Skip to content

[feat] Support Python 3.13 and Torch 2.12 dependency installs#344

Merged
QG-phy merged 1 commit into
deepmodeling:mainfrom
QG-phy:codex/dependency-compat-install
Jun 24, 2026
Merged

[feat] Support Python 3.13 and Torch 2.12 dependency installs#344
QG-phy merged 1 commit into
deepmodeling:mainfrom
QG-phy:codex/dependency-compat-install

Conversation

@QG-phy

@QG-phy QG-phy commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR updates DeePTB's tested dependency support and installation path around the Python / PyTorch / PyG stack.

Key changes:

  • Support Python 3.10-3.13 in pyproject.toml and the tested installer; Python 3.14 remains out of scope because TorchScript needs a separate migration.
  • Broaden developer Torch compatibility to torch>=2.5.1,<=2.12.1 and update the tested CPU path to Torch 2.12.1 with matching PyG / torch-scatter binary wheels.
  • Add a conservative install.sh path that selects tested CPU/GPU backend combinations and refuses unsupported or source-build fallback paths.
  • Preserve the current RTX 5090 path as Python 3.12/3.13 + torch 2.10.0+cu128 + torch-scatter 2.1.2+pt210cu128; torch 2.12.x+cu130 is documented as requiring a newer driver.
  • Add compatibility matrix tooling and maintenance docs for future Python / Torch / PyG upgrade testing.
  • Update README and quick-start installation docs to recommend install.sh for new machines and keep uv sync as the developer-managed path.
  • Add a manual-only GPU compatibility workflow for shared self-hosted GPU runners; it is not triggered by PRs by default.
  • Gate native MKL FEAST tests behind DPTB_TEST_MKL_FEAST=1 because the FEAST native solver issue is separate from dependency compatibility.

Validation

Local / remote compatibility checks:

  • uv lock --dry-run
  • python tools/compat/test_matrix.py --job py312-torch2121-cpu --job py313-torch2121-cpu-modern-cdeps --no-tests --results-dir tools/compat/results_depcheck
  • python tools/compat/test_matrix.py --job py313-torch2121-cpu-modern-cdeps --skip-install --results-dir tools/compat/results_depcheck --test-command python -m pytest dptb/tests -m "not slow" -q
  • RTX 5090 remote checks for gpu-py312-torch210-cu128 and gpu-py313-torch210-cu128-modern-cdeps

Final CPU not slow result:

  • 445 passed, 30 skipped, 34 deselected, 249 warnings in 109.67s

Final RTX 5090 GPU not slow results:

  • gpu-py312-torch210-cu128: 444 passed, 31 skipped, 34 deselected
  • gpu-py313-torch210-cu128-modern-cdeps: 444 passed, 31 skipped, 34 deselected

CI status at the time of this update:

  • docs and hygiene checks passed
  • CPU unit test workflow is running after the latest documentation/workflow update

@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown

This advisory review plan was generated from changed file names using trusted base-branch code.
此审查计划由受信任的 base 分支代码根据变更文件名生成,仅作为维护者辅助。

DeePTB PR Review Plan / DeePTB PR 审查计划

Risk / 风险等级: Medium (中) · Changed files / 变更文件: 15

Why / 风险来源

  • GitHub Actions and CI changed. / GitHub Actions 与 CI 有变更。
  • Tests changed. / 测试 有变更。
  • Documentation changed. / 文档有变更。
  • Some files are unclassified by current risk_map.md. / 部分文件尚未被当前风险地图覆盖。

