ci: configure Cargo Artifactory sparse registry

[willkill07]

Overview

Configure the scheduled GitLab Cargo publishing job to use Artifactory's Cargo sparse registry settings directly through Cargo config and credentials.

• I confirm this contribution is my own work, or I have the right to submit it under this project's license.
• I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

• Set Cargo's default registry to artifactory in ${CARGO_HOME}/config.toml.
• Normalize NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL by stripping an optional sparse+ prefix, trimming trailing slashes, validating https://<host>/artifactory/api/cargo/<repo>/index, and writing a single sparse+.../index/ registry URL.
• Configure publish credentials as Bearer ${NEMO_FLOW_CI_ARTIFACTORY_KEY} in ${CARGO_HOME}/credentials.toml.
• Remove the previous authenticated git-index setup.
• Publish each crate explicitly with --registry artifactory so publishing does not depend only on the configured default registry.
• Drop the Cargo publishing job's dependency on NEMO_FLOW_CI_ARTIFACTORY_USER.

Validation performed locally:

• git diff --check -- .gitlab-ci.yml
• Ruby YAML parse of .gitlab-ci.yml
• Shell normalization/rejection checks for the Cargo registry URL
• Commit-time pre-commit hooks for .gitlab-ci.yml

Where should the reviewer start?

Start with .gitlab-ci.yml, in the publish:artifactory:cargo job where Cargo config, credentials, URL validation, and publishing are set up.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

• Relates to ci: publish Cargo crates to Artifactory #59
• Relates to ci: authenticate Cargo Artifactory index fetch #60

Summary by CodeRabbit

• Chores
  • Publishing automation now derives the Cargo registry index at runtime instead of using a static value.
  • Registry configuration and credentials are generated at publish time, with clearer logging of the selected index.
  • Simplified publish validation and credential handling; initial validation now requires only the Artifactory key and Cargo URL.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• ✅ Review completed - (🔄 Check again to review again)

Walkthrough

The publish:artifactory:cargo CI job now derives the Cargo registry index at runtime from NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL, emits the resolved index, and writes config.toml/credentials.toml for token-based auth; legacy user-based git credential wiring and static index config were removed. (≤50 words)

Changes

Cargo Registry Configuration Derivation

Layer / File(s)	Summary
Validation .gitlab-ci.yml (~lines 235-238)	Preliminary validation now requires only NEMO_FLOW_CI_ARTIFACTORY_KEY and NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL; the user-based variable requirement was removed.
Data Shape / Computation .gitlab-ci.yml (~lines 262-271)	Derives cargo_registry_index by pattern-matching the provided Artifactory Cargo URL (handling sparse vs direct index forms) and computes artifactory_base and cargo_repo.
Core Implementation .gitlab-ci.yml (~lines 272-283)	Emits the chosen registry index and writes config.toml and credentials.toml configured for token-based authentication using the provided key.
Removal of Legacy Wiring .gitlab-ci.yml (~lines 276-283 removed)	Removes prior static index env usage, git-fetch-with-cli/[net] git settings, and legacy git credential wiring that enforced a user-based flow.
Logging / Visibility .gitlab-ci.yml (~lines 262-275)	Logs the resolved cargo_registry_index for job visibility.

Sequence Diagram(s)

sequenceDiagram
    participant CI as GitLab CI job
    participant AF as Artifactory
    participant FS as Filesystem
    participant Cargo as cargo client

    CI->>AF: Read NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL
    CI->>CI: Pattern-match URL -> compute cargo_registry_index
    CI->>FS: Write config.toml & credentials.toml (token auth)
    Cargo->>FS: Read config.toml for registry index
    Cargo->>AF: Publish crate to computed registry index

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows Conventional Commits format (ci: fix...), uses lowercase type and scope, is under 72 characters, and accurately summarizes the main change of fixing Cargo Artifactory registry configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	Pull request description follows the template with all required sections completed: Overview with confirmations, detailed explanation of changes, reviewer guidance, and related issues.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.gitlab-ci.yml:
- Around line 264-274: The case branch matching "*/api/local/*" is too
permissive and allows empty or multi-segment repo names; update the validation
for cargo_registry_url inside the case handling so only URLs ending with a
single non-empty segment after /api/local/ are accepted (e.g. match the URL
against a stricter pattern like .*/api/local/[^/]+$), and add an explicit
rejection branch for URLs with trailing slashes or extra path segments before
computing artifactory_base, cargo_repo and cargo_registry_index; implement the
check using the same cargo_registry_url variable (via a stricter shell pattern
match or grep -E) and keep the subsequent parameter expansions that set
artifactory_base, cargo_repo and cargo_registry_index unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 0ac18b9e-bf19-4d6a-aaf9-0a375682bb43

📥 Commits

Reviewing files that changed from the base of the PR and between 4dfb594 and c8a58d6.

