Skip to content

Bump peft 0.17.0 to 0.18.1 in torch280 training images#931

Merged
openshift-merge-bot[bot] merged 1 commit into
opendatahub-io:mainfrom
sutaakar:bump-peft-torch280
Jun 25, 2026
Merged

Bump peft 0.17.0 to 0.18.1 in torch280 training images#931
openshift-merge-bot[bot] merged 1 commit into
opendatahub-io:mainfrom
sutaakar:bump-peft-torch280

Conversation

@sutaakar

@sutaakar sutaakar commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps peft from 0.17.0 to 0.18.1 in py312-cuda128-torch280 and py312-rocm64-torch280 training images
  • Fixes ImportError: cannot import name 'HybridCache' from 'transformers' — peft 0.17.0 is incompatible with transformers 5.x shipped in these images
  • All KFTO LLM training tests using torch280 images are broken without this fix

Root cause

peft==0.17.0 imports HybridCache from transformers, which was removed in transformers 5.x. The torch280 images ship transformers ~=5.5.0, causing an immediate crash on from peft import LoraConfig. peft==0.18.1 adds transformers 5.x compatibility — its runtime dependencies are otherwise identical to 0.17.0.

Test plan

  • Verify KFTO LLM training tests pass with the updated CUDA torch280 image
  • Verify KFTO LLM training tests pass with the updated ROCm torch280 image

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the peft dependency to a newer version in the training runtime environments for both CUDA and ROCm images.

peft 0.17.0 is incompatible with transformers 5.x — it tries to import
HybridCache which was removed. This breaks all KFTO LLM training tests
using the torch280 CUDA and ROCm images.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested review from efazal and pawelpaszki June 25, 2026 07:28
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: db058bc2-1193-4fb9-8499-6e7ae7982075

📥 Commits

Reviewing files that changed from the base of the PR and between 36f9003 and 07ff324.

⛔ Files ignored due to path filters (2)
  • images/runtime/training/py312-cuda128-torch280/Pipfile.lock is excluded by !**/*.lock
  • images/runtime/training/py312-rocm64-torch280/Pipfile.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • images/runtime/training/py312-cuda128-torch280/Pipfile
  • images/runtime/training/py312-rocm64-torch280/Pipfile

📝 Walkthrough

Walkthrough

Updated the peft version pin from ==0.17.0 to ==0.18.1 in two training image Pipfile entries: py312-cuda128-torch280 and py312-rocm64-torch280.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly states the dependency bump and target training images.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Contribution Quality And Spam Detection ✅ Passed AI-ish template text and no linked issue are present, but there’s no security/code-quality signal; this is just a small dependency bump.
No Hardcoded Secrets ✅ Passed PASS: Touched Pipfiles only change peft version literals; no API keys/tokens/passwords, embedded creds, or long base64 strings found (CWE-798/CWE-259).
No Weak Cryptography ✅ Passed PASS: Diff only bumps peft and refreshes lock hashes; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, no custom crypto, no secret compares (CWE-327/328/916).
No Injection Vectors ✅ Passed Only Pipfile dependency bumps; no SQL, shell, eval/exec, unsafe deserialization, or HTML injection patterns in touched files.
No Privileged Containers ✅ Passed PASS: PR only updates two Pipfiles; no manifests/Dockerfiles changed and no privileged flags/capabilities (CWE-250/CWE-269) are present in touched files.
No Sensitive Data In Logs ✅ Passed Only Pipfile dependency bumps; no logging code or sensitive-data paths were added, so CWE-200 exposure risk is absent.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands.

@sutaakar sutaakar requested review from kapil27 and removed request for efazal and pawelpaszki June 25, 2026 07:28
@sutaakar

Copy link
Copy Markdown
Contributor Author

/approve

@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kapil27, sutaakar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit b9fa0ea into opendatahub-io:main Jun 25, 2026
7 checks passed
@sutaakar sutaakar deleted the bump-peft-torch280 branch June 25, 2026 07:47
@rhods-ci-bot

Copy link
Copy Markdown

@sutaakar: The following test has Failed:

OCI Artifact Browser URL

View in Artifact Browser

Inspecting Test Artifacts Manually

To inspect your test artifacts manually, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/opendatahub/odh-ci-artifacts:odh-pr-test-distributed-workloads-4xs49

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants