Update to 26.08

[jolorunyomi]

This PR updates the repository to version 26.08.

This is part of the 26.06 release burndown process.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores

  • Version bumped from 26.06 to 26.08 across all packages and dependencies.
  • Updated CI/CD workflows to use latest shared workflow versions and container images.
  • Updated development container configurations for CUDA 12.9 and 13.2 environments.
  • Updated conda environment dependency pins and Python package requirements.

• Documentation

  • Updated Java CI documentation with current version references.

Walkthrough

This PR bumps RAPIDS components from version 26.06 to 26.08 across the entire codebase, updates CI workflow references from pinned @cuda-13.2.0 to @main, and synchronizes devcontainer and container image tags accordingly. All dependency declarations, environment specifications, and build metadata are updated consistently.

Changes

RAPIDS 26.06 → 26.08 version bump and CI infrastructure update

Layer / File(s)	Summary
Version identifiers and build metadata VERSION, python/cudf/cudf/VERSION, java/pom.xml	Project version strings updated from 26.06.00 to 26.08.00 across root, Python cudf, and Java Maven modules.
Devcontainer base images and feature versions .devcontainer/cuda12.9-conda/devcontainer.json, .devcontainer/cuda12.9-pip/devcontainer.json, .devcontainer/cuda13.2-conda/devcontainer.json, .devcontainer/cuda13.2-pip/devcontainer.json	Base RAPIDS devcontainer images bumped from 26.06 to 26.08; CUDA and rapids-build-utils feature versions bumped from 26.6 to 26.8 in all CUDA variant configurations.
CI workflow shared-workflow references .github/workflows/build.yaml, .github/workflows/test.yaml, .github/workflows/pr.yaml, .github/workflows/compute-sanitizer-run.yaml, .github/workflows/pandas-tests.yaml, .github/workflows/pr_issue_status_automation.yml, .github/workflows/trigger-breaking-change-alert.yaml	Workflow uses: references switched from pinned @cuda-13.2.0 to rolling @main across build, test, and PR job definitions; container images in custom-job-based workflows bumped from 26.06-latest to 26.08-latest.
Generated conda environment version pins conda/environments/all_cuda-129_arch-aarch64.yaml, conda/environments/all_cuda-129_arch-x86_64.yaml, conda/environments/all_cuda-132_arch-aarch64.yaml, conda/environments/all_cuda-132_arch-x86_64.yaml	RAPIDS component version pins (dask-cuda, libkvikio, librmm, rapids-dask-dependency, rapidsmpf, rmm) updated from 26.6.\* to 26.8.\* across all CUDA and architecture combinations.
Dependency declaration and generation configuration dependencies.yaml	Central dependency generator updated to pin all RAPIDS components (libcudf, pylibcudf, cudf, libkvikio, librmm, rmm, dask-cuda, rapidsmpf, and associated packages) to 26.8.\* across conda, pyproject, and CUDA-suffixed wheel variants.
Python package dependency constraints python/cudf/pyproject.toml, python/cudf_kafka/pyproject.toml, python/dask_cudf/pyproject.toml, python/libcudf/pyproject.toml, python/pylibcudf/pyproject.toml, python/cudf_polars/pyproject.toml, python/custreamz/pyproject.toml	Project and build-time dependencies updated from 26.6.\* to 26.8.\* for all RAPIDS GPU libraries in [project].dependencies and [tool.rapids-build-backend].requires sections.
Pre-commit hooks, test dependencies, and documentation .pre-commit-config.yaml, python/cudf/cudf_pandas_tests/third_party_integration_tests/dependencies.yaml, java/ci/README.md	Mypy hook rmm-cu12 dependency bumped to 26.8.\; third-party integration test dependencies (cudf, cuml, cugraph) updated to 26.8.\; Java CI README example artifact version updated to 26.08.0; compute-sanitizer workflow container images bumped to 26.08-latest.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• rapidsai/cudf#22463: Both PRs modify the same CI workflow files and devcontainer configurations with overlapping targets (CUDA 13.2 and shared-workflows uses: references), though this PR bumps versions forward to 26.08-main while the retrieved PR introduces CUDA 13.2.0 pinning.
• rapidsai/cudf#22480: Both PRs modify python/cudf_polars/pyproject.toml dependency pins; main PR bumps rapidsmpf and test extras to 26.8.\*, while retrieved PR removes rapidsmpf extras and NumPy-based test dependencies.

Suggested labels

Python, Java, improvement, non-breaking

Suggested reviewers

• msarahan
• bdice
• gforsyth

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update to 26.08' directly describes the main change—updating repository version from 26.06 to 26.08 across all configuration files and dependencies.
Description check	✅ Passed	The description clearly states the PR updates the repository to version 26.08 and is part of the release burndown process, which aligns with the extensive version update changes shown in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch version-update-26.08

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/pr.yaml (1)

711-720: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove inputs.* from this push-triggered workflow.

This workflow uses on: push only, but lines 715-717, 737-739, and 756-758 reference inputs.branch, inputs.date, and inputs.sha. These inputs.* expressions are undefined in push-triggered workflows and will cause failures.

Suggested fix

   third-party-integration-tests-cudf-pandas:
@@
     with:
       build_type: pull-request
-      branch: ${{ inputs.branch }}
-      date: ${{ inputs.date }}
-      sha: ${{ inputs.sha }}
       node_type: "gpu-l4-latest-1"
       continue-on-error: true
       container_image: "rapidsai/ci-conda:26.08-latest"
@@
   pandas-tests:
@@
     with:
       build_type: pull-request
-      branch: ${{ inputs.branch }}
-      date: ${{ inputs.date }}
-      sha: ${{ inputs.sha }}
       node_type: "gpu-l4-latest-1"
       container_image: "rapidsai/citestwheel:26.08-latest"
       script: ci/cudf_pandas_scripts/pandas-tests/run.sh pr
@@
   narwhals-tests:
@@
     with:
       build_type: pull-request
-      branch: ${{ inputs.branch }}
-      date: ${{ inputs.date }}
-      sha: ${{ inputs.sha }}
       node_type: "gpu-l4-latest-1"
       container_image: "rapidsai/ci-conda:26.08-latest"
       script: ci/test_narwhals.sh

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr.yaml around lines 711 - 720, The workflow references
undefined inputs (inputs.branch, inputs.date, inputs.sha) in the job using
rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main; replace these
push-only invalid expressions with appropriate GitHub context values: use
github.ref_name (or extract branch from github.ref) instead of inputs.branch,
use github.sha instead of inputs.sha, and use github.event.head_commit.timestamp
(or github.run_id/github.run_number if preferred) instead of inputs.date; update
the with: block entries for branch, date, and sha accordingly so the job runs
under push triggers without undefined inputs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yaml:
- Line 60: Replace all reusable workflow references that currently use the
mutable suffix "@main" with immutable commit SHAs for reproducible CI: update
the occurrences referencing conda-cpp-build.yaml, conda-python-build.yaml,
conda-upload-packages.yaml, custom-job.yaml, wheels-build.yaml, and
wheels-publish.yaml so each "uses: rapidsai/shared-workflows/...@main" becomes
"uses: rapidsai/shared-workflows/...@<commit-sha>" (choose and insert the
appropriate immutable SHA for each referenced workflow); ensure every repeated
reference to the same workflow file is pinned consistently and commit the
change.

In @.github/workflows/pr_issue_status_automation.yml:
- Line 16: The reusable workflow reference uses a mutable `@main` ref which is
insecure for a privileged pull_request_target workflow (the problematic line is
the uses:
rapidsai/shared-workflows/.github/workflows/project-get-item-id.yaml@main);
update that ref to an immutable commit SHA or a release tag (e.g., replace `@main`
with @<commit-sha>), and verify the workflow still receives
ADD_TO_PROJECT_GITHUB_TOKEN correctly; apply the same pinning approach to other
rapidsai/shared-workflows references across workflows to fully remediate the
supply-chain risk.

In @.github/workflows/trigger-breaking-change-alert.yaml:
- Line 16: The reusable workflow reference currently uses a mutable ref
"rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main";
replace the mutable "@main" with an immutable full commit SHA (40 hex chars) of
the target repo to pin the workflow, i.e., update the `uses` value to
"rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@<commit-sha>"
(obtain the SHA from the remote repo or a trusted commit) so the
`pull_request_target` run cannot be changed by updates to main.

---

Outside diff comments:
In @.github/workflows/pr.yaml:
- Around line 711-720: The workflow references undefined inputs (inputs.branch,
inputs.date, inputs.sha) in the job using
rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main; replace these
push-only invalid expressions with appropriate GitHub context values: use
github.ref_name (or extract branch from github.ref) instead of inputs.branch,
use github.sha instead of inputs.sha, and use github.event.head_commit.timestamp
(or github.run_id/github.run_number if preferred) instead of inputs.date; update
the with: block entries for branch, date, and sha accordingly so the job runs
under push triggers without undefined inputs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9ec764a5-d338-49ef-a788-94ad07178687

📥 Commits

Reviewing files that changed from the base of the PR and between fa59784 and f5b9e9b.

📒 Files selected for processing (29)

• .devcontainer/cuda12.9-conda/devcontainer.json
• .devcontainer/cuda12.9-pip/devcontainer.json
• .devcontainer/cuda13.2-conda/devcontainer.json
• .devcontainer/cuda13.2-pip/devcontainer.json
• .github/workflows/build.yaml
• .github/workflows/compute-sanitizer-run.yaml
• .github/workflows/pandas-tests.yaml
• .github/workflows/pr.yaml
• .github/workflows/pr_issue_status_automation.yml
• .github/workflows/test.yaml
• .github/workflows/trigger-breaking-change-alert.yaml
• .pre-commit-config.yaml
• VERSION
• conda/environments/all_cuda-129_arch-aarch64.yaml
• conda/environments/all_cuda-129_arch-x86_64.yaml
• conda/environments/all_cuda-132_arch-aarch64.yaml
• conda/environments/all_cuda-132_arch-x86_64.yaml
• dependencies.yaml
• java/ci/README.md
• java/pom.xml
• python/cudf/cudf/VERSION
• python/cudf/cudf_pandas_tests/third_party_integration_tests/dependencies.yaml
• python/cudf/pyproject.toml
• python/cudf_kafka/pyproject.toml
• python/cudf_polars/pyproject.toml
• python/custreamz/pyproject.toml
• python/dask_cudf/pyproject.toml
• python/libcudf/pyproject.toml
• python/pylibcudf/pyproject.toml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all mutable shared-workflow refs in this workflow file
rg -n 'uses:\s*rapidsai/shared-workflows/.+@main' .github/workflows/build.yaml

Repository: rapidsai/cudf

Length of output: 1301

---

Pin all reusable workflow references to immutable commit SHAs.

Using @main for workflow references makes CI behavior mutable and weakens reproducibility. Replace all 15 instances with specific commit SHAs:

• Line 60: conda-cpp-build.yaml
• Lines 77, 95: conda-python-build.yaml
• Line 111: conda-upload-packages.yaml
• Line 130: custom-job.yaml
• Lines 149, 189, 228, 267, 306: wheels-build.yaml
• Lines 169, 210, 249, 289, 328: wheels-publish.yaml

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yaml at line 60, Replace all reusable workflow
references that currently use the mutable suffix "@main" with immutable commit
SHAs for reproducible CI: update the occurrences referencing
conda-cpp-build.yaml, conda-python-build.yaml, conda-upload-packages.yaml,
custom-job.yaml, wheels-build.yaml, and wheels-publish.yaml so each "uses:
rapidsai/shared-workflows/...@main" becomes "uses:
rapidsai/shared-workflows/...@<commit-sha>" (choose and insert the appropriate
immutable SHA for each referenced workflow); ensure every repeated reference to
the same workflow file is pinned consistently and commit the change.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/pr_issue_status_automation.yml"
echo "== pull_request_target + mutable reusable workflow refs =="
rg -n 'pull_request_target|uses:\s*rapidsai/shared-workflows/.+@main' "$file"

Repository: rapidsai/cudf

Length of output: 440

---

🏁 Script executed:

cat -n ".github/workflows/pr_issue_status_automation.yml"

Repository: rapidsai/cudf

Length of output: 4119

---

🏁 Script executed:

#!/bin/bash
# Search for all uses of rapidsai/shared-workflows to see pinning patterns
rg -n 'rapidsai/shared-workflows' --type yaml

Repository: rapidsai/cudf

Length of output: 39

---

🏁 Script executed:

#!/bin/bash
# Broader search for shared-workflows usage
rg 'shared-workflows' --type yaml

Repository: rapidsai/cudf

Length of output: 39

---

🏁 Script executed:

#!/bin/bash
# Find all workflow files and check for shared-workflows references
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -20

Repository: rapidsai/cudf

Length of output: 552

---

🏁 Script executed:

#!/bin/bash
# Search across all workflow files for shared-workflows references
for f in .github/workflows/*.{yml,yaml}; do
  if [ -f "$f" ]; then
    echo "=== $f ==="
    rg 'shared-workflows' "$f" || echo "No matches"
  fi
done

Repository: rapidsai/cudf

Length of output: 5800

---

🏁 Script executed:

#!/bin/bash
# Check if this is a systemic pattern - count `@main` vs other pinning
echo "=== Shared-workflows refs across all workflows ==="
rg 'rapidsai/shared-workflows' .github/workflows/ --no-filename | sort | uniq -c | sort -rn

Repository: rapidsai/cudf

Length of output: 1724

---

🏁 Script executed:

#!/bin/bash
# Check if this is a broader organizational pattern - look at one non-privileged workflow
echo "=== pr.yaml permissions ===" 
head -20 .github/workflows/pr.yaml | grep -A 5 "^permissions"
echo ""
echo "=== pr_issue_status_automation.yml permissions ==="
head -20 .github/workflows/pr_issue_status_automation.yml | grep -A 5 "^permissions"

Repository: rapidsai/cudf

Length of output: 400

---

🏁 Script executed:

#!/bin/bash
# Check if there's any documentation or comments about this pattern
echo "=== Checking for shared-workflows tag/release info ==="
rg 'shared-workflows' .github/ --type md --type txt 2>/dev/null || echo "No docs found"
echo ""
echo "=== Check git to see if rapidsai/shared-workflows is referenced ==="
rg 'shared-workflows' . --type md --type txt 2>/dev/null | head -20

Repository: rapidsai/cudf

Length of output: 706

---

Pin reusable workflow refs to immutable commits in privileged workflows.

This pull_request_target workflow passes ADD_TO_PROJECT_GITHUB_TOKEN secret to reusable workflows referenced with mutable @main branches, creating supply-chain and reproducibility risks. While this pattern is codebase-wide (affecting ~70 references to rapidsai/shared-workflows across multiple workflows), it should be addressed systematically. Note: pinning this file alone is incomplete without addressing the broader organizational pattern.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr_issue_status_automation.yml at line 16, The reusable
workflow reference uses a mutable `@main` ref which is insecure for a privileged
pull_request_target workflow (the problematic line is the uses:
rapidsai/shared-workflows/.github/workflows/project-get-item-id.yaml@main);
update that ref to an immutable commit SHA or a release tag (e.g., replace `@main`
with @<commit-sha>), and verify the workflow still receives
ADD_TO_PROJECT_GITHUB_TOKEN correctly; apply the same pinning approach to other
rapidsai/shared-workflows references across workflows to fully remediate the
supply-chain risk.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/trigger-breaking-change-alert.yaml"
echo "== pull_request_target + mutable reusable workflow refs =="
rg -n 'pull_request_target|uses:\s*rapidsai/shared-workflows/.+@main' "$file"

Repository: rapidsai/cudf

Length of output: 230

---

Pin this reusable workflow to an immutable commit SHA instead of @main.

The pull_request_target trigger grants access to secrets; using a mutable ref (@main) allows unexpected workflow changes to execute with those secrets.

🔒 Suggested fix

-    uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main
+    uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@<pinned-commit-sha>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trigger-breaking-change-alert.yaml at line 16, The
reusable workflow reference currently uses a mutable ref
"rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main";
replace the mutable "@main" with an immutable full commit SHA (40 hex chars) of
the target repo to pin the workflow, i.e., update the `uses` value to
"rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@<commit-sha>"
(obtain the SHA from the remote repo or a trusted commit) so the
`pull_request_target` run cannot be changed by updates to main.