gguf-puller: pull public GGUF repos without the HF token secret#53
Merged
Conversation
The gguf-puller service declared the SOPS-managed `hf_token` Docker secret
(file: ${HOME}/.ai-toolkit/runtime/secrets/hf_token). When that file is absent
— or when its ${HOME} source mis-resolves inside a Hermes/ops-controller
compose subprocess — `docker compose run gguf-puller` aborts before the script
runs, so even public-repo pulls fail.
pull_gguf_models.py already falls back to the HF_TOKEN env var and downloads
public repos anonymously. Swap the file secret for an optional
`HF_TOKEN=${HF_TOKEN:-}` env on gguf-puller only: empty by default (public pulls
work token-free, never hard-fails), set HF_TOKEN in .env for gated repos. The
runtime services (ops-controller, dashboard, comfyui, comfyui-model-puller)
keep the SOPS file secret unchanged.
Validated: `docker compose --profile models run --rm gguf-puller` with no secret
and no HF_TOKEN pulls a public GGUF successfully (exit 0).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
ordo-ai-stack-llamacpp-1crash-looped because its model file was missing; restoring it surfaced thatdocker compose run gguf-pullerhard-fails whenever the SOPS-managedhf_tokensecret file is absent (or its${HOME}source mis-resolves inside a Hermes/ops-controller compose subprocess — the sameis not a valid Windows patherror seen in the audit log). Even public GGUF pulls fail, so the puller couldn't be used to recover.Fix
scripts/pull_gguf_models.pyalready falls back fromHF_TOKEN_FILEto theHF_TOKENenv var and pulls public repos anonymously. So for gguf-puller only:HF_TOKEN_FILE=/run/secrets/hf_token+secrets: [hf_token]with optionalHF_TOKEN=${HF_TOKEN:-}.compose runnever hard-fails. SetHF_TOKENin.envfor gated repos.The runtime services (
ops-controller,dashboard,comfyui,comfyui-model-puller) keep the SOPS file secret unchanged — this is deliberately scoped to the puller, not a stack-wide secrets change.Why not env-provider / a stack-wide change
A
secrets.hf_token.environment: HF_TOKENprovider was tried first — it also hard-fails whenHF_TOKENis unset (environment variable "HF_TOKEN" required by secret … is not set). Compose's only non-fatal mechanism is${VAR:-}on a plain env var. Ripping the secret out of all 5 services would diverge from the SOPS+age design (per repo convention) for no benefit, so this PR touches just the puller.Validation
docker compose --profile models run --rm gguf-pullerwith no secret and no HF_TOKEN pulls a public GGUF successfully (Done., exit 0).docker compose configresolves clean.🤖 Generated with Claude Code