fix: Cherry-pick nightly SDK build fixes to main

[erichare]

Summary

• Cherry-picks abd772f (fix: Build and install the langflow-sdk for lfx (fixes nightly) (#12481)) and 68642a8 (fix: Properly grep for the langflow version (#12486)) from release-1.9.0 to main
• These fixes are needed on main because the scheduled nightly build uses workflow YAML from the default branch (main), even though it checks out the release branch for code
• Without these changes on main, the automated nightly cron job will continue to fail

Changes

• Add SDK build, publish, and cross-platform test support to nightly workflows
• Add grep -v 'langflow-sdk' to all uv tree version extraction to avoid matching langflow-sdk-nightly
• Add src/sdk metadata COPY lines to all Dockerfiles for workspace resolution
• Add skip-nightly-check label support and merge_group bypass for CI nightly gate

Test plan

• Verified on release-1.9.0 via manual nightly workflow dispatch
• CI passes on this PR

Summary by CodeRabbit

Release Notes

• New Features

  • SDK is now built and published separately during nightly and standard releases.

• Chores

  • Enhanced CI/CD pipelines for improved cross-platform testing and automated release management.
  • Docker builds now include SDK configuration alongside main packages.
  • Updated version detection logic across release workflows for better accuracy.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6719921a-3c82-4bda-b678-f25624ef2cf0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This pull request adds comprehensive SDK package support to the CI/CD pipeline, introducing nightly tag generation, version management for SDK releases, and Docker build context updates to include SDK metadata alongside existing LFX packages.

Changes

Cohort / File(s)	Summary
GitHub Actions: Version Extraction Filters .github/workflows/docker-build.yml, docker-build-v2.yml, docker-nightly-build.yml, release.yml	Updated uv tree parsing pipelines to exclude langflow-sdk artifacts from main version extraction, preventing SDK entries from influencing derived release versions.
GitHub Actions: CI & Test Configuration .github/workflows/ci.yml, python_test.yml	Expanded ci_success job condition to exclude merge_group events and added skip-nightly-check label opt-out; increased unit test timeout from 12 to 15 minutes.
GitHub Actions: Cross-Platform Test with SDK Artifacts .github/workflows/cross-platform-test.yml	Added optional sdk-artifact-name workflow input and conditional artifact download/installation steps for SDK wheel distribution alongside LFX packages in both stable and experimental jobs.
GitHub Actions: Nightly Build & Tag Generation .github/workflows/nightly_build.yml	Introduced SDK nightly tag generation step via new sdk_nightly_tag.py script; added SDK version update via update_sdk_version.py; extended git commits to include src/sdk/pyproject.toml; propagated sdk_tag to downstream release workflow.
GitHub Actions: Nightly Release Workflow .github/workflows/release_nightly.yml	Added nightly_tag_sdk input parameter; introduced SDK verification, build, and publish jobs (publish-nightly-sdk); updated LFX CLI test to install both SDK and LFX wheels together; integrated SDK artifact uploads and cross-platform test invocation with SDK artifact name.
SDK Version Management Scripts scripts/ci/sdk_nightly_tag.py, scripts/ci/update_sdk_version.py, scripts/ci/update_lfx_version.py, scripts/ci/update_pyproject_name.py	New sdk_nightly_tag.py computes nightly tags by querying PyPI; new update_sdk_version.py updates SDK project metadata for nightly builds; updated update_lfx_version.py to accept SDK tag and modify LFX's SDK dependency; extended update_pyproject_name.py to support langflow-sdk-nightly project name.
Docker Build Context Updates docker/build_and_push_base.Dockerfile, build_and_push_ep.Dockerfile, build_and_push_with_extras.Dockerfile, dev.Dockerfile	Added COPY directives for src/sdk/README.md and src/sdk/pyproject.toml to include SDK workspace metadata during Docker dependency resolution phases.
Build Automation & Makefiles Makefile, src/sdk/Makefile	Root Makefile added delegating targets for SDK package commands (sdk_build, sdk_publish, sdk_test, etc.); new src/sdk/Makefile provides complete SDK developer workflow (init, install, test, format, lint, build, publish, clean) with version extraction and help documentation.
Configuration & Data Updates .secrets.baseline, src/lfx/src/lfx/_assets/component_index.json	Updated line number references in .secrets.baseline and refreshed timestamp; updated google package versions in component index and recalculated SHA256 checksum.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
Test Coverage For New Implementations	❌ Error	PR adds new Python scripts and modifies CI infrastructure without corresponding unit tests, and code review identified bugs.	Add unit tests for new scripts following test_*.py naming convention, covering version logic, edge cases, and dependency updates.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Quality And Coverage	⚠️ Warning	No unit tests were added for four new/modified Python scripts that perform critical build automation (SDK versioning, nightly tags, dependency updates). Review identified bugs that tests would catch.	Add comprehensive unit tests in tests/scripts/ci/ for all four new CI scripts with coverage of main paths, edge cases, and error handling using mocking for external API calls.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main objective: cherry-picking nightly SDK build fixes from the release branch to main, which is the primary change across all modifications.
Test File Naming And Structure	✅ Passed	This PR contains only workflow, Dockerfile, CI script, and Makefile changes with no test files to assess against naming and structural conventions.
Excessive Mock Usage Warning	✅ Passed	PR modifies only CI/workflow configuration, Docker files, Makefile, and data files. No test files are changed, so excessive mock usage check is not applicable.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cherry-pick/nightly-sdk-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	24.17% (8626/35678)	16.93% (4757/28093)	16.91% (1264/7474)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
2779	0 💤	0 ❌	0 🔥	46.638s ⏱️

