[Backport] #1606 & #873 (#1750)

* ci: require tag-triggered artifacts for release uploads (#1606)

Backport of #1606 to 12.9.x. Adapted for the 12.9.x branch workflow
structure:

- ci.yml: add tag push triggers (v*, cuda-core-v*, cuda-pathfinder-v*)
  so setuptools-scm resolves exact release versions from tag refs
- release.yml: make run-id optional with auto-detection from tag-triggered
  CI runs via ci/tools/lookup-run-id; add wheel version validation via
  ci/tools/validate-release-wheels before publishing
- Add ci/tools/lookup-run-id: finds the successful tag-triggered CI run
  for a given release tag
- Add ci/tools/validate-release-wheels: rejects dev/local wheel versions
  and enforces version match against the release tag
- release_checklist.yml: add reminder to wait for tag-triggered CI

* ci: sync release-upload.yml with main and add download-wheels script

Sync release-upload.yml to match main by adding run-id and component
inputs and a 'Download and Upload Wheels' step that downloads wheels
via ci/tools/download-wheels, validates them via validate-release-wheels,
and uploads them to the GitHub Release.

Also add the ci/tools/download-wheels helper script (from main) and
wire up release.yml to pass run-id and component to the upload-archive
job.

Fixes #1120: the download-wheels script now exists on the backport
branch, so the release-upload workflow no longer fails with
'No such file or directory'.

* [pre-commit.ci] auto code formatting

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: leofang

.github/ISSUE_TEMPLATE/release_checklist.yml

@@ -26,6 +26,7 @@ body:
         - label: "Finalize the doc update, including release notes (\"Note: Touching docstrings/type annotations in code is OK during code freeze, apply your best judgement!\")"
         - label: Update the docs for the new version
         - label: Create a public release tag
+        - label: Wait for the tag-triggered CI run to complete, and use that run ID for release workflows
         - label: If any code change happens, rebuild the wheels from the new tag
         - label: Update the conda recipe & release conda packages
         - label: Upload conda packages to nvidia channel

.github/workflows/ci.yml

@@ -15,6 +15,12 @@ on:
     branches:
       - "pull-request/[0-9]+"
       - "12.9.x"
+    tags:
+      # Build release artifacts from tag refs so setuptools-scm resolves exact
+      # release versions instead of .dev+local variants.
+      - "v*"
+      - "cuda-core-v*"
+      - "cuda-pathfinder-v*"
 
 jobs:
   ci-vars:

.github/workflows/release-upload.yml

@@ -10,6 +10,14 @@ on:
       git-tag:
         type: string
         required: true
+      run-id:
+        description: "The GHA run ID that generated validated artifacts"
+        type: string
+        required: true
+      component:
+        description: "Component to download wheels for"
+        type: string
+        required: true
 
 concurrency:
   # Concurrency group that uses the workflow name and PR number if available
@@ -63,3 +71,19 @@ jobs:
           --clobber "${{ inputs.git-tag }}"
           --repo "${{ github.repository }}"
           release/*
+
+      - name: Download and Upload Wheels
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Use the shared script to download wheels
+          ./ci/tools/download-wheels "${{ inputs.run-id }}" "${{ inputs.component }}" "${{ github.repository }}" "release/wheels"
+
+          # Validate that release wheels match the expected version from tag.
+          ./ci/tools/validate-release-wheels "${{ inputs.git-tag }}" "${{ inputs.component }}" "release/wheels"
+
+          # Upload wheels to the release
+          if [[ -d "release/wheels" && $(ls -A release/wheels 2>/dev/null | wc -l) -gt 0 ]]; then
+            echo "Uploading wheels to release ${{ inputs.git-tag }}"
+            gh release upload --clobber "${{ inputs.git-tag }}" --repo "${{ github.repository }}" release/wheels/*
+          fi

.github/workflows/release.yml

@@ -24,9 +24,10 @@ on:
         required: true
         type: string
       run-id:
-        description: "The GHA run ID that generated validated artifacts"
-        required: true
+        description: "The GHA run ID that generated validated artifacts (optional - auto-detects successful tag-triggered CI run for git-tag)"
+        required: false
         type: string
+        default: ""
       build-ctk-ver:
         type: string
         required: true
@@ -43,6 +44,31 @@ defaults:
     shell: bash --noprofile --norc -xeuo pipefail {0}
 