Recommended Review / 建议审查重点

  • Run the Maintainer Review Prompt. / 运行维护者审查 prompt。
  • Run the Test Gap Review Prompt. / 运行测试缺口审查 prompt。
  • Confirm the changed behavior matches the PR scope. / 确认变更行为和 PR 范围一致。
Detailed risk areas
  • GitHub Actions and CI (Medium): .github/workflows/gpu_compat.yml, .github/workflows/unit_test.yml
  • Tests (Medium): dptb/tests/test_energy_feast.py, dptb/tests/test_export.py, dptb/tests/test_feast_wrapper.py, dptb/tests/test_pardisoeig.py
  • Documentation (Low): README.md, docs/maintenance/dependency_compatibility.md, docs/maintenance/dependency_upgrade_test_plan.md, docs/quick_start/easy_install.md
  • Packaging metadata (Low): pyproject.toml
  • Maintenance governance (Low): docs/maintenance/dependency_compatibility.md, docs/maintenance/dependency_upgrade_test_plan.md
  • Unclassified by current risk_map.md: install.sh, tools/compat/matrix.json, tools/compat/test_matrix.py, ut.sh
Human review focus
  • GitHub Actions and CI: trigger scope, required checks, dependency installation, and runtime noise
  • Tests: marker choice, regression coverage, skipped environments, and assertions
  • Documentation: stale commands, stale paths, config consistency, and Sphinx warnings
  • Packaging metadata: dependency compatibility and install behavior
  • Maintenance governance: review guidance consistency and low-noise maintainer workflow
Local commands and hold conditions

Suggested local commands:

  • python scripts/ci/check_repository_hygiene.py
  • uv run python -m sphinx -b html docs docs/_build/pr-review-plan-html
  • uv run pytest ./dptb/tests -m smoke
  • uv run pytest ./dptb/tests -m regression

Hold conditions:

  • CI failed and the failure is not explained.
  • The PR scope is unclear or mixes unrelated changes.
  • AI review found a plausible correctness issue that was not fixed or explicitly waived.

Advisory only. / 仅作为审查辅助。

@QG-phy QG-phy marked this pull request as ready for review June 24, 2026 17:27
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR rewrites install.sh into a backend-aware installer that pins tested torch/torch-geometric/torch-scatter combinations per CUDA target, adds a tools/compat/ matrix runner that provisions isolated environments and validates binary wheels, updates pyproject.toml Python and dependency ranges, adjusts CI workflows, adds optional-dependency test guards, and documents the new compatibility policy.

Changes

Dependency Compatibility Tooling and Installer Overhaul

Layer / File(s) Summary
Package metadata and CI test entrypoints
pyproject.toml, .github/workflows/unit_test.yml, ut.sh
Updates requires-python to >=3.10,<3.14, revises dependency bounds and find-links index, removes the CI Docker container, and consolidates ut.sh to install via install.sh cpu --extra pythtb --test and invoke pytest from .venv.
install.sh backend selection and validation
install.sh
Full rewrite: CLI argument parsing; Python 3.10–3.13 enforcement; CUDA detection and mapping to cu118cu130 (rejecting cu132); backend-specific pinning of torch, torch-scatter, and torch-geometric; uv venv creation; editable uv pip install with --overrides, --find-links, and --only-binary constraints; and post-install platform-wheel and CUDA-availability verification.
GPU compatibility CI workflow
.github/workflows/gpu_compat.yml
Adds a manual workflow_dispatch workflow that installs the GPU stack via install.sh, runs a CUDA and torch_scatter.scatter_add smoke test, and conditionally runs pytest with a user-provided marker expression on a self-hosted GPU runner.
Compatibility matrix runner
tools/compat/matrix.json, tools/compat/test_matrix.py
Adds a JSON matrix of CPU and GPU jobs (Python 3.10–3.14 × Torch 2.5.1–2.12.1 × cpu/cu128/cu130), and a CLI runner that provisions per-job uv environments, generates overrides.txt, probes installed metadata, validates torch-scatter binary-wheel provenance, runs scatter smoke tests, executes configured pytest commands, and writes per-job JSON reports.
Optional-dependency test guards and fix
dptb/tests/test_energy_feast.py, dptb/tests/test_feast_wrapper.py, dptb/tests/test_pardisoeig.py, dptb/tests/test_export.py
Adds module-level DPTB_TEST_MKL_FEAST=1 environment skips to FEAST tests, an import-time pytest.importorskip("vbcsr") guard in test_pardisoeig.py, and makes the orbital-count assertion in test_export.py fall back from _norb to norb.
Maintenance and user-facing documentation
docs/maintenance/dependency_compatibility.md, docs/maintenance/dependency_upgrade_test_plan.md, README.md, docs/quick_start/easy_install.md
Adds a compatibility guide (Local Matrix Tool, Installation Policy, Binary Wheel Rule, tested support summary) and an upgrade test plan; updates README and quick-start install docs to document the install.sh CPU/GPU flow, revised Python range, and optional extras.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant install.sh
  participant uv
  participant PyG as PyG Wheel Index
  participant Verify as Post-Install Verification

