feat: Major refactoring of the release-workflows

[ko3n1g]

Design issues addressed

#	Issue	Solution
1	Coverage drift. PR runs only exercised the wheel build. Bump, GH-release, docs-build paths broke for the first time at real-release time.	New validate-only mode runs the full release pipeline inert (no PyPI, no PR push, no GH release POST, no docs publish, no Slack). PRs now rehearse what ships.
2	TestPyPI bloat. dry-run uploaded to TestPyPI on every push to main / release branches. Quota fills up.	Drop TestPyPI entirely. Metadata compliance now checked locally via twine check + check-wheel-contents + check-manifest.
3	Pin drift. Two separate caller files (build-test-publish-wheel.yml for PRs, release.yaml for releases) each pinned FW-CI-templates independently. The version tested on PR was rarely the version that shipped.	Single consumer file. validate-only is derived from the trigger; one pin governs both PR rehearsal and real release.
4	Multi-wheel consumers couldn't use the shared orchestration. Megatron-LM publishes two PyPI projects with a custom multi-arch matrix; the monolithic _release_library.yml couldn't accommodate this without forking ~500 lines of YAML.	Decompose into composable reusable workflows: _release_bump.yml (multi-target capable), _release_finalize.yml, plus the existing _build_test_publish_wheel.yml. Single-wheel consumers keep using _release_library.yml (now a thin wrapper). Multi-wheel consumers compose at the consumer level.
5	Mixed auth: PAT vs GitHub App. Some consumers used a personal access token (PAT) for git push + PR creation; others used a GitHub App. The branching auth path doubled the surface area in _release_bump.yml (PAT fallback, conditional GPG signing, hybrid commit identity) and obscured which identity the bump commits ran under.	Drop PAT support entirely. _release_bump.yml requires app-id + BOT_KEY; auth is always the GitHub App bot token. Consumers must configure vars.BOT_ID and secrets.BOT_KEY (org-level BOT_ID already covers most repos).
6	GPG signing for the bump commit required two extra per-repo secrets (SSH_KEY, SSH_PWD) that nothing else in the pipeline used. Setting them up correctly was a recurring onboarding tax with little payoff — the bump commit is a bot-authored mechanical edit, not a thing a human reviews for cryptographic provenance.	Drop GPG signing from _release_bump.yml. The bump commit is now committed under the github-actions[bot] identity with -s (signoff) only; the App-token authorizes the push. SSH_KEY and SSH_PWD are no longer accepted as secrets; consumers should remove them from their release.yaml secrets: blocks at the next pin bump.

Workflow composition

Single-wheel consumer (Megatron-Bridge, NeMo, NeMo-RL, NeMo-Curator):

flowchart LR
    T[push or workflow_dispatch] --> PF[pre-flight]
    PF --> W["_release_library.yml<br/>(wrapper)"]
    subgraph W [ ]
      direction LR
      B["_release_bump.yml"] --> WH["_build_test_publish_wheel.yml"] --> F["_release_finalize.yml"]
    end
    W --> S[release-summary]

Loading

validate-only is set from the trigger (true on push, false on workflow_dispatch).
External interface unchanged — existing consumers need no code change beyond the pin bump.

Multi-wheel consumer (Megatron-LM): two PyPI projects (megatron-core, megatron_fsdp), three wheel cells (core arm64+amd64, fsdp amd64), each producing cp311+cp312+cp313 manylinux wheels. Composed at the consumer level:

flowchart LR
    T[push or workflow_dispatch] --> PF[pre-flight push only]
    PF --> B["FW-CI-templates<br/>_release_bump.yml<br/>(multi-target)"]
    B --> WH["consumer-local<br/>_build_test_publish_wheel.yml<br/>(manylinux matrix)"]
    WH --> F["FW-CI-templates<br/>_release_finalize.yml"]
    F --> PD["consumer-local<br/>release-docs.yml"]
    PD --> S[release-summary]

Loading

bump-targets JSON input lets one bump commit cover both packages. _release_finalize.yml takes release-version from the bump output, so the consumer can sandwich its own wheel and docs jobs between the two phases.

Technical drilldown

_release_bump.yml (new)

flowchart LR
    A["check-admin-permission<br/><i>advisory if validate-only</i>"] --> B[bump-next-version]
    B --> B1["compute<br/>release-version<br/>+ next-version"]
    B1 --> B2["push tmp branch<br/>+ open PR"]
    B2 --> B3[wait for status checks]
    B3 --> B4["merge into<br/>version-bump-branch"]
    B4 --> B5[delete tmp branch]
    B1 -.->|validate-only| Out[done — write to step summary]
    B4 -.->|validate-only OR dry-run| EchoMerge[echo push command]

Loading

• Targets: JSON array bump-targets: [{python-package, src-dir}, ...]. Single-target consumers keep using python-package + has-src-dir; that path falls through to a one-element array internally.
• Auth: GitHub App only (actions/create-github-app-token, requires app-id + BOT_KEY). The bump commit is unsigned, authored by github-actions[bot], signed off with -s. The App token authorizes the push and the PR creation.
• Outputs: release-version (current, what's being released) and next-version (post-bump, used in PR title and summary).
• Inert mode: validate-only skips everything past the version compute (the branch-cycle is the only thing that distinguishes PR rehearsal from workflow_dispatch dry-run=true). dry-run (validate-only=false) still pushes the tmp branch + PR + status wait + cleanup, but echoes the final merge.

_release_finalize.yml (new)

flowchart LR
    C[create-gh-release] --> D[build-docs]
    C --> N[notify]
    D --> P[publish-docs]
    C -.->|validate-only OR dry-run| EchoCurl[echo curl payload]
    D -.->|publish-docs=false| SkipD[skipped]
    P -.->|validate-only OR dry-run| EchoSync[aws s3 sync --dryrun]
    N -.->|validate-only| Summary[render to step summary]

Loading

• Inputs: release-version and pypi-name come from upstream jobs (bump + wheel) — finalize is agnostic to how the wheel was built. This decoupling is what enables consumer-local wheel matrices.
• Inert gate: IS_INERT = validate-only OR dry-run. create-gh-release echoes the curl POST under IS_INERT.
• Docs: build-docs and publish-docs always run when publish-docs=true. The underlying publish-docs action's dry-run flag is wired to IS_INERT, so aws s3 sync is skipped on PR rehearsal. Consumers with monorepo layouts can pass docs-root-dir (where the docs pyproject.toml lives) and docs-requirements-file (pip-install style instead of uv sync --only-group docs).
• Notify: posts to Slack only on workflow_dispatch (dry-run prefix when dry-run=true). Validate-only renders the assembled message to $GITHUB_STEP_SUMMARY so we still validate the build-step's shell logic without spamming the channel.
• Resilience: all secrets are required: false; the CHANGELOG.md read is guarded by [[ -f CHANGELOG.md ]] with a placeholder fallback.

_release_library.yml (refactored as wrapper)

flowchart LR
    B[bump<br/>_release_bump.yml] --> W[build-test-publish-wheel<br/>_build_test_publish_wheel.yml]
    W --> F[finalize<br/>_release_finalize.yml]
    F --> Out["release-version<br/>= bump.outputs.release-version<br/>OR wheel.outputs.version"]

Loading

• ~80 lines, pure plumbing.
• Inner workflows referenced via ./.github/workflows/... so they always travel together at the same FW-CI-templates ref.
• External interface preserved — existing single-wheel consumers bump only the pin; their with: / secrets: blocks stay byte-identical.
• The deleted build-test-publish-wheel-dry-run job (old TestPyPI smoke test) is replaced by per-PR validate-only — same code path, every push, instead of once per release.

Breaking change

_build_test_publish_wheel.yml no longer accepts dry-run. To skip publishing, use no-publish: true.

Companion PRs

Repo	PR	Wheel build	Notes
Megatron-Bridge	NVIDIA-NeMo/Megatron-Bridge#3658	shared (NGC pytorch container)	wrapper consumer
Megatron-LM	NVIDIA/Megatron-LM#4602	consumer-local manylinux matrix	multi-wheel (megatron-core + megatron_fsdp)
Automodel	NVIDIA-NeMo/Automodel#2127	shared (linux-amd64-cpu16)	wrapper consumer
NeMo-Curator	NVIDIA-NeMo/Curator#1911	shared (ubuntu-latest)	wrapper consumer; docs handled by Fern (FW-CI publish-docs skipped)
NeMo-RL	NVIDIA-NeMo/RL#2397	n/a (skip-wheel-build: true)	wrapper consumer; pull_request: trigger used (no copy-pr-bot mirror)
NeMo-Run	NVIDIA-NeMo/Run#502	shared (ubuntu-latest)	wrapper consumer; setuptools-dynamic packaging
NeMo-Export-Deploy	NVIDIA-NeMo/Export-Deploy#663	shared (NGC pytorch container)	wrapper consumer; multi-toplevel wheel (wheel-content-ignore: W009)
NeMo-Evaluator	NVIDIA-NeMo/Evaluator#962	shared, two parallel calls	wrapper consumer (two PyPI projects: nemo-evaluator + nemo-evaluator-launcher); monorepo (docs-root-dir: ".", docs-requirements-file)
Emerging-Optimizers	NVIDIA-NeMo/Emerging-Optimizers#176	n/a (skip-wheel-build: true)	wrapper consumer; no PyPI publish (same pattern as NeMo-RL)
NeMo-Gym	NVIDIA-NeMo/Gym#1242	shared (ubuntu-latest)	wrapper consumer; uv packaging
NeMo	NVIDIA-NeMo/NeMo#15668	shared (ubuntu-latest)	wrapper consumer; largest consumer; bumped from FW-CI v0.80.3

Test plan

• Phase 1 validate-only on push (MB#3658)
• Phase 1 dry-run dispatch (MB)
• Phase 2 wrapper preserves single-wheel behavior (MB#3658, post-rebase)
• Phase 2 multi-wheel push rehearsal (MLM#4602)
• Phase 2 multi-wheel dry-run dispatch (MLM)
• PR-push rehearsal across all 8 consumer PRs.
• Dry-run dispatch across all 8 consumer PRs.
• Path C verification via the next planned RC release.

Rollout

1. Merge this PR.
2. Cut FW-CI-templates v1.0.0 (drops dry-run from _build_test_publish_wheel.yml).
3. Bump the consumer PR pins from SHA → tag and merge.
4. Future single-wheel consumers adopt the consolidated single-caller pattern.

[chtruong814]

Does the app path work? If so, if we're building a new workflow, let's not allow the fall back?

[ko3n1g]

okay, app is now mandatory for all - including MLM

[chtruong814]

we're not supporting hatch anymore right? Or nemo run still needs to be updated?

[ko3n1g]

that was a glitch, thanks for finding it