v1.19.0
Breaking Changes📦 huggingface-hubView on GitHub →
⚠ 1 breaking✨ 6 features🐛 3 fixes🔧 11 symbols
Summary
This release introduces major security and usability enhancements, including Keyless CI/CD authentication via OIDC and support for unified `hf://` URIs in CLI upload/download commands. It also exposes job container ports through the public proxy.
⚠️ Breaking Changes
- When using `hf upload` or `hf download` with an `hf://` URI, positional arguments for repo ID, `--repo-type`, or `--revision` are no longer accepted or take precedence. The URI is the single source of truth. If a URI is provided, passing `--repo-type` or `--revision` will raise an error. Additionally, a path specified within the URI cannot be combined with positional filenames (download) or the `path_in_repo` argument (upload).
Migration Steps
- If using Xet functionality, migrate from the old function-based `hf_xet` API to the session-based `XetSession` API (requires `hf-xet >= 1.5.0`).
- If using `hf upload` or `hf download`, consider replacing positional arguments and flags like `--repo-type` and `--revision` with a unified `hf://` URI.
- If running jobs that need external access, use the `--expose <port>` flag or `expose=[port]` parameter.
- If relying on Colab token retrieval, note that `get_token()` now prioritizes explicit login/environment variables over the Colab secrets vault.
✨ New Features
- Introduced Keyless CI/CD authentication using OIDC token exchange via Trusted Publishers. Set `HF_OIDC_RESOURCE` to scope the token; GitHub Actions is supported out-of-the-box.
- CI workflows can now use OIDC tokens for authentication without storing an `HF_TOKEN` secret.
- `hf upload` and `hf download` now accept an `hf://` URI (e.g., `hf://datasets/repo/file@revision/path`) which encapsulates repo type, ID, revision, and path.
- Jobs can now expose container ports through the public jobs proxy using `--expose <port>` (CLI) or `expose=[port]` (Python API). Exposed ports are reachable at `https://<job_id>--<port>.hf.jobs`.
- Job responses now include `expose_urls` in `JobStatus` when ports are exposed.
- Agent harness detection now dynamically fetches the registry from `GET /api/agent-harnesses` instead of using a hardcoded list, with caching.
🐛 Bug Fixes
- Fixed `ImportError` on Python 3.15 by removing the private `_MISSING_TYPE` import from the `dataclasses` module.
- Corrected grammar in the ignored-pattern warning message for `hf download` (changed "have being" to "have been").
- Fixed a transient location error during file metadata retrieval by accepting `cdn.hf.co` in addition to `xethub.hf.co` in the redirect URL check.