 jobs:
+  determine-run-id:
+    runs-on: ubuntu-latest
+    outputs:
+      run-id: ${{ steps.lookup-run-id.outputs.run-id }}
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Determine Run ID
+        id: lookup-run-id
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if [[ -n "${{ inputs.run-id }}" ]]; then
+            echo "Using provided run ID: ${{ inputs.run-id }}"
+            echo "run-id=${{ inputs.run-id }}" >> $GITHUB_OUTPUT
+          else
+            echo "Auto-detecting successful tag-triggered run ID for tag: ${{ inputs.git-tag }}"
+            RUN_ID=$(./ci/tools/lookup-run-id "${{ inputs.git-tag }}" "${{ github.repository }}")
+            echo "Auto-detected run ID: $RUN_ID"
+            echo "run-id=$RUN_ID" >> $GITHUB_OUTPUT
+          fi
+
   check-tag:
     runs-on: ubuntu-latest
     steps:
@@ -86,13 +112,14 @@ jobs:
       pull-requests: write
     needs:
       - check-tag
+      - determine-run-id
     secrets: inherit
     uses: ./.github/workflows/build-docs.yml
     with:
       build-ctk-ver: ${{ inputs.build-ctk-ver }}
       component: ${{ inputs.component }}
       git-tag: ${{ inputs.git-tag }}
-      run-id: ${{ inputs.run-id }}
+      run-id: ${{ needs.determine-run-id.outputs.run-id }}
       is-release: true
 
   upload-archive:
@@ -101,27 +128,34 @@ jobs:
       contents: write
     needs:
       - check-tag
+      - determine-run-id
     secrets: inherit
     uses: ./.github/workflows/release-upload.yml
     with:
       git-tag: ${{ inputs.git-tag }}
+      run-id: ${{ needs.determine-run-id.outputs.run-id }}
+      component: ${{ inputs.component }}
 
   publish-wheels:
     name: Publish wheels
     runs-on: ubuntu-latest
     needs:
       - check-tag
+      - determine-run-id
     environment:
       name: ${{ inputs.wheel-dst }}
       url: https://${{ (inputs.wheel-dst == 'testpypi' && 'test.') || '' }}pypi.org/p/${{ inputs.component }}/
     permissions:
       id-token: write
     steps:
+      - name: Checkout Source
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
       - name: Download component wheels
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh run download ${{ inputs.run-id }} -p "${{ inputs.component }}*" -R ${{ github.repository }}
+          gh run download ${{ needs.determine-run-id.outputs.run-id }} -p "${{ inputs.component }}*" -R ${{ github.repository }}
           mkdir dist
           for p in ${{ inputs.component }}*
           do
@@ -133,6 +167,10 @@ jobs:
           done
           rm -rf ${{ inputs.component }}*
 
+      - name: Validate wheel versions for release tag
+        run: |
+          ./ci/tools/validate-release-wheels "${{ inputs.git-tag }}" "${{ inputs.component }}" "dist"
+
       - name: Publish package distributions to PyPI
         if: ${{ inputs.wheel-dst == 'pypi' }}
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0

ci/tools/download-wheels

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# A utility script to download component wheels from GitHub Actions artifacts.
+# This script reuses the same logic that was in release.yml to maintain consistency.
+
+set -euo pipefail
+
+# Check required arguments
+if [[ $# -lt 3 ]]; then
+    echo "Usage: $0 <run-id> <component> <repository> [output-dir]" >&2
+    echo "  run-id: The GitHub Actions run ID containing the artifacts" >&2
+    echo "  component: The component name pattern to download (e.g., cuda-core, cuda-bindings)" >&2
+    echo "  repository: The GitHub repository (e.g., NVIDIA/cuda-python)" >&2
+    echo "  output-dir: Optional output directory (default: ./dist)" >&2
+    exit 1
+fi
+
+RUN_ID="$1"
+COMPONENT="$2"
+REPOSITORY="$3"
+OUTPUT_DIR="${4:-./dist}"
+
+# Ensure we have a GitHub token
+if [[ -z "${GH_TOKEN:-}" ]]; then
+    echo "Error: GH_TOKEN environment variable is required"
+    exit 1
+fi
+
+echo "Downloading wheels for component: $COMPONENT from run: $RUN_ID"
+
+# Download component wheels using the same logic as release.yml
+if [[ "$COMPONENT" == "all" ]]; then
+    # Download all component patterns
+    gh run download "$RUN_ID" -p "cuda-*" -R "$REPOSITORY"
+else
+    gh run download "$RUN_ID" -p "${COMPONENT}*" -R "$REPOSITORY"
+fi
+
+# Create output directory
+mkdir -p "$OUTPUT_DIR"
+
+# Process downloaded artifacts
+for p in cuda-*
+do
+    if [[ ! -d "$p" ]]; then
+        continue
+    fi
+
+    # exclude cython test artifacts
+    if [[ "${p}" == *-tests ]]; then
+        echo "Skipping test artifact: $p"
+        continue
+    fi
+
+    # If we're not downloading "all", only process matching component
+    if [[ "$COMPONENT" != "all" && "$p" != ${COMPONENT}* ]]; then
+        continue
+    fi
+
+    echo "Processing artifact: $p"
+    # Move wheel files to output directory
+    if [[ -d "$p" ]]; then
+        find "$p" -name "*.whl" -exec mv {} "$OUTPUT_DIR/" \;
+    fi
+done
+
+# Clean up artifact directories
+rm -rf cuda-*
+
+echo "Downloaded wheels to: $OUTPUT_DIR"
+ls -la "$OUTPUT_DIR"

