Adjust release process after quickstart changes

[schustmi]

Describe changes

The new quickstart doesn't include running on a cloud stack anymore. This PR removes any files/code that was still building Docker images for that purpose.

Note: We still run the quickstart on cloud stacks as part of the release process.

Pre-requisites

Please ensure you have done the following:

• I have read the CONTRIBUTING.md document.
• I have added tests to cover my changes.
• I have based my new branch on develop and the open PR is targeting develop. If your branch wasn't based on develop read Contribution guide on rebasing branch to develop.
• IMPORTANT: I made sure that my changes are reflected properly in the following resources:
  • ZenML Docs
  • Dashboard: Needs to be communicated to the frontend team.
  • Templates: Might need adjustments (that are not reflected in the template tests) in case of non-breaking changes and deprecations.
  • Projects: Depending on the version dependencies, different projects might get affected.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Other (add details above)

[github-actions]

Documentation Link Check Results

❌ Absolute links check failed
There are broken absolute links in the documentation. See workflow logs for details
✅ Relative links check passed
_{Last checked: 2025-10-31 02:51:36 UTC}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	transformers@​4.28.1
	torch@​2.9.0
	transformers@​4.57.1
	setuptools@​80.9.0
	zenml@​0.91.0
	torchvision@​0.24.0
	qwen-agent@​0.0.31
	strands-agents-tools@​0.2.13
	scikit-learn@​1.5.0
	scikit-learn@​1.7.2
	scikit-learn@​1.6.0rc1
	torchaudio@​2.9.0
	semantic-kernel@​1.37.1
	session-info@​1.0.0
	sqlalchemy@​2.0.44
	uvicorn@​0.38.0
	rich@​14.2.0
	tox@​4.32.0
	pyyaml-include@​2.0b2
	tldextract@​5.1.3
	seaborn@​0.13.2
	yamlfix@​1.19.0
	sqlalchemy-utils@​0.42.0
	types-certifi@​2021.10.8.3
	s3fs@​2025.10.0
	requests@​2.32.5
	strands-agents@​1.14.0
	typing-extensions@​4.15.0
	pyyaml@​6.0.3
	types-termcolor@​1.1.6.2
	types-python-slugify@​8.0.2.20240310
	secure@​1.0.1
	types-futures@​3.3.8
See 19 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: pypi transformers has a Deserialization of Untrusted Data vulnerability CVE: GHSA-3863-2447-669p transformers has a Deserialization of Untrusted Data vulnerability (CRITICAL) Affected versions: < 4.36.0 Patched version: 4.36.0 From: ? → pypi/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[bcdurak]

I am quite confused by the current state of this workflow right now. Maybe I am missing something, but this definitely needs to be tested with a dummy release branch before being merged in.

[bcdurak]

I am confused about all this. Maybe you can clear it for me. I see now that we don't even build any quickstart images for the release (which I like). But if that's the case, why do we even need to build them now for testing the release? Isn't ok for us to use the base image to test?

Previously, different quickstarts required a different "pre-specified" list of requirements to run the quickstart. As far as I can see, this is no longer a concern of the new one.

[schustmi]

These image still installed the stack requirements in there, but I don't even understand why that was necessary back then. I removed all of that now though.

[bcdurak]

As far as I can see this used to generate examples/quickstart/requirements_{aws,azure,gcp}.txt files for the quickstart testing script. Since this is now disabled (which was the right call I think), wouldn't the qs_run_release_flow fail?

It has a check:

...
REQS="requirements_${CLOUD}.txt"
...
if [[ ! -f "${REQS}" ]]; then
  echo "Error: Requirements file not found: ${REQS}" >&2
  exit 1
fi
...
``

[bcdurak]

Same script also looks for config files that do not exist.

[bcdurak]

The installation seems a bit weird as well. The runner starts, checks out to the branch, already install ZenML once, passes the branch name to the test script, the test script manually replaces the hard-coded zenml requirement (which is the only requirement), pip installs zenml throught the requirements.txt file again and only then runs the example. This seems like a very complicated and redundant process.

[schustmi]

Yep, this whole thing has been a mess. I removed as much of it as I could now.