Skip repo creation when using short-lived JWT tokens with CLI #4290

Closed
coyotte508 wants to merge 1 commit into main from improve-upload-error-handling

coyotte508 commented May 28, 2026

Member

See huggingface/hub-docs#2506 / https://moon-ci-docs.huggingface.co/docs/hub/pr_2506/en/trusted-publishers (not published to main doc yet)

      - name: Upload checkpoint
        # `hf upload` calls create_repo() first, which a Trusted Publisher token
        # isn't allowed to do. Call upload_folder() directly to skip that step.
        run: |
          python - <<'PY'
          import os
          from huggingface_hub import upload_folder

          upload_folder(
              repo_id="acme/awesome-model",
              folder_path="./checkpoint",
              commit_message=f"Publish from {os.environ['GITHUB_SHA'][:7]}",
          )
          PY

We have to call the API directly instead of being able to use the CLI (which sees a 401 from the JWT and gives up)

This PR skips the create repo in case of jwt - the JWT doesn't work on create_repo endpoint because it's not a scoped route (and doesn't support jwt auth anyway)


Note

Low Risk
Small, conditional branch around repo creation for a specific token prefix; normal PAT flows unchanged.

Overview
hf upload and large-folder uploads no longer call create_repo when the effective auth token is a short-lived JWT (hf_jwt_...). The code resolves the token from the CLI/API/get_token() and, for JWTs, assumes the target repo already exists and continues with upload only.

This unblocks Trusted Publisher / CI flows where JWTs are repo-scoped and cannot create repos (which previously caused 401s and forced workarounds like calling upload_folder() directly instead of the CLI).

Reviewed by Cursor Bugbot for commit baf96e2.

cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

# repos, so calling `create_repo` would fail. The repo is assumed to already exist.
effective_token = api.token if isinstance(api.token, str) else get_token()
if isinstance(effective_token, str) and effective_token.startswith("hf_jwt_"):
logger.info("Skipping `create_repo` (JWT token detected): assuming repo already exists.")
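Review bot: On the `effective_token = ...` line, every non-string `api.token` falls through to `get_token()`, so if `api.token` can hold a value that means "send no token", the `hf_jwt_` branch would be chosen from a stored token that the request never uses. Consider resolving the token the same way the upload calls themselves do. Because `create_repo` is skipped on a prefix match alone, the `logger.info` line should also name the repo that is assumed to exist, so that a later failure on a missing or misnamed repo is easy to trace back to this branch.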

Skipped repo_id normalization when JWT token detected

Low Severity

When create_repo is skipped (JWT path), the repo_id normalization that create_repo previously provided is also lost. In the non-JWT path, repo_id = repo_url.repo_id resolves a bare name like "my-model" to "username/my-model". In the JWT path, repo_id stays as the user-provided value. All subsequent API calls (list_repo_commits, upload_file, upload_folder, worker threads) use this potentially un-normalized repo_id, which could cause 404 errors if a user passes a non-fully-qualified name.


Member Author
Probably fine to require explicit repo names with jwts
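The trade-off in this review thread (skip `create_repo` for `hf_jwt_` tokens, then require explicit repo names) as an added example, not code from this PR or from huggingface_hub. `plan_upload`, `resolve_token` and `UploadPlan` are hypothetical names, `stored_token` stands in for `get_token()`, and treating `False` as "send no token" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Union

JWT_PREFIX = "hf_jwt_"  # short-lived token prefix named in the PR overview


@dataclass(frozen=True)
class UploadPlan:
    repo_id: str
    token: Optional[str]
    create_repo: bool


def resolve_token(api_token: Union[str, bool, None],
                  stored_token: Optional[str]) -> Optional[str]:
    """Pick the token the upload would actually send."""
    if isinstance(api_token, str):
        return api_token
    if api_token is False:  # assumption: False means "send no token"
        return None
    return stored_token  # hypothetical stand-in for get_token()


def plan_upload(repo_id: str,
                api_token: Union[str, bool, None],
                stored_token: Optional[str]) -> UploadPlan:
    """Decide whether to create the repo, failing fast on bare names with a JWT."""
    token = resolve_token(api_token, stored_token)
    if token is not None and token.startswith(JWT_PREFIX):
        # create_repo is skipped, so nothing expands "my-model" to
        # "username/my-model"; require the qualified form up front
        # instead of hitting a 404 on a later API call.
        parts = repo_id.split("/")
        if len(parts) != 2 or not all(parts):
            raise ValueError(
                f"repo_id {repo_id!r} must be 'namespace/name' when using a JWT"
            )
        return UploadPlan(repo_id, token, create_repo=False)
    # Non-JWT path: create_repo still runs and normalizes the repo_id.
    return UploadPlan(repo_id, token, create_repo=True)
```
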

Wauplin commented May 29, 2026

Collaborator

Closing in favor of #4294. I prefer a solution directly in create_repo/create_bucket instead of manually checking hf_jwt_ format. Let me know if that's fine with you @coyotte508

Wauplin closed this May 29, 2026