dependabot[bot] opened a new pull request, #2685: URL: https://github.com/apache/iceberg-rust/pull/2685
Bumps [huggingface-hub](https://github.com/huggingface/huggingface_hub) from 1.18.0 to 1.19.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/huggingface/huggingface_hub/releases">huggingface-hub's releases</a>.</em></p> <blockquote> <h2>[v1.19.0] Trusted Publishers, hf:// URIs, and expose-ports for Jobs</h2> <h2>🔐 Keyless CI/CD auth via OIDC token exchange</h2> <p>CI workflows can now authenticate to the Hub without storing an <code>HF_TOKEN</code> secret, using <a href="https://huggingface.co/docs/hub/trusted-publishers">Trusted Publishers</a>. Set <code>HF_OIDC_RESOURCE</code> to the repo (or username) you want to scope the token to, and <code>huggingface_hub</code> performs the OIDC exchange under the hood — no token, no setup code. GitHub Actions is supported out of the box (with <code>permissions: id-token: write</code>), and other providers can pass a pre-minted ID token via <code>HF_OIDC_ID_TOKEN</code>. Exchanged tokens are short-lived (1 hour), repo-scoped, and cached locally with automatic refresh.</p> <pre lang="yaml"><code># Publish a model without storing any HF_TOKEN secret - name: Push the model env: HF_OIDC_RESOURCE: acme/awesome-model run: hf upload acme/awesome-model ./model . </code></pre> <ul> <li>[Auth] Keyless CI/CD auth via OIDC token exchange by <a href="https://github.com/hanouticelina"><code>@hanouticelina</code></a> in <a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4326">#4326</a></li> </ul> <p>📚 <strong>Documentation:</strong> <a href="https://huggingface.co/docs/hub/trusted-publishers">Trusted Publishers</a></p> <h2>🖥️ hf:// URIs for upload and download</h2> <p><code>hf upload</code> and <code>hf download</code> now accept an <code>hf://</code> URI in place of the positional repo ID. The URI encodes repo type, revision, and file path in a single string following the grammar <code>hf://[<TYPE>/]<ID>[@<REVISION>][/<PATH>]</code>, so you no longer need separate <code>--repo-type</code> and <code>--revision</code> flags. When a URI is provided, it is the single source of truth — passing <code>--repo-type</code> or <code>--revision</code> on top of it raises an error, and a path in the URI cannot be combined with positional filenames (download) or <code>path_in_repo</code> (upload).</p> <pre lang="bash"><code># Download a single file from a dataset at a given revision hf download hf://datasets/HuggingFaceM4/FineVision@refs/pr/1/data/train.parquet <h1>Download an entire repo</h1> <p>hf download hf://datasets/google/fleurs</p> <h1>Upload a file to a dataset on a specific branch</h1> <p>hf upload hf://datasets/Wauplin/my-cool-dataset@my-branch/data/train.csv ./train.csv </code></pre></p> <ul> <li>[CLI] Support hf:// URIs in <code>hf upload</code> and <code>hf download</code> by <a href="https://github.com/Wauplin"><code>@Wauplin</code></a> in <a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4297">#4297</a></li> </ul> <p>📚 <strong>Documentation:</strong> <a href="https://huggingface.co/docs/huggingface_hub/main/en/guides/cli#use-an-hf-uri">CLI guide — hf:// URIs</a> · <a href="https://huggingface.co/docs/huggingface_hub/main/en/guides/download">Download guide</a> · <a href="https://huggingface.co/docs/huggingface_hub/main/en/guides/upload">Upload guide</a></p> <h2>🚀 Expose job ports through the jobs proxy</h2> <p>Jobs can now expose container ports through the public jobs proxy using <code>--expose <port></code> (CLI) or <code>expose=[8000]</code> (Python API). Each exposed port is reachable at <code>https://<job_id>--<port>.hf.jobs</code> and requires an HF token with read access to the job's namespace. This works on <code>hf jobs run</code>, <code>hf jobs uv run</code>, and their scheduled variants. Job responses now surface <code>expose_urls</code> on <code>JobStatus</code>.</p> <pre lang="bash"><code># Expose a web server running on port 8000 > hf jobs run --expose 8000 python:3.12 python -m http.server 8000 ✓ Job started id: 6a2aa7cec4f53f9fc5aa4cff url: https://huggingface.co/jobs/Wauplin/6a2aa7cec4f53f9fc5aa4cff Hint: Exposed ports are reachable at (requires an HF token with read access to the job): https://6a2aa7cec4f53f9fc5aa4cff--8000.hf.jobs Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... </code></pre> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/huggingface/huggingface_hub/commit/b1909eb48ad5c730ebe80f0ff862b3fbd7f9ec3a"><code>b1909eb</code></a> Release: v1.19.0</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/fe27c47d6eb5878b89b06e0a0c75bc6d47f724f1"><code>fe27c47</code></a> OIDC: Include error_description in HTTP error messages (<a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4341">#4341</a>)</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/68dd701057aed2dbdb5618a2956ae6178ea7dc37"><code>68dd701</code></a> Release: v1.19.0.rc1</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/934797e3251abac162216549e33f27f01f8a9952"><code>934797e</code></a> Release: v1.19.0.rc0</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/69ef7d72d9e29767e601a87c7e1e9dac6db2c02f"><code>69ef7d7</code></a> [Agent] Dynamic agent harness registry (<a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4325">#4325</a>)</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/f6b439ce1d04a3021c39f970ab7aad2ffc5c9d3d"><code>f6b439c</code></a> [fix] Transient locaion error due to CDN (<a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4339">#4339</a>)</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/f1f2c43615914bf9b86e4b998ed732f05a12c900"><code>f1f2c43</code></a> Fix ignored-pattern warning grammar in download CLI (<a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4337">#4337</a>)</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/92009d498c9795bc58d7baaee32cd3d0e9d04f42"><code>92009d4</code></a> [Tests] Add xet/no_xet pytest markers to filter Xet vs non-Xet tests (<a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4336">#4336</a>)</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/e3b6d5bd8b82dc4fedc046ffbcbf353f9c0c12f7"><code>e3b6d5b</code></a> [Auth] Keyless CI/CD auth via OIDC token exchange (<a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4326">#4326</a>)</li> <li><a href="https://github.com/huggingface/huggingface_hub/commit/8e4ca5c3a24a8286bbe0ed3acf111e5a1ea1fcf9"><code>8e4ca5c</code></a> [CI] Remove .github/workflows/python-prerelease.yml (<a href="https://redirect.github.com/huggingface/huggingface_hub/issues/4335">#4335</a>)</li> <li>Additional commits viewable in <a href="https://github.com/huggingface/huggingface_hub/compare/v1.18.0...v1.19.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
