LCORE-2125: Upgrade rag-content to the RHOAI 3.4 index of Python packages

[syedriko]

Description

Upgrade rag-content to the RHOAI 3.4 index of Python packages

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
• Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

• Related Issue #
• Closes # https://redhat.atlassian.net/browse/LCORE-2125

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• New Features

  • Added formal CPU/CUDA build profiles and CUDA build support.
  • Introduced a new policy-driven dependency resolver with RHOAI-first + PyPI fallback.

• Updates

  • Bumped key Python packages (llama-stack family, torch/torchvision, docling, etc.) and relaxed some constraints.
  • Updated base container images to v3.4 and refreshed CUDA guidance in the README.

• Chores

  • Regenerated many dependency lock/hash files and simplified hermetic build plumbing.

[coderabbitai]

Caution

Review failed

Failed to post review comments

Walkthrough

Adds a profile-driven Konflux build flow (cpu/cuda), a new RHOAI-first dependency resolver, regenerated hashed/source/wheel lockfiles for RHOAI 3.4, updated Containerfiles for separate builder/runtime stages, and refreshed Tekton prefetch package allowlists and build-args paths.

Changes

Build Infrastructure Modernization

Layer / File(s)	Summary
Konflux profiles and configuration .konflux/profiles.toml, .konflux/pypi_wheel_only.txt, .konflux/build-args-konflux.conf, .konflux/cuda/build-args-konflux.conf	New profile-based configuration (cpu/cuda), wheel-only marker list, and bumped base image build-args.
CUDA RPM dependencies & locks .konflux/cuda/rpms.in.yaml, .konflux/cuda/rpms.lock.yaml, .konflux/rpms.in.yaml	Inserted libxml2-devel/libxslt-devel and updated CUDA RPM lockfiles for aarch64/x86_64.
Profile-aware requirements generation scripts/konflux_requirements.sh, Makefile	Script now accepts `cpu
PEP-compliant dependency resolver scripts/konflux_resolve.py	New ~1300-line resolver implementing PEP 440/503/508 parsing, RHOAI-first/PyPI-fallback resolution, transitive BFS resolver, bucketing, hashed requirements writing, pybuild-deps generation, and Tekton YAML patching.
Build dependency lockfiles .konflux/requirements-build.txt, .konflux/requirements-build.cuda.txt	Regenerated build-time pins; maturin and uv-build bumped; unsafe package lists simplified.
Hashed requirements & overrides .konflux/requirements.hashes.*.txt, .konflux/requirements.hermetic.txt, .konflux/requirements.overrides{,.cuda}.txt	Regenerated wheel/source hash lockfiles using RHOAI 3.4, added PyPI-only wheel outputs, updated hermetic pins (added pdm-backend), and refreshed overrides.
CPU and CUDA Containerfiles Containerfile, Containerfile-cuda	CPU: reordered COPYs, reduced hermetic toolchain, removed arch-specific wheel-hash selection. CUDA: split builder/runtime, added DNF_COMMAND, explicit build-tool installs, and updated hermetic CUDA requirements handling.
Tekton pipeline configuration .tekton/rag-tool-*.yaml, .tekton/rag-tool-cuda-*.yaml	Updated spec.params.prefetch-input pip requirements_files and replaced binary.packages CSV allowlists; CUDA pipelines point at .konflux/cuda/ build-args file.
Project config and docs pyproject.toml, README.md	Relaxed huggingface_hub/docling constraints, bumped llama-stack*, removed some torch/torchvision upper bounds and aiohttp, expanded Ruff ignores, and README updated to RHOAI 3.4 and new script invocation.

Sequence Diagram

sequenceDiagram
  participant User as Developer
  participant KonfluxScript as scripts/konflux_requirements.sh
  participant Resolver as scripts/konflux_resolve.py
  participant RHOAI as RHOAI index (rhoai/3.4)
  participant PyPI as PyPI
  participant Tekton as .tekton/*.yaml
  User->>KonfluxScript: run (profile=cpu|cuda)
  KonfluxScript->>Resolver: invoke uv_resolve / patch files
  Resolver->>RHOAI: prefer RHOAI wheels (find_best)
  Resolver->>PyPI: fallback to PyPI sdist/wheel when needed
  Resolver->>Tekton: patch "packages" allowlist in PipelineRun YAMLs

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• lightspeed-core/rag-content#183: Overlaps on Tekton prefetch-input pip.binary.packages allowlist changes.
• lightspeed-core/rag-content#187: Related changes to CUDA Tekton build-args-file and .konflux layout.
• lightspeed-core/rag-content#191: Related Containerfile multi-stage build refactors and build-args updates.

Suggested reviewers

• tisnik

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: upgrading rag-content to RHOAI 3.4 Python packages index, which aligns with the comprehensive updates across Tekton YAMLs, Konflux build configuration, and dependency pins.
Docstring Coverage	✅ Passed	Docstring coverage is 90.48% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

scripts/konflux_requirements.sh (1)

118-128: ⚠️ Potential issue | 🟠 Major

Keep per-arch hash files generated or stop consuming them.

The script still leaves requirements.hashes.wheel.cpu.x86_64.txt and requirements.hashes.wheel.cpu.aarch64.txt referenced by both Tekton configs, but this flow no longer writes them. Regenerating requirements can therefore leave stale arch-specific pins in files that hermetic prefetch still consumes. Either regenerate harmless placeholders or remove those files from both requirements_files lists.

🛠️ Minimal placeholder-generation fix

 if grep -qE '^(torch|torchvision|triton)==' "$WHEEL_HASH_FILE"; then
 	awk '
 /^torch==|^torchvision==|^triton==/ { skip=1; next }
 skip && /^[ \t]/ { next }
 skip && /^[a-zA-Z0-9]/ { skip=0 }
 { print }
 ' "$WHEEL_HASH_FILE" > "${WHEEL_HASH_FILE}.strip" && mv "${WHEEL_HASH_FILE}.strip" "$WHEEL_HASH_FILE"
 fi
+for _arch_hash_file in "$WHEEL_HASH_CPU_X86" "$WHEEL_HASH_CPU_AARCH"; do
+	printf '%s\n' "# No architecture-specific wheel pins; generated by konflux_requirements.sh." > "$_arch_hash_file"
+done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/konflux_requirements.sh` around lines 118 - 128, The script modifies
WHEEL_HASH_FILE but no longer generates per-arch files
(requirements.hashes.wheel.cpu.x86_64.txt and
requirements.hashes.wheel.cpu.aarch64.txt) that Tekton recipes still reference;
either ensure placeholder per-arch files are regenerated after the strip step
(create harmless empty or header-only files named
requirements.hashes.wheel.cpu.x86_64.txt and
requirements.hashes.wheel.cpu.aarch64.txt when WHEEL_HASH_FILE is mutated), or
remove those filenames from the Tekton requirements_files lists so they are not
consumed; update scripts/konflux_requirements.sh to write the placeholders
(using the WHEEL_HASH_FILE basename logic) or update the Tekton configs'
requirements_files entries to stop referencing the arch-specific files, and make
sure references to WHEEL_HASH_FILE and the two arch-specific filenames are
consistent across both Tekton configs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.tekton/rag-tool-push.yaml:
- Line 64: The binary.packages allowlist is missing "llama-stack-api" while
"llama-stack" and "llama-stack-client" are present and requirements include
llama-stack-api==0.5.0; update the "packages" comma-separated string in the
binary.packages entry (the same list shown in the diff) to include
"llama-stack-api" and apply the same change in the peer pipeline config that has
an identical allowlist (the other .tekton rag-tool file), ensuring the package
name is added exactly as "llama-stack-api".

In `@requirements-build.txt`:
- Around line 23-33: The build requirements file contains conflicting duplicate
pins (e.g., hatchling and setuptools) produced by pip-compile; fix this by
resolving the source dependency conflicts in your
requirements.source.txt.build—identify where hatchling and setuptools are
required with different versions (direct or transitive), choose a single
compatible version (or add an explicit constraint/compatibility marker) in
requirements.source.txt.build, then re-run pip-compile to regenerate
requirements-build.txt so it contains a single pinned entry per package.

