Merge pull request #785 from elezar/cherry-pick-sign

elezar · web-flow · commit 682d9fa1f6ac · 2024-06-25T13:18:22.000+02:00
[no-relnote] add ngc image signing job for auto signing
diff --git a/.common-ci.yml b/.common-ci.yml
@@ -28,6 +28,7 @@ stages:
   - test
   - scan
   - release
+  - sign
 
 .pipeline-trigger-rules:
   rules:
diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
@@ -127,3 +127,63 @@ release:ngc-ubi8:
   extends:
     - .release:ngc
     - .dist-ubi8
+
+# Define the external image signing steps for NGC
+# Download the ngc cli binary for use in the sign steps
+.ngccli-setup:
+  before_script:
+    - apt-get update && apt-get install -y curl unzip jq
+    - |
+      if [ -z "${NGCCLI_VERSION}" ]; then
+        NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
+        # Extract the latest version from the JSON data using jq
+        export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
+      fi
+      echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
+    - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
+    - unzip ngccli_linux.zip
+    - chmod u+x ngc-cli/ngc
+
+# .sign forms the base of the deployment jobs which signs images in the CI registry.
+# This is extended with the image name and version to be deployed.
+.sign:ngc:
+  image: ubuntu:latest
+  stage: sign
+  rules:
+    - if: $CI_COMMIT_TAG
+  variables:
+    NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
+    IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
+    IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}"
+  retry:
+    max: 2
+  before_script:
+    - !reference [.ngccli-setup, before_script]
+    # We ensure that the IMAGE_NAME and IMAGE_TAG is set
+    - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
+    - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
+  script:
+    - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
+    - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia
+
+sign:ngc-short-tag:
+  extends:
+    - .sign:ngc
+  needs:
+    - release:ngc-ubuntu22.04
+  variables:
+    IMAGE_TAG: "${CI_COMMIT_TAG}"
+
+sign:ngc-ubuntu22.04:
+  extends:
+    - .dist-ubuntu22.04
+    - .sign:ngc
+  needs:
+    - release:ngc-ubuntu22.04
+
+sign:ngc-ubi8:
+  extends:
+    - .dist-ubi8
+    - .sign:ngc
+  needs:
+    - release:ngc-ubi8

-Original file line number
+Diff line change
   - test
   - scan
   - release
 +  - sign
 .pipeline-trigger-rules:
   rules: