Change8

v1.19.0

Breaking Changes
📦 huggingface-hubView on GitHub →
1 breaking6 features🐛 3 fixes🔧 11 symbols

Summary

This release introduces major security and usability enhancements, including Keyless CI/CD authentication via OIDC and support for unified `hf://` URIs in CLI upload/download commands. It also exposes job container ports through the public proxy.

⚠️ Breaking Changes

  • When using `hf upload` or `hf download` with an `hf://` URI, positional arguments for repo ID, `--repo-type`, or `--revision` are no longer accepted or take precedence. The URI is the single source of truth. If a URI is provided, passing `--repo-type` or `--revision` will raise an error. Additionally, a path specified within the URI cannot be combined with positional filenames (download) or the `path_in_repo` argument (upload).

Migration Steps

  1. If using Xet functionality, migrate from the old function-based `hf_xet` API to the session-based `XetSession` API (requires `hf-xet >= 1.5.0`).
  2. If using `hf upload` or `hf download`, consider replacing positional arguments and flags like `--repo-type` and `--revision` with a unified `hf://` URI.
  3. If running jobs that need external access, use the `--expose <port>` flag or `expose=[port]` parameter.
  4. If relying on Colab token retrieval, note that `get_token()` now prioritizes explicit login/environment variables over the Colab secrets vault.

✨ New Features

  • Introduced Keyless CI/CD authentication using OIDC token exchange via Trusted Publishers. Set `HF_OIDC_RESOURCE` to scope the token; GitHub Actions is supported out-of-the-box.
  • CI workflows can now use OIDC tokens for authentication without storing an `HF_TOKEN` secret.
  • `hf upload` and `hf download` now accept an `hf://` URI (e.g., `hf://datasets/repo/file@revision/path`) which encapsulates repo type, ID, revision, and path.
  • Jobs can now expose container ports through the public jobs proxy using `--expose <port>` (CLI) or `expose=[port]` (Python API). Exposed ports are reachable at `https://<job_id>--<port>.hf.jobs`.
  • Job responses now include `expose_urls` in `JobStatus` when ports are exposed.
  • Agent harness detection now dynamically fetches the registry from `GET /api/agent-harnesses` instead of using a hardcoded list, with caching.

🐛 Bug Fixes

  • Fixed `ImportError` on Python 3.15 by removing the private `_MISSING_TYPE` import from the `dataclasses` module.
  • Corrected grammar in the ignored-pattern warning message for `hf download` (changed "have being" to "have been").
  • Fixed a transient location error during file metadata retrieval by accepting `cdn.hf.co` in addition to `xethub.hf.co` in the redirect URL check.

Affected Symbols