ci: use cargo env token for artifactory publish #74

Merged: rapids-bot[bot] merged 1 commit into NVIDIA:main from willkill07:wkk_fix/cargo-artifactory-auth on May 8, 2026

@willkill07 (Member) commented May 8, 2026

Overview

Fix the scheduled Cargo Artifactory publish job after Cargo 1.93 rejected the deprecated command-line token path for the private sparse registry. The job now exposes the existing Artifactory key through Cargo's per-registry token environment variable before publishing.

  • I confirm this contribution is my own work, or I have the right to submit it under this project's license.
  • I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

  • Export CARGO_REGISTRIES_ARTIFACTORY_TOKEN from NEMO_FLOW_CI_ARTIFACTORY_KEY in publish:artifactory:cargo.
  • Remove the deprecated cargo publish --token flag so Cargo reads the Artifactory token through its registry credential environment path.
  • Keep the existing Artifactory sparse registry configuration unchanged.

Validation:

  • ruby -e 'require "yaml"; YAML.load_file(".gitlab-ci.yml"); puts "yaml-ok"'
  • Extracted the publish:artifactory:cargo script block and checked it with bash -n
  • git diff --check
  • Commit-time pre-commit hooks passed for .gitlab-ci.yml

Where should the reviewer start?

Start with .gitlab-ci.yml, specifically the publish:artifactory:cargo job lines that configure the Cargo registry token and invoke cargo publish.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

Summary by CodeRabbit

  • Chores
    • Updated deployment configuration for internal credential handling. No user-facing changes.

Signed-off-by: Will Killian <wkillian@nvidia.com>
@willkill07 willkill07 requested a review from a team as a code owner May 8, 2026 20:32
@github-actions github-actions Bot added size:XS PR is extra small ci labels May 8, 2026
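
The migration described in this PR, as an added example that is not the project's CI code: shell checks that flag `cargo publish --token` on the command line (where the secret sits in the process argument list) and confirm the script exports Cargo's per-registry token variable instead. The sample scripts are constructed, and the registry name `artifactory` and the helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: lint a publish script for registry tokens passed on argv.
# Samples below are constructed; the registry name "artifactory" is assumed.

# Env var Cargo reads for a registry token: upper-case the name, '-' -> '_'.
cargo_token_var() {
  printf 'CARGO_REGISTRIES_%s_TOKEN\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Count non-comment `cargo publish|login` lines on stdin that pass --token.
count_argv_tokens() {
  grep -Ec '^[^#]*cargo[[:space:]]+(publish|login)[^#]*--token([[:space:]=]|$)' || true
}

# Succeed if stdin exports the token variable for the registry named in $1.
exports_token_var() {
  grep -Eq "^[[:space:]-]*export[[:space:]]+$(cargo_token_var "$1")="
}

# Constructed "before": the key is expanded onto the cargo command line.
before_sample() {
  cat <<'EOF'
for crate in nemo-flow nemo-flow-adaptive nemo-flow-ffi; do
  cargo publish -p "$crate" --registry artifactory --token "$NEMO_FLOW_CI_ARTIFACTORY_KEY"
done
EOF
}

# Constructed "after": the key reaches Cargo only through the environment.
after_sample() {
  cat <<'EOF'
export CARGO_REGISTRIES_ARTIFACTORY_TOKEN="$NEMO_FLOW_CI_ARTIFACTORY_KEY"
for crate in nemo-flow nemo-flow-adaptive nemo-flow-ffi; do
  cargo publish -p "$crate" --registry artifactory
done
EOF
}

# Report the number of argv-token lines in each sample.
for s in before_sample after_sample; do
  printf '%s: %s argv token line(s)\n' "$s" "$("$s" | count_argv_tokens)"
done
```
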
coderabbitai Bot commented May 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: cf882c0a-bb7f-46d5-a17f-55b857e96168

📥 Commits

Reviewing files that changed from the base of the PR and between b62912e and df470cb.

📒 Files selected for processing (1)
  • .gitlab-ci.yml
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (2)
{.github/workflows/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Ensure CI workflow references match local package names and installation methods

Files:

  • .gitlab-ci.yml
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

  • .gitlab-ci.yml
🧠 Learnings (2)
📚 Learning: 2026-04-15T18:16:52.951Z
Learnt from: bbednarski9
Repo: NVIDIA/NeMo-Flow PR: 1
File: docs/atof-event-format.md:381-381
Timestamp: 2026-04-15T18:16:52.951Z
Learning: In docs/atof-event-format.md (and when reviewing references to this format across the NeMo-Flow repo), treat `AtifExporter.events_to_steps()` as the intended public/API method name. Do not flag it as inconsistent with internal Rust symbol names (e.g., `event_to_steps` in `crates/core/src/atif.rs`)—the documentation’s public-facing naming may differ intentionally from internal implementation details.

Applied to files:

  • .gitlab-ci.yml
📚 Learning: 2026-05-01T13:41:07.485Z
Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 34
File: .gitlab-ci.yml:95-103
Timestamp: 2026-05-01T13:41:07.485Z
Learning: In NVIDIA/NeMo-Flow’s .gitlab-ci.yml, when listing GitHub Actions runs for a tag-triggered workflow, use `gh run list --branch "$tag"` to filter runs by the tag name. For annotated tag pushes in this repo, GitHub sets `headBranch` to the tag (e.g., `0.1.0-rc.5`), so `--branch "$tag"` returns only the tag-triggered run. Prefer this over `--commit <sha>`, which can be less precise because it may include both the tag run and a main-branch run that share the same commit SHA.

Applied to files:

  • .gitlab-ci.yml
🔇 Additional comments (1)
.gitlab-ci.yml (1)

267-270: Good migration to Cargo registry-token env auth.

Line 267 and Line 270 correctly switch from deprecated CLI token passing to CARGO_REGISTRIES_ARTIFACTORY_TOKEN, while keeping the publish loop and registry target intact.


Walkthrough

The publish:artifactory:cargo job refactors authentication for three Cargo crates: nemo-flow, nemo-flow-adaptive, and nemo-flow-ffi. The Artifactory token is now exported as an environment variable (CARGO_REGISTRIES_ARTIFACTORY_TOKEN) derived from a CI secret, and per-command --token arguments are removed from the cargo publish loop, allowing Cargo to use the configured registry token automatically.

Changes

Cargo Artifactory Authentication

| Layer / File(s) | Summary |
| --- | --- |
| Environment and Command Configuration<br>.gitlab-ci.yml | CARGO_REGISTRIES_ARTIFACTORY_TOKEN environment variable is exported from CI secret; cargo publish invocations for three crates remove --token flag and rely on environment-based authentication. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • NVIDIA/NeMo-Flow#68: Prior modification to the same publish:artifactory:cargo CI job's Cargo authentication mechanism.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title follows Conventional Commits format with type 'ci', concise imperative summary, under 72 characters, no trailing period, and directly relates to the main changeset. |
| Description check | ✅ Passed | Description includes all required template sections with detailed context about the fix, validation steps, and clear reviewer guidance. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@willkill07 (Member, Author) commented

/merge

@rapids-bot rapids-bot Bot merged commit 9b31069 into NVIDIA:main May 8, 2026
21 checks passed
@willkill07 willkill07 added the Maintenance CI or Build or general repository maintenance label May 12, 2026
@willkill07 willkill07 self-assigned this May 13, 2026
@willkill07 willkill07 added this to the 0.2.0 milestone May 13, 2026