add ngc signing job for auto signing #8

Open
wants to merge 1 commit into
base: main
1 change: 1 addition & 0 deletions .common-ci.yml
@@ -37,6 +37,7 @@ stages:
- e2e_tests
- aws_kube_clean
- release
- sign

# Define the distribution targets
.dist-ubuntu22.04:
57 changes: 57 additions & 0 deletions .nvidia-ci.yml
@@ -233,3 +233,60 @@ release:ngc-nbody-ubuntu22.04:
- .release:ngc
- .dist-ubuntu22.04
- .sample-nbody

# Define the external image signing steps for NGC
# Download the ngc cli binary for use in the sign steps
.ngccli-setup:
before_script:
- apt-get update && apt-get install -y curl unzip jq
- |
if [ -z "${NGCCLI_VERSION}" ]; then
NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
# Extract the latest version from the JSON data using jq
export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
fi
echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
- curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
- unzip ngccli_linux.zip
- chmod u+x ngc-cli/ngc

# .sign forms the base of the deployment jobs which signs images in the CI registry.
# This is extended with the image name and version to be deployed.
.sign:ngc:
image: ubuntu:latest
stage: sign
rules:
- if: $CI_COMMIT_TAG
variables:
NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
retry:
max: 2
before_script:
- !reference [.ngccli-setup, before_script]
# We ensure that the IMAGE_NAME and IMAGE_TAG is set
- 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
- 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
script:
- 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
- ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia

sign:ngc:
extends:
- .sign:ngc
parallel:
matrix:
- SIGN_JOB_NAME: ["vectoradd" ]
DIST: ["", "CI_COMMIT_TAG", "ubuntu22.04", "ubi8"]
- SIGN_JOB_NAME: ["nbody", "devicequery"]
DIST: ["", "CI_COMMIT_TAG", "ubuntu22.04"]
rules:
- if: '$CI_COMMIT_TAG && $DIST == ""'
variables:
IMAGE_TAG: "$SIGN_JOB_NAME"
- if: '$DIST == "CI_COMMIT_TAG"'
variables:
IMAGE_TAG: "$SIGN_JOB_NAME-${CI_COMMIT_TAG}"
- if: '$DIST != "" && $DIST != "CI_COMMIT_TAG"'
variables:
IMAGE_TAG: "$SIGN_JOB_NAME-${CI_COMMIT_TAG}-${DIST}"
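Review bot: The `.ngccli-setup` steps download and unzip `ngccli_linux.zip` and the job then runs it with `NGC_CLI_API_KEY` in the environment, but nothing verifies the archive, and when `NGCCLI_VERSION` is unset the version is whatever the API reports as latest. For a job that signs and publishes release images, pin `NGCCLI_VERSION` in the CI variables and check the download against a pinned digest before `unzip`, e.g. `echo "${NGCCLI_SHA256}  ngccli_linux.zip" | sha256sum -c -` (`NGCCLI_SHA256` is a placeholder for a new CI variable), and add `-f` to both `curl` calls so an HTTP error body is not saved as the zip or fed to `jq`. The same floating-input concern applies to `image: ubuntu:latest` in `.sign:ngc`, which would be better pinned to a digest. Separately, the `rules` list on `sign:ngc` replaces the `if: $CI_COMMIT_TAG` rule inherited from `.sign:ngc` rather than adding to it, and its second and third rules do not test `$CI_COMMIT_TAG`, so they appear to match on untagged pipelines and produce tags such as `vectoradd-`; prefixing both conditions with `$CI_COMMIT_TAG &&` would close that.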