chore: Update dependencies to address CVEs and also update Dockerfile (#15756)

* ci: Remove Dockerfile.stable

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

* Rename Dockerfile.ci to Dockerfile

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

* ci: Rename Dockerfile.ci to Dockerfile

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

* chore: Bump dependencies to address CVEs

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

* Build docker container for release

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

* chore: Update uv.lock

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

---------

Signed-off-by: Charlie Truong <chtruong@nvidia.com>

Author: chtruong814

.github/actions/test-template/action.yml

@@ -121,6 +121,7 @@ runs:
           --name nemo_container_${{ github.run_id }}_${{ inputs.runner }} ${ARG[@]} \
           --shm-size=64g \
           --env TRANSFORMERS_OFFLINE=0 \
+          --env NEMO_HOME="/home/TestData/nemo_home" \
           --env HYDRA_FULL_ERROR=1 \
           --env HF_HOME=/home/TestData/HF_HOME \
           --env RUN_ID=${{ github.run_id }} \

.github/workflows/cicd-main-speech.yml

@@ -38,7 +38,7 @@ jobs:
     uses: ./.github/workflows/_build_container.yml
     with:
       image-name: ${{ inputs.image-name }}
-      dockerfile: docker/Dockerfile.ci
+      dockerfile: docker/Dockerfile
       runner: ${{ inputs.runner }}
 
   unit-tests:

.github/workflows/cicd-main.yml

@@ -176,7 +176,7 @@ jobs:
       && !cancelled()
     with:
       image-name: nemo_container
-      dockerfile: docker/Dockerfile.ci
+      dockerfile: docker/Dockerfile
       runner: ${{ needs.pre-flight.outputs.runner_prefix }}
       registry: ${{ needs.pre-flight.outputs.registry }}
 

.github/workflows/release-freeze.yml

@@ -58,11 +58,6 @@ jobs:
           cd ${{ github.run_id }}
           find tutorials -type f -name "*.ipynb" -exec sed -i "s/BRANCH = 'main'/BRANCH = '${{ needs.code-freeze.outputs.release-branch }}'/g" {} +
 
-      - name: Pin MCore in Dockerfile
-        run: |
-          cd ${{ github.run_id }}
-          sed -i 's/^ARG MCORE_TAG=.*$/ARG MCORE_TAG=${{ inputs.mcore_version }}/' docker/Dockerfile.ci
-
       - name: Show status
         run: |
           cd ${{ github.run_id }}

.github/workflows/update-buildcache.yml

@@ -53,6 +53,7 @@ COPY nemo/__init__.py nemo/package_info.py /workspace/nemo/
 RUN <<"EOF" bash -ex
 uv sync --link-mode copy --locked --extra all --extra cu13 --group test
 EOF
+COPY nemo /workspace/nemo
 
 FROM base-image AS automodel-deps
 ARG GPU_TARGET=h100plus
@@ -188,13 +189,13 @@ EOF
 FROM base-image
 COPY --from=automodel-deps /opt/venv /opt/venv
 
-ENV NEMO_HOME="/home/TestData/nemo_home"
+ENV NVIDIA_BUILD_ID=${NVIDIA_BUILD_ID:-<unknown>}
+LABEL com.nvidia.build.id="${NVIDIA_BUILD_ID}"
+ARG NVIDIA_BUILD_REF
+LABEL com.nvidia.build.ref="${NVIDIA_BUILD_REF}"
+ARG RC_DATE=00.00
+ARG TARGETARCH
 
-ARG IMAGE_LABEL
-LABEL "nemo.library"=${IMAGE_LABEL}
-
-ARG PR_NUMBER
-LABEL "nemo.pr_number"=${PR_NUMBER}
-
-ARG NVIDIA_BUILD_ID
-LABEL "NVIDIA_BUILD_ID"=${NVIDIA_BUILD_ID}
+# NOTICES.txt file points to where the OSS source code is archived
+RUN echo "This distribution includes open source which is archived at the following URL: https://opensource.nvidia.com/oss/teams/nvidia/nemo/${RC_DATE}:linux-${TARGETARCH}/index.html" > NOTICES.txt && \
+    echo "For further inquiries or assistance, contact us at oss-requests@nvidia.com" >> NOTICES.txt

docker/Dockerfile.ci docker/Dockerfiledocker/Dockerfile.ci renamed to docker/Dockerfile

@@ -444,6 +444,11 @@ conflicts = [
 ]
 override-dependencies = [
     "torch==2.12.0+cu132 ; sys_platform == 'linux'",
+    "mlflow>=3.9.0rc0",
+    "cryptography>=46.0.5",
+    "wandb>=0.27.1",
+    "urllib3>=2.6.0",
+    "opencv-python-headless; sys_platform == 'never'"
 ]
 no-binary-package = [
     "causal-conv1d",
@@ -489,7 +494,7 @@ explicit = true
 
 [dependency-groups]
 test = [
-    "black~=24.3",
+    "black>=26.3.1",
     "click>=8.1",
     "coverage",
     "isort>5.1.0,<6.0.0",