  User->>install.sh: ./install.sh [cpu|auto|gpu|cu128|cu130] [--extra ...] [--test]
  install.sh->>install.sh: Enforce Python 3.10-3.13
  install.sh->>install.sh: Detect CUDA via nvidia-smi, map backend
  install.sh->>install.sh: Pin torch / torch-scatter / torch-geometric versions
  install.sh->>PyG: Compute find-links URL for backend
  install.sh->>uv: Create .venv
  install.sh->>uv: pip install -e with --overrides --only-binary constraints
  uv-->>install.sh: Packages installed
  install.sh->>Verify: Read torch-scatter WHEEL metadata
  Verify-->>install.sh: Platform wheel confirmed (or fail)
  install.sh->>Verify: python -c "torch.cuda.is_available()"
  Verify-->>install.sh: CUDA available (or fail for GPU backend)
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 10.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ⚠️ Warning The description covers summary and validation, but it omits required template sections like Scope, Impact Area, Risk/Compatibility, AI Assistance, and Merge Decision. Fill in every template section, especially Scope, DeePTB Impact Area, Risk And Compatibility, Tests, AI Assistance, and Merge Decision, with specific details.
✅ Passed checks (3 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly matches the main change: expanding dependency installs to support Python 3.13 and Torch 2.12.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
tools/compat/test_matrix.py (1)

246-264: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Local scatter_version shadows the module-level scatter_version() function.

The local variable on Line 246 reuses the name of the function defined at Line 74. It works today because the function isn't called later in run_job, but it's a refactoring hazard. Consider renaming to e.g. scatter_installed_version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/compat/test_matrix.py` around lines 246 - 264, The local variable in
run_job is shadowing the module-level scatter_version() helper, which can create
refactoring hazards and confusion. Rename the local scatter_version binding in
the torch-scatter package probe to a distinct name such as
scatter_installed_version, and update the subsequent
result["torch_scatter_binary_wheel"] assignment to use the new identifier while
leaving the scatter_version() function unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@install.sh`:
- Around line 82-85: The backend selection in select_backend is returning torch
backend values like cu121, cu124, and cu132 that are later passed directly into
uv pip install --torch-backend, but uv only accepts a limited set of backend
names. Update the backend mapping so the CUDA 12.1/12.4/13.2 cases translate to
a uv-supported backend before installation, while preserving the existing
PyG-specific label used by find_links_url; use select_backend and the install
path that builds the uv command to apply the fix.

In `@tools/compat/test_matrix.py`:
- Line 270: The test command selection in main() is treating an explicit empty
list from --test-command '' as if no value was provided, so it falls back to
matrix["default_test_command"]. Update the logic around args.test_command and
matrix["default_test_command"] to distinguish None from an intentionally empty
list, and keep the skip path when --test-command is set to an empty string while
preserving the default only when no override is supplied.

---

Nitpick comments:
In `@tools/compat/test_matrix.py`:
- Around line 246-264: The local variable in run_job is shadowing the
module-level scatter_version() helper, which can create refactoring hazards and
confusion. Rename the local scatter_version binding in the torch-scatter package
probe to a distinct name such as scatter_installed_version, and update the
subsequent result["torch_scatter_binary_wheel"] assignment to use the new
identifier while leaving the scatter_version() function unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bca19d0d-5b14-46d7-a7df-5186e83c08f1

📥 Commits

Reviewing files that changed from the base of the PR and between aa76ea0 and 023526a.

