Skip to content

Bump transformers from 4.57.6 to 5.3.0 #3302

Bump transformers from 4.57.6 to 5.3.0

Bump transformers from 4.57.6 to 5.3.0 #3302

# only has to pass for python 3.10
name: Static code checks
on:
push:
branches:
main
pull_request:
branches:
main
jobs:
run-code-check:
runs-on: ubuntu-latest
permissions:
contents: read
actions: write
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Install uv
uses: astral-sh/setup-uv@v8.2.0
with:
version: "0.9.11"
enable-cache: true
- name: Set up Python
uses: actions/setup-python@v6.2.0
with:
python-version-file: ".python-version"
- name: Set up cache
uses: actions/cache@v5
id: cached-uv-dependencies
with:
path: .venv
key: venv-${{ runner.os }}-${{ hashFiles('**/uv.lock') }}
- name: Install dependencies
run: uv sync --group dev --group test --group codestyle
- name: Pre-commit Checks
run: uv run pre-commit run --all-files
- name: pip-audit (gh-action-pip-audit)
uses: pypa/gh-action-pip-audit@v1.1.0
with:
virtual-environment: .venv/
# CVE-2026-26007, CVE-2026-34073 are cryptography vulnerability that requires cryptography>=46.0.5, but
# flwr (flower) requires cryptography<45.0.0, blocking the upgrade.
# CVE-2026-1839 is a vulnerability in HF transformers, but they've messed up their typing in 5+ so we're
# deferring this.
# PYSEC-2025-217 is a transformers vulnerability without a fix yet.
# PYSEC-2026-73 is a keras vulnerability fixed in 3.13, but this requires upgrade the python version, which
# we will defer for now.
ignore-vulns: |
CVE-2026-26007
CVE-2026-34073
CVE-2026-1839
PYSEC-2025-217
PYSEC-2026-73
# Deleting some temporary files and useless folders to free up space
# Deleting /usr/share/dotnet should clear ~4GB of space.
# Deleting /usr/local/lib/android should clear ~12GB of space.
- name: Cleanup space (before cache save)
run: |
df -h /dev/root
sudo rm -rf /usr/share/dotnet /usr/local/lib/android
df -h /dev/root
- name: Minimize uv cache
run: uv cache prune --ci