mirror of
https://github.com/NVIDIA/nvidia-container-toolkit
synced 2024-11-22 00:08:11 +00:00
add ngc image signing job for auto signing
Signed-off-by: shiva kumar <shivaku@nvidia.com>
This commit is contained in:
shiva kumar
parent
9fde4b21df
commit
2e947edbe4
@ -33,6 +33,7 @@ stages:
|
|||||||
- test
|
- test
|
||||||
- scan
|
- scan
|
||||||
- release
|
- release
|
||||||
|
- sign
|
||||||
|
|
||||||
.pipeline-trigger-rules:
|
.pipeline-trigger-rules:
|
||||||
rules:
|
rules:
|
||||||
|
|||||||
@ -244,3 +244,62 @@ release:ngc-packaging:
|
|||||||
extends:
|
extends:
|
||||||
- .dist-packaging
|
- .dist-packaging
|
||||||
- .release:ngc
|
- .release:ngc
|
||||||
|
|
||||||
|
# Define the external image signing steps for NGC
|
||||||
|
# Download the ngc cli binary for use in the sign steps
|
||||||
|
.ngccli-setup:
|
||||||
|
before_script:
|
||||||
|
- apt-get update && apt-get install -y curl unzip jq
|
||||||
|
- |
|
||||||
|
if [ -z "${NGCCLI_VERSION}" ]; then
|
||||||
|
NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
|
||||||
|
# Extract the latest version from the JSON data using jq
|
||||||
|
export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
|
||||||
|
fi
|
||||||
|
echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
|
||||||
|
- curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
|
||||||
|
- unzip ngccli_linux.zip
|
||||||
|
- chmod u+x ngc-cli/ngc
|
||||||
|
|
||||||
|
# .sign forms the base of the deployment jobs which signs images in the CI registry.
|
||||||
|
# This is extended with the image name and version to be deployed.
|
||||||
|
.sign:ngc:
|
||||||
|
image: ubuntu:latest
|
||||||
|
stage: sign
|
||||||
|
rules:
|
||||||
|
- if: $CI_COMMIT_TAG
|
||||||
|
variables:
|
||||||
|
NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
|
||||||
|
IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
|
||||||
|
IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}"
|
||||||
|
retry:
|
||||||
|
max: 2
|
||||||
|
before_script:
|
||||||
|
- !reference [.ngccli-setup, before_script]
|
||||||
|
# We ensure that the IMAGE_NAME and IMAGE_TAG is set
|
||||||
|
- 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
|
||||||
|
- 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
|
||||||
|
script:
|
||||||
|
- 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
|
||||||
|
- ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia
|
||||||
|
|
||||||
|
sign:ngc-ubuntu20.04:
|
||||||
|
extends:
|
||||||
|
- .dist-ubuntu20.04
|
||||||
|
- .sign:ngc
|
||||||
|
needs:
|
||||||
|
- release:ngc-ubuntu20.04
|
||||||
|
|
||||||
|
sign:ngc-ubi8:
|
||||||
|
extends:
|
||||||
|
- .dist-ubi8
|
||||||
|
- .sign:ngc
|
||||||
|
needs:
|
||||||
|
- release:ngc-ubi8
|
||||||
|
|
||||||
|
sign:ngc-packaging:
|
||||||
|
extends:
|
||||||
|
- .dist-packaging
|
||||||
|
- .sign:ngc
|
||||||
|
needs:
|
||||||
|
- release:ngc-packaging
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user