feat(deps): add version discrepancy detection and composite action

- Add composite action for dependency extraction setup to reduce duplication
- Implement version discrepancy detection to identify dependencies pinned at
  different versions across the repo
- Output GitHub Actions warning annotations for CI visibility
- Add normalize_dependency_name() to handle common naming variations
- Add detect_version_discrepancies() to identify version conflicts
- Update workflows to use the new composite action
- Display discrepancy warnings in extraction summary with actionable tips

Addresses nv-tusharma's feedback about using composite actions.
Adds warning system as requested to detect version conflicts that could
cause runtime issues, build failures, or security vulnerabilities.

Related: DYN-1235
Signed-off-by: Dan Gil <[email protected]>

Author: dagil-nvidia

.github/actions/dependency-extraction-setup/action.yml

@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Dependency Extraction Setup'
+description: 'Set up Python environment and install dependencies for dependency extraction'
+inputs:
+  python-version:
+    description: 'Python version to use'
+    required: false
+    default: '3.12'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+
+    - name: Install dependencies
+      shell: bash
+      run: pip install pyyaml
+

.github/workflows/dependency-extraction-nightly.yml

@@ -35,14 +35,11 @@ jobs:
         with:
           fetch-depth: 0 # Need history for comparison
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - name: Setup dependency extraction environment
+        uses: ./.github/actions/dependency-extraction-setup
         with:
           python-version: '3.12'
 
-      - name: Install dependencies
-        run: pip install pyyaml
-
       - name: Run dependency extraction
         run: |
           TIMESTAMP=$(date +%Y%m%d_%H%M)

.github/workflows/dependency-extraction-release.yml

@@ -40,14 +40,11 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - name: Setup dependency extraction environment
+        uses: ./.github/actions/dependency-extraction-setup
         with:
           python-version: '3.12'
 
-      - name: Install dependencies
-        run: pip install pyyaml
-
       - name: Extract version from branch or input
         id: version
         run: |

.github/workflows/extract_dependency_versions.py

@@ -1833,6 +1833,123 @@ def write_unversioned_report(self, output_path: Path) -> None:
 
         print(f"✓ Written {len(unversioned)} unversioned dependencies to {output_path}")
 
