conf: update konflux requirements using RHOAI 3.3 packages

[raptorsun]

Description

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement
• Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
• Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

• Related Issue #
• Closes #

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• Chores
  • Condensed and reorganized pip package lists used in CI.
  • Updated build dependency pins (Python build header, dunamai, hatchling, setuptools, etc.) and cleaned dependency comments.
  • Refreshed lockfile and wheel hashes for deterministic installs and bumped package index to 3.3.
  • Upgraded and added ML/AI and cloud-related libraries (e.g., torch, google-genai, google-cloud-*, kubernetes, grpcio, and related networking/parsing libs).

[coderabbitai]

Walkthrough

Replaced Tekton prefetch pip package lists, updated build requirement pins and comments, regenerated source and wheel lockfile hashes (and bumped wheel index 3.2→3.3), updated override pins (added some new packages), and bumped a script RHOAI index URL.

Changes

Cohort / File(s)	Summary
Tekton configuration .tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml	Replaced pip package lists used by prefetch steps: removed many previously listed packages (e.g., accelerate, maturin, tiktoken) and introduced a different set (e.g., docstring-parser, einops, google-cloud-*, kubernetes, urllib3, websockets, starlette, tree-sitter). Surrounding keys unchanged.
Build requirements requirements-build.txt	Reworked build dependency pins and comments: Python autogen header changed (3.13→3.12); multiple pins updated (dunamai, hatchling, setuptools, etc.); many entries removed, commented, or reorganized.
Source hash lockfile requirements.hashes.source.txt	Large-scale regeneration of source lock entries: many package versions and corresponding sha256 hash blocks refreshed, with additions/removals and multiple transitive hash updates.
Wheel hash lockfile requirements.hashes.wheel.txt	Wheel hashes refreshed across the file and the index URL advanced from 3.2→3.3; most --hash entries replaced with updated values.
Override pins requirements.overrides.txt	Updated version pins for several packages (transformers, tokenizers, scipy, pyarrow, pillow, etc.), updated ancillary libs, and added new entries (e.g., google-genai, torch, hf-xet, yarl, grpcio*).
Scripts / index URL scripts/konflux_requirements.sh	Bumped RHOAI_INDEX_URL from 3.2 to 3.3; no logic changes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating Konflux requirements to use RHOAI 3.3 packages. This is confirmed across multiple files (scripts/konflux_requirements.sh, requirements.hashes.wheel.txt index URL update, and various package updates).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@requirements-build.txt`:
- Around line 29-35: Remove the duplicate conflicting pin for the package by
deleting the older entry "hatchling==1.26.3" and keep only "hatchling==1.29.0"
in requirements-build.txt so dependency resolution uses the single consistent
version; ensure no other duplicate hatchling lines remain.

In `@requirements.overrides.txt`:
- Around line 1-3: The override comment header references the RHOAI wheels index
for version 3.2 while the package pins were updated to 3.3; update the comment
URL by replacing "rhai/rhoai/3.2/cpu-ubi9/simple" with
"rhai/rhoai/3.3/cpu-ubi9/simple" so the header matches the pinned
transformers==4.57.6 and avoids confusion during maintenance (edit the first
comment block in requirements.overrides.txt).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f3d669fa-b2eb-40fc-ab58-7cfc330695f3

📥 Commits

Reviewing files that changed from the base of the PR and between 1f218bd and f6e4d0a.

📒 Files selected for processing (7)

• .tekton/lightspeed-stack-pull-request.yaml
• .tekton/lightspeed-stack-push.yaml
• requirements-build.txt
• requirements.hashes.source.txt
• requirements.hashes.wheel.txt
• requirements.overrides.txt
• scripts/konflux_requirements.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Update the override header URL to 3.3.

