Merge branch 'main' into xpu-skill

Author: sayakpaul

.github/pull_request_template.md

@@ -5,8 +5,11 @@
 > avoids wasted effort on changes we may not be able to merge. Please only create
 > a PR once one of the project maintainers agrees on your outlined approach.
 >
-> PRs of contributors who are not vouched for are automatically closed. You can
-> become a vouched contributor by discussing a change first as outlined above.
+> PRs of contributors who are not vouched for are automatically closed. Regular
+> contributors are added to the vouch list.
+>
+> For, LLM-generated changes, we prefer that you write your prompt in an issue
+> over a PR with LLM-generated changes.
 
 ## Related issue
 
@@ -39,3 +42,7 @@ Closes #
 - [ ] This PR is linked to an issue that was discussed and approved
 - [ ] I have tested these changes locally
 - [ ] New/changed functionality has test coverage
+- LLM disclosure:
+  - [ ] I did not use an LLM to create this PR.
+  - [ ] I used and LLM for assistance while creating this PR.
+  - [ ] This PR was mostly or completely generated by an LLM.

.github/workflows/build_kernel.yaml

@@ -50,6 +50,7 @@ jobs:
           name: built-kernels-${{ matrix.arch }}
           path: |
             activation-kernel
+            cpp20-symbols-kernel
             cutlass-gemm-kernel
             cutlass-gemm-tvm-ffi-kernel
             extra-data
@@ -60,8 +61,11 @@ jobs:
             silu-and-mul-kernel
 
   test:
-    name: Test kernels
+    name: Test kernels (UBI ${{ matrix.ubi_version }})
     needs: build
+    strategy:
+      matrix:
+        ubi_version: [8, 9]
     runs-on:
       group: aws-g6-12xlarge-plus
     steps:
@@ -76,9 +80,10 @@ jobs:
       - name: Build Docker image
         run: |
           docker build \
-            -t kernel-builder:latest \
+            -t kernel-builder:ubi${{ matrix.ubi_version }} \
+            --build-arg UBI_VERSION=${{ matrix.ubi_version }} \
             -f nix-builder/tests/Dockerfile.test-kernel .
 
       - name: Run Tests
         run: |
-          docker run --gpus all kernel-builder:latest
+          docker run --gpus all kernel-builder:ubi${{ matrix.ubi_version }}

.github/workflows/security-audit.yml

@@ -138,12 +138,32 @@ jobs:
           COMMIT_URL: ${{ github.event.head_commit.url }}
           COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
           COMMIT_AUTHOR: ${{ github.event.head_commit.author.username || github.event.head_commit.author.name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+        shell: bash
         run: |
           FINDINGS=$(cat /tmp/audit_result.txt)
           COMMIT_TITLE=$(printf '%s\n' "$COMMIT_MESSAGE" | head -n1)
 
-          printf -v HEADER '*Security Audit Finding*\n*Commit:* <%s|%s>\n*Author:* %s\n\n---\n\n' \
-            "$COMMIT_URL" "$COMMIT_TITLE" "$COMMIT_AUTHOR"
+          # GitHub username -> Slack member ID. Entries here are only tagged
+          # when the GitHub API confirms the user currently has the admin or
+          # maintain role on this repo, so stale entries are inert.
+          declare -A SLACK_IDS=(
+            ["danieldk"]="U072206PXLK"
+            ["drbh"]="U06C9TW7RDY"
+            ["sayakpaul"]="U03AU4E7DJB"
+          )
+
+          MENTION=""
+          if [ -n "${SLACK_IDS[$COMMIT_AUTHOR]:-}" ]; then
+            ROLE=$(gh api "repos/${REPO}/collaborators/${COMMIT_AUTHOR}/permission" --jq '.role_name' 2>/dev/null || true)
+            if [ "$ROLE" = "admin" ] || [ "$ROLE" = "maintain" ]; then
+              MENTION="<@${SLACK_IDS[$COMMIT_AUTHOR]}> "
+            fi
+          fi
+
+          printf -v HEADER '%s*Security Audit Finding*\n*Commit:* <%s|%s>\n*Author:* %s\n\n---\n\n' \
+            "$MENTION" "$COMMIT_URL" "$COMMIT_TITLE" "$COMMIT_AUTHOR"
 
           jq -n \
             --arg text "${HEADER}${FINDINGS}" \

.github/workflows/test_e2e.yaml

@@ -89,6 +89,13 @@ jobs:
           cd /tmp/kernels-upload-test
           sed -i 's|github:huggingface/kernels|path:'"$GITHUB_WORKSPACE"'|' flake.nix
 
