ci: fix Artifactory Cargo crate publishing

[willkill07]

Overview

Fix the GitLab Artifactory Cargo publish job so internal NeMo Flow crate dependencies resolve from the Artifactory registry during package verification.

• I confirm this contribution is my own work, or I have the right to submit it under this project's license.
• I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

• Configure the Artifactory Cargo token with the expected bearer-token prefix.
• Define the Artifactory-published crate directories once and derive package names from each crate manifest.
• Temporarily add registry = "artifactory" to root workspace path dependencies before publishing so dependent crates resolve already-published internal packages from Artifactory instead of crates.io.
• Replace the stale nemo-flow-sidecar publish entry with the current nemo-flow-cli crate.

Where should the reviewer start?

Start with .gitlab-ci.yml, especially the publish:artifactory:cargo job. The key behavior is the Python snippet that rewrites workspace dependency registry metadata before the cargo publish --registry artifactory loop.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

• Relates to: none

Summary by CodeRabbit

• Chores
  • Updated CI/CD pipeline configuration to enhance the crate publishing process with improved flexibility and configurability.

[coderabbitai]

Walkthrough

The publish:artifactory:cargo CI job transitions from a hardcoded list of Cargo crate names to a configuration-driven approach. Crate directories are specified via environment variable, each crate's Cargo.toml is dynamically updated with the artifactory registry path, package names are extracted from those manifests, and publication proceeds with Bearer authentication.

Changes

Artifactory Cargo Publishing Automation

Layer / File(s)	Summary
Dynamic Crate Registry Configuration and Publishing .gitlab-ci.yml	publish:artifactory:cargo replaces hardcoded crate names with a configuration-driven pipeline: sets Artifactory token with Bearer prefix, introduces NEMO_FLOW_ARTIFACTORY_CRATE_DIRS environment variable, runs Python to inject registry = "artifactory" into each crate's Cargo.toml, extracts package names from modified manifests, and publishes each crate to the artifactory registry.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format with 'ci' type and concise imperative summary, is 42 characters (under 72), uses lowercase, contains no trailing period, and accurately describes the CI/publishing fix.
Description check	✅ Passed	The description includes all required sections (Overview with checkboxes, Details, Where to start, Related Issues) and provides comprehensive information about the changes and their purpose.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.gitlab-ci.yml:
- Around line 278-283: The current rewrite loop silently skips when the exact
substring path = "crates/<dir>" isn't found; update the logic that iterates
NEMO_FLOW_ARTIFACTORY_CRATE_DIRS to fail fast if an expected substitution wasn't
applied: for each crate_dir build before and after as now, attempt the replace,
then verify that the final text contains after (or at least that the original
before was present and replaced); if verification fails, log a clear error and
terminate with a non-zero exit (e.g., raise SystemExit or call sys.exit(1))
before calling manifest.write_text so the CI job aborts instead of silently
proceeding. Ensure you reference the same variables (crate_dir, before, after,
text, manifest.write_text) so the check is added in the correct place.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 187ece01-2751-4ace-8c36-4a7cb7c0edf1

📥 Commits

Reviewing files that changed from the base of the PR and between 5ac7df3 and cdaf0d1.

📒 Files selected for processing (1)

• .gitlab-ci.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Check / Run

🧰 Additional context used

📓 Path-based instructions (2)

{.github/workflows/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Ensure CI workflow references match local package names and installation methods

Files:

• .gitlab-ci.yml

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

• .gitlab-ci.yml

🧠 Learnings (2)

📚 Learning: 2026-04-15T18:16:52.951Z

Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

• .gitlab-ci.yml

📚 Learning: 2026-05-01T13:41:07.485Z

Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

• .gitlab-ci.yml

[willkill07]

/merge