From cfd59fbfb6427dea0d4594805b9671a0f32e685d Mon Sep 17 00:00:00 2001
From: shiva kumar <shivaku@nvidia.com>
Date: Tue, 2 Jul 2024 20:28:04 +0530
Subject: [PATCH] add ngc signing job for auto signing

Signed-off-by: shiva kumar <shivaku@nvidia.com>
---
 .common-ci.yml |  1 +
 .nvidia-ci.yml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/.common-ci.yml b/.common-ci.yml
index c8acaf6..7e60927 100644
--- a/.common-ci.yml
+++ b/.common-ci.yml
@@ -37,6 +37,7 @@ stages:
   - e2e_tests
   - aws_kube_clean
   - release
+  - sign
 
 # Define the distribution targets
 .dist-ubuntu22.04:
diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
index 6c08cb1..a3db888 100644
--- a/.nvidia-ci.yml
+++ b/.nvidia-ci.yml
@@ -202,3 +202,61 @@ release:ngc-vectoradd-ubi8:
     - .release:ngc
     - .dist-ubi8
     - .sample-vectoradd
+
+# Define the external image signing steps for NGC
+# Download the ngc cli binary for use in the sign steps
+.ngccli-setup:
+  before_script:
+    - apt-get update && apt-get install -y curl unzip jq
+    - |
+      if [ -z "${NGCCLI_VERSION}" ]; then
+        NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
+        # Extract the latest version from the JSON data using jq
+        export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
+      fi
+      echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
+    - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
+    - unzip ngccli_linux.zip
+    - chmod u+x ngc-cli/ngc
+
+# .sign forms the base of the deployment jobs which signs images in the CI registry.
+# This is extended with the image name and version to be deployed.
+.sign:ngc:
+  image: ubuntu:latest
+  stage: sign
+  rules:
+    - if: $CI_COMMIT_TAG
+  variables:
+    NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
+    IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
+  retry:
+    max: 2
+  before_script:
+    - !reference [.ngccli-setup, before_script]
+    # We ensure that the IMAGE_NAME and IMAGE_TAG is set
+    - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
+    - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
+  script:
+    - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
+    - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia
+
+sign:ngc:
+  extends:
+    - .sign:ngc
+  parallel:
+    matrix:
+      - SIGN_JOB_NAME: ["vectoradd", "devicequery"]
+        DIST: ["", "ubuntu22.04", "ubuntu20.04", "ubi8"]
+  rules:
+    # Rule for jobs with blank DIST
+    - if: '$DIST == ""'
+      variables:
+        IMAGE_TAG: "$SIGN_JOB_NAME-cuda12.5.0"
+      needs:
+        - "release:ngc-$SIGN_JOB_NAME"
+    # Rule for jobs with non-blank DIST
+    - when: always
+      variables:
+        IMAGE_TAG: "$SIGN_JOB_NAME-cuda12.5.0-${DIST}"
+      needs:
+        - "release:ngc-$SIGN_JOB_NAME-$DIST"