Merge pull request #1406 from NVIDIA/update-release-ci-on-release-0.17

[no-relnote] update ngc publishing logic for release pipelines

Author: cdesiniotis

.common-ci.yml

@@ -28,6 +28,7 @@ stages:
   - test
   - scan
   - release
+  - ngc-publish
 
 .pipeline-trigger-rules:
   rules:

.nvidia-ci.yml

@@ -101,3 +101,110 @@ image-ubi9:
       - vulns.json
       - policy_evaluation.json
 
+.ngc-publish-variables:
+  variables:
+    PROJECT_NAME: "k8s-device-plugin"
+    VERSIONS_FILE: "build-info-${CI_PIPELINE_ID}.txt"
+  before_script:
+    - |
+      if [ -n "${CI_COMMIT_TAG}" ]; then
+        echo "${CI_COMMIT_SHORT_SHA} ${CI_COMMIT_TAG}" > "${VERSIONS_FILE}"
+      else
+        echo "${CI_COMMIT_SHORT_SHA} publish-${CI_COMMIT_SHORT_SHA}" > "${VERSIONS_FILE}"
+      fi
+
+.update-nspect:
+  stage: ngc-publish
+  needs:
+    - job: release:staging-ubi9
+  extends:
+    - .ngc-publish-variables
+  image:
+    name: "${CNT_NGC_PUBLISH_IMAGE}"
+    pull_policy: always
+  variables:
+    REPO_URL: "https://github.com/NVIDIA/${PROJECT_NAME}.git"
+  script:
+    - |
+      cnt-ngc-publish nspect --versions-file "${VERSIONS_FILE}"
+
+# Update the nspect staging environment to test the nspect publishing logic
+update-nspect-staging:
+  extends:
+    - .update-nspect
+  rules:
+    - if: $CI_COMMIT_TAG == null || $CI_COMMIT_TAG == ""
+  variables:
+    ENV: "stage"
+    RELEASE_VERSION: "test"
+    NSPECT_CLIENT_ID: "${NSPECT_STAGING_CLIENT_ID}"
+    NSPECT_CLIENT_SECRET: "${NSPECT_STAGING_CLIENT_SECRET}"
+
+# Update the nspect production environment with the new release
+update-nspect:
+  extends:
+    - .update-nspect
+  rules:
+    - if: $CI_COMMIT_TAG
+  variables:
+    OSRB_BUG_ID: "${OSRB_BUG_ID}"
+    ENV: "prod"
+    RELEASE_VERSION: "${CI_COMMIT_TAG}"
+    NSPECT_CLIENT_ID: "${NSPECT_PROD_CLIENT_ID}"
+    NSPECT_CLIENT_SECRET: "${NSPECT_PROD_CLIENT_SECRET}"
+
+.publish-images:
+  stage: ngc-publish
+  extends:
+    - .ngc-publish-variables
+  image:
+    name: "${CNT_NGC_PUBLISH_IMAGE}"
+    pull_policy: always
+  variables:
+    GITLAB_ACCESS_TOKEN: "${CNT_GITLAB_TOKEN}"
+    # Allow for setting nspect program version manually.
+    # The default empty string value results in the key
+    # being omitted from the publishing doc (which is
+    # valid).
+    NSPECT_PROGRAM_VERSION: ""
+  script:
+    - |
+      if [ -z "${NGC_PUBLISHING_PROJECT_PATH}" ]; then
+        echo "NGC_PUBLISHING_PROJECT_PATH not set"
+        exit 1
+      fi
+
+      echo "publishing to ${NGC_PUBLISHING_PROJECT_PATH}"
+
+      cnt-ngc-publish render \
+          --project-name "${PROJECT_NAME}" \
+          --versions-file "${VERSIONS_FILE}" \
+          --output "${PROJECT_NAME}.yaml" \
+          --nspect-program-version "${NSPECT_PROGRAM_VERSION}"
+    - cnt-ngc-publish merge-request --files "${PROJECT_NAME}.yaml"
+  artifacts:
+    paths:
+      - "${VERSION_FILE}"
+      - "${PROJECT_NAME}.yaml"
+
+# Raise an MR to publish the image to NGC
+ngc-image-publish:
+  extends:
+    - .publish-images
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - job: update-nspect
+  variables:
+    NGC_PUBLISHING_PROJECT_PATH: "${NGC_PUBLISHING_PROD_PROJECT_PATH}"
+
+# Create a dummy MR that exercises the publishing logic
+mock-image-publish:
+  extends:
+    - .publish-images
+  rules:
+    - if: $CI_COMMIT_TAG == null || $CI_COMMIT_TAG == ""
+  needs:
+    - job: update-nspect-staging
+  variables:
+    NGC_PUBLISHING_PROJECT_PATH: "${NGC_PUBLISHING_TEST_PROJECT_PATH}"