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.49%. Comparing base (8dbcbb0) to head (3eee4eb).
⚠️ Report is 8 commits behind head on main.

❌ Your project status has failed because the head coverage (44.41%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12491      +/-   ##
==========================================
- Coverage   38.49%   38.49%   -0.01%     
==========================================
  Files        1630     1630              
  Lines       80456    80453       -3     
  Branches    12152    12152              
==========================================
- Hits        30971    30968       -3     
+ Misses      47735    47734       -1     
- Partials     1750     1751       +1     

Flag	Coverage Δ
backend	57.35% <100.00%> (-0.01%)	⬇️
frontend	21.59% <ø> (ø)
lfx	44.41% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/backend/base/langflow/initial_setup/setup.py	51.04% <100.00%> (-0.90%)	⬇️

... and 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (6)

scripts/ci/update_sdk_version.py (1)

29-40: Consider adding type hints for mypy compliance.

Per coding guidelines, mypy type checking should be run on Python code. Adding type hints would improve static analysis coverage.

♻️ Suggested type hints

-def update_sdk_for_nightly(sdk_tag: str):
+def update_sdk_for_nightly(sdk_tag: str) -> None:
     """Update SDK package for nightly build."""
     ...

-def main():
+def main() -> None:
     ...

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/ci/update_sdk_version.py` around lines 29 - 40, The script lacks type
hints for mypy; add annotations to main() (e.g., def main() -> None), type the
local vars (expected_args: int, sdk_tag: str), and annotate any called function
signatures you control such as update_sdk_for_nightly(sdk_tag: str) -> None so
mypy can validate the flow; also import typing primitives if needed and ensure
sys.argv usage is typed/checked before indexing.

scripts/ci/sdk_nightly_tag.py (2)

14-24: HTTP errors other than 404 are not handled.

The function checks for 404 explicitly but doesn't validate other HTTP error codes (e.g., 500, 403, rate limiting). Consider using raise_for_status() for comprehensive error handling.

♻️ Proposed fix to handle all HTTP errors

     res = requests.get(url, timeout=10)
     if res.status_code == requests.codes.not_found:
         msg = "Package not found on PyPI"
         raise requests.RequestException(msg)
+    res.raise_for_status()
 
     try:
         version_str = res.json()["info"]["version"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/ci/sdk_nightly_tag.py` around lines 14 - 24, The code currently only
checks for a 404 response (res.status_code == requests.codes.not_found) but
ignores other HTTP errors; update the request handling in the block that calls
requests.get(...) to call res.raise_for_status() after getting res (or
explicitly check res.ok) so non-2xx responses raise an exception instead of
proceeding to parse JSON; keep the existing 404 handling semantics if you want a
custom message for not_found, but otherwise call res.raise_for_status() before
accessing res.json() and Version(version_str) to ensure HTTP errors (e.g., 500,
403, rate limiting) are surfaced.

