diff --git a/jenkins/BuildDockerImage.groovy b/jenkins/BuildDockerImage.groovy index 595ff8893f2c..809508dbdef4 100644 --- a/jenkins/BuildDockerImage.groovy +++ b/jenkins/BuildDockerImage.groovy @@ -484,6 +484,19 @@ def launchBuildJobs(pipeline, globalVars, imageKeyToTag) { dockerfileStage: "release", ], ] + def enabledStages = [] + if (params.buildInternalRelease) { + enabledStages += ["Build Internal release (x86_64 trtllm)", "Build Internal release (SBSA trtllm)"] + } + if (params.buildCiImage) { + enabledStages += ["Build CI Image (x86_64 tritondevel)", "Build CI Image (SBSA tritondevel)", "Build CI Image (RockyLinux8 Python310)", "Build CI Image (RockyLinux8 Python312)", "Build CI Image (SBSA Ubuntu24.04 Python312)"] + } + if (params.buildNgcRelease) { + enabledStages += ["Build NGC devel And release (x86_64)", "Build NGC devel And release (SBSA)"] + } + buildConfigs = buildConfigs.findAll { key, config -> key in enabledStages } + echo "Running stages: ${buildConfigs.keySet()}" + // Override all fields in build config with default values buildConfigs.each { key, config -> defaultBuildConfig.each { defaultKey, defaultValue -> @@ -552,6 +565,21 @@ pipeline { choices: ["build", "push"], description: "Docker image generation action. build: only perform image build step; push: build docker image and push it to artifacts" ) + booleanParam( + name: "buildInternalRelease", + defaultValue: true, + description: "Build internal release images (x86_64 and SBSA trtllm)" + ) + booleanParam( + name: "buildCiImage", + defaultValue: true, + description: "Build CI images (tritondevel and OS variant images)" + ) + booleanParam( + name: "buildNgcRelease", + defaultValue: true, + description: "Build NGC devel and release images (x86_64 and SBSA)" + ) } options { // Check the valid options at: https://www.jenkins.io/doc/book/pipeline/syntax/ diff --git a/jenkins/L0_MergeRequest.groovy b/jenkins/L0_MergeRequest.groovy index 97f28dca435f..b771f38a3aab 100644 
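Review bot: In the `@@ -484` hunk the `enabledStages` filter can silently drop stages, because it matches hand-copied display names against the `buildConfigs` keys, which are defined above the hunk. A renamed or mistyped key removes that image without any error, and with all three booleans unchecked the map is empty and the job appears to finish without building or pushing anything. That matters for a caller that scans the pushed images afterwards. I would check before filtering with `def unknown = enabledStages.findAll { !buildConfigs.containsKey(it) }` and `if (unknown) { error "Unknown build stages: ${unknown}" }`, and add `if (!buildConfigs) { error "No image build stage selected" }` after the `findAll`. A group field on each config entry would remove the duplicated names altogether.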
--- a/jenkins/L0_MergeRequest.groovy +++ b/jenkins/L0_MergeRequest.groovy @@ -1458,6 +1458,10 @@ def launchStages(pipeline, reuseBuild, testFilter, enableFailFast, globalVars) echo "Skipping x86_64 tests (GenPostMergeBuilds mode: builds only)" return } + if (testFilter[(TEST_STAGE_LIST)]?.contains("NGC-Container-Scaning")) { + echo "Skipping x86_64 tests (PLC container scanning)" + return + } testStageName = "[Test-x86_64-Single-GPU] Remote Run" def singleGpuTestFailed = false @@ -1571,6 +1575,11 @@ def launchStages(pipeline, reuseBuild, testFilter, enableFailFast, globalVars) return } + if (testFilter[(TEST_STAGE_LIST)]?.contains("NGC-Container-Scaning")) { + echo "Skipping SBSA tests (PLC container scanning)" + return + } + testStageName = "[Test-SBSA-Single-GPU] Remote Run" def singleGpuTestFailed = false stage(testStageName) { 
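Review bot: The stage name in the added x86_64 guard is spelled `NGC-Container-Scaning`, and the same literal is repeated in the SBSA guard of the next hunk and again in the `@@ -1717` hunk. In that last hunk the follow-up `testFilter[(TEST_STAGE_LIST)]?.remove("NGC-Container-Scanning")` uses the other spelling, so it never removes the entry that `contains` just matched. A request that uses the correctly spelled name makes all three `contains` checks false, so the scan job is not scheduled and the regular tests run instead, with nothing logged about it. I would define the name once next to the file's other stage constants (for example a constant named `NGC_CONTAINER_SCANNING_STAGE`) and use it in all four places, e.g. `if (testFilter[(TEST_STAGE_LIST)]?.contains(NGC_CONTAINER_SCANNING_STAGE)) {`. `launchStages` starts and ends outside these hunks.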
@@ -1717,6 +1726,88 @@ def launchStages(pipeline, reuseBuild, testFilter, enableFailFast, globalVars) echo "Build-Docker-Images job is set explicitly. Both x86_64-Linux and SBSA-Linux sub-pipelines will be disabled." } + def plcContainerScanningJob = [ + "PLC Container Scanning": { + script { + stage("[Build-Release-Docker-Images] Remote Run") { + try { + def branch = env.gitlabBranch ? env.gitlabBranch : "main" + if (globalVars[GITHUB_PR_API_URL]) { + branch = "github-pr-" + globalVars[GITHUB_PR_API_URL].split('/').last() + } + + // Force the image tag suffix to be this L0_MergeRequest BUILD_NUMBER + // instead of the BuildDockerImages helper job's own counter. + def shortCommit = env.gitlabCommit ? env.gitlabCommit.substring(0, 7) : "undefined" + def branchTag = branch.replaceAll('/', '_') + def defaultTag = "${shortCommit}-${branchTag}-${env.BUILD_NUMBER}" + + def additionalParameters = [ + 'branch': branch, + 'action': "push", + 'triggerType': "post-merge", + 'runSanityCheck': false, + 'defaultTag': defaultTag, + 'buildInternalRelease': false, + 'buildCiImage': false, + 'artifactPath': ARTIFACT_PATH, + 'nspect_id': "", + 'uploadPath': UPLOAD_PATH + ] + launchJob(pipeline, "/LLM/helpers/BuildDockerImages", false, enableFailFast, globalVars, "x86_64", additionalParameters) + } catch (InterruptedException e) { + throw e + } catch (Exception e) { + if (BUILD_CHECK_CHOICE == STAGE_CHOICE_IGNORE) { + catchError( + buildResult: 'SUCCESS', + stageResult: 'FAILURE') { + error "Build-Docker-Images job failed but ignored due to Jenkins configuration" + } + } else { + throw e + } + } + } + stage("[NGC-Container-Compliance-Check] Run") { + echo "Triggering OSS Compliance (PLC) container scan for ref: " + try { + def params = [ + string(name: 'postMergePipelineName', value: env.JOB_NAME), + string(name: 'postMergeBuildNumber', value: env.BUILD_NUMBER), + string(name: 'scanMode', value: 'pre_merge'), + string(name: 'runSourceCodeScanning', value: 'false'), + string(name: 
'runContainerScanning', value: 'true'), + string(name: 'runSonarQube', value: 'false'), + ] + def logger = new Logger(pipeline) + def handle = build( + job: "/LLM/helpers/PLCScanningSetup", + parameters: params, + propagate: false + ) + if (handle.result != "SUCCESS") { + catchError(buildResult: currentBuild.result ?: 'SUCCESS', stageResult: 'UNSTABLE') { + error "Risks detected on NGC Containers" + } + } + } catch (InterruptedException e) { + throw e + } catch (Exception e) { + catchError(buildResult: 'UNSTABLE', stageResult: 'UNSTABLE') { + error "OSS Compliance Check failed: ${e.getMessage()}" + } + } + } + } + } + ] + if (testFilter[(TEST_STAGE_LIST)]?.contains("NGC-Container-Scaning")) { + stages += plcContainerScanningJob + testFilter[(TEST_STAGE_LIST)]?.remove("NGC-Container-Scanning") + echo "Will run job to build ngc containers and running in-pipeline scanning for them" + } + parallelJobs = stages.collectEntries{key, value -> [key, { script { stage(key) {
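Review bot: The `[NGC-Container-Compliance-Check] Run` stage leaves the build green when the scan reports findings. With `propagate: false`, a non-SUCCESS `handle.result` goes to `catchError(buildResult: currentBuild.result ?: 'SUCCESS', stageResult: 'UNSTABLE')`, which marks only the stage. The same branch reports a FAILURE or ABORTED run of `PLCScanningSetup` as "Risks detected on NGC Containers", so a scan that never completed cannot be told apart from one with findings, and the previous stage has already pushed the images (`'action': "push"`). If the scan is meant to gate, use `catchError(buildResult: 'UNSTABLE', stageResult: 'UNSTABLE')` as the exception branch already does, and include the result in the message: `error "Container scan finished with ${handle.result}"`. Smaller points in the same stage: the `echo` ends at `for ref: ` with no value, `logger` is never used, and the local `def params` shadows the pipeline's `params`; `launchStages` starts outside the hunk.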