📒 Files selected for processing (9)
  • docs/maintenance/dependency_compatibility.md
  • docs/maintenance/dependency_upgrade_test_plan.md
  • dptb/tests/test_energy_feast.py
  • dptb/tests/test_feast_wrapper.py
  • dptb/tests/test_pardisoeig.py
  • install.sh
  • pyproject.toml
  • tools/compat/matrix.json
  • tools/compat/test_matrix.py

Comment thread install.sh
Comment on lines +82 to +85
elif cuda >= (12, 4):
print("cu124")
elif cuda >= (12, 1):
print("cu121")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What values does uv's uv pip install --torch-backend flag accept in the latest uv release?

💡 Result:

The --torch-backend flag in uv accepts auto as a special value for automatic detection, or specific CUDA/ROCm version strings (e.g., cu130, cu121, cu118) corresponding to the PyTorch index variants [1]. When set to auto, uv queries the system for installed CUDA drivers, AMD GPU versions, or Intel GPU presence and automatically selects the most compatible PyTorch index for packages like torch and torchvision [1]. If no supported GPU is detected, it defaults to the CPU-only index [1]. Alternatively, you can manually specify a target backend to force the use of a specific PyTorch index (e.g., --torch-backend=cu130) [1]. This flag is currently available specifically within the uv pip interface [1]. Functionality can also be controlled using the UV_TORCH_BACKEND environment variable [1].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files install.sh
wc -l install.sh
sed -n '70,230p' install.sh
rg -n "torch-backend|cuda_to_backend|cu121|cu124|cu132|find_links_url" install.sh

Repository: deepmodeling/DeePTB

Length of output: 5616


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files install.sh
wc -l install.sh
sed -n '70,230p' install.sh
rg -n "torch-backend|cuda_to_backend|cu121|cu124|cu132|find_links_url" install.sh

Repository: deepmodeling/DeePTB

Length of output: 5616


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files install.sh
wc -l install.sh
sed -n '70,230p' install.sh
rg -n "torch-backend|cuda_to_backend|cu121|cu124|cu132|find_links_url" install.sh

Repository: deepmodeling/DeePTB

Length of output: 5616


🌐 Web query:

Latest uv docs accepted values for uv pip install --torch-backend cu121 cu124 cu126 cu128 cu130 cpu auto rocm6 xpu

💡 Result:

The uv pip install --torch-backend flag is used to select the appropriate PyTorch index for installation [1][2]. Based on official documentation and community-verified technical resources, the accepted values for this option include [2][3]: - auto: Automatically detects the available hardware (CUDA, AMD/ROCm, or Intel/XPU) and selects the most compatible PyTorch index [1][2]. If no compatible GPU is found, it defaults to the CPU-only index [1][2]. - cpu: Selects the CPU-only PyTorch index [2][3]. - cu118: Selects the PyTorch index for CUDA 11.8 [2]. - cu126: Selects the PyTorch index for CUDA 12.6 [2][3]. - cu128: Selects the PyTorch index for CUDA 12.8 [2]. - cu130: Selects the PyTorch index for CUDA 13.0 [1][2]. - rocm6: Selects the PyTorch index for ROCm 6 [2]. - xpu: Selects the PyTorch index for Intel XPU [2]. Important usage notes: - Availability: The --torch-backend flag is currently only supported in uv pip commands [1][2][3]. It does not work with uv lock, uv sync, or uv run [2]. - Environment Variable: You can also set these values using the UV_TORCH_BACKEND environment variable [1][2]. - Preview Status: This feature is considered to be in preview and may change in future releases [3]. Always consult the official uv documentation for the most current information regarding supported versions [1][3].

Citations:


Use a uv-supported backend name before passing --torch-backend. select_backend can still return cu121, cu124, and cu132, and those values are forwarded directly to uv pip install --torch-backend at line 205. uv only accepts auto, cpu, cu118, cu126, cu128, cu130, rocm6, and xpu, so the 12.1/12.4/13.2 paths will fail. Map those cases to a supported uv backend and keep the separate PyG label for find_links_url.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install.sh` around lines 82 - 85, The backend selection in select_backend is
returning torch backend values like cu121, cu124, and cu132 that are later
passed directly into uv pip install --torch-backend, but uv only accepts a
limited set of backend names. Update the backend mapping so the CUDA
12.1/12.4/13.2 cases translate to a uv-supported backend before installation,
while preserving the existing PyG-specific label used by find_links_url; use
select_backend and the install path that builds the uv command to apply the fix.