The comment still points to the 3.2 index while pins were updated for 3.3, which can cause confusion during manual maintenance.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements.overrides.txt` around lines 1 - 3, The override comment header
references the RHOAI wheels index for version 3.2 while the package pins were
updated to 3.3; update the comment URL by replacing
"rhai/rhoai/3.2/cpu-ubi9/simple" with "rhai/rhoai/3.3/cpu-ubi9/simple" so the
header matches the pinned transformers==4.57.6 and avoids confusion during
maintenance (edit the first comment block in requirements.overrides.txt).

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.tekton/lightspeed-stack-pull-request.yaml (1)

37-57: ⚠️ Potential issue | 🟠 Major

Reconcile "prefetch-problem" comments with configured binary.packages.

Lines 37–40 flag 11 packages as problematic for Hermeto prefetch (requiring cmake, cargo, or special build tools): cryptography, hf-xet, jiter, maturin, pip, pydantic-core, rpds-py, safetensors, tiktoken, tokenizers, uv. However, all 11 are included in the binary.packages list on line 57. This mismatch will confuse CI/build troubleshooting. Either remove these packages from the binary list or update the comments to clarify if the RHOAI 3.3 migration resolves these constraints.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.tekton/lightspeed-stack-pull-request.yaml around lines 37 - 57, The comment
lists 11 Hermeto-prefetch-problem packages (cryptography, hf-xet, jiter,
maturin, pip, pydantic-core, rpds-py, safetensors, tiktoken, tokenizers, uv) but
those same names are present in the binary.packages string under the binary
block in the value payload; reconcile by either (A) removing these package names
from the binary.packages comma-separated list in the binary block so they are
not treated as prebuilt binaries, or (B) updating the explanatory comment above
the value payload to explicitly state that the RHOAI 3.3 migration (or other
mitigation) resolves those build/tooling constraints and they are intentionally
included as binaries—pick one approach and apply it consistently to the
binary.packages string and the comment.

♻️ Duplicate comments (1)

requirements-build.txt (1)

29-35: ⚠️ Potential issue | 🟠 Major

Conflicting duplicate hatchling pins are still present.

Line 29 pins hatchling==1.26.3 while Line 34 pins hatchling==1.29.0. Keep only one version to avoid resolver conflicts.

🩹 Proposed fix

-hatchling==1.26.3
-    # via
-    #   hatch-fancy-pypi-readme
-    #   llama-stack-client
-    #   openai
 hatchling==1.29.0
     # via
     #   a2a-sdk

#!/bin/bash
set -euo pipefail

awk -F'==' '
/^[a-zA-Z0-9_.-]+==[0-9A-Za-z.+-]+$/ {
  pkg=$1; ver=$2
  if (seen[pkg] && seen[pkg] != ver) {
    printf "CONFLICT %s: %s vs %s\n", pkg, seen[pkg], ver
    conflict=1
  } else {
    seen[pkg]=ver
  }
}
END {
  if (conflict) exit 1
  print "No conflicting duplicate pins found."
}
' requirements-build.txt

Expected result: no CONFLICT lines after cleanup.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 29 - 35, There are two conflicting pins
for hatchling (hatchling==1.26.3 and hatchling==1.29.0); remove the duplicate so
only one exact pin remains (prefer keeping hatchling==1.29.0) by deleting the
other line and any stray duplicate comment lines, commit the cleaned
requirements-build.txt, and re-run the provided conflict-check script to verify
no CONFLICT lines remain.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.tekton/lightspeed-stack-pull-request.yaml:
- Around line 37-57: The comment lists 11 Hermeto-prefetch-problem packages
(cryptography, hf-xet, jiter, maturin, pip, pydantic-core, rpds-py, safetensors,
tiktoken, tokenizers, uv) but those same names are present in the
binary.packages string under the binary block in the value payload; reconcile by
either (A) removing these package names from the binary.packages comma-separated
list in the binary block so they are not treated as prebuilt binaries, or (B)
updating the explanatory comment above the value payload to explicitly state
that the RHOAI 3.3 migration (or other mitigation) resolves those build/tooling
constraints and they are intentionally included as binaries—pick one approach
and apply it consistently to the binary.packages string and the comment.

---

Duplicate comments:
In `@requirements-build.txt`:
- Around line 29-35: There are two conflicting pins for hatchling
(hatchling==1.26.3 and hatchling==1.29.0); remove the duplicate so only one
exact pin remains (prefer keeping hatchling==1.29.0) by deleting the other line
and any stray duplicate comment lines, commit the cleaned
requirements-build.txt, and re-run the provided conflict-check script to verify
no CONFLICT lines remain.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4ea81489-4114-4cb6-970c-7b1c0581f6a2

📥 Commits

Reviewing files that changed from the base of the PR and between f6e4d0a and 3837906.

📒 Files selected for processing (7)

• .tekton/lightspeed-stack-pull-request.yaml
• .tekton/lightspeed-stack-push.yaml
• requirements-build.txt
• requirements.hashes.source.txt
• requirements.hashes.wheel.txt
• requirements.overrides.txt
• scripts/konflux_requirements.sh

🚧 Files skipped from review as they are similar to previous changes (2)

• scripts/konflux_requirements.sh
• requirements.overrides.txt

[coderabbitai]

♻️ Duplicate comments (2)

requirements-build.txt (1)

27-33: ⚠️ Potential issue | 🟠 Major

Remove conflicting duplicate hatchling pin.

Line 27 and Line 32 pin different hatchling versions in the same file (1.26.3 and 1.29.0). Keep only one version (the newer pin) to avoid resolver conflicts.

Proposed fix

-hatchling==1.26.3
-    # via
-    #   hatch-fancy-pypi-readme
-    #   llama-stack-client
-    #   openai
 hatchling==1.29.0
     # via
     #   a2a-sdk

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 27 - 33, The requirements-build.txt
contains duplicate, conflicting pins for the hatchling package
('hatchling==1.26.3' and 'hatchling==1.29.0'); remove the older entry
'hatchling==1.26.3' and keep only 'hatchling==1.29.0' (and any related
comment/metadata above/below the removed line) so there is a single consistent
pin for hatchling.

requirements.overrides.txt (1)

1-3: ⚠️ Potential issue | 🟡 Minor

Update stale RHOAI index URL in override header.

Line 2 still references .../rhoai/3.2/... while this PR updates requirements for 3.3. Please align the header comment to avoid maintenance confusion.

Proposed fix

 # override these package to the version available on RHOAI wheels index:
-# https://console.redhat.com/api/pypi/public-rhai/rhoai/3.2/cpu-ubi9/simple
+# https://console.redhat.com/api/pypi/public-rhai/rhoai/3.3/cpu-ubi9/simple

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements.overrides.txt` around lines 1 - 3, The header comment currently
references the old RHOAI index path '.../rhoai/3.2/...' which is stale for this
PR; update that header comment to reference the correct '.../rhoai/3.3/...'
index so the override note matches the bumped requirements (ensure the string
'rhoai/3.2' in the top comment is replaced with 'rhoai/3.3').

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@requirements-build.txt`:
- Around line 27-33: The requirements-build.txt contains duplicate, conflicting
pins for the hatchling package ('hatchling==1.26.3' and 'hatchling==1.29.0');
remove the older entry 'hatchling==1.26.3' and keep only 'hatchling==1.29.0'
(and any related comment/metadata above/below the removed line) so there is a
single consistent pin for hatchling.

In `@requirements.overrides.txt`:
- Around line 1-3: The header comment currently references the old RHOAI index
path '.../rhoai/3.2/...' which is stale for this PR; update that header comment
to reference the correct '.../rhoai/3.3/...' index so the override note matches
the bumped requirements (ensure the string 'rhoai/3.2' in the top comment is
replaced with 'rhoai/3.3').

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c76a0e38-4d80-4edd-9d8d-88e8a4f6b9e1

📥 Commits

Reviewing files that changed from the base of the PR and between 3837906 and 8b7a97d.

📒 Files selected for processing (7)

• .tekton/lightspeed-stack-pull-request.yaml
• .tekton/lightspeed-stack-push.yaml
• requirements-build.txt
• requirements.hashes.source.txt
• requirements.hashes.wheel.txt
• requirements.overrides.txt
• scripts/konflux_requirements.sh

🚧 Files skipped from review as they are similar to previous changes (3)

• .tekton/lightspeed-stack-pull-request.yaml
• scripts/konflux_requirements.sh
• .tekton/lightspeed-stack-push.yaml

[coderabbitai]

♻️ Duplicate comments (2)

requirements.overrides.txt (1)

1-3: ⚠️ Potential issue | 🟡 Minor

Update the override header to the 3.3 wheel index.

Lines 1-2 still point at the 3.2 index, while this file now pins the 3.3 snapshot and requirements.hashes.wheel.txt is compiled against 3.3. Leaving the stale URL here is easy to trip over during the next manual refresh.

🛠️ Proposed fix

-# https://console.redhat.com/api/pypi/public-rhai/rhoai/3.2/cpu-ubi9/simple
+# https://console.redhat.com/api/pypi/public-rhai/rhoai/3.3/cpu-ubi9/simple

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements.overrides.txt` around lines 1 - 3, Update the override header
comment to point to the 3.3 wheel index instead of 3.2: modify the URL in the
top comment (currently referencing the 3.2 RHOAI wheels index) to the 3.3
snapshot index so it matches the pinned transformers==4.57.6 and the compiled
requirements.hashes.wheel.txt; verify the comment text and URL reflect
"rhoai/3.3" (the file is requirements.overrides.txt) to avoid future confusion.

requirements-build.txt (1)

25-30: ⚠️ Potential issue | 🟠 Major

Drop the stale hatchling==1.26.3 pin.

Line 25 is still present next to hatchling==1.29.0 on Line 30, so requirements-build.txt remains internally inconsistent. Since .tekton/lightspeed-stack-push.yaml feeds this file into requirements_build_files, the prefetch/build resolver can still fail on the duplicate version constraint.

🧩 Proposed fix

-hatchling==1.26.3
-    # via
-    #   hatch-fancy-pypi-readme
-    #   llama-stack-client
-    #   openai
 hatchling==1.29.0
     # via
     #   a2a-sdk

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 25 - 30, Remove the stale duplicate
package pin by deleting the "hatchling==1.26.3" entry so only
"hatchling==1.29.0" remains in requirements-build.txt; ensure there are no other
duplicate hatchling entries and that the file contains a single consistent
version string ("hatchling==1.29.0") to avoid resolver/preflight failures.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@requirements-build.txt`:
- Around line 25-30: Remove the stale duplicate package pin by deleting the
"hatchling==1.26.3" entry so only "hatchling==1.29.0" remains in
requirements-build.txt; ensure there are no other duplicate hatchling entries
and that the file contains a single consistent version string
("hatchling==1.29.0") to avoid resolver/preflight failures.

In `@requirements.overrides.txt`:
- Around line 1-3: Update the override header comment to point to the 3.3 wheel
index instead of 3.2: modify the URL in the top comment (currently referencing
the 3.2 RHOAI wheels index) to the 3.3 snapshot index so it matches the pinned
transformers==4.57.6 and the compiled requirements.hashes.wheel.txt; verify the
comment text and URL reflect "rhoai/3.3" (the file is
requirements.overrides.txt) to avoid future confusion.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: baea6160-9665-45af-bd8f-22068994bf90

📥 Commits

Reviewing files that changed from the base of the PR and between 8b7a97d and 1574280.

📒 Files selected for processing (7)

• .tekton/lightspeed-stack-pull-request.yaml
• .tekton/lightspeed-stack-push.yaml
• requirements-build.txt
• requirements.hashes.source.txt
• requirements.hashes.wheel.txt
• requirements.overrides.txt
• scripts/konflux_requirements.sh

🚧 Files skipped from review as they are similar to previous changes (2)

• scripts/konflux_requirements.sh
• .tekton/lightspeed-stack-pull-request.yaml

[tisnik]

LGTM