In `@requirements.overrides.txt`:
- Around line 21-22: The requirements override pins for torch and torchvision
violate pyproject.toml constraints: change the pinned versions in
requirements.overrides (currently "torch==2.10.0" and "torchvision==0.25.0") to
versions that respect the upper bounds specified in pyproject.toml (e.g.,
upgrade to allowed ranges such as "torch>=2.9.0,<2.10.0" and
"torchvision>=0.24.0,<0.25.0") or alternatively update pyproject.toml to
explicitly allow the newer exact versions; ensure consistency between the
override entries for "torch" and "torchvision" and the version ranges declared
in pyproject.toml.

---

Outside diff comments:
In `@scripts/konflux_requirements.sh`:
- Around line 118-128: The script modifies WHEEL_HASH_FILE but no longer
generates per-arch files (requirements.hashes.wheel.cpu.x86_64.txt and
requirements.hashes.wheel.cpu.aarch64.txt) that Tekton recipes still reference;
either ensure placeholder per-arch files are regenerated after the strip step
(create harmless empty or header-only files named
requirements.hashes.wheel.cpu.x86_64.txt and
requirements.hashes.wheel.cpu.aarch64.txt when WHEEL_HASH_FILE is mutated), or
remove those filenames from the Tekton requirements_files lists so they are not
consumed; update scripts/konflux_requirements.sh to write the placeholders
(using the WHEEL_HASH_FILE basename logic) or update the Tekton configs'
requirements_files entries to stop referencing the arch-specific files, and make
sure references to WHEEL_HASH_FILE and the two arch-specific filenames are
consistent across both Tekton configs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ac2f76b9-682d-4dfd-a7cf-6bd2aa5eca09

📥 Commits

Reviewing files that changed from the base of the PR and between 6946c22 and 55d8a73.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (11)

• .tekton/rag-tool-pull-request.yaml
• .tekton/rag-tool-push.yaml
• README.md
• build-args-konflux.conf
• pyproject.toml
• requirements-build.txt
• requirements.hashes.source.txt
• requirements.hashes.wheel.pypi.txt
• requirements.hashes.wheel.txt
• requirements.overrides.txt
• scripts/konflux_requirements.sh

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Detect duplicate pinned package names in requirements-build.txt.
set -euo pipefail

python - <<'PY'
import re
from collections import defaultdict

fname = "requirements-build.txt"
pat = re.compile(r'^([A-Za-z0-9_.-]+)==([^\s]+)')
seen = defaultdict(list)

with open(fname, encoding="utf-8") as f:
    for i, line in enumerate(f, 1):
        m = pat.match(line.strip())
        if m:
            seen[m.group(1).lower()].append((i, m.group(2)))

dups = {k:v for k,v in seen.items() if len(v) > 1}
if not dups:
    print("No duplicate pinned package names found.")
else:
    print("Duplicate pinned package names:")
    for pkg, rows in sorted(dups.items()):
        print(f"- {pkg}: " + ", ".join([f'line {ln} -> {ver}' for ln, ver in rows]))
PY

Repository: lightspeed-core/rag-content

Length of output: 203

---

🏁 Script executed:

cat -n requirements-build.txt | head -90

Repository: lightspeed-core/rag-content

Length of output: 2561

---

Fix conflicting duplicate package pins in auto-generated build requirements.

This auto-generated file contains multiple unpinned versions of the same packages (hatchling at lines 25 and 29, setuptools at lines 79 and 81). pip-compile should not produce this output. The duplicates indicate unresolved dependency conflicts in your source specification. When pip installs this file, it uses only the last occurrence of each package, silently dropping the others, making the resolution non-deterministic and hiding the underlying constraint conflict.

Fix by resolving the conflicting requirements in your source dependency file (requirements.source.txt.build).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 23 - 33, The build requirements file
contains conflicting duplicate pins (e.g., hatchling and setuptools) produced by
pip-compile; fix this by resolving the source dependency conflicts in your
requirements.source.txt.build—identify where hatchling and setuptools are
required with different versions (direct or transitive), choose a single
compatible version (or add an explicit constraint/compatibility marker) in
requirements.source.txt.build, then re-run pip-compile to regenerate
requirements-build.txt so it contains a single pinned entry per package.

[red-hat-konflux-kflux-prd-rh02]

Caution

There are some errors in your PipelineRun template.

PipelineRun	Error
rag-tool-cuda-pull-request.yaml	yaml validation error: line 57: found a tab character where an indentation space is expected