📒 Files selected for processing (1)

• .gitlab-ci.yml

📜 Review details

🧰 Additional context used

📓 Path-based instructions (2)

{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

• .gitlab-ci.yml

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

• .gitlab-ci.yml

🧠 Learnings (2)

📚 Learning: 2026-04-15T18:16:52.951Z

Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

• .gitlab-ci.yml

📚 Learning: 2026-05-01T13:41:07.485Z

Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

• .gitlab-ci.yml

[coderabbitai]

♻️ Duplicate comments (1)

.gitlab-ci.yml (1)

262-270: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Derivation logic is missing; current sparse index is malformed for the documented CI URL format.

At Line 262, the code only prefixes sparse+ to NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL. For inputs like .../artifactory/api/local/<repo>, Cargo needs sparse+.../artifactory/api/cargo/<repo>/index/. Add strict validation plus conversion before writing config.toml.

Suggested minimal fix

-      cargo_registry_index="sparse+${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}"
+      cargo_registry_url="${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL%/}"
+      case "$cargo_registry_url" in
+        */api/local/*/*|*/api/local/|*/api/local)
+          echo "Error: NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL must end with /api/local/<repo>: ${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}" >&2
+          exit 1
+          ;;
+        */api/local/*)
+          artifactory_base="${cargo_registry_url%%/api/local/*}"
+          cargo_repo="${cargo_registry_url#*/api/local/}"
+          cargo_registry_index="sparse+${artifactory_base}/api/cargo/${cargo_repo}/index/"
+          ;;
+        *)
+          echo "Error: NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL must match .../artifactory/api/local/<repo>: ${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}" >&2
+          exit 1
+          ;;
+      esac
       echo "Using Cargo Artifactory registry index ${cargo_registry_index}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.gitlab-ci.yml around lines 262 - 270, The sparse index value currently set
via cargo_registry_index="sparse+${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}" is
malformed for Artifactory CI URLs—validate and transform
NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL before writing cargo_registry_index and
config.toml: detect and reject unexpected formats, convert inputs like
.../artifactory/api/local/<repo> into the Cargo index form
.../artifactory/api/cargo/<repo>/index/ (then prefix with "sparse+"), and only
write the resulting cargo_registry_index into the "${cargo_home}/config.toml";
update the echo to print the validated/converted cargo_registry_index and fail
the job with a clear error if validation fails.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.gitlab-ci.yml:
- Around line 262-270: The sparse index value currently set via
cargo_registry_index="sparse+${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}" is malformed
for Artifactory CI URLs—validate and transform
NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL before writing cargo_registry_index and
config.toml: detect and reject unexpected formats, convert inputs like
.../artifactory/api/local/<repo> into the Cargo index form
.../artifactory/api/cargo/<repo>/index/ (then prefix with "sparse+"), and only
write the resulting cargo_registry_index into the "${cargo_home}/config.toml";
update the echo to print the validated/converted cargo_registry_index and fail
the job with a clear error if validation fails.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 1fcec25f-553a-4cbe-a77c-0dbee501dd1b

📥 Commits

Reviewing files that changed from the base of the PR and between c8a58d6 and cab3197.

📒 Files selected for processing (1)

• .gitlab-ci.yml

📜 Review details

🧰 Additional context used

📓 Path-based instructions (2)

{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

• .gitlab-ci.yml

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

• .gitlab-ci.yml

🧠 Learnings (2)

📚 Learning: 2026-04-15T18:16:52.951Z

Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

• .gitlab-ci.yml

📚 Learning: 2026-05-01T13:41:07.485Z

Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

• .gitlab-ci.yml

🔇 Additional comments (2)

.gitlab-ci.yml (2)

235-237: Fail-fast input guard is solid.

The required-variable check is clear and prevents ambiguous downstream publish failures.

---

275-279: Credential file permission hardening is good.

Writing to credentials.toml and immediately restricting it to mode 600 is the right pattern for CI secret handling.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.gitlab-ci.yml (1)

262-269: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate and normalize the Cargo sparse index URL before writing config.