Comment thread tools/compat/test_matrix.py Outdated
@QG-phy QG-phy force-pushed the codex/dependency-compat-install branch 2 times, most recently from fe6b0eb to d1990dc Compare June 24, 2026 17:56

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tools/compat/test_matrix.py`:
- Around line 162-178: The smoke probe in smoke_probe_code only uses CPU
tensors, so GPU smoke jobs never validate the CUDA path for torch_scatter.
Update the probe to create tensors on CUDA when a GPU is available (while
preserving a CPU fallback if needed) and run scatter_add on those CUDA tensors
so the probe exercises the CUDA wheel in GPU jobs. Keep the change localized to
smoke_probe_code and its tensor creation/scatter_add call so the same import and
assertion flow still works.
- Around line 241-268: The version probe in test_matrix.py records
torch_backend.cuda_available but never enforces it, so GPU jobs can pass on
CPU-only execution; update the matrix validation flow around
version_probe_code()/parse_probe_json() to assert CUDA is actually available for
+cu* jobs, and fail early before proceeding to the torch-scatter binary wheel
and import-and-scatter-smoke steps when cuda_available is false.
- Around line 211-275: The matrix subprocesses in run_job() are inheriting
DPTB_TEST_MKL_FEAST from the parent environment, which can accidentally
re-enable the native FEAST path. Build an explicit child environment before
invoking run() for the venv/install/version-probe/tests steps, unset
DPTB_TEST_MKL_FEAST by default, and only preserve it when a specific job
configuration explicitly opts in. Keep the change localized around run_job(),
the install_cmd/run calls, and the job/environment setup used for spawned
compatibility jobs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3d57668c-a05d-4e48-b655-273e8ddc9052

📥 Commits

Reviewing files that changed from the base of the PR and between 023526a and fe6b0eb.

📒 Files selected for processing (11)
  • .github/workflows/unit_test.yml
  • docs/maintenance/dependency_compatibility.md
  • docs/maintenance/dependency_upgrade_test_plan.md
  • dptb/tests/test_energy_feast.py
  • dptb/tests/test_feast_wrapper.py
  • dptb/tests/test_pardisoeig.py
  • install.sh
  • pyproject.toml
  • tools/compat/matrix.json
  • tools/compat/test_matrix.py
  • ut.sh
💤 Files with no reviewable changes (1)
  • .github/workflows/unit_test.yml
✅ Files skipped from review due to trivial changes (1)
  • docs/maintenance/dependency_compatibility.md
🚧 Files skipped from review as they are similar to previous changes (6)
  • tools/compat/matrix.json
  • dptb/tests/test_energy_feast.py
  • dptb/tests/test_pardisoeig.py
  • dptb/tests/test_feast_wrapper.py
  • pyproject.toml
  • install.sh

Comment thread tools/compat/test_matrix.py
Comment thread tools/compat/test_matrix.py
Comment thread tools/compat/test_matrix.py Outdated
@QG-phy QG-phy force-pushed the codex/dependency-compat-install branch 2 times, most recently from 98be238 to 0aa11ca Compare June 24, 2026 18:10
@QG-phy QG-phy force-pushed the codex/dependency-compat-install branch from 0aa11ca to 23f10af Compare June 24, 2026 18:30
@QG-phy QG-phy changed the title [codex] Update dependency compatibility install path Support Python 3.13 and Torch 2.12 dependency installs Jun 24, 2026
@QG-phy QG-phy changed the title Support Python 3.13 and Torch 2.12 dependency installs [feat] Update dependency compatibility Python -> 3.13; Torch-> 2.12 Jun 24, 2026
@QG-phy QG-phy changed the title [feat] Update dependency compatibility Python -> 3.13; Torch-> 2.12 [feat] Support Python 3.13 and Torch 2.12 dependency installs Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/gpu_compat.yml (2)

30-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable credential persistence on the self-hosted runner checkout.

