ai-dynamo
diff --git a/‎.github/reports/README.md‎
Lines changed: 131 additions & 0 deletions b/‎.github/reports/README.md‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎.github/reports/releases/.gitkeep‎
Lines changed: 1 addition & 0 deletions b/‎.github/reports/releases/.gitkeep‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/dependency-extraction-nightly.yml‎
Lines changed: 155 additions & 0 deletions b/‎.github/workflows/dependency-extraction-nightly.yml‎
Lines changed: 155 additions & 0 deletions
@@ -0,0 +1,131 @@
+# Dependency Reports
+
+This directory contains the latest dependency extraction reports for the Dynamo repository.
+
+## Files
+
+### `dependency_versions_latest.csv`
+The most recent dependency extraction results. Updated nightly by the automated CI workflow.
+
+### `unversioned_dependencies_latest.csv`
+List of dependencies without explicit version constraints. These should be reviewed and pinned for reproducible builds.
+
+### `releases/dependency_versions_vX.X.X.csv`
+Permanent snapshots of dependencies for each release version. Created automatically when release branches are cut.
+
+**Examples:**
+- `releases/dependency_versions_v1.2.3.csv` - Release 1.2.3 snapshot
+- `releases/dependency_versions_v2.0.0.csv` - Release 2.0.0 snapshot
+
+**CSV Columns:**
+- **Component** - Component category (trtllm, vllm, sglang, operator, shared)
+- **Category** - Dependency type (Base Image, Framework, Go Module, Python Package, Docker Compose Service, Helm Chart, etc.)
+- **Dependency Name** - Human-readable name
+- **Version** - Version number or constraint
+- **Source File** - Relative path to file defining the dependency
+- **GitHub URL** - Clickable link to source line
+- **Package Source URL** - Direct link to package documentation:
+  - PyPI for Python packages
+  - Docker Hub or NGC Catalog for containers
+  - Artifact Hub for Helm charts
+  - pkg.go.dev for Go modules
+  - Official download pages for languages/tools
+- **Status** - Legacy status field (New, Changed, Unchanged)
+- **Diff from Latest** - Comparison to latest nightly:
+  - `New` - New dependency not in latest nightly
+  - `Unchanged` - Same version as latest nightly
+  - `X → Y` - Version changed from X to Y
+  - `N/A` - No latest nightly to compare against
+- **Diff from Release** - Comparison to latest release:
+  - `New` - New dependency not in latest release
+  - `Unchanged` - Same version as latest release
+  - `X → Y` - Version changed from X to Y
+  - `N/A` - No release snapshot to compare against
+- **Critical** - Yes/No flag for critical dependencies
+- **NVIDIA Product** - Yes/No flag indicating if dependency is an NVIDIA product
+- **Notes** - Additional context
+
+**CSV Sorting:**
+The CSV is sorted to make critical dependencies easy to identify:
+1. By Component (trtllm → vllm → sglang → operator → shared)
+2. By Critical status (Yes before No) within each component
+3. Alphabetically by dependency name
+
+**Extraction Sources:**
+The script extracts dependencies from multiple sources:
+- **Dockerfiles** - Base images and ARG/ENV versions
+- **requirements.txt** - Python packages (main, test, docs, standard)
+- **pyproject.toml** - Project metadata and dependencies
+- **go.mod** - Go module dependencies
+- **shell scripts** - Version variables from install scripts
+- **docker-compose.yml** - Service container versions
+- **Chart.yaml** - Helm chart and dependency versions
+- **rust-toolchain.toml** - Rust compiler version
+- **Cargo.toml** - Rust Git dependencies
+- **K8s recipe YAML** - Git-based pip installs from recipe files
+
+### Critical Dependencies
+
+Critical dependencies are flagged in the CSV to highlight components that require special attention for:
+- Security updates
+- Version compatibility
+- Production stability
+- Compliance requirements
+
+The list of critical dependencies is maintained in `../workflows/extract_dependency_versions_config.yaml` under the `critical_dependencies` section. Examples include:
+- CUDA (compute platform)
+- PyTorch (ML framework)
+- Python (runtime)
+- Kubernetes (orchestration)
+- NATS (message broker)
+- etcd (key-value store)
+
+## Timestamped Versions
+
+Timestamped CSV files (e.g., `dependency_versions_20251009_1924.csv`) are:
+- **Generated** by the nightly workflow
+- **Stored** in GitHub Artifacts (90-day retention)
+- **Not committed** to the repo to avoid clutter
+- **Available** for download from the workflow run page
+
+## Workflows
+
+### Nightly Tracking (`.github/workflows/dependency-extraction-nightly.yml`)
+- **Schedule:** Daily at 2 AM UTC
+- **Trigger:** Can be manually triggered via Actions UI
+- **Output:** Updates `*_latest.csv` files, creates PR when changes detected
+- **Artifacts:** Uploads timestamped CSVs for 90-day retention
+
+### Release Snapshots (`.github/workflows/dependency-extraction-release.yml`)
+- **Trigger:** Automatically when `release/*.*.*` branches are pushed
+- **Output:** Creates permanent `releases/dependency_versions_vX.X.X.csv`
+- **Purpose:** Permanent record of dependencies for each release
+- **Artifacts:** Stored for 365 days (1 year)
+
+## Manual Extraction
+
+To run manually from repository root:
+
+```bash
+# Basic extraction
+python3 .github/workflows/extract_dependency_versions.py
+
+# With options
+python3 .github/workflows/extract_dependency_versions.py \
+  --output .github/reports/dependency_versions_latest.csv \
+  --report-unversioned
+
+# Validate configuration
+python3 .github/workflows/extract_dependency_versions.py --validate
+
+# See all options
+python3 .github/workflows/extract_dependency_versions.py --help
+```
+
+## Files
+
+- 🤖 [Extraction Script](../workflows/extract_dependency_versions.py)
