CI/CD Artifact Publish
Task: AZ-186_cicd_artifact_publish
Name: CI/CD Artifact Publish
Description: Add encrypt-and-publish step to Woodpecker CI/CD pipeline and create a shared publish script usable by both CI/CD and training service
Complexity: 3 points
Dependencies: AZ-183
Component: DevOps
Tracker: AZ-186
Epic: AZ-181
Problem
Both CI/CD (for Docker images) and the training service (for AI models) need to encrypt artifacts and publish them to CDN + Resources table. The encryption and publish logic should be shared.
Outcome
- Shared Python publish script that any producer can call
- Woodpecker pipeline automatically publishes encrypted Docker archives after build
- Training service can publish AI models using the same script
- Every artifact gets its own random AES-256 key
Scope
Included
- Shared publish script (Python): generate random AES-256 key, compress (gzip), encrypt (AES-256), SHA-256 hash, upload to S3, write Resources row
- Woodpecker pipeline step in build-arm.yml: after docker build and push, run docker save and pass the archive to the publish script
- S3 bucket structure: {dev_stage}/{resource_name}-{architecture}-{version}.enc
- Documentation for training service integration
Excluded
- Server-side Resources table (AZ-183, must exist first)
- Loader-side download/decrypt (AZ-184)
- Training service code changes (their team integrates the script)
Acceptance Criteria
AC-1: Publish script works end-to-end
- Given a local file (Docker archive or AI model)
- When the publish script is called with resource_name, dev_stage, architecture, version
- Then the file is compressed, encrypted with a random key, uploaded to S3, and a Resources row is written
AC-2: Woodpecker publishes after build
- Given a push to the dev/stage/main branch
- When the Woodpecker build completes
- Then the Docker image is also published as an encrypted archive to the CDN with a Resources row
AC-3: Unique key per artifact
- Given two consecutive publishes of the same resource
- When the encryption keys are compared
- Then each publish used a different random AES-256 key
AC-4: SHA-256 consistency
- Given a published artifact
- When the SHA-256 of the uploaded S3 object is computed
- Then it matches the sha256 value in the Resources table
AC-5: Training service can use the script
- Given the publish script installed as a package or available as a standalone script
- When the training service calls it after producing a .trt model
- Then the model is published to the CDN and a Resources row is written
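The core of the shared publish script from the Included scope item, with the checks behind AC-3 (fresh random key per artifact) and AC-4 (SHA-256 taken over the bytes that actually land in S3, not over the plaintext). This is an added illustration, not the project's script: it assumes AES-256-GCM with the nonce prepended to the object body, uses the `cryptography` package, and leaves the S3 put, the Resources insert and key storage to the caller.

```python
import gzip
import hashlib
import os
from dataclasses import dataclass

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, prepended to the S3 object body (format assumption)

# Constructed sample input standing in for a `docker save` tarball or a .trt model.
SAMPLE_ARTIFACT = b"constructed layer bytes, not a real image " * 50


@dataclass(frozen=True)
class Published:
    s3_key: str   # {dev_stage}/{resource_name}-{architecture}-{version}.enc
    body: bytes   # nonce || AES-256-GCM(gzip(plaintext)) || tag: exactly what goes to S3
    sha256: str   # hex digest of `body`, the value written to Resources.sha256
    key: bytes    # 32-byte random key; assumption: the caller hands it to key storage


def s3_object_key(resource_name: str, dev_stage: str, architecture: str, version: str) -> str:
    return f"{dev_stage}/{resource_name}-{architecture}-{version}.enc"


def encrypt_and_package(plaintext: bytes, resource_name: str, dev_stage: str,
                        architecture: str, version: str) -> Published:
    key = AESGCM.generate_key(bit_length=256)   # fresh random key per artifact (AC-3)
    nonce = os.urandom(NONCE_LEN)               # single-use key, so nonce reuse cannot occur
    body = nonce + AESGCM(key).encrypt(nonce, gzip.compress(plaintext), None)
    digest = hashlib.sha256(body).hexdigest()   # hash the uploaded bytes, not the plaintext (AC-4)
    return Published(s3_object_key(resource_name, dev_stage, architecture, version), body, digest, key)


def verify_and_unpack(p: Published) -> bytes:
    """Mirror of the AC-4 check: compare the object body against the stored digest, then decrypt."""
    if hashlib.sha256(p.body).hexdigest() != p.sha256:
        raise ValueError("S3 object body does not match Resources.sha256")
    nonce, ciphertext = p.body[:NONCE_LEN], p.body[NONCE_LEN:]
    # AESGCM.decrypt raises InvalidTag if the ciphertext or tag was altered.
    return gzip.decompress(AESGCM(p.key).decrypt(nonce, ciphertext, None))
```

Publishing the same input twice yields different keys, different bodies and different digests, which is what AC-3 asks for; a tampered object is rejected by the digest check before any decryption is attempted.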
Constraints
- Woodpecker runner has access to Docker socket and S3 credentials
- Publish script must work on both x86 (CI runner) and arm64 (training server if needed)
- S3 credentials and DB connection string passed via environment variables