On a long-lived self-hosted GPU runner, actions/checkout persists the auth token in .git/config by default, leaving it on disk for later steps/jobs. Since this workflow doesn't push, set persist-credentials: false.

🔒 Proposed fix
       - name: Checkout
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gpu_compat.yml around lines 30 - 33, The Checkout step in
the gpu_compat workflow currently leaves the GitHub token persisted on the
self-hosted runner; update the actions/checkout usage to disable credential
persistence by setting persist-credentials to false. Use the Checkout step in
the workflow as the target for this change so the token is not written to
.git/config for later steps or jobs.

Source: Linters/SAST tools


31-31: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Pin actions/checkout to a commit SHA.

A blanket policy flags the floating @v6 tag. Pin to the full commit hash (optionally with a # v6.x.x comment) for supply-chain integrity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gpu_compat.yml at line 31, The GPU compatibility workflow
is using the floating actions/checkout@v6 reference, which should be pinned for
supply-chain integrity. Update the checkout step in the workflow to use the full
commit SHA for actions/checkout instead of the version tag, and optionally keep
a brief v6.x.x comment for readability.

Source: Linters/SAST tools

tools/compat/test_matrix.py (1)

187-193: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

parse_probe_json brace-scanning is fragile if surrounding output contains braces.

run() merges stderr into stdout, so warnings printed before/after the JSON block (e.g. Torch/PyG deprecation messages) can contain {/}. find("{")/rfind("}") would then span past the real JSON object and fail to parse. A delimited sentinel around the JSON payload in version_probe_code() would make extraction deterministic.

♻️ Sentinel-based extraction

In version_probe_code():

-print(json.dumps(result, indent=2, sort_keys=True))
+print("<<<PROBE_JSON>>>")
+print(json.dumps(result, indent=2, sort_keys=True))
+print("<<<END_PROBE_JSON>>>")

In parse_probe_json:

-    start = output.find("{")
-    end = output.rfind("}")
-    if start == -1 or end == -1 or end < start:
-        raise ValueError("probe output did not contain a JSON object")
-    return json.loads(output[start : end + 1])
+    marker_start = output.find("<<<PROBE_JSON>>>")
+    marker_end = output.find("<<<END_PROBE_JSON>>>")
+    if marker_start == -1 or marker_end == -1:
+        raise ValueError("probe output did not contain a JSON object")
+    payload = output[marker_start + len("<<<PROBE_JSON>>>") : marker_end]
+    return json.loads(payload)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/compat/test_matrix.py` around lines 187 - 193, `parse_probe_json`
currently scans for the first and last brace, which can break when `run()`
merges warning output that also contains braces. Update `version_probe_code()`
to wrap the JSON payload with unique sentinel markers, then change
`parse_probe_json` to extract only the text between those markers before calling
`json.loads`. Use the existing `version_probe_code()` and `parse_probe_json`
symbols to keep the extraction deterministic even when stderr warnings are
present.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/gpu_compat.yml:
- Around line 67-70: The Run pytest step in the workflow is vulnerable to
shell/template injection because `pytest_mark` is interpolated directly into the
`run` command. Update the `Run pytest` step to pass `inputs.pytest_mark` through
an environment variable and reference that variable inside the shell command
instead of using direct workflow expression expansion. Keep the fix localized to
the `Run pytest` job step in `gpu_compat.yml`, preserving the existing
`inputs.run_pytest` condition while ensuring the marker value is treated as
plain data.

---

Nitpick comments:
In @.github/workflows/gpu_compat.yml:
- Around line 30-33: The Checkout step in the gpu_compat workflow currently
leaves the GitHub token persisted on the self-hosted runner; update the
actions/checkout usage to disable credential persistence by setting
persist-credentials to false. Use the Checkout step in the workflow as the
target for this change so the token is not written to .git/config for later
steps or jobs.
- Line 31: The GPU compatibility workflow is using the floating
actions/checkout@v6 reference, which should be pinned for supply-chain
integrity. Update the checkout step in the workflow to use the full commit SHA
for actions/checkout instead of the version tag, and optionally keep a brief
v6.x.x comment for readability.

