From 6c87d831ab5d91d28690af52d923c63bc720d6e4 Mon Sep 17 00:00:00 2001
From: Christopher Desiniotis
Date: Thu, 4 Sep 2025 12:53:13 -0700
Subject: [PATCH] [no-relnote] update ngc publishing logic for release pipelines
Signed-off-by: Christopher Desiniotis
---
 .common-ci.yml | 1 +
 .nvidia-ci.yml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
diff --git a/.common-ci.yml b/.common-ci.yml
index b2e3c5f4a..9397a37a8 100644
--- a/.common-ci.yml
+++ b/.common-ci.yml
@@ -28,6 +28,7 @@ stages:
 - test
 - scan
 - release
+ - ngc-publish
 .pipeline-trigger-rules:
 rules:
diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
index 85a660bdb..42c449aaf 100644
--- a/.nvidia-ci.yml
+++ b/.nvidia-ci.yml
@@ -101,3 +101,110 @@ image-ubi9:
 - vulns.json
 - policy_evaluation.json
+.ngc-publish-variables:
+ variables:
+ PROJECT_NAME: "k8s-device-plugin"
+ VERSIONS_FILE: "build-info-${CI_PIPELINE_ID}.txt"
+ before_script:
+ - |
+ if [ -n "${CI_COMMIT_TAG}" ]; then
+ echo "${CI_COMMIT_SHORT_SHA} ${CI_COMMIT_TAG}" > "${VERSIONS_FILE}"
+ else
+ echo "${CI_COMMIT_SHORT_SHA} publish-${CI_COMMIT_SHORT_SHA}" > "${VERSIONS_FILE}"
+ fi
+
+.update-nspect:
+ stage: ngc-publish
+ needs:
+ - job: release:staging-ubi9
+ extends:
+ - .ngc-publish-variables
+ image:
+ name: "${CNT_NGC_PUBLISH_IMAGE}"
+ pull_policy: always
+ variables:
+ REPO_URL: "https://github.com/NVIDIA/${PROJECT_NAME}.git"
+ script:
+ - |
+ cnt-ngc-publish nspect --versions-file "${VERSIONS_FILE}"
+
+# Update the nspect staging environment to test the nspect publishing logic
+update-nspect-staging:
+ extends:
+ - .update-nspect
+ rules:
+ - if: $CI_COMMIT_TAG == null || $CI_COMMIT_TAG == ""
+ variables:
+ ENV: "stage"
+ RELEASE_VERSION: "test"
+ NSPECT_CLIENT_ID: "${NSPECT_STAGING_CLIENT_ID}"
+ NSPECT_CLIENT_SECRET: "${NSPECT_STAGING_CLIENT_SECRET}"
+
+# Update the nspect production environment with the new release
+update-nspect:
+ extends:
+ - .update-nspect
+ rules:
+ - if: $CI_COMMIT_TAG
+ variables:
+ OSRB_BUG_ID: "${OSRB_BUG_ID}"
+ ENV: "prod"
+ RELEASE_VERSION: "${CI_COMMIT_TAG}"
+ NSPECT_CLIENT_ID: "${NSPECT_PROD_CLIENT_ID}"
+ NSPECT_CLIENT_SECRET: "${NSPECT_PROD_CLIENT_SECRET}"
+
+.publish-images:
+ stage: ngc-publish
+ extends:
+ - .ngc-publish-variables
+ image:
+ name: "${CNT_NGC_PUBLISH_IMAGE}"
+ pull_policy: always
+ variables:
+ GITLAB_ACCESS_TOKEN: "${CNT_GITLAB_TOKEN}"
+ # Allow for setting nspect program version manually.
+ # The default empty string value results in the key
+ # being omitted from the publishing doc (which is
+ # valid).
+ NSPECT_PROGRAM_VERSION: ""
+ script:
+ - |
+ if [ -z "${NGC_PUBLISHING_PROJECT_PATH}" ]; then
+ echo "NGC_PUBLISHING_PROJECT_PATH not set"
+ exit 1
+ fi
+
+ echo "publishing to ${NGC_PUBLISHING_PROJECT_PATH}"
+
+ cnt-ngc-publish render \
+ --project-name "${PROJECT_NAME}" \
+ --versions-file "${VERSIONS_FILE}" \
+ --output "${PROJECT_NAME}.yaml" \
+ --nspect-program-version "${NSPECT_PROGRAM_VERSION}"
+ - cnt-ngc-publish merge-request --files "${PROJECT_NAME}.yaml"
+ artifacts:
+ paths:
+ - "${VERSION_FILE}"
+ - "${PROJECT_NAME}.yaml"
+
+# Raise an MR to publish the image to NGC
+ngc-image-publish:
+ extends:
+ - .publish-images
+ rules:
+ - if: $CI_COMMIT_TAG
+ needs:
+ - job: update-nspect
+ variables:
+ NGC_PUBLISHING_PROJECT_PATH: "${NGC_PUBLISHING_PROD_PROJECT_PATH}"
+
+# Create a dummy MR that exercises the publishing logic
+mock-image-publish:
+ extends:
+ - .publish-images
+ rules:
+ - if: $CI_COMMIT_TAG == null || $CI_COMMIT_TAG == ""
+ needs:
+ - job: update-nspect-staging
+ variables:
+ NGC_PUBLISHING_PROJECT_PATH: "${NGC_PUBLISHING_TEST_PROJECT_PATH}"
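Review bot: In `.publish-images`, `artifacts:paths` lists `"${VERSION_FILE}"`, but the variable defined in `.ngc-publish-variables` is `VERSIONS_FILE`, so the build-info file recording which commit and tag were published will not be kept as an artifact; the entry should read `- "${VERSIONS_FILE}"`. Separately, the rule `$CI_COMMIT_TAG == null || $CI_COMMIT_TAG == ""` on `update-nspect-staging` and `mock-image-publish` matches every non-tag pipeline, and those jobs receive `NSPECT_STAGING_CLIENT_SECRET` and `CNT_GITLAB_TOKEN` while running whatever image `${CNT_NGC_PUBLISH_IMAGE}` resolves to under `pull_policy: always`. Whether these variables are marked protected is not visible in this patch, so unless they are, consider adding `$CI_COMMIT_REF_PROTECTED == "true"` to those rules so the credentials are only exposed to pipelines on protected refs. Setting `CNT_NGC_PUBLISH_IMAGE` to a digest-pinned reference would also keep a re-pushed tag from changing the code that handles the production nspect secret in `update-nspect`.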