From 77db3896924ec41db21c988cab9dc222242480e9 Mon Sep 17 00:00:00 2001 From: shiva kumar Date: Wed, 29 May 2024 21:33:09 +0530 Subject: [PATCH] [no-relnote] add ngc image signing job for auto signing Signed-off-by: shiva kumar --- .common-ci.yml | 1 + .nvidia-ci.yml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/.common-ci.yml b/.common-ci.yml index d99c668e9..c36ec8548 100644 --- a/.common-ci.yml +++ b/.common-ci.yml @@ -28,6 +28,7 @@ stages: - test - scan - release + - sign .pipeline-trigger-rules: rules: diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml index 8d7151409..9ac7c5f3e 100644 --- a/.nvidia-ci.yml +++ b/.nvidia-ci.yml @@ -127,3 +127,63 @@ release:ngc-ubi8: extends: - .release:ngc - .dist-ubi8 + +# Define the external image signing steps for NGC +# Download the ngc cli binary for use in the sign steps +.ngccli-setup: + before_script: + - apt-get update && apt-get install -y curl unzip jq + - | + if [ -z "${NGCCLI_VERSION}" ]; then + NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions" + # Extract the latest version from the JSON data using jq + export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr') + fi + echo "NGCCLI_VERSION ${NGCCLI_VERSION}" + - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip + - unzip ngccli_linux.zip + - chmod u+x ngc-cli/ngc + +# .sign forms the base of the deployment jobs which signs images in the CI registry. +# This is extended with the image name and version to be deployed. +.sign:ngc: + image: ubuntu:latest + stage: sign + rules: + - if: $CI_COMMIT_TAG + variables: + NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}" + IMAGE_NAME: "${NGC_REGISTRY_IMAGE}" + IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}" + retry: + max: 2 + before_script: + - !reference [.ngccli-setup, before_script] + # We ensure that the IMAGE_NAME and IMAGE_TAG is set + - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1' + - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1' + script: + - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"' + - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia + +sign:ngc-short-tag: + extends: + - .sign:ngc + needs: + - release:ngc-ubuntu22.04 + variables: + IMAGE_TAG: "${CI_COMMIT_TAG}" + +sign:ngc-ubuntu22.04: + extends: + - .dist-ubuntu22.04 + - .sign:ngc + needs: + - release:ngc-ubuntu22.04 + +sign:ngc-ubi8: + extends: + - .dist-ubi8 + - .sign:ngc + needs: + - release:ngc-ubi8