mirror of
https://github.com/azaion/loader.git
synced 2026-04-23 00:56:32 +00:00
[AZ-185][AZ-186] Batch 2
Made-with: Cursor
@@ -0,0 +1,67 @@
# CI/CD Artifact Publish
**Task**: AZ-186_cicd_artifact_publish
**Name**: CI/CD Artifact Publish
**Description**: Add encrypt-and-publish step to Woodpecker CI/CD pipeline and create a shared publish script usable by both CI/CD and training service
**Complexity**: 3 points
**Dependencies**: AZ-183
**Component**: DevOps
**Tracker**: AZ-186
**Epic**: AZ-181
## Problem
Both CI/CD (for Docker images) and the training service (for AI models) need to encrypt artifacts and publish them to CDN + Resources table. The encryption and publish logic should be shared.
## Outcome
- Shared Python publish script that any producer can call
- Woodpecker pipeline automatically publishes encrypted Docker archives after build
- Training service can publish AI models using the same script
- Every artifact gets its own random AES-256 key
## Scope
### Included
- Shared publish script (Python): generate random AES-256 key, compress (gzip), encrypt (AES-256), SHA-256 hash, upload to S3, write Resources row
- Woodpecker pipeline step in build-arm.yml: after docker build+push, also docker save -> publish script
- S3 bucket structure: {dev_stage}/{resource_name}-{architecture}-{version}.enc
- Documentation for training service integration
### Excluded
- Server-side Resources table (AZ-183, must exist first)
- Loader-side download/decrypt (AZ-184)
- Training service code changes (their team integrates the script)
## Acceptance Criteria
**AC-1: Publish script works end-to-end**
Given a local file (Docker archive or AI model)
When publish script is called with resource_name, dev_stage, architecture, version
Then file is compressed, encrypted with random key, uploaded to S3, and Resources row is written
**AC-2: Woodpecker publishes after build**
Given a push to dev/stage/main branch
When Woodpecker build completes
Then the Docker image is also published as encrypted archive to CDN with Resources row
**AC-3: Unique key per artifact**
Given two consecutive publishes of the same resource
When comparing encryption keys
Then each publish used a different random AES-256 key
**AC-4: SHA-256 consistency**
Given a published artifact
When SHA-256 of the uploaded S3 object is computed
Then it matches the sha256 value in the Resources table
**AC-5: Training service can use the script**
Given the publish script installed as a package or available as a standalone script
When the training service calls it after producing a .trt model
Then the model is published to CDN + Resources table
## Constraints
- Woodpecker runner has access to Docker socket and S3 credentials
- Publish script must work on both x86 (CI runner) and arm64 (training server if needed)
- S3 credentials and DB connection string passed via environment variables
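Review bot: the "Included" bullet and AC-1/AC-3 fix the cipher as "AES-256" without naming a mode, and the per-artifact random key has no stated storage, wrapping or transport, so the spec cannot yet be reviewed for integrity or key handling. Suggest the shared-script bullet read "encrypt (AES-256-GCM, fresh random 96-bit nonce per artifact, nonce and auth tag stored alongside the object)", and that the "write Resources row" part state where the key goes (wrapped with a KEK or KMS key rather than the raw key in the row, and never printed into Woodpecker step output). AC-4 hashes the uploaded S3 object, i.e. the ciphertext, which is the right choice; say "SHA-256 of the ciphertext" explicitly so the AZ-184 loader verifies the hash before decrypting rather than after. Under Constraints, "S3 credentials and DB connection string passed via environment variables" should say they are injected from Woodpecker secrets scoped to the publish step only, since the same runner already holds the Docker socket; and because AC-2 fires on any push to dev/stage/main, consider requiring those branches to be protected (or publishing on tags) before an encrypted image is written to the CDN.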