---

53-58: Add a comment to clarify the validation intent.

Line 56 creates a Version object solely for validation (to raise InvalidVersion if malformed). Add a brief comment to clarify this intent or assign to _ to signal the result is intentionally discarded.

📝 Optional: clarify intent

-    packaging.version.Version(new_nightly_version)
+    # Validate the version string is well-formed (raises InvalidVersion if not)
+    packaging.version.Version(new_nightly_version)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/ci/sdk_nightly_tag.py` around lines 53 - 58, The call to
packaging.version.Version(new_nightly_version) is only performed to validate the
version string and its result is intentionally unused; update the code around
the Version(...) invocation (referencing the new_nightly_version variable and
the packaging.version.Version call) to either assign the result to a throwaway
variable like _ or add a concise inline comment such as "# Validate format;
result intentionally unused" to make the validation intent explicit.

.github/workflows/release_nightly.yml (1)

79-91: SDK verification step could fail silently if pyproject.toml structure changes.

The grep | sed pipeline will produce empty strings if the patterns don't match, causing confusing error messages. Consider adding || exit 1 after grep commands or using set -e to fail fast.

♻️ More robust version extraction

       - name: Verify SDK Nightly Name and Version
         if: ${{ inputs.build_lfx }}
         run: |
+          set -e
           name=$(grep '^name = "' src/sdk/pyproject.toml | head -n 1 | sed 's/.*"\(.*\)".*/\1/')
           version=$(grep '^version = "' src/sdk/pyproject.toml | head -n 1 | sed 's/.*"\(.*\)".*/\1/')
+          if [ -z "$name" ] || [ -z "$version" ]; then
+            echo "Failed to extract name or version from src/sdk/pyproject.toml"
+            exit 1
+          fi
           if [ "$name" != "langflow-sdk-nightly" ]; then

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release_nightly.yml around lines 79 - 91, The Verify SDK
Nightly Name and Version step can silently yield empty name/version if the
grep/sed patterns fail; update the shell so the extraction of name and version
from src/sdk/pyproject.toml fails fast and gives a clear error: after the
grep/sed pipelines that set the variables name and version (the current lines
using grep '^name = "' and grep '^version = "'), add explicit checks that the
variables are non-empty and echo a helpful error and exit 1 if empty, or make
the script set -e at the top of the step so failures propagate; ensure the
subsequent comparisons use these validated variables.

docker/build_and_push_base.Dockerfile (1)

50-52: Align the src/sdk workspace assumption with root workspace config.

Line 50 says src/sdk is a workspace member, but the provided root workspace snippet does not include src/sdk. Please either add it to [tool.uv.workspace].members or adjust the comment/intent to avoid drift.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/build_and_push_base.Dockerfile` around lines 50 - 52, The Dockerfile
comment and COPY lines assume src/sdk is a workspace member but the root
workspace config ([tool.uv.workspace].members) does not include it; either add
"src/sdk" to the workspace members in the root pyproject.toml (so the workspace
and Dockerfile agree) or update the Dockerfile comment/COPY usage to reflect
that src/sdk is not a workspace member (e.g., remove the "workspace member"
wording or copy from the correct path). Locate the two COPY lines in
docker/build_and_push_base.Dockerfile and the workspace table
[tool.uv.workspace].members in the root pyproject.toml to make the consistent
change.

src/sdk/Makefile (1)

50-53: Use $(MAKE) for recursive invocations.

Lines 50 and 53 call make directly. Using $(MAKE) preserves parent flags and jobserver behavior in nested invocations.

