
ci: Remove environments #2423

Merged
ko3n1g merged 6 commits into main from ko3n1g/ci/remove-environments
Feb 20, 2026
@ko3n1g ko3n1g commented Feb 18, 2026

What does this PR do ?

This simplifies secrets management and avoids polluting the PR history with deployment updates.

Changelog

  • Add specific line by line info of high level changes in this PR.

GitHub Actions CI

See the CI section in the Contributing doc for how to trigger the CI. An Nvidia developer will need to approve and trigger the CI for external contributors.

Before your PR is "Ready for review"

Pre checks:

  • Make sure you read and followed Contributor guidelines
  • Did you write any new necessary tests?
  • Did you add or update any necessary documentation?
  • Does the PR affect components that are optional to install? (Ex: Numba, Pynini, Apex etc)
    • Reviewer: Does the PR have correct import guards for all optional libraries?

If you haven't finished some of the above items you can still open "Draft" PR.

Additional Information

  • Related to # (issue)

Summary by CodeRabbit

  • Chores
    • Enhanced PyPI package publishing security by transitioning to token-based authentication with intelligent branch detection—production and release branches use dedicated secure tokens while other branches use testing tokens.
    • Simplified continuous integration and deployment workflows by removing explicit environment specifications from multiple job configurations.
    • Applied minor formatting improvements to GitHub Actions workflow definitions for consistency.

Signed-off-by: oliver könig <okoenig@nvidia.com>
@ko3n1g ko3n1g requested a review from a team as a code owner February 18, 2026 00:53
coderabbitai bot commented Feb 18, 2026

Walkthrough

Multiple GitHub Actions workflows are updated to remove explicit environment bindings (nemo-ci and main) across jobs. Additionally, PyPI authentication in publishing workflows switches from username-secret to token-based credentials, with conditional branch-aware token selection.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Environment Bindings Removal | .github/workflows/_update_dependencies.yml, .github/workflows/cache-hf-model.yml, .github/workflows/cicd-approve-test-queue.yml, .github/workflows/cicd-main.yml, .github/workflows/dependabot.yml, .github/workflows/install-test.yml, .github/workflows/release-freeze.yml | Removed environment: declarations (nemo-ci or main) from multiple job definitions, eliminating explicit environment scoping. |
| PyPI Token Authentication Updates | .github/workflows/build-test-publish-wheel.yml, .github/workflows/release.yaml | Updated PyPI credentials from username-secret authentication to token-based authentication. TWINE_USERNAME set to literal __token__, and TWINE_PASSWORD conditionally selects between SVC_PYPI_TOKEN (on main/release branches) or SVC_PYPI_TEST_TOKEN (otherwise). |
| Formatting and Indentation Fixes | .github/workflows/cache-hf-model.yml, .github/workflows/cicd-approve-test-queue.yml, .github/workflows/install-test.yml | Corrected indentation alignment in multi-line script blocks and updated quote style (single to double quotes) for consistency. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • ci(fix): Wheel build #2192: Modifies PyPI publishing authentication in build-test-publish-wheel workflow with token-based credentials approach.

Suggested reviewers

  • chtruong814
  • yaoyu-33

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'ci: Remove environments' directly and accurately summarizes the main change: removing environment specifications from multiple GitHub Actions workflows across the codebase. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Test Results For Major Changes | ✅ Passed | Pull request contains only CI/CD infrastructure configuration changes (environment binding removals and PyPI auth updates) confined to .github/workflows/ with no impact on application code logic, APIs, or production behavior. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

Comment @coderabbitai help to get the list of available commands and usage tips.
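
The branch-aware token selection described in the walkthrough above, as an added shell example that is not code from this PR or the project: it picks the secret name from the full Git ref with exact matching, so lookalike refs fall back to the test token. The `release/` branch prefix and both function names are assumptions; `SVC_PYPI_TOKEN` and `SVC_PYPI_TEST_TOKEN` are the secret names from the summary.

```shell
#!/bin/sh
# Added example: choose which PyPI token *name* a publish job should read.
# Only names are handled here, never secret values.

# Assumption: release branches are named release/<something>. The page only
# says "main/release branches" and does not give the actual pattern.
select_pypi_token_name() {
    ref="$1"   # full ref, e.g. refs/heads/main (GITHUB_REF in Actions)

    case "$ref" in
        # Exact match on the full ref: a tag or PR ref that merely ends in
        # "main" must not qualify.
        refs/heads/main)
            echo "SVC_PYPI_TOKEN" ;;
        # Require the "release/" prefix plus at least one more character.
        refs/heads/release/?*)
            echo "SVC_PYPI_TOKEN" ;;
        # Everything else publishes with the test token.
        *)
            echo "SVC_PYPI_TEST_TOKEN" ;;
    esac
}

# Constructed lookalike refs that must never map to the production token.
# Returns non-zero and names the offending ref if one does.
lookalikes_are_safe() {
    for candidate in \
        refs/heads/main-hotfix \
        refs/heads/feature/main \
        refs/tags/main \
        refs/pull/2423/merge \
        refs/heads/release \
        refs/heads/releases/1.0 \
        refs/heads/user/release/1.0
    do
        if [ "$(select_pypi_token_name "$candidate")" != "SVC_PYPI_TEST_TOKEN" ]; then
            echo "production token selected for $candidate" >&2
            return 1
        fi
    done
    return 0
}
```

With the environment bindings removed, this ref check is the only thing separating the two tokens, so the lookalike list is worth keeping as a regression test whenever the branch pattern changes.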

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/cicd-approve-test-queue.yml (1)

84-135: ⚠️ Potential issue | 🟠 Major

approve-queue becomes a no-op — consider disabling or removing this workflow.

The script's entire value depends on "CICD NeMo" workflow runs entering waiting state, which only occurs when a job has an active environment: binding with a required-reviewer protection rule. Per this PR's broader changes, all environment: declarations are being removed from cicd-main.yml. With no environment gates left, pending_workflows (line 99–100) will always be an empty list and the approval loop (lines 108–133) will never execute. The workflow will continue burning CI minutes (scheduled every 5 minutes) with zero effect.

Consider either disabling the schedule trigger or deleting the workflow entirely as part of this cleanup.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cicd-approve-test-queue.yml around lines 84 - 135, The
approve-queue workflow is now a no-op because pending_workflows (the list
filtered from make_request("actions/runs?status=waiting") for runs named "CICD
NeMo") will always be empty after removing environment gates; remove wasted CI
runs by either deleting this workflow file entirely or disabling its schedule
trigger (remove the cron entry or stop the scheduled dispatch), and if you
prefer a safer short-term change add an early guard that exits immediately when
no waiting runs are found (check pending_workflows before the approval loop and
exit 0) so MAX_CONCURRENCY and the approval loop never run unnecessarily.

@ko3n1g ko3n1g marked this pull request as draft February 18, 2026 10:27
copy-pr-bot bot commented Feb 18, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@ko3n1g ko3n1g marked this pull request as ready for review February 19, 2026 21:01
Signed-off-by: oliver könig <okoenig@nvidia.com>
Signed-off-by: oliver könig <okoenig@nvidia.com>
@coderabbitai coderabbitai bot mentioned this pull request Feb 26, 2026
5 tasks