+      - name: Make flake a Git repo
+        run: |
+          cd /tmp/kernels-upload-test
+          git config --global user.email "bottie@mcbotface.hf.co"
+          git config --global user.name "Botty McBotface"
+          git init && git add . && git commit -m "e2e test"
+
       - name: Determine latest variant
         id: variant
         run: |

.pre-commit-config.yaml

@@ -0,0 +1,17 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: f23336e5dc4bf11588d7db19f675418cf570971b
+    hooks:
+      - id: no-commit-to-branch
+        args: ["--branch", "main"]
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: b831c3dc5d27d9da294ae4e915773b99aa24a7c5
+    hooks:
+      - id: ruff-check
+        args: [--fix]
+      - id: ruff-format
+  - repo: https://github.com/NixOS/nixfmt
+    rev: ccb94535e519e94b77d6bda76ac1de06e9f11284
+    hooks:
+      - id: nixfmt-nix

docs/source/_toctree.yml

@@ -66,3 +66,7 @@
     - local: builder-cli
       title: Builder CLI Reference
   title: CLI Reference
+- sections:
+    - local: builder/design-nix-builder
+      title: Nix Builder
+  title: Design

docs/source/basic-usage.md

@@ -28,8 +28,7 @@ get the latest kernel build from the `v1` branch.
 Kernels within a version branch must never break the API or remove builds
 for older PyTorch versions. This ensures that your code will continue to work.
 
-Some kernels have not yet been updated to use versioning yet. In these cases,
-you can use `get_kernel` without the `version` argument.
+Hub kernels must be loaded with either a `version` or an explicit `revision`.
 
