Commit 349a5bc

ci: authenticate Cargo Artifactory index fetch (NVIDIA#60)
#### Overview

Fix the scheduled Cargo Artifactory publish job so Cargo can authenticate both the registry index fetch and the publish request.

- [x] I confirm this contribution is my own work, or I have the right to submit it under this project's license.
- [x] I searched existing issues and open pull requests, and this does not duplicate existing work.

#### Details

- Add `NEMO_FLOW_CI_PYTHON_VERSION` and use uv-managed Python 3.11 for the Cargo publish job's inline metadata parsing.
- Remove the apt-installed `python3` dependency from the Cargo publish job.
- Install `git`, configure Cargo to fetch the Artifactory registry index with the Git CLI, and write a scoped Git credential entry from the existing Artifactory CI secrets.
- Keep the existing Cargo registry token for the publish request itself.

#### Where should the reviewer start?

Start with `.gitlab-ci.yml`, especially the `publish:artifactory:cargo` job credential setup.

#### Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

- Relates to: none

## Summary by CodeRabbit

* **Chores**
  * Enhanced CI/CD pipeline configuration to strengthen the Cargo package publishing process with improved dependency management
  * Upgraded Artifactory credential handling with more secure credential configuration and git integration capabilities
  * Optimized build environment setup for increased reliability, consistency, and automated version tracking across publishing workflows

Authors:
- Will Killian (https://github.com/willkill07)

Approvers:
- Bryan Bednarski (https://github.com/bbednarski9)

URL: NVIDIA#60
1 parent 696bd99 commit 349a5bc

1 file changed

Lines changed: 33 additions & 2 deletions

.gitlab-ci.yml

@@ -17,6 +17,7 @@ variables:
1717
NEMO_FLOW_CI_DEBIAN_VERSION: "trixie"
1818
NEMO_FLOW_CI_JUST_VERSION: "1.40.0"
1919
NEMO_FLOW_CI_NODE_VERSION: "24"
20+
NEMO_FLOW_CI_PYTHON_VERSION: "3.11"
2021
NEMO_FLOW_CI_RUST_VERSION: "1.93.0"
2122
NEMO_FLOW_CI_UV_VERSION: "0.9.28"
2223
NEMO_FLOW_CI_GITHUB_REPOSITORY: "NVIDIA/NeMo-Flow"
@@ -218,11 +219,12 @@ publish:artifactory:cargo:
218219
- job: collect:github-artifacts
219220
artifacts: true
220221
before_script:
221-
- apt-get update -qq && apt-get install -y --no-install-recommends ca-certificates curl nodejs python3 && rm -rf /var/lib/apt/lists/*
222+
- apt-get update -qq && apt-get install -y --no-install-recommends ca-certificates curl git nodejs && rm -rf /var/lib/apt/lists/*
222223
- cargo install just --version "${NEMO_FLOW_CI_JUST_VERSION}" --locked
223224
- curl -LsSf https://astral.sh/uv/install.sh -o /tmp/install-uv.sh
224225
- UV_VERSION="${NEMO_FLOW_CI_UV_VERSION}" sh /tmp/install-uv.sh
225226
- export PATH="${HOME}/.cargo/bin:${HOME}/.local/bin:${PATH}"
227+
- uv python install "${NEMO_FLOW_CI_PYTHON_VERSION}"
226228
- rustc --version
227229
- just --version
228230
- uv --version
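Review bot: the added `uv python install "${NEMO_FLOW_CI_PYTHON_VERSION}"` step (new line 227) makes this job's interpreter depend on whatever `/tmp/install-uv.sh` installs, and the lines just above it download that script from astral.sh and run it with `sh` without any integrity check. Because this job later writes Artifactory credentials to disk, consider verifying the installer, or the uv release it fetches, against a pinned checksum before running it, or using a job image that already ships uv at `NEMO_FLOW_CI_UV_VERSION`.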
@@ -240,13 +242,14 @@ publish:artifactory:cargo:
240242
fi
241243
242244
version="$(
243-
python3 - <<'PY'
245+
uv run --no-project python - <<'PY'
244246
import json
245247
from pathlib import Path
246248
247249
print(json.loads(Path("collected/github-run.json").read_text()).get("tag", ""))
248250
PY
249251
)"
252+
250253
if [ -z "$version" ]; then
251254
echo "Error: failed to extract package version from collected GitHub tag metadata." >&2
252255
exit 1
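Review bot: `uv run --no-project python -` at new line 245 does not name an interpreter, so the job relies on uv's interpreter discovery selecting the 3.11 build installed in `before_script` rather than on the new variable. Passing `--python "${NEMO_FLOW_CI_PYTHON_VERSION}"` here, and in the second heredoc that builds `git_credential_url`, ties both invocations to `NEMO_FLOW_CI_PYTHON_VERSION` explicitly.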
@@ -256,16 +259,44 @@ publish:artifactory:cargo:
256259
257260
cargo_home="${CARGO_HOME:-${HOME}/.cargo}"
258261
mkdir -p "$cargo_home"
262+
263+
# Cargo fetches this Artifactory registry as an authenticated Git index.
264+
git_credential_url="$(
265+
uv run --no-project python - <<'PY'
266+
import os
267+
from urllib.parse import quote, urlsplit, urlunsplit
268+
269+
url = os.environ["NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL"]
270+
user = quote(os.environ["NEMO_FLOW_CI_ARTIFACTORY_USER"], safe="")
271+
password = quote(os.environ["NEMO_FLOW_CI_ARTIFACTORY_KEY"], safe="")
272+
parts = urlsplit(url)
273+
if not parts.scheme or not parts.netloc:
274+
raise SystemExit("NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL must be an absolute URL")
275+
print(urlunsplit((parts.scheme, f"{user}:{password}@{parts.netloc}", parts.path, parts.query, parts.fragment)))
276+
PY
277+
)"
278+
279+
git config --global credential.helper "store --file=${HOME}/.git-credentials"
280+
git config --global credential.useHttpPath true
281+
printf '%s\n' "$git_credential_url" > "${HOME}/.git-credentials"
282+
chmod 600 "${HOME}/.git-credentials"
283+
259284
cargo_auth="Basic $(printf '%s:%s' "${NEMO_FLOW_CI_ARTIFACTORY_USER}" "${NEMO_FLOW_CI_ARTIFACTORY_KEY}" | base64 | tr -d '\n')"
285+
260286
cat > "${cargo_home}/config.toml" <<EOF
261287
[registries.artifactory]
262288
index = "${NEMO_FLOW_CI_ARTIFACTORY_CARGO_URL}"
263289
credential-provider = "cargo:token"
290+
291+
[net]
292+
git-fetch-with-cli = true
264293
EOF
294+
265295
cat > "${cargo_home}/credentials.toml" <<EOF
266296
[registries.artifactory]
267297
token = "${cargo_auth}"
268298
EOF
299+
269300
chmod 600 "${cargo_home}/credentials.toml"
270301
271302
for crate in nemo-flow nemo-flow-adaptive nemo-flow-ffi; do
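Review bot: new line 281 creates `${HOME}/.git-credentials` with the default umask and only tightens it with `chmod 600` on the following line, so the file holding the URL-embedded user and key is briefly readable under whatever permissions the shell's umask allows; set `umask 077` before the `printf` (the same applies to the `credentials.toml` heredoc further down) so the file is never created wider than 0600. Separately, `git_credential_url` gets no empty-value check like the `[ -z "$version" ]` guard earlier in the script: if the inline Python exits through `raise SystemExit(...)` and the shell does not abort on the failed substitution, a blank credential file is written and the failure surfaces only later as an index fetch error. A short `-z` test with an explicit error message after new line 277 would keep the two helpers consistent.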
