mirror of
https://github.com/unslothai/unsloth.git
synced 2026-07-09 15:58:41 +00:00
Bumps the actions group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `7.0.0` | | [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` | | [actions/cache/restore](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [actions/cache/save](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.1` | `7.0.1` | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.19.1` | `2.19.4` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.1` | `2.4.3` | | [github/codeql-action](https://github.com/github/codeql-action) | `3` | `4.36.3` | | [tauri-apps/tauri-action](https://github.com/tauri-apps/tauri-action) | `0.6.2` | `1.0.0` | | [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) | `3.95.3` | `3.95.8` | | [actions/stale](https://github.com/actions/stale) | `10.2.0` | `10.3.0` | Updates `actions/checkout` from 4.2.2 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4.2.2...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0) Updates `actions/setup-python` from 6.2.0 to 6.3.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v6.2.0...ece7cb06caefa5fff74198d8649806c4678c61a1) Updates `actions/cache/restore` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](27d5ce7f10...55cc834586) Updates `actions/cache/save` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](27d5ce7f10...55cc834586) Updates `actions/upload-artifact` from 4.6.1 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4.6.1...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) Updates `step-security/harden-runner` from 2.19.1 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](a5ad31d6a1...9af89fc715) Updates `ossf/scorecard-action` from 2.4.1 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](f49aabe0b5...4eaacf0543) Updates `github/codeql-action` from 3 to 4.36.3 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v3...v4.36.3) Updates `tauri-apps/tauri-action` from 0.6.2 to 1.0.0 - [Release notes](https://github.com/tauri-apps/tauri-action/releases) - [Changelog](https://github.com/tauri-apps/tauri-action/blob/dev/CHANGELOG.md) - [Commits](84b9d35b5f...1deb371b0c) Updates `trufflesecurity/trufflehog` from 3.95.3 to 3.95.8 - [Release notes](https://github.com/trufflesecurity/trufflehog/releases) - [Commits](37b77001d0...00155c9dc5) Updates `actions/stale` from 10.2.0 to 10.3.0 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](b5d41d4e1d...eb5cf3af3a) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-python dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/cache/restore dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/cache/save dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: github/codeql-action dependency-version: 4.36.3 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: tauri-apps/tauri-action dependency-version: 1.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: trufflesecurity/trufflehog dependency-version: 3.95.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/stale dependency-version: 10.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
136 lines
5.3 KiB
YAML
136 lines
5.3 KiB
YAML
# SPDX-License-Identifier: AGPL-3.0-only
|
|
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
|
|
|
|
# Builds the PyPI wheel from the PR branch, then verifies the built wheel
|
|
# actually contains what we expect to ship and does NOT contain the broken
|
|
# Studio bundle that 2026.5.1 published. This is the single workflow that
|
|
# would have blocked the 2026.5.1 release before twine upload.
|
|
#
|
|
# Verified locally end-to-end against this branch:
|
|
# - python -m build produces unsloth-<version>-py3-none-any.whl in 13s
|
|
# - wheel content sanity passes:
|
|
# lockfile shipped, frontend dist shipped,
|
|
# no node_modules in wheel, no bun.lock in wheel,
|
|
# main bundle has unstable_Provider hits=1 (assistant-ui internals only).
|
|
# - Studio backend imports cleanly from the installed wheel with the
|
|
# lightweight dep set below.
|
|
|
|
name: Wheel CI
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- 'pyproject.toml'
|
|
- 'studio/**'
|
|
- 'unsloth/**'
|
|
- 'unsloth_cli/**'
|
|
- '.github/workflows/wheel-smoke.yml'
|
|
push:
|
|
branches: [main, pip]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
wheel:
|
|
name: Wheel build + content sanity + import smoke
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: '22'
|
|
|
|
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Lockfile supply-chain audit (pre-install scan)
|
|
run: python3 scripts/lockfile_supply_chain_audit.py
|
|
|
|
- name: Build frontend
|
|
# Lifecycle scripts (esbuild native-binary postinstall, etc.) are
|
|
# required for `vite build`. The pre-install lockfile structural
|
|
# audit (lockfile_supply_chain_audit.py) is the practical defence
|
|
# against the npm postinstall-dropper class -- it fires BEFORE any
|
|
# tarball runs, on the injection pattern itself rather than an
|
|
# advisory-DB lookup.
|
|
run: |
|
|
cd studio/frontend
|
|
npm ci --no-fund --no-audit
|
|
npm run build
|
|
|
|
- name: Build wheel + sdist
|
|
run: |
|
|
python -m pip install --upgrade pip build
|
|
rm -rf dist build ./*.egg-info
|
|
python -m build
|
|
|
|
- name: Wheel content sanity
|
|
run: |
|
|
python - <<'PY'
|
|
import zipfile, glob, sys
|
|
w = glob.glob("dist/unsloth-*.whl")
|
|
if not w:
|
|
print("FAIL: no wheel produced"); sys.exit(2)
|
|
w = w[0]
|
|
print(f"wheel: {w}")
|
|
with zipfile.ZipFile(w) as z:
|
|
n = z.namelist()
|
|
checks = {
|
|
"lockfile shipped": any(s.endswith("studio/frontend/package-lock.json") for s in n),
|
|
"frontend dist shipped": any(s.endswith("studio/frontend/dist/index.html") for s in n),
|
|
"no node_modules": not any("studio/frontend/node_modules/" in s for s in n),
|
|
"no bun.lock": not any(s.endswith("studio/frontend/bun.lock") for s in n),
|
|
}
|
|
js = [s for s in n
|
|
if "studio/frontend/dist/assets/" in s
|
|
and s.endswith(".js")
|
|
and "/index-" in s]
|
|
if not js:
|
|
print("FAIL: no main bundle index-*.js in wheel"); sys.exit(2)
|
|
data = z.read(js[0]).decode("utf-8", "replace")
|
|
hits = data.count("unstable_Provider:")
|
|
print(f"main bundle: {js[0]}")
|
|
print(f"unstable_Provider hits: {hits} (>=4 indicates 2026.5.1 regression)")
|
|
checks["bundle has no Studio unstable_Provider call site"] = (hits < 4)
|
|
|
|
print()
|
|
for k, v in checks.items():
|
|
print(f" [{'PASS' if v else 'FAIL'}] {k}")
|
|
sys.exit(0 if all(checks.values()) else 1)
|
|
PY
|
|
|
|
- name: Studio backend import smoke
|
|
# Imports `studio.backend.main:app` from the freshly-installed wheel in
|
|
# a clean venv. This catches the class of bug that 2026.5.1 shipped with:
|
|
# frontend dist missing, package-lock.json missing, or the wheel's Python
|
|
# source tree broken in a way that surfaces only at app construction time.
|
|
run: |
|
|
python -m venv /tmp/v
|
|
/tmp/v/bin/pip install --upgrade pip
|
|
/tmp/v/bin/pip install -r studio/backend/requirements/studio.txt
|
|
/tmp/v/bin/pip install \
|
|
python-multipart aiofiles sqlalchemy cryptography \
|
|
pyyaml jinja2 mammoth unpdf requests \
|
|
'numpy<3'
|
|
/tmp/v/bin/pip install --no-deps dist/unsloth-*.whl
|
|
# Run from /tmp so Python imports the installed package, not the source tree.
|
|
cd /tmp
|
|
/tmp/v/bin/python -c "from studio.backend.main import app; print('Studio backend OK:', app.title)"
|
|
|
|
- name: Upload wheel on failure
|
|
if: failure()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: unsloth-wheel
|
|
path: dist/
|
|
retention-days: 7
|