkins/pipeline

Repository: ai-dynamo/nixl

Length of output: 27723


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== build-wheel-matrix step map =="
ast-grep outline .ci/jenkins/lib/build-wheel-matrix.yaml --view expanded | sed -n '1,220p'
echo
echo "== slurmCI references =="
rg -n -C 4 '\bslurmCI\b|testScript:|credentialsId:' .ci/jenkins .gitlab | sed -n '1,260p'
echo
echo "== any docs or code for command logging / argument passing =="
rg -n -C 3 'command.*log|log.*command|testScript|slurmCI.*args|env.*credentials|mask' .ci/jenkins .gitlab README.md

Repository: ai-dynamo/nixl

Length of output: 30651


Scope HF_TOKEN to the sanity steps only.
This top-level credentials block makes the token available to the whole wheel job, including the build/image stages that can run PR-controlled code. Bind it only around the vLLM/SGLang sanity steps, or forward it without exposing it to the rest of the matrix.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.ci/jenkins/lib/build-wheel-matrix.yaml around lines 79 - 80, Restrict the
HF_TOKEN binding from the top-level wheel job credentials to only the
vLLM/SGLang sanity steps in the matrix. Update the relevant sanity-step wrapper
or invocation so the token is available there while remaining unavailable to
build and image stages that execute PR-controlled code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant