# CI/CD Artifact Publish

- **Task**: AZ-186_cicd_artifact_publish
- **Name**: CI/CD Artifact Publish
- **Description**: Add an encrypt-and-publish step to the Woodpecker CI/CD pipeline and create a shared publish script usable by both CI/CD and the training service
- **Complexity**: 3 points
- **Dependencies**: AZ-183
- **Component**: DevOps
- **Tracker**: AZ-186
- **Epic**: AZ-181

## Problem

Both CI/CD (for Docker images) and the training service (for AI models) need to encrypt artifacts and publish them to the CDN and the Resources table. The encryption and publish logic should be shared rather than implemented twice.

## Outcome

- Shared Python publish script that any producer can call
- Woodpecker pipeline automatically publishes encrypted Docker archives after build
- Training service can publish AI models using the same script
- Every artifact gets its own random AES-256 key

## Scope

### Included

- Shared publish script (Python): generate a random AES-256 key, compress (gzip), encrypt (AES-256), compute the SHA-256 hash, upload to S3, write the Resources row
- Woodpecker pipeline step in build-arm.yml: after docker build+push, also docker save -> publish script
- S3 bucket structure: `{dev_stage}/{resource_name}-{architecture}-{version}.enc`
- Documentation for training service integration

### Excluded

- Server-side Resources table (AZ-183, must exist first)
- Loader-side download/decrypt (AZ-184)
- Training service code changes (their team integrates the script)

## Acceptance Criteria

**AC-1: Publish script works end-to-end**

- Given a local file (Docker archive or AI model)
- When the publish script is called with resource_name, dev_stage, architecture, version
- Then the file is compressed, encrypted with a random key, uploaded to S3, and a Resources row is written

**AC-2: Woodpecker publishes after build**

- Given a push to the dev/stage/main branch
- When the Woodpecker build completes
- Then the Docker image is also published as an encrypted archive to the CDN with a Resources row

**AC-3: Unique key per artifact**

- Given two consecutive publishes of the same resource
- When the encryption keys are compared
- Then each publish used a different random AES-256 key

**AC-4: SHA-256 consistency**

- Given a published artifact
- When the SHA-256 of the uploaded S3 object is computed
- Then it matches the sha256 value in the Resources table

**AC-5: Training service can use the script**

- Given the publish script installed as a package or available as a standalone script
- When the training service calls it after producing a .trt model
- Then the model is published to the CDN and the Resources table

## Constraints

- Woodpecker runner has access to the Docker socket and S3 credentials
- Publish script must work on both x86 (CI runner) and arm64 (training server, if needed)
- S3 credentials and DB connection string are passed via environment variables
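The following is an added illustration of the shared publish script's core path (gzip, per-artifact random AES-256 key, SHA-256 of the uploaded bytes, S3 key layout, Resources row), written for this page and not the project's actual script. It assumes the `cryptography` package for AES-256-GCM, and injects `upload` and `write_row` callables in place of the real S3 client and database so it runs offline; column names in the row dict are assumed, not taken from the AZ-183 schema.

```python
import gzip
import hashlib
import os
from dataclasses import dataclass

from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # pip install cryptography

NONCE_LEN = 12  # 96-bit GCM nonce, prepended to the ciphertext so the loader can find it

@dataclass(frozen=True)
class PublishResult:
    s3_key: str   # {dev_stage}/{resource_name}-{architecture}-{version}.enc
    key: bytes    # fresh 32-byte AES key; goes to the key store, never uploaded beside the blob
    sha256: str   # hex digest of the exact bytes that were uploaded (AC-4)
    size: int

def s3_object_key(dev_stage: str, resource_name: str, architecture: str, version: str) -> str:
    return f"{dev_stage}/{resource_name}-{architecture}-{version}.enc"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def encrypt_artifact(plaintext: bytes, key: bytes) -> bytes:
    # Compress first (ciphertext does not compress), then seal with AES-256-GCM,
    # which also authenticates the blob so a tampered download fails to decrypt.
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, gzip.compress(plaintext), None)

def decrypt_artifact(blob: bytes, key: bytes) -> bytes:
    # Loader-side counterpart (AZ-184); included only to prove the round trip.
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return gzip.decompress(AESGCM(key).decrypt(nonce, ciphertext, None))

def publish_bytes(data: bytes, resource_name: str, dev_stage: str, architecture: str,
                  version: str, upload, write_row) -> PublishResult:
    key = AESGCM.generate_key(bit_length=256)  # new random key on every call (AC-3)
    blob = encrypt_artifact(data, key)
    digest = sha256_hex(blob)                  # hash the object as stored in S3, not the plaintext
    s3_key = s3_object_key(dev_stage, resource_name, architecture, version)
    upload(s3_key, blob)                       # boto3 put_object in the real script
    write_row({"resource_name": resource_name, "dev_stage": dev_stage, "architecture": architecture,
               "version": version, "s3_key": s3_key, "sha256": digest, "size": len(blob)})
    return PublishResult(s3_key, key, digest, len(blob))

def publish_file(path: str, *args, **kwargs) -> PublishResult:
    # Entry point for a `docker save` tarball or a .trt model on disk (AC-1).
    with open(path, "rb") as f:
        return publish_bytes(f.read(), *args, **kwargs)
```

In the pipeline the returned key must be handed to whatever key distribution AZ-184 uses; the row written here deliberately contains only the hash and location, not the key.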