From 2a4aa34907845b00641c6f02be7e5ed9d8ce5b29 Mon Sep 17 00:00:00 2001 From: Ryan Roberts Date: Wed, 18 Jun 2025 14:08:51 +0100 Subject: [PATCH] ci: Introduce "Build Container (BC)" type To comply with security requirements, we must rebuild the benchmark containers regularly. We will do this using a gitlab scheduled pipeline. To prepare for that, let's add the concept of a pipeline type via the PIPELINE_TYPE variable. The existing type is now called "Continuous Integration (CI)" and we introduce "Build Container (BC)", which when invoked, will build a specified container tagged with the specified version. The scheduled pipelines will be setup to invoke this new type. Signed-off-by: Ryan Roberts --- .gitlab-ci.yml | 43 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 51b0674..900ff4f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -5,6 +5,18 @@ default: variables: KUBERNETES_CPU_REQUEST: 2 KUBERNETES_MEMORY_REQUEST: 8Gi + PIPELINE_TYPE: + value: "Continuous Integration (CI)" + options: + - "Build Container (BC)" + - "Continuous Integration (CI)" + description: "The purpose for which the pipeline should execute" + BC_CONTAINER_NAME: + value: "" + description: "Name of the container image to build. Follows the name of the directory within ./containers" + BC_CONTAINER_VERSION: + value: "" + description: "Version tag for the container image. By convention, of the form vX.Y" stages: - build @@ -16,6 +28,12 @@ build-docker-image: KUBERNETES_CPU_REQUEST: 32 KUBERNETES_MEMORY_REQUEST: 16Gi stage: build + rules: + - if: '$PIPELINE_TYPE == "Build Container (BC)"' + - if: '$PIPELINE_TYPE == "Continuous Integration (CI)"' + variables: + BC_CONTAINER_NAME: "ci" + BC_CONTAINER_VERSION: "private-${CI_PIPELINE_IID}" image: name: gcr.io/kaniko-project/executor:v1.23.2-debug entrypoint: [""] 
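Review bot: `BC_CONTAINER_NAME` and `BC_CONTAINER_VERSION` default to `""` and are free-text pipeline inputs, yet nothing visible in this patch rejects an empty or malformed value. The later `build-docker-image` and `build-docker-manifest` hunks use both as `containers/build.sh` / `containers/publish.sh` arguments and as the registry path and tag. An empty value leaves `--version` and `--name` without operands, and the "vX.Y" convention from the description is not enforced anywhere shown. The check could live in the Build Container rule itself, e.g. `- if: '$PIPELINE_TYPE == "Build Container (BC)" && $BC_CONTAINER_NAME =~ /^[a-z0-9][a-z0-9._-]*$/ && $BC_CONTAINER_VERSION =~ /^(latest|v[0-9]+\.[0-9]+)$/'`, unless `build.sh` already validates both (it is not part of this diff).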
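Review bot: The `Build Container (BC)` rule added to `build-docker-image` carries no ref condition, so a pipeline started on any branch with `PIPELINE_TYPE` set can push `containers/<name>:<version>` built from that branch's `containers/` directory. The same rule on `build-docker-manifest` in the next hunk then lets the job alias that image as `latest`. The CI path only promotes to `latest` from the default branch (`deploy-ci-image`), and `ci:latest` is the image several jobs in this file run in, so the BC path is the less restricted of the two. If the scheduled rebuilds are always meant to run from the default branch, `- if: '$PIPELINE_TYPE == "Build Container (BC)" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'` on both jobs would close that gap. Who may run pipelines with variables is a project setting not visible here, and the job body starts and continues outside this hunk.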
@@ -32,22 +50,35 @@ build-docker-image: - echo "{\"auths\":{\"${CI_REGISTRY_IMAGE}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json # Build the container image for our arch. - - containers/build.sh --driver kaniko --push --registry ${CI_REGISTRY_IMAGE} --version private-${CI_PIPELINE_IID} --name ci + - containers/build.sh --driver kaniko --push --registry ${CI_REGISTRY_IMAGE} --version ${BC_CONTAINER_VERSION} --name ${BC_CONTAINER_NAME} build-docker-manifest: stage: build + rules: + - if: '$PIPELINE_TYPE == "Build Container (BC)"' + - if: '$PIPELINE_TYPE == "Continuous Integration (CI)"' + variables: + BC_CONTAINER_NAME: "ci" + BC_CONTAINER_VERSION: "private-${CI_PIPELINE_IID}" image: ${CI_REGISTRY_IMAGE}/containers/ci:latest needs: - build-docker-image script: # Publish multiarch manifest and remove the temp arch-specific tags. - - containers/publish.sh --driver manifest-tool --registry ${CI_REGISTRY_IMAGE} --version private-${CI_PIPELINE_IID} --name ci + - containers/publish.sh --driver manifest-tool --registry ${CI_REGISTRY_IMAGE} --version ${BC_CONTAINER_VERSION} --name ${BC_CONTAINER_NAME} - regctl registry login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} - - regctl tag rm ${CI_REGISTRY_IMAGE}/containers/ci:private-${CI_PIPELINE_IID}-arm64 - - regctl tag rm ${CI_REGISTRY_IMAGE}/containers/ci:private-${CI_PIPELINE_IID}-amd64 + - regctl tag rm ${CI_REGISTRY_IMAGE}/containers/${BC_CONTAINER_NAME}:${BC_CONTAINER_VERSION}-arm64 + - regctl tag rm ${CI_REGISTRY_IMAGE}/containers/${BC_CONTAINER_NAME}:${BC_CONTAINER_VERSION}-amd64 + + # If BC_CONTAINER_VERSION != latest, alias the new tag as latest. 
+ - if [ $PIPELINE_TYPE = "Build Container (BC)" ] && [ "${BC_CONTAINER_VERSION}" != "latest" ]; then + - regctl image copy ${CI_REGISTRY_IMAGE}/containers/${BC_CONTAINER_NAME}:${BC_CONTAINER_VERSION} ${CI_REGISTRY_IMAGE}/containers/${BC_CONTAINER_NAME}:latest + - fi build-documentation: stage: build + rules: + - if: '$PIPELINE_TYPE == "Continuous Integration (CI)"' image: ${CI_REGISTRY_IMAGE}/containers/ci:latest script: - pip3 install requests @@ -61,6 +92,8 @@ build-documentation: test-cli-source-code: stage: test + rules: + - if: '$PIPELINE_TYPE == "Continuous Integration (CI)"' # Test in context of private ci image in case of any new dependencies. image: ${CI_REGISTRY_IMAGE}/containers/ci:private-${CI_PIPELINE_IID} script: @@ -69,7 +102,7 @@ test-cli-source-code: deploy-ci-image: stage: deploy rules: - - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + - if: '$PIPELINE_TYPE == "Continuous Integration (CI)" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' image: ${CI_REGISTRY_IMAGE}/containers/ci:latest script: # If running on main branch, promote the image to "latest" tag. -- GitLab
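Review bot: `$PIPELINE_TYPE` is unquoted in `[ $PIPELINE_TYPE = "Build Container (BC)" ]`, so the value word-splits into three words and the test receives too many arguments. In bash that is an error with a non-zero status, which an `if` condition silently treats as false, so the `latest` alias would never be created. Quote it: `- if [ "$PIPELINE_TYPE" = "Build Container (BC)" ] && [ "${BC_CONTAINER_VERSION}" != "latest" ]; then`. The `${BC_CONTAINER_NAME}` and `${BC_CONTAINER_VERSION}` expansions in the `build.sh`, `publish.sh` and `regctl` lines of this hunk are also unquoted and would split on whitespace in a user-supplied value. Separately, spreading `if`/`fi` over three `script:` entries depends on how the runner joins entries, so a single `- |` block would be the more robust form.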