 ## Checking Kernel Availability
 

docs/source/builder/design-nix-builder.md

@@ -0,0 +1,115 @@
+# Nix Builder design
+
+## Introduction
+
+kernel-builder uses a Nix-based builder that orchestrates the build. The Nix
+builder provides:
+
+- Reproducible evaluation. The same Nix builder version will always produce
+  the same derivations (build recipes).
+- Largely reproducible builds by using a build sandbox that only has the
+  dependencies specified in a derivation.
+- Seamless creation of different build environments (e.g. different Torch
+  and CUDA combinations).
+
+## Kernel build steps
+
+A kernel derivation builds a kernel in the following steps:
+
+1. Generate CMake files for the kernel using
+   `kernel-builder create-pyproject`.
+2. Generate Ninja build files using CMake.
+3. Build the kernel using Ninja.
+4. Perform various checks on the compiled kernel, such as:
+   - Verify that the kernel only uses ABI3/`manylinux_2_28` symbols.
+   - Verify that the kernel can be loaded by the `kernels` Python package.
+5. Strip runpaths (ELF-embedded library directories) from kernel binaries
+   to make the kernel distribution-independent.
+
+## manylinux_2_28 compatibility
+
+To achieve `manylinux_2_28` compatibility, kernels are built using a
+toolchain similar to the `manylinux_2_28` Docker images. This toolchain
+is based on the gcc toolsets from AlmaLinux 8. `manylinux_2_28` [uses
+AlmaLinux 8 as its base](https://github.com/pypa/manylinux#manylinux_2_28-almalinux-8-based),
+so we have to compile against the same glibc/libstdc++ versions to
+ensure compatibility.
+
+We repackage the AlmaLinux 8 toolsets and libstdc++ as Nix derivations (see
+the `nix-builder/packages/manylinux_2_28` source directory). Then we merge
+various toolset packages to an unwrapped gcc that resembles unwrapped gcc in
+nixpkgs. Finally, we wrap binutils and gcc to combine them into a stdenv.
+
+The stdenv does not reuse glibc from AlmaLinux, since its dynamic loader has
+hardcoded FHS paths (`/lib64` etc.) that are not valid in Nix. Using this
+dynamic loader results in linking errors, since the paths in the dynamic
+loader are used as a last resort (to link glibc libraries). So, instead we
+build our own glibc 2.28 package
+(see `nix-builder/pkgs/manylinux_2_28/stdenv.nix`) and use that.
+
+## The package set pattern
+
+We repackage various existing package sets as Nix derivations. For instance,
+this is done for ROCm, XPU, and manylinux_2_28 packages. We do this because
+we want these libraries to be as close as what the user would install. This
+avoids compatibility issues between the kernels and the official vendor
+packages. For instance, suppose that we built a ROCm library as a shared
+library and ROCm provides the same library as a static library, then compiled
+kernels could use symbols that cannot be resolved when installing the official
+ROCm packages. Similarly, using the official packages allows us to test
+against the official upstram packages.
+
+These package sets all follow the same pattern:
+
+```nix
+{
+  lib,
+  callPackage,
+  newScope,
+  pkgs,
+}:
+
+{
+  packageMetadata,
+}:
+
+let
+  inherit (lib.fixedPoints) extends composeManyExtensions;
+
+  fixedPoint = final: {
+    inherit lib;
+  };
+  composed = lib.composeManyExtensions [
+    # Base package set.
+    (import ./components.nix { inherit packageMetadata; })
+
+    # Package-specific overrides.
+    (import ./overrides.nix)
+
+    # Additional overlays that extend the package set.
+    (import ./some-overlay.nix)
+  ];
+in
+lib.makeScope newScope (lib.extends composed fixedPoint)
+```
+
+We use a fixed point to build up the package set as a list of
+[overlays](https://nixos.org/manual/nixpkgs/stable/#sec-overlays-definition).
+This has various benefits. For instance, it allows us to refine the
+package set incrementally and we can refer to the final versions of
+packages in intermediate overlays.
+
+The package sets all use a similar list of overlays:
+
+- An initial overlay (`components.nix`) that applies a generic builder
+  to the package set metadata. The metadata typically comes from a Yum/DNF
+  repository that contains RPM packages.The generic builder will extract the
+  RPMs and move binaries, libraries, and headers to the right location. This
+  results in a set of Nix derivations that may or may not build.
+- The next overlay (`overrides.nix`) fixes up derivations generated by the
+  generic builder in the previous overlay that do not build. Fixing the
+  derivations typically consists of adding missing dependencies and changing
+  embedded FHS paths to Nix store paths.
+- Additional overlays with derivations that combine outputs from previous
+  overlays. One typical example are derivations that construct a full compiler
+  toolchain (e.g. `nix-builder/pkgs/manylinux_2_28/gcc-unwrapped.nix`).

docs/source/layers.md

@@ -177,9 +177,8 @@ will get the latest kernel build from the `v1` branch. Kernel layers
 within a version branch must never break the API or remove builds for
 older PyTorch versions. This ensures that your code will continue to
 work.
-
-Some kernels have not yet been updated to use versioning yet. In these cases,
-you can use `LayerRepository` without the `version` argument.
+Hub-backed `LayerRepository` and `FuncRepository` entries must specify
+either a `version` or an explicit `revision`.
 
 You can register a mapping, like the one above, using `register_kernel_mapping`:
 
@@ -210,6 +209,7 @@ kernel_layer_mapping = {
         "cuda": FuncRepository(
             repo_id="kernels-community/activation",
             func_name="silu_and_mul",
+            version=1,
         ),
     }
 }

docs/source/migration.md

@@ -6,8 +6,8 @@
 
 Before `kernels` 0.12, kernels could be pulled from a repository
 without specifying a version. This is deprecated in kernels 0.12
-and will become an error in kernels 0.14. Instead, use of a kernel
-should always specify a version (except for local kernels).
+and is an error in kernels 0.15. Instead, use of a kernel should
+always specify a version or revision (except for local kernels).
 
 Kernels only use a major version. The kernel maintainer is responsible
 for never breaking a kernel within a major version and should bump up