[no-relnote] Fix GitLab Pipeline files

Signed-off-by: Carlos Eduardo Arango Gutierrez <[email protected]>
NVIDIA · Feb 26, 2025 · a9cabcf · a9cabcf
1 parent 5474519
commit a9cabcf
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 98 deletions.
diff --git a/.common-ci.yml b/.common-ci.yml
@@ -12,29 +12,23 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 default:
-  image: docker:stable
+  image: docker:24.0.6
   services:
-    - name: docker:dind
+    - name: docker:24.0.6-dind
       command: ["--experimental"]
 
 variables:
   GIT_SUBMODULE_STRATEGY: recursive
-  BUILDIMAGE: "${CI_REGISTRY_IMAGE}/build:${CI_COMMIT_SHORT_SHA}"
-  # TODO: For now we only build amd64 images to speed up development
-  BUILD_MULTI_ARCH_IMAGES: "false"
+  BUILD_MULTI_ARCH_IMAGES: "true"
 
 stages:
   - trigger
-  - image
-  - lint
-  - go-checks
-  - go-build
-  - unit-tests
   - package-build
   - image-build
   - test
   - scan
   - release
+  - sign
 
 .pipeline-trigger-rules:
   rules:
@@ -83,14 +77,10 @@ trigger-pipeline:
 .platform-amd64:
   variables:
     PLATFORM: linux/amd64
-    PLATFORM_ARCH: amd64
 
 .platform-arm64:
   variables:
     PLATFORM: linux/arm64
-    PLATFORM_ARCH: arm64
-  rules:
-    - if: $BUILD_MULTI_ARCH_IMAGES == "true"
 
 # Make buildx available as a docker CLI plugin
 .buildx-setup:
@@ -112,7 +102,10 @@ trigger-pipeline:
   stage: scan
   variables:
     IMAGE: "${CI_REGISTRY_IMAGE}/k8s-dra-driver-gpu:${CI_COMMIT_SHORT_SHA}-${DIST}"
-    IMAGE_ARCHIVE: "k8s-dra-driver-gpu-${CI_COMMIT_SHORT_SHA}-${DIST}-${PLATFORM_ARCH}.tar"
+    IMAGE_ARCHIVE: "k8s-dra-driver-gpu.tar"
+  except:
+    variables:
+      - $SKIP_SCANS && $SKIP_SCANS == "yes"
   before_script:
     - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
     - docker pull --platform="${PLATFORM}" "${IMAGE}"
@@ -209,9 +202,6 @@ scan-ubi9-arm64:
     - if: $CI_COMMIT_BRANCH == $RELEASE_DEVEL_BRANCH
       variables:
         OUT_IMAGE_VERSION: "${DEVEL_RELEASE_IMAGE_VERSION}"
-  needs:
-    - job: unit-tests
-      optional:
 
 release:staging-ubi9:
   extends:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
@@ -33,7 +33,7 @@ variables:
   # On the multi-arch builder we don't need the qemu setup.
   SKIP_QEMU_SETUP: "1"
   # Define the public staging registry
-  STAGING_REGISTRY: registry.gitlab.com/nvidia/cloud-native/k8s-dra-driver-gpu/staging
+  STAGING_REGISTRY: ghcr.io/nvidia
   STAGING_VERSION: ${CI_COMMIT_SHORT_SHA}
 
 .image-pull:
@@ -95,7 +95,7 @@ image-ubi9:
     when: always
     expire_in: 1 week
     paths:
-      - pulse-cli.log
+      - pulse-cli.logs
       - licenses.json
       - sbom.json
       - vulns.json
@@ -117,3 +117,56 @@ release:ngc-ubi9:
   extends:
     - .release:ngc
     - .dist-ubi9
+
+# Define the external image signing steps for NGC
+# Download the ngc cli binary for use in the sign steps
+.ngccli-setup:
+  before_script:
+    - apt-get update && apt-get install -y curl unzip jq
+    - |
+      if [ -z "${NGCCLI_VERSION}" ]; then
+        NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
+        # Extract the latest version from the JSON data using jq
+        export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
+      fi
+      echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
+    - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
+    - unzip ngccli_linux.zip
+    - chmod u+x ngc-cli/ngc
+
+# .sign forms the base of the deployment jobs which signs images in the CI registry.
+# This is extended with the image name and version to be deployed.
+.sign:ngc:
+  image: ubuntu:latest
+  stage: sign
+  rules:
+    - if: $CI_COMMIT_TAG
+  variables:
+    NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
+    IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
+    IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}"
+  retry:
+    max: 2
+  before_script:
+    - !reference [.ngccli-setup, before_script]
+    # We ensure that the IMAGE_NAME and IMAGE_TAG is set
+    - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
+    - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
+  script:
+    - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
+    - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia
+
+sign:ngc-short-tag:
+  extends:
+    - .sign:ngc
+  needs:
+    - release:ngc-ubi9
+  variables:
+    IMAGE_TAG: "${CI_COMMIT_TAG}"
+
+sign:ngc-ubi9:
+  extends:
+    - .dist-ubi9
+    - .sign:ngc
+  needs:
+    - release:ngc-ubi9