Suggested patch

 build_wheel: ## build wheel only
-	`@make` build args="--wheel"
+	@$(MAKE) build args="--wheel"
 
 build_sdist: ## build source distribution only
-	`@make` build args="--sdist"
+	@$(MAKE) build args="--sdist"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/sdk/Makefile` around lines 50 - 53, The Makefile uses literal "make" for
recursive invocations in the build rule and build_sdist target; change those
calls to use the $(MAKE) variable to preserve parent flags and jobserver
behavior—update the lines invoking make for the "build" target and the
"build_sdist" target to call $(MAKE) instead of make.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/nightly_build.yml:
- Line 173: The git add command on the CI step omits the lock file generated by
the src/lfx uv lock step; update the git add invocation (the line containing
"git add pyproject.toml src/backend/base/pyproject.toml src/lfx/pyproject.toml
src/sdk/pyproject.toml uv.lock src/backend/base/uv.lock") to also include
src/lfx/uv.lock so the lock file produced by the "cd src/lfx && uv lock" step is
committed with the other lock files.

In `@scripts/ci/sdk_nightly_tag.py`:
- Around line 45-51: The code assumes current_nightly_version.dev is an int but
it can be None for non-dev releases; update the block guarded by the if (the
check using current_nightly_version, latest_base_version and
nightly_base_version) to coerce None to 0 before incrementing — e.g., compute
dev_index = current_nightly_version.dev if current_nightly_version.dev is not
None else 0 and then set build_number = str(dev_index + 1) so
new_nightly_version concatenation uses a valid integer.

In `@scripts/ci/update_lfx_version.py`:
- Around line 37-50: The update_spi dependency function
update_sdk_dependency_in_lfx currently assumes a "langflow-sdk" entry exists and
raises ValueError if not; change it to either insert the
"langflow-sdk-nightly=={sdk_version}" dependency into the pyproject content when
the pattern is not found (e.g., locate the [tool.poetry.dependencies] or
[project] dependencies block and append/insert the new dependency line) instead
of raising, or alternatively add the missing dependency to the LFX pyproject
TOML file; also add explicit return type annotations -> None to the functions
update_lfx_for_nightly(lfx_tag: str, sdk_tag: str) and main() to satisfy mypy.

In `@scripts/ci/update_pyproject_name.py`:
- Around line 48-50: The branch handling new_project_name ==
"langflow-sdk-nightly" assumes a root pyproject entry "langflow-sdk = {
workspace = true }" which doesn't exist and later causes a ValueError; update
this logic in update_pyproject_name.py to either add a matching "langflow-sdk"
source entry when creating the nightly (so the regex pattern
re.compile(r"langflow-sdk = \{ workspace = true \}") will match) or change the
pattern/lookup to target the actual SDK key used in the root pyproject (for
example detect and replace the existing SDK entry name or try both
"langflow-sdk" and "langflow-sdk-nightly"), and add a safe fallback to avoid
raising ValueError if no match is found (e.g., check for pattern existence
before replacement and raise a clear error or create the expected source entry).

In `@src/lfx/src/lfx/_assets/component_index.json`:
- Line 118490: The sha256 value in component_index.json is stale; run the
generator script to recompute and replace it: execute
scripts/build_component_index.py to regenerate the file (or run the specific
hash/regeneration step the script provides) and update the "sha256" field in
src/lfx/src/lfx/_assets/component_index.json to the newly computed hash so the
runtime integrity check will match the file contents.
- Line 73434: The dependency extraction in dependency_analyzer.py is incorrectly
mapping top-level imports like "google.*" to the non-existent "google"
distribution; update the import-to-distribution resolution (the function that
maps imports to distributions, e.g., the resolve/import mapping routine in
dependency_analyzer.py) to special-case google namespaces: map "google.auth" and
"google.oauth2" (and submodules under google.* that belong to auth) to
"google-auth", map imports coming from the google-api client surface (e.g.,
googleapiclient or googleapiclient.* or documented google.* submodules that
belong to the API client) to "google-api-python-client", and otherwise avoid
emitting the generic "google" package; apply this deterministic mapping wherever
the analyzer produces dependency strings (so all occurrences of the
"google":"2.8.0" output are fixed), and add/adjust unit tests to assert that
google.auth -> google-auth and googleapiclient -> google-api-python-client.

---

Nitpick comments:
In @.github/workflows/release_nightly.yml:
- Around line 79-91: The Verify SDK Nightly Name and Version step can silently
yield empty name/version if the grep/sed patterns fail; update the shell so the
extraction of name and version from src/sdk/pyproject.toml fails fast and gives
a clear error: after the grep/sed pipelines that set the variables name and
version (the current lines using grep '^name = "' and grep '^version = "'), add
explicit checks that the variables are non-empty and echo a helpful error and
exit 1 if empty, or make the script set -e at the top of the step so failures
propagate; ensure the subsequent comparisons use these validated variables.

In `@docker/build_and_push_base.Dockerfile`:
- Around line 50-52: The Dockerfile comment and COPY lines assume src/sdk is a
workspace member but the root workspace config ([tool.uv.workspace].members)
does not include it; either add "src/sdk" to the workspace members in the root
pyproject.toml (so the workspace and Dockerfile agree) or update the Dockerfile
comment/COPY usage to reflect that src/sdk is not a workspace member (e.g.,
remove the "workspace member" wording or copy from the correct path). Locate the
two COPY lines in docker/build_and_push_base.Dockerfile and the workspace table
[tool.uv.workspace].members in the root pyproject.toml to make the consistent
change.

In `@scripts/ci/sdk_nightly_tag.py`:
- Around line 14-24: The code currently only checks for a 404 response
(res.status_code == requests.codes.not_found) but ignores other HTTP errors;
update the request handling in the block that calls requests.get(...) to call
res.raise_for_status() after getting res (or explicitly check res.ok) so non-2xx
responses raise an exception instead of proceeding to parse JSON; keep the
existing 404 handling semantics if you want a custom message for not_found, but
otherwise call res.raise_for_status() before accessing res.json() and
Version(version_str) to ensure HTTP errors (e.g., 500, 403, rate limiting) are
surfaced.
- Around line 53-58: The call to packaging.version.Version(new_nightly_version)
is only performed to validate the version string and its result is intentionally
unused; update the code around the Version(...) invocation (referencing the
new_nightly_version variable and the packaging.version.Version call) to either
assign the result to a throwaway variable like _ or add a concise inline comment
such as "# Validate format; result intentionally unused" to make the validation
intent explicit.

In `@scripts/ci/update_sdk_version.py`:
- Around line 29-40: The script lacks type hints for mypy; add annotations to
main() (e.g., def main() -> None), type the local vars (expected_args: int,
sdk_tag: str), and annotate any called function signatures you control such as
update_sdk_for_nightly(sdk_tag: str) -> None so mypy can validate the flow; also
import typing primitives if needed and ensure sys.argv usage is typed/checked
before indexing.

In `@src/sdk/Makefile`:
- Around line 50-53: The Makefile uses literal "make" for recursive invocations
in the build rule and build_sdist target; change those calls to use the $(MAKE)
variable to preserve parent flags and jobserver behavior—update the lines
invoking make for the "build" target and the "build_sdist" target to call
$(MAKE) instead of make.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6a78aef-352f-4939-b00b-3568e7d5a25f

📥 Commits

Reviewing files that changed from the base of the PR and between 65c3139 and 1255c0d.

📒 Files selected for processing (21)

• .github/workflows/ci.yml
• .github/workflows/cross-platform-test.yml
• .github/workflows/docker-build-v2.yml
• .github/workflows/docker-build.yml
• .github/workflows/docker-nightly-build.yml
• .github/workflows/nightly_build.yml
• .github/workflows/python_test.yml
• .github/workflows/release.yml
• .github/workflows/release_nightly.yml
• .secrets.baseline
• Makefile
• docker/build_and_push_base.Dockerfile
• docker/build_and_push_ep.Dockerfile
• docker/build_and_push_with_extras.Dockerfile
• docker/dev.Dockerfile
• scripts/ci/sdk_nightly_tag.py
• scripts/ci/update_lfx_version.py
• scripts/ci/update_pyproject_name.py
• scripts/ci/update_sdk_version.py
• src/lfx/src/lfx/_assets/component_index.json
• src/sdk/Makefile

[erichare]

@jordanrfrazier @mendonk here is the PR that cherrypicks the workflow changes to main, so that when the scheduled nightly runs it will continue to work.

[mendonk]

Approved