Line 262 blindly prefixes sparse+ and accepts any value, so malformed inputs (wrong path, extra segments, already-prefixed values, missing trailing slash) can produce an invalid index and fail late in cargo publish. Add a strict check and normalize to a single trailing slash.

Suggested fix

-      cargo_registry_index="sparse+${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}"
+      cargo_registry_url="${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL%/}"
+      if ! printf '%s\n' "$cargo_registry_url" | grep -Eq '^https://[^/]+/artifactory/api/cargo/[^/]+/index$'; then
+        echo "Error: NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL must match https://<host>/artifactory/api/cargo/<repo>/index: ${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}" >&2
+        exit 1
+      fi
+      cargo_registry_index="sparse+${cargo_registry_url}/"
       echo "Using Cargo Artifactory registry index ${cargo_registry_index}"

#!/bin/bash
set -eu
# Read-only sanity check for URL-shape handling behavior.
for url in \
  'https://example.jfrog.io/artifactory/api/cargo/repo/index' \
  'https://example.jfrog.io/artifactory/api/cargo/repo/index/' \
  'sparse+https://example.jfrog.io/artifactory/api/cargo/repo/index/' \
  'https://example.jfrog.io/artifactory/api/local/repo' \
  'https://example.jfrog.io/artifactory/api/cargo/repo/extra/index'
do
  v="${url%/}"
  if printf '%s\n' "$v" | grep -Eq '^https://[^/]+/artifactory/api/cargo/[^/]+/index$'; then
    echo "ACCEPT -> sparse+${v}/"
  else
    echo "REJECT -> ${url}"
  fi
done

As per coding guidelines: "Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.gitlab-ci.yml around lines 262 - 269, Validate and normalize the Cargo
index URL before writing config by sanitizing the value used for
cargo_registry_index: strip any existing "sparse+" prefix if present, verify the
remaining URL matches a strict pattern like
^https://[^/]+/artifactory/api/cargo/[^/]+/index$ (reject otherwise), then
append a single trailing slash and prepend "sparse+" only once; update the logic
that currently sets cargo_registry_index and the subsequent echo/cat block to
use this normalized value so you never write malformed indexes into
"${cargo_home}/config.toml".

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.gitlab-ci.yml:
- Around line 280-282: The cargo publish invocation in the for loop (the lines
calling cargo publish --package "$crate" --allow-dirty) can default to crates-io
if config or CARGO_HOME are misconfigured; update the command to explicitly pass
--registry artifactory (i.e. change cargo publish --package "$crate"
--allow-dirty to cargo publish --package "$crate" --allow-dirty --registry
artifactory) for each package in the loop to guarantee publishing to
artifactory.

---

Duplicate comments:
In @.gitlab-ci.yml:
- Around line 262-269: Validate and normalize the Cargo index URL before writing
config by sanitizing the value used for cargo_registry_index: strip any existing
"sparse+" prefix if present, verify the remaining URL matches a strict pattern
like ^https://[^/]+/artifactory/api/cargo/[^/]+/index$ (reject otherwise), then
append a single trailing slash and prepend "sparse+" only once; update the logic
that currently sets cargo_registry_index and the subsequent echo/cat block to
use this normalized value so you never write malformed indexes into
"${cargo_home}/config.toml".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 032c6815-2d7c-485b-a83e-2a5618de420e

📥 Commits

Reviewing files that changed from the base of the PR and between cab3197 and 31dbc18.

📒 Files selected for processing (1)

• .gitlab-ci.yml

📜 Review details

🧰 Additional context used

📓 Path-based instructions (2)

{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

• .gitlab-ci.yml

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

• .gitlab-ci.yml

🧠 Learnings (2)

📚 Learning: 2026-04-15T18:16:52.951Z

Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

• .gitlab-ci.yml

📚 Learning: 2026-05-01T13:41:07.485Z

Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

• .gitlab-ci.yml

[willkill07]

Addressed the latest .gitlab-ci.yml review comments in 3cb2d08:

• Restored explicit --registry artifactory on each cargo publish invocation so publishing does not depend solely on the configured default registry.
• Normalized NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL before writing Cargo config by stripping an optional sparse+ prefix, removing trailing slashes, validating the URL against https://<host>/artifactory/api/cargo/<repo>/index, and then writing exactly sparse+.../index/.

Validation rerun: git diff --check -- .gitlab-ci.yml, YAML parse, shell normalization/rejection checks, and commit-time pre-commit hooks for .gitlab-ci.yml.