diff --git a/.common-ci.yml b/.common-ci.yml index 1057568b..04062b35 100644 --- a/.common-ci.yml +++ b/.common-ci.yml @@ -28,6 +28,7 @@ stages: - test - scan - release + - sign .pipeline-trigger-rules: rules: diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml index 3c216704..cf28f25f 100644 --- a/.nvidia-ci.yml +++ b/.nvidia-ci.yml @@ -419,3 +419,93 @@ release:ngc-rhel9.3: - .dist-rhel9 variables: OUT_DIST: "rhel9.3" + +# Define the external image signing steps for NGC +# Download the ngc cli binary for use in the sign steps +.ngccli-setup: + before_script: + - apt-get update && apt-get install -y curl unzip jq bash make + - export REGCTL_VERSION=v0.4.7 + - mkdir -p bin + - curl -sSLo bin/regctl https://github.com/regclient/regclient/releases/download/${REGCTL_VERSION}/regctl-linux-amd64 + - chmod a+x bin/regctl + - export PATH=$(pwd)/bin:${PATH} + - | + if [ -z "${NGCCLI_VERSION}" ]; then + NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions" + # Extract the latest version from the JSON data using jq + export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr') + fi + echo "NGCCLI_VERSION ${NGCCLI_VERSION}" + - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip + - unzip ngccli_linux.zip + - chmod u+x ngc-cli/ngc + +# .sign forms the base of the deployment jobs which signs images in the CI registry. +# This is extended with the image name and version to be deployed. +.sign:ngc: + image: ubuntu:latest + timeout: 30 minutes + when: always + stage: sign + rules: + - if: $CI_COMMIT_TAG + variables: + DIST: "${SIGN_JOB_NAME}${VERSION}" + variables: + OUT_REGISTRY_USER: "${CI_REGISTRY_USER}" + OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}" + OUT_REGISTRY: "${CI_REGISTRY}" + NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}" + IMAGE_NAME: "${NGC_REGISTRY_IMAGE}" + IMAGE_TAG: "${CI_COMMIT_TAG}" + before_script: + - !reference [.ngccli-setup, before_script] + - 'if [[ "${PRECOMPILED}" != "true" ]]; then echo DRIVER_VERSION: ${DRIVER_VERSION} ; [[ -n "${DRIVER_VERSION}" ]] || exit 1; fi' + - regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}" + - | + if [[ "${PRECOMPILED}" == "true" ]]; then + ./scripts/precompiled.sh version; + source kernel_version.txt + export IMAGE_TAG=${DRIVER_BRANCH}-${KERNEL_VERSION}-${DIST##*_} + else + export IMAGE_TAG=${DRIVER_VERSION}-${DIST##*_} + fi + # We ensure that the IMAGE_NAME and IMAGE_TAG is set + - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1' + - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1' + script: + - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"' + - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia + +sign:ngc-precompiled-ubuntu22.04: + extends: + - .driver-versions-precompiled-ubuntu22.04 + - .dist-ubuntu22.04 + - .release-generic + - .release:ngc-variables + - .sign:ngc + variables: + DIST: signed_ubuntu22.04 + BASE_TARGET: jammy + PRECOMPILED: "true" + needs: + - release:ngc-precompiled-ubuntu22.04 + +sign:ngc-ubuntu-rhel-rhcos: + extends: + - .sign:ngc + parallel: + matrix: + - SIGN_JOB_NAME: ["ubuntu"] + VERSION: ["22.04"] + DRIVER_VERSION: ["535.183.06", "550.90.07"] + - SIGN_JOB_NAME: ["ubuntu"] + VERSION: ["20.04"] + DRIVER_VERSION: ["470.256.02", "535.183.06", "550.90.07"] + - SIGN_JOB_NAME: ["rhel"] + VERSION: ["8.6", "8.7", "8.8", "8.9","8.10"] + DRIVER_VERSION: ["470.256.02", "535.183.06", "550.90.07"] + - SIGN_JOB_NAME: ["rhcos"] + VERSION: ["4.9", "4.10", "4.11", "4.12","4.13","4.14","4.15"] + DRIVER_VERSION: ["470.256.02", "535.183.06", "550.90.07"] diff --git a/scripts/precompiled.sh b/scripts/precompiled.sh index 07a078e0..97b5d878 100755 --- a/scripts/precompiled.sh +++ b/scripts/precompiled.sh @@ -104,7 +104,10 @@ case $1 in sourceVersions archiveImage ;; + version) + sourceVersions + ;; *) - echo "Usage: $0 {build|push|pull|archive}" + echo "Usage: $0 {build|push|pull|archive|version}" exit 1 esac