ci: authenticate Cargo Artifactory index fetch #60

Merged
rapids-bot[bot] merged 1 commit into NVIDIA:main from willkill07:wkk_ci/artifactory-cargo-auth
May 6, 2026

@willkill07 (Member) commented May 5, 2026

Overview

Fix the scheduled Cargo Artifactory publish job so Cargo can authenticate both the registry index fetch and the publish request.

  • I confirm this contribution is my own work, or I have the right to submit it under this project's license.
  • I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

  • Add NEMO_FLOW_CI_PYTHON_VERSION and use uv-managed Python 3.11 for the Cargo publish job's inline metadata parsing.
  • Remove the apt-installed python3 dependency from the Cargo publish job.
  • Install git, configure Cargo to fetch the Artifactory registry index with the Git CLI, and write a scoped Git credential entry from the existing Artifactory CI secrets.
  • Keep the existing Cargo registry token for the publish request itself.

Where should the reviewer start?

Start with .gitlab-ci.yml, especially the publish:artifactory:cargo job credential setup.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

  • Relates to: none

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD pipeline configuration to strengthen the Cargo package publishing process with improved dependency management
    • Upgraded Artifactory credential handling with more secure credential configuration and git integration capabilities
    • Optimized build environment setup for increased reliability, consistency, and automated version tracking across publishing workflows

Signed-off-by: Will Killian <wkillian@nvidia.com>
@willkill07 willkill07 requested a review from a team as a code owner May 5, 2026 13:15
@github-actions github-actions Bot added size:S PR is small ci PR alters/improves CI labels May 5, 2026
coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: ef240806-08fc-4cc3-b40a-2a05fe18b1ce

📥 Commits

Reviewing files that changed from the base of the PR and between 696bd99 and b706239.

📒 Files selected for processing (1)
  • .gitlab-ci.yml
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (2)
{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

  • .gitlab-ci.yml
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

  • .gitlab-ci.yml
🧠 Learnings (2)
📚 Learning: 2026-04-15T18:16:52.951Z
Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

  • .gitlab-ci.yml
📚 Learning: 2026-05-01T13:41:07.485Z
Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

  • .gitlab-ci.yml
🔇 Additional comments (5)
.gitlab-ci.yml (5)

20-20: LGTM!

Pinned Python version variable maintains consistency with other CI version declarations and ensures reproducible builds.


222-227: LGTM!

The shift from apt-installed python3 to uv-managed Python is cleaner, and adding git is required for the credential-based registry index fetch via git-fetch-with-cli.


244-256: LGTM!

The uv run --no-project python - pattern correctly executes inline Python without requiring a project context. The subsequent empty check handles extraction failures.


263-282: LGTM!

The git credential setup is correctly implemented:

  • quote(safe="") properly URL-encodes special characters in username/password
  • credential.useHttpPath = true ensures path-scoped matching for Artifactory
  • File permissions (600) are appropriately restrictive

The environment variables are pre-validated at lines 235-238, so the Python script can safely assume they exist.


284-300: LGTM!

The dual authentication mechanism is correctly implemented:

  • Git credentials (via credential helper) handle the authenticated index fetch
  • Cargo token (credential-provider = "cargo:token") handles the publish API request
  • git-fetch-with-cli = true bridges these by routing index fetches through git

Credentials file is properly secured with 600 permissions.


Walkthrough

GitLab CI pipeline update to the Cargo publish job that replaces system Python installation with uv-managed Python, updates version extraction and GitHub tag parsing to use uv run, and adds URL-encoded Artifactory credential generation with git credential storage configuration.

Changes

Cargo Artifactory Publishing Workflow

| Layer / File(s) | Summary |
|---|---|
| Pipeline Configuration: .gitlab-ci.yml (lines 17–20) | New pipeline variable NEMO_FLOW_CI_PYTHON_VERSION: "3.11" defines the Python version for Cargo publish job. |
| Python Installation: .gitlab-ci.yml (lines 222–227) | before_script removes python3 from apt packages; adds uv python install "${NEMO_FLOW_CI_PYTHON_VERSION}" to install Python via uv. |
| Version Extraction: .gitlab-ci.yml (lines 245–252) | GitHub tag and version extraction switches from python3 command to uv run --no-project python for reading collected/github-run.json. |
| Credential & Registry Setup: .gitlab-ci.yml (lines 262–299) | Adds Python snippet to generate URL-encoded Artifactory credential index URL, configures git credentials storage at ${HOME}/.git-credentials with HTTP path mode, and adds net.git-fetch-with-cli = true to Cargo config before writing credentials.toml. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • NVIDIA/NeMo-Flow#59: Both PRs modify the publish:artifactory:cargo CI job; this PR enhances the job with Python-based version extraction and URL-encoded credential generation for Artifactory authentication.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title follows Conventional Commits format with a valid ci type and concise imperative summary, is under 72 characters, and accurately describes the main change. |
| Description check | ✅ Passed | The description covers all required template sections with sufficient detail about changes, implementation approach, reviewer guidance, and includes completed compliance checkboxes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands and usage tips.
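
The credential entry discussed in the review above (percent-encoded userinfo, owner-only file mode), as an added example that is not the project's .gitlab-ci.yml code. The host, path, account and password are constructed placeholders and the function names are hypothetical; `naive_line` shows the failure that `quote(safe="")` prevents.

```python
import os
import stat
import tempfile
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values: placeholder host/path, not the project's registry.
INDEX_URL = "https://artifactory.example.invalid/example/cargo-index.git"
USERNAME = "ci@bot"
PASSWORD = "p@ss/w:rd#1"


def naive_line(index_url, username, password):
    """Unencoded userinfo: '@', '/', ':' and '#' in the secret corrupt the URL."""
    parts = urlsplit(index_url)
    return f"https://{username}:{password}@{parts.netloc}{parts.path}"


def credential_line(index_url, username, password):
    """One git credential-store entry with percent-encoded userinfo."""
    parts = urlsplit(index_url)
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("index URL must be https and carry no userinfo")
    user, secret = quote(username, safe=""), quote(password, safe="")
    return f"https://{user}:{secret}@{parts.netloc}{parts.path}"


def parse_line(line):
    """Read an entry back the way a URL parser sees it."""
    parts = urlsplit(line.strip())
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname, parts.path)


def write_credentials(path, line):
    """Create the store owner-only from the first byte; fix mode if it existed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)
        fh.write(line + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, ".git-credentials")
        mode = write_credentials(store, credential_line(INDEX_URL, USERNAME, PASSWORD))
        print(oct(mode), parse_line(open(store).read()))
        print("naive host:", parse_line(naive_line(INDEX_URL, USERNAME, PASSWORD))[2])
```

With `credential.useHttpPath = true`, the path component kept in the entry takes part in matching, so the stored secret is offered only for that repository path on the host.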

@willkill07
Member Author

/merge

@rapids-bot rapids-bot Bot merged commit 349a5bc into NVIDIA:main May 6, 2026
20 checks passed