In `@tools/compat/test_matrix.py`:
- Around line 187-193: `parse_probe_json` currently scans for the first and last
brace, which can break when `run()` merges warning output that also contains
braces. Update `version_probe_code()` to wrap the JSON payload with unique
sentinel markers, then change `parse_probe_json` to extract only the text
between those markers before calling `json.loads`. Use the existing
`version_probe_code()` and `parse_probe_json` symbols to keep the extraction
deterministic even when stderr warnings are present.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8c6c4550-78f8-4b31-939e-9c2686061fb9

📥 Commits

Reviewing files that changed from the base of the PR and between fe6b0eb and 23f10af.

📒 Files selected for processing (15)
  • .github/workflows/gpu_compat.yml
  • .github/workflows/unit_test.yml
  • README.md
  • docs/maintenance/dependency_compatibility.md
  • docs/maintenance/dependency_upgrade_test_plan.md
  • docs/quick_start/easy_install.md
  • dptb/tests/test_energy_feast.py
  • dptb/tests/test_export.py
  • dptb/tests/test_feast_wrapper.py
  • dptb/tests/test_pardisoeig.py
  • install.sh
  • pyproject.toml
  • tools/compat/matrix.json
  • tools/compat/test_matrix.py
  • ut.sh
💤 Files with no reviewable changes (1)
  • .github/workflows/unit_test.yml
✅ Files skipped from review due to trivial changes (2)
  • dptb/tests/test_pardisoeig.py
  • README.md
🚧 Files skipped from review as they are similar to previous changes (7)
  • ut.sh
  • dptb/tests/test_feast_wrapper.py
  • dptb/tests/test_energy_feast.py
  • tools/compat/matrix.json
  • docs/maintenance/dependency_compatibility.md
  • install.sh
  • pyproject.toml

Comment on lines +67 to +70
- name: Run pytest
if: inputs.run_pytest
run: |
.venv/bin/python -m pytest dptb/tests -m "${{ inputs.pytest_mark }}" -q

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Template injection: pass pytest_mark through an env var, not direct interpolation.

pytest_mark is a free-text workflow_dispatch input expanded directly into the run: shell, so a malicious marker value can break out of the pytest argument and execute arbitrary commands on the self-hosted GPU runner. Unlike backend (a choice constrained to cu128/cu130), this value is unconstrained. Bind it to an environment variable and reference it as a shell variable so it is never evaluated as workflow expression code.

🔒 Proposed fix
       - name: Run pytest
         if: inputs.run_pytest
+        env:
+          PYTEST_MARK: ${{ inputs.pytest_mark }}
         run: |
-          .venv/bin/python -m pytest dptb/tests -m "${{ inputs.pytest_mark }}" -q
+          .venv/bin/python -m pytest dptb/tests -m "$PYTEST_MARK" -q
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Run pytest
if: inputs.run_pytest
run: |
.venv/bin/python -m pytest dptb/tests -m "${{ inputs.pytest_mark }}" -q
- name: Run pytest
if: inputs.run_pytest
env:
PYTEST_MARK: ${{ inputs.pytest_mark }}
run: |
.venv/bin/python -m pytest dptb/tests -m "$PYTEST_MARK" -q
🧰 Tools
🪛 zizmor (1.26.1)

[error] 70-70: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gpu_compat.yml around lines 67 - 70, The Run pytest step
in the workflow is vulnerable to shell/template injection because `pytest_mark`
is interpolated directly into the `run` command. Update the `Run pytest` step to
pass `inputs.pytest_mark` through an environment variable and reference that
variable inside the shell command instead of using direct workflow expression
expansion. Keep the fix localized to the `Run pytest` job step in
`gpu_compat.yml`, preserving the existing `inputs.run_pytest` condition while
ensuring the marker value is treated as plain data.

Source: Linters/SAST tools

@QG-phy QG-phy merged commit 47f77d3 into deepmodeling:main Jun 24, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant