feat: Publish Toolkit artifacts as OCI images

[m1so]

Summary by CodeRabbit

• New Features
  • Added an automated action to package, validate, and publish OCI-compatible artifacts with manifest verification and customizable annotations.
• Chores
  • CI/CD now publishes per-Python-version toolkit artifacts, conditionally publishes an installer for one Python version, uploads per-version constraint files, and publishes a combined constraints OCI artifact; overall status checks now require both build and constraints publishing to succeed.

[linear-code]

BLU-6079

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 840f5e78-104e-402d-9ec2-9c93d717f307

📥 Commits

Reviewing files that changed from the base of the PR and between 57c29d8 and c43da7d.

📒 Files selected for processing (1)

• .github/workflows/cd.yml

---

📝 Walkthrough

Walkthrough

This PR adds OCI artifact publishing to the CD pipeline. A new composite action (push-oci-artifact) wraps ORAS to push files with standardized OCI annotations. The CD workflow is updated to publish toolkit bundles and installers as OCI artifacts per Python version, add a new job to aggregate toolkit constraints across versions as a single OCI artifact, and update the status job to coordinate success/failure across both publishing pipelines.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Updates Docs	⚠️ Warning	Feature implemented (OCI artifact publishing) but zero mentions in README.md or docs/ configuration files; user-facing documentation not updated.	Add documentation explaining OCI artifact publishing to README.md and/or docs/; update deepnote/deepnote OSS repo and roadmap in deepnote/deepnote-internal.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title clearly summarizes the main change: publishing Toolkit artifacts as OCI images, which aligns with the core additions of the OCI push action and workflow modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Python package built successfully!

• Version: 2.3.0.dev8+ea93dfe
• Wheel: deepnote_toolkit-2.3.0.dev8+ea93dfe-py3-none-any.whl
• Install:

  pip install "deepnote-toolkit @ https://deepnote-staging-runtime-artifactory.s3.amazonaws.com/deepnote-toolkit-packages/2.3.0.dev8%2Bea93dfe/deepnote_toolkit-2.3.0.dev8%2Bea93dfe-py3-none-any.whl"

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.09%. Comparing base (8f9eb45) to head (f74a24a).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #106   +/-   ##
=======================================
  Coverage   74.09%   74.09%           
=======================================
  Files          95       95           
  Lines        5678     5678           
  Branches      843      843           
=======================================
  Hits         4207     4207           
  Misses       1195     1195           
  Partials      276      276           

Flag	Coverage Δ
combined	74.09% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/push-oci-artifact/action.yml:
- Around line 53-56: The debug path is hardcoded to "dist/" which can mislead
callers; update the missing-file handling around the check for ${file_path} to
list the parent directory of the provided file instead of dist/. Use dirname on
${file_path} (e.g., compute parent_dir="$(dirname "${file_path}")") and run ls
-la on that parent_dir (with a fallback message if it doesn't exist) so logs
reflect the actual location passed in; ensure you keep the existing error exit
behavior.

In @.github/workflows/cd.yml:
- Around line 183-187: The hardcoded list under the "files:" key (e.g.,
dist/constraints3.10.txt, dist/constraints3.11.txt, etc.) will drift if the
workflow matrix changes; replace the static list with a dynamic generation tied
to the matrix (use matrix.python-version or a step that iterates over
matrix.python-version to build the list) or at minimum add a clear comment next
to "files:" mentioning the coupling to the matrix defined earlier; update
references to the per-version filenames (dist/constraints3.10.txt etc.) to be
produced from the matrix values so changes to matrix.python-version
automatically update the artifact list.
- Around line 206-213: The current conditional block using the variables
build_result and constraints_result doesn't handle the 'skipped' state and will
treat skipped jobs as failures; update the logic in the if/elif/else block that
starts with if [[ $build_result == "success" && $constraints_result == "success"
]] to explicitly handle 'skipped' (e.g., treat 'skipped' as non-fatal/success or
add an elif branch for skipped) so that when either build_result or
constraints_result is "skipped" you return a clear message and the desired exit
code (likely exit 0) instead of falling through to the failure else branch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3d7ac127-9952-4896-a261-6acb1dfbb0f2

📥 Commits

Reviewing files that changed from the base of the PR and between 98e2371 and c2e15a7.

📒 Files selected for processing (2)

• .github/actions/push-oci-artifact/action.yml
• .github/workflows/cd.yml

[deepnote-bot]

🚀 Review App Deployment Started

📝 Description	🌐 Link / Info
🌍 Review application	ra-106
🔑 Sign-in URL	Click to sign-in
📊 Application logs	View logs
🔄 Actions	Click to redeploy
🚀 ArgoCD deployment	View deployment
⏰ Last deployed	2026-06-04 12:43:17 (UTC)
📜 Deployed commit	c40e6d8a0218b10576249370d3a1169e39780993
🛠️ Toolkit version	ea93dfe

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/push-oci-artifact/action.yml:
- Around line 56-65: The current loop copies each file to
"${rootfs_dir}/$(basename "${file_path}")", which can silently overwrite files
with the same basename; fix it by preserving the source path under rootfs_dir
(or at minimum detecting collisions) before copying: compute
target_dir="$(dirname "${rootfs_dir}/${file_path}")", mkdir -p "$target_dir",
and cp "${file_path}" "${target_dir}/$(basename "${file_path}")"; alternatively,
if you prefer flat targets, check if the destination exists (using [ -e
"${rootfs_dir}/$(basename "${file_path}")" ]) and exit with an error that
includes both source and existing destination to avoid silent overwrites in the
loop that reads FILES and uses file_path/rootfs_dir.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a46045a1-4d95-46e5-ae7f-97ffcc758fde

📥 Commits

Reviewing files that changed from the base of the PR and between c2e15a7 and 57c29d8.

📒 Files selected for processing (1)

• .github/actions/push-oci-artifact/action.yml