-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.nvidia-ci.yml
144 lines (128 loc) · 3.67 KB
/
.nvidia-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
##
## Variables that control where build artifacts are places for scanning and testing:
## CI_REGISTRY
## CI_REGISTRY_IMAGE
## CI_REGISTRY_USER
## CI_REGISTRY_PASSWORD
##
## Variables to contorl NGC release process:
## NGC_PROD_IMAGE
## NGC_REGISTRY
## NGC_REGISTRY_USER
## NGC_REGISTRY_TOKEN
include:
- local: '.common-ci.yml'
default:
image: docker:stable
services:
- docker:stable-dind
tags:
- type/docker
- docker/privileged
- cnt
- container-dev
- os/linux
variables:
DOCKER_DRIVER: overlay2
DOCKER_HOST: unix:///var/run/docker.sock
DOCKER_TLS_CERTDIR: "/certs"
# project specific variables
GIT_SSL_NO_VERIFY: "true"
TF_VERSION: "0.12.18"
.builddep_setup_template:
dependencies:
- gettags
before_script:
# Install build dependencies
- apk add --no-cache bash findutils libmagic curl make git jq openssh-client libressl-dev
- curl -fsSL https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip -o terraform.zip
- unzip terraform.zip && mv terraform /usr/local/bin/terraform && rm terraform.zip
# Log into docker
- docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
# Pull images
- |
for tag in $(cat driver-tags);
do
docker pull $tag
done
# template for setting up build environment, docker login, and docker pull
.dockerbuild_init_template:
dependencies:
- gettags
before_script:
- apk add --no-cache bash findutils libmagic curl make git jq openssh-client libressl-dev
.build:
stage: build
extends: .builddep_setup_template
script:
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${ALL_DRIVER_VERSIONS}" all
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${ALL_DRIVER_VERSIONS}" push
build:
extends: .build
test:
stage: test
before_script:
# Test setup
- apk add --no-cache bash make perl
script:
# Test action ...
- "true" # TODO: write a test!
.scan_template:
stage: scan
extends: .dockerbuild_init_template
except:
variables:
- $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
- $SKIP_SCANS
script:
# Setup Python for scan
- apk add --no-cache python3 python3-dev py3-pip py3-wheel
# Scan action
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab-master.nvidia.com/sectooling/scanning/contamer.git
- cd contamer
- pip3 install -r requirements.txt
- |
if [ -z "$tags" ]; then echo "No tags to scan!" ; exit 1 ; fi
for tag in $tags;
do
docker tag $tag $(basename $tag);
python3 contamer.py -ls --fail-on-non-os --suppress-vulns CVE-2020-14352 CVE-2020-15888 -- $(basename $tag);
done
ubuntu16.04-scan:
extends: .scan_template
variables:
TAGS_REGEX: "$DRIVER_VERSION.*ubuntu16.04"
ubuntu18.04-scan:
extends: .scan_template
variables:
TAGS_REGEX: "$DRIVER_VERSION.*ubuntu18.04"
centos7-scan:
extends: .scan_template
variables:
TAGS_REGEX: "$DRIVER_VERSION.*centos7"
centos8-scan:
extends: .scan_template
variables:
TAGS_REGEX: "$DRIVER_VERSION.*centos8"
rhel-scan:
extends: .scan_template
variables:
TAGS_REGEX: "$DRIVER_VERSION.*rhel"
rhcos-scan:
extends: .scan_template
variables:
TAGS_REGEX: "$DRIVER_VERSION.*rhcos"
release:
stage: release
extends: .builddep_setup_template
only:
refs:
- tags
variables:
- $NGC_REGISTRY
script:
# Login into release registry
- 'echo Commit Tag: $CI_COMMIT_TAG ; [[ -n "$CI_COMMIT_TAG" ]] || exit 1'
- 'docker login -u "${NGC_REGISTRY_USER}" -p "${NGC_REGISTRY_TOKEN}" "${NGC_REGISTRY}"'
# Release Action (build & push)
- make IMAGE="${NGC_PROD_IMAGE}" VERSION="${DRIVER_VERSION}" all