fix(nightly): unblank CONTAINER_IMAGE in GitLab trigger + forward ARTIFACTORY_REPO_NAME#973
Conversation
…IFACTORY_REPO_NAME
GitHub Actions blanks cross-job outputs whose values contain a repo secret
("Skip output '<name>' since it may contain secret."), so the previous
nightly forwarded an empty CONTAINER_IMAGE to the GitLab compliance
pipeline. Reconstruct the image string in the trigger job from
NGC_STAGING_IMAGE_BASE + container_tag and drop the now-unused job output.
Also forward ARTIFACTORY_REPO_NAME so GitLab no longer has to derive it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Harrison King Saturley-Hall <hsaturleyhal@nvidia.com>
Try out this PRQuick install: pip install --upgrade --force-reinstall git+https://github.com/ai-dynamo/aiperf.git@6c41c2defd24d7b1ce0dde472ce8081fb5d6c063Recommended with virtual environment (using uv): uv venv --python 3.12 && source .venv/bin/activate
uv pip install --upgrade --force-reinstall git+https://github.com/ai-dynamo/aiperf.git@6c41c2defd24d7b1ce0dde472ce8081fb5d6c063Last updated for commit: |
WalkthroughThe nightly workflow is updated to prevent unintended secret blanking across job outputs. The staging job stops exporting a ChangesNightly Workflow Secret Handling
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/nightly.yml (1)
1025-1031: ⚖️ Poor tradeoffConsider centralizing the non-secret part of the image path.
The literal
aiperf-nightly:${CONTAINER_TAG}here duplicates the same construction instage-nightly-containerat line 889/893/898-900. The repo-name segment and tag are not secrets, so only theNGC_STAGING_IMAGE_BASEprefix is what GitHub Actions blanks on cross-job outputs — you could safely emit the suffix (e.g.,image_suffix: aiperf-nightly:${{ steps.copy.outputs.tag }}or even just rely onneeds.prepare-nightly.outputs.container_tagplus a shared local constant) as astage-nightly-containeroutput so the staging job remains the single source of truth for the NGC repo path. Today, ifaiperf-nightlyis ever renamed (e.g., to track a PyPI dist-name change), both jobs must be updated in lockstep.Not blocking — the comment at lines 902-907 documents the intent, and the duplication is just two short occurrences in the same file.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/nightly.yml around lines 1025 - 1031, Centralize the non-secret image suffix by emitting it from the staging job and using it when reconstructing CONTAINER_IMAGE: add an output (e.g., image_suffix: "aiperf-nightly:${{ steps.copy.outputs.tag }}" or use the existing needs.prepare-nightly.outputs.container_tag combined with a shared constant) in the stage-nightly-container job, then replace the hardcoded "aiperf-nightly:${CONTAINER_TAG}" in the downstream job with that output (referring to CONTAINER_IMAGE, NGC_STAGING_IMAGE_BASE, stage-nightly-container, and container_tag/image_suffix) so the repo-name+tag are defined in one place and only NGC_STAGING_IMAGE_BASE remains secret-prefixed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/nightly.yml:
- Around line 1025-1031: Centralize the non-secret image suffix by emitting it
from the staging job and using it when reconstructing CONTAINER_IMAGE: add an
output (e.g., image_suffix: "aiperf-nightly:${{ steps.copy.outputs.tag }}" or
use the existing needs.prepare-nightly.outputs.container_tag combined with a
shared constant) in the stage-nightly-container job, then replace the hardcoded
"aiperf-nightly:${CONTAINER_TAG}" in the downstream job with that output
(referring to CONTAINER_IMAGE, NGC_STAGING_IMAGE_BASE, stage-nightly-container,
and container_tag/image_suffix) so the repo-name+tag are defined in one place
and only NGC_STAGING_IMAGE_BASE remains secret-prefixed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 59f843c9-a08f-4e08-98cc-d0383a92ad96
📒 Files selected for processing (1)
.github/workflows/nightly.yml
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
… trigger Match the existing ARTIFACTORY_PYPI_URL secret naming so the PyPI-repo scoping is explicit in both the GitHub secret reference and the GitLab variable forwarded by the nightly trigger. Follow-up to #973. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: Harrison King Saturley-Hall <hsaturleyhal@nvidia.com>
Summary
CONTAINER_IMAGE.stage-nightly-containerwas emittingcontainer_image="${NGC_STAGING_IMAGE_BASE}/aiperf-nightly:${CONTAINER_TAG}"as a job output; becauseNGC_STAGING_IMAGE_BASEis a secret, GitHub stripped it with the annotationSkip output 'container_image' since it may contain secret.The downstreamtrigger-gitlab-security-scanthen readneeds.stage-nightly-container.outputs.container_imageand got an empty string, so the GitLab POST sentvariables[CONTAINER_IMAGE]=(verified against the env dump from the run:CONTAINER_IMAGE:blank, everything else populated).container_tag. This is the same value, but read directly fromsecrets.NGC_STAGING_IMAGE_BASE(which is masked in logs but not stripped from form-data the way cross-job outputs are).ARTIFACTORY_REPO_NAME(already exists in theautomated-releaseenvironment) so the GitLab side no longer has to derive it fromARTIFACTORY_URL.Test plan
workflow_dispatchfrommainagainst this branch's workflow file (released to main first, or via temporary push to main behind a feature flag).Stage Container (ECR → NGC Staging)job no longer emits theSkip output 'container_image' since it may contain secret.annotation.Trigger GitLab pipelinestep thatCONTAINER_IMAGEresolves to the full<NGC>/aiperf-nightly:<container_tag>string (it will be masked in logs as***/aiperf-nightly:<tag>, which is the expected behavior — only the secret prefix is hidden).CONTAINER_IMAGEandARTIFACTORY_REPO_NAMEvariables.🤖 Generated with Claude Code
Summary by CodeRabbit
Bug Fixes
Chores