+    def normalize_dependency_name(self, name: str) -> str:
+        """
+        Normalize dependency names to detect the same dependency referred to differently.
+        
+        Examples:
+            - torch, pytorch, PyTorch -> pytorch
+            - tensorflow, TensorFlow -> tensorflow
+            - numpy, NumPy -> numpy
+        
+        Note: This is intentionally conservative to avoid false positives.
+        Only normalizes well-known dependencies with common naming variations.
+        """
+        # Convert to lowercase for comparison
+        name_lower = name.lower()
+        
+        # Common normalization rules (ordered by specificity to avoid false matches)
+        normalizations = {
+            "tensorrt-llm": "tensorrt-llm",
+            "trtllm": "tensorrt-llm",
+            "tensorrt": "tensorrt",
+            "pytorch": "pytorch",
+            "torch": "pytorch",
+            "tensorflow": "tensorflow",
+            "cuda": "cuda",
+            "cudnn": "cudnn",
+            "nccl": "nccl",
+            "nixl": "nixl",
+        }
+        
+        # Check if name matches any normalization rules (exact or starts with)
+        for key, normalized in normalizations.items():
+            if name_lower == key or name_lower.startswith(key + " "):
+                return normalized
+        
+        # Default: return the lowercase name unchanged
+        # This avoids false positives from overly broad matching
+        return name_lower.strip()
+
+    def detect_version_discrepancies(self) -> List[Dict[str, any]]:
+        """
+        Detect dependencies that appear multiple times with different versions.
+        
+        Returns:
+            List of dictionaries containing discrepancy information:
+            - dependency_name: The normalized dependency name
+            - instances: List of {version, source_file, component} for each occurrence
+        """
+        # Group dependencies by normalized name
+        dependency_groups = {}
+        
+        for dep in self.dependencies:
+            normalized_name = self.normalize_dependency_name(dep["Dependency Name"])
+            
+            # Skip unversioned dependencies for discrepancy detection
+            if dep["Version"] in ["unspecified", "N/A", "", "latest"]:
+                continue
+            
+            if normalized_name not in dependency_groups:
+                dependency_groups[normalized_name] = []
+            
+            dependency_groups[normalized_name].append({
+                "original_name": dep["Dependency Name"],
+                "version": dep["Version"],
+                "source_file": dep["Source File"],
+                "component": dep["Component"],
+                "category": dep["Category"],
+                "critical": dep["Critical"] == "Yes",
+            })
+        
+        # Detect discrepancies: same normalized name with different versions
+        discrepancies = []
+        
+        for normalized_name, instances in dependency_groups.items():
+            # Get unique versions
+            versions = set(inst["version"] for inst in instances)
+            
+            # If multiple versions exist, it's a discrepancy
+            if len(versions) > 1:
+                discrepancies.append({
+                    "normalized_name": normalized_name,
+                    "versions": sorted(versions),
+                    "instances": instances,
+                    "is_critical": any(inst["critical"] for inst in instances),
+                })
+        
+        return discrepancies
+
+    def _output_github_warnings(self, discrepancies: List[Dict[str, any]]) -> None:
+        """
+        Output GitHub Actions warning annotations for version discrepancies.
+        
+        This uses the GitHub Actions workflow command format:
+        ::warning file={file},line={line}::{message}
+        
+        See: https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions
+        """
+        for disc in discrepancies:
+            normalized_name = disc["normalized_name"]
+            versions = disc["versions"]
+            is_critical = disc["is_critical"]
+            instances = disc["instances"]
+            
+            # Create a concise message for the annotation
+            critical_prefix = "[CRITICAL] " if is_critical else ""
+            versions_str = ", ".join(versions)
+            
+            # Output a warning for each source file where the dependency appears
+            for inst in instances:
+                message = (
+                    f"{critical_prefix}Version discrepancy detected for '{normalized_name}': "
+                    f"found {inst['version']} here, but also appears as {versions_str} elsewhere"
+                )
+                
+                # Output GitHub Actions warning annotation
+                # Format: ::warning file={name}::{message}
+                print(f"::warning file={inst['source_file']}::{message}")
+
     def print_summary(self) -> None:
         """Print comprehensive summary statistics."""
         components = {}
@@ -1919,6 +2036,47 @@ def print_summary(self) -> None:
         else:
             print("\n✓ All dependencies have version specifiers")
 
+        # Check for version discrepancies
+        discrepancies = self.detect_version_discrepancies()
+        if discrepancies:
+            print(
+                f"\n⚠️  WARNING: Found {len(discrepancies)} dependencies with version discrepancies!"
+            )
+            print("\nDependencies pinned at different versions across the repo:")
+            
+            for disc in discrepancies[:10]:  # Show first 10
+                critical_flag = " [CRITICAL]" if disc["is_critical"] else ""
+                print(f"\n  • {disc['normalized_name']}{critical_flag}")
+                print(f"    Versions found: {', '.join(disc['versions'])}")
+                print(f"    Locations:")
+                
+                for inst in disc["instances"][:5]:  # Show first 5 instances
+                    print(
+                        f"      - {inst['version']:15s} in {inst['component']:10s} "
+                        f"({inst['source_file']})"
+                    )
+                
+                if len(disc["instances"]) > 5:
+                    print(f"      ... and {len(disc['instances']) - 5} more locations")
+            
+            if len(discrepancies) > 10:
+                print(f"\n  ... and {len(discrepancies) - 10} more discrepancies")
+            
+            print("\n  💡 Tip: Version discrepancies can cause:")
+            print("     - Runtime conflicts and crashes")
+            print("     - Unexpected behavior differences between components")
+            print("     - Build failures due to incompatible APIs")
+            print("     - Security vulnerabilities if older versions are used")
+            print(
+                "\n  Consider standardizing versions across the repo or documenting why "
+                "differences are necessary."
+            )
+            
+            # Output GitHub Actions warnings for CI visibility
+            self._output_github_warnings(discrepancies)
+        else:
+            print("\n✓ No version discrepancies detected")
+
         # Check against baseline and warn if exceeded
         if total_deps > self.baseline_count:
             increase = total_deps - self.baseline_count