Merge branch 'main' into xet-upload-by-default

Author: coyotte508

.github/workflows/agents-publish.yml

@@ -19,27 +19,30 @@ defaults:
   run:
     working-directory: packages/agents
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/agents/pnpm-lock.yaml
             packages/doc-internal/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -52,19 +55,19 @@ jobs:
           git add ../..
           git commit -m "🔖 @huggingface/agents $BUMPED_VERSION"
           git tag "agents-v$BUMPED_VERSION"
-      - run: pnpm --filter agents... build && pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm --filter agents... build && pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Update Doc"
         uses: peter-evans/repository-dispatch@v2
         with:

.github/workflows/blake3-wasm-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/blake3-wasm
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/blake3-wasm/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -49,16 +52,16 @@ jobs:
           node -e "const fs = require('fs'); const package = JSON.parse(fs.readFileSync('./package.json')); package.version = '$BUMPED_VERSION'; fs.writeFileSync('./package.json', JSON.stringify(package, null, '\t') + '\n');"
           git commit . -m "🔖 @huggingface/blake3-wasm $BUMPED_VERSION"
           git tag "blake3-wasm-v$BUMPED_VERSION"
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/blob-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/blob
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/blob/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -50,19 +53,18 @@ jobs:
           git commit . -m "🔖 @huggingface/blob $BUMPED_VERSION"
           git tag "blob-v$BUMPED_VERSION"
 
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Update Doc"
         uses: peter-evans/repository-dispatch@v2
         with:

.github/workflows/dduf-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/dduf
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/dduf/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -53,19 +56,18 @@ jobs:
       - name: "Check Deps are published before publishing this package"
         run: pnpm -w check-deps blob
 
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Update Doc"
         uses: peter-evans/repository-dispatch@v2
         with:

.github/workflows/gearhash-wasm-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/gearhash-wasm
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/gearhash-wasm/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -49,16 +52,16 @@ jobs:
           node -e "const fs = require('fs'); const package = JSON.parse(fs.readFileSync('./package.json')); package.version = '$BUMPED_VERSION'; fs.writeFileSync('./package.json', JSON.stringify(package, null, '\t') + '\n');"
           git commit . -m "🔖 @huggingface/gearhash-wasm $BUMPED_VERSION"
           git tag "gearhash-wasm-v$BUMPED_VERSION"
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/gguf-publish.yml

@@ -23,26 +23,29 @@ defaults:
   run:
     working-directory: packages/gguf
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/gguf/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -58,16 +61,15 @@ jobs:
         name: "Check Deps are published before publishing this package"
         run: pnpm -w check-deps tasks
 
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}