ci/tools/lookup-run-id

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# A utility script to find the GitHub Actions workflow run ID for a given git tag.
+# This script requires a successful CI run that was triggered by the tag push.
+
+set -euo pipefail
+
+# Check required arguments
+if [[ $# -lt 2 ]]; then
+    echo "Usage: $0 <git-tag> <repository> [workflow-name]" >&2
+    echo "  git-tag: The git tag to find the corresponding workflow run for" >&2
+    echo "  repository: The GitHub repository (e.g., NVIDIA/cuda-python)" >&2
+    echo "  workflow-name: Optional workflow name to filter by (default: CI)" >&2
+    echo "" >&2
+    echo "Examples:" >&2
+    echo "  $0 v13.0.1 NVIDIA/cuda-python" >&2
+    echo "  $0 v13.0.1 NVIDIA/cuda-python \"CI\"" >&2
+    exit 1
+fi
+
+GIT_TAG="${1}"
+REPOSITORY="${2}"
+WORKFLOW_NAME="${3:-CI}"
+
+# Ensure we have required tools
+if [[ -z "${GH_TOKEN:-}" ]]; then
+    echo "Error: GH_TOKEN environment variable is required" >&2
+    exit 1
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+    echo "Error: jq is required but not installed" >&2
+    exit 1
+fi
+
+if ! command -v gh >/dev/null 2>&1; then
+    echo "Error: GitHub CLI (gh) is required but not installed" >&2
+    exit 1
+fi
+
+echo "Looking up run ID for tag: ${GIT_TAG} in repository: ${REPOSITORY}" >&2
+
+# Resolve git tag to commit SHA
+if ! COMMIT_SHA=$(git rev-parse "${GIT_TAG}"); then
+    echo "Error: Could not resolve git tag '${GIT_TAG}' to a commit SHA" >&2
+    echo "Make sure the tag exists and you have fetched it" >&2
+    exit 1
+fi
+
+echo "Resolved tag '${GIT_TAG}' to commit: ${COMMIT_SHA}" >&2
+
+# Find workflow runs for this commit
+echo "Searching for '${WORKFLOW_NAME}' workflow runs for commit: ${COMMIT_SHA} (tag: ${GIT_TAG})" >&2
+
+# Get completed workflow runs for this commit.
+RUN_DATA=$(gh run list \
+    --repo "${REPOSITORY}" \
+    --commit "${COMMIT_SHA}" \
+    --workflow "${WORKFLOW_NAME}" \
+    --status completed \
+    --json databaseId,workflowName,status,conclusion,headSha,headBranch,event,createdAt,url \
+    --limit 50)
+
+if [[ -z "${RUN_DATA}" || "${RUN_DATA}" == "[]" ]]; then
+    echo "Error: No completed '${WORKFLOW_NAME}' workflow runs found for commit ${COMMIT_SHA}" >&2
+    echo "Available workflow runs for this commit:" >&2
+    gh run list --repo "${REPOSITORY}" --commit "${COMMIT_SHA}" --limit 10 || true
+    exit 1
+fi
+
+# Filter for successful push runs from the tag ref.
+RUN_ID=$(echo "${RUN_DATA}" | jq -r --arg tag "${GIT_TAG}" '
+    map(select(.conclusion == "success" and .event == "push" and .headBranch == $tag))
+    | sort_by(.createdAt)
+    | reverse
+    | .[0].databaseId // empty
+')
+
+if [[ -z "${RUN_ID}" ]]; then
+    echo "Error: No successful '${WORKFLOW_NAME}' workflow runs found for tag '${GIT_TAG}'." >&2
+    echo "This release workflow now requires artifacts from a tag-triggered CI run." >&2
+    echo "If you just pushed the tag, wait for CI on that tag to finish and retry." >&2
+    echo "" >&2
+    echo "Completed runs for commit ${COMMIT_SHA}:" >&2
+    echo "${RUN_DATA}" | jq -r '.[] | "\(.databaseId): event=\(.event // "null"), headBranch=\(.headBranch // "null"), conclusion=\(.conclusion // "null"), status=\(.status // "null"), createdAt=\(.createdAt // "null")"' >&2
+    exit 1
+fi
+
+echo "Found workflow run ID: ${RUN_ID} for tag '${GIT_TAG}'" >&2
+
+# Verify the run has the expected artifacts by checking if there are any artifacts
+echo "Verifying artifacts exist for run ${RUN_ID}..." >&2
+ARTIFACT_LIST=$(gh run view "${RUN_ID}" --repo "${REPOSITORY}" --json url || echo "")
+
+if [[ -z "${ARTIFACT_LIST}" ]]; then
+    echo "Warning: Could not verify artifacts for workflow run ${RUN_ID}" >&2
+fi
+
+# Output the run ID (this is what gets used by calling scripts)
+echo "${RUN_ID}"