+- ⚙️ [Configuration](../workflows/extract_dependency_versions_config.yaml)
+- 📋 [Nightly Workflow](../workflows/dependency-extraction-nightly.yml)
+- 📸 [Release Workflow](../workflows/dependency-extraction-release.yml)
+
@@ -0,0 +1 @@
+# Release Dependency Snapshots
@@ -0,0 +1,155 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Nightly Dependency Extraction
+
+on:
+  schedule:
+    # Run at 2 AM UTC every day
+    - cron: '0 2 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  extract-dependencies:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Need history for comparison
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      
+      - name: Install dependencies
+        run: pip install pyyaml
+      
+      - name: Run dependency extraction
+        run: |
+          TIMESTAMP=$(date +%Y%m%d_%H%M)
+          
+          # Generate timestamped version (for artifacts)
+          python3 .github/workflows/extract_dependency_versions.py \
+            --output .github/reports/dependency_versions_${TIMESTAMP}.csv \
+            --report-unversioned
+          
+          # Copy to latest version (for repo tracking)
+          mkdir -p .github/reports
+          cp .github/reports/dependency_versions_${TIMESTAMP}.csv .github/reports/dependency_versions_latest.csv
+          
+          # Copy unversioned report if it exists
+          if [ -f "unversioned_dependencies_${TIMESTAMP}.csv" ]; then
+            cp unversioned_dependencies_${TIMESTAMP}.csv .github/reports/unversioned_dependencies_latest.csv
+          fi
+          
+          echo "TIMESTAMP=${TIMESTAMP}" >> $GITHUB_ENV
+      
+      - name: Check for changes
+        id: check_changes
+        run: |
+          if [[ -n $(git status --porcelain .github/reports/*_latest.csv) ]]; then
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+            
+            # Count dependencies by status from latest
+            new_count=$(grep -c ",New," .github/reports/dependency_versions_latest.csv 2>/dev/null || echo "0")
+            changed_count=$(grep -c ",Changed," .github/reports/dependency_versions_latest.csv 2>/dev/null || echo "0")
+            unchanged_count=$(grep -c ",Unchanged," .github/reports/dependency_versions_latest.csv 2>/dev/null || echo "0")
+            
+            echo "new_deps=$new_count" >> $GITHUB_OUTPUT
+            echo "changed_deps=$changed_count" >> $GITHUB_OUTPUT
+            echo "unchanged_deps=$unchanged_count" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          fi
+      
+      - name: Create Pull Request
+        if: steps.check_changes.outputs.has_changes == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'chore: Update dependency versions [automated]'
+          title: '[Automated] Nightly Dependency Version Update - $(date +%Y-%m-%d)'
+          body: |
+            ## 🤖 Automated Dependency Version Update
+            
+            This PR contains the nightly dependency extraction results.
+            
+            ### 📊 Summary
+            - **New Dependencies:** ${{ steps.check_changes.outputs.new_deps }}
+            - **Changed Versions:** ${{ steps.check_changes.outputs.changed_deps }}
+            - **Unchanged:** ${{ steps.check_changes.outputs.unchanged_deps }}
+            
+            ### 📋 Files Updated
+            - ✅ `.github/reports/dependency_versions_latest.csv` - Latest dependency snapshot
+            - ✅ `.github/reports/unversioned_dependencies_latest.csv` - Unversioned deps report (if applicable)
+            
+            > **Note:** Timestamped versions are stored in GitHub Artifacts (90-day retention) to avoid repo clutter.
+            
+            ### ✔️ Review Checklist
+            - [ ] Review new dependencies for security/licensing concerns
+            - [ ] Check version changes for breaking updates
+            - [ ] Verify unversioned dependencies report
+            - [ ] Update baseline count if increase is expected
+            
+            ---
+            
+            🔗 **Documentation:** [Dependency Extraction Guide](../docs/dependency_extraction.md)
+            📦 **Artifacts:** Download timestamped CSVs from workflow run
+            
+            _Generated by nightly dependency extraction workflow_
+            _Timestamp: ${{ env.TIMESTAMP }}_
+          branch: automated/dependency-extraction-${{ github.run_number }}
+          delete-branch: true
+          labels: |
+            automated
+            dependencies
+            documentation
+      
+      - name: Upload artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-extraction-${{ github.run_number }}
+          path: |
+            .github/reports/dependency_versions_*.csv
+            .github/reports/unversioned_dependencies_*.csv
+          retention-days: 90
+      
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Dependency Extraction Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [[ "${{ steps.check_changes.outputs.has_changes }}" == "true" ]]; then
+            echo "✅ **Changes Detected**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "- New Dependencies: ${{ steps.check_changes.outputs.new_deps }}" >> $GITHUB_STEP_SUMMARY
+            echo "- Changed Versions: ${{ steps.check_changes.outputs.changed_deps }}" >> $GITHUB_STEP_SUMMARY
+            echo "- Unchanged: ${{ steps.check_changes.outputs.unchanged_deps }}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "📝 A pull request has been created for review." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "ℹ️ **No Changes Detected**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "All dependencies remain unchanged since the last extraction." >> $GITHUB_STEP_SUMMARY
+          fi
+