chore: add CD pipeline for nilAI images

.github/workflows/ci.yml → .github/workflows/cicd.yml

@@ -1,10 +1,16 @@
-name: Python Tests
+name: CI/CD
 
 on:
   push:
     branches: [ "main" ]
   pull_request:
-    branches: [ "**"] # Adjust branches as needed
+    branches: [ "**" ] # Adjust branches as needed
+  release:
+    types: [published]
+
+permissions:
+  id-token: write # Required for OIDC
+  contents: read  # Required for checkout
 
 jobs:
   test:
@@ -45,6 +51,7 @@ jobs:
   start-runner:
     name: Start self-hosted EC2 runner
     runs-on: ubuntu-24.04
+    needs: test
     outputs:
       label: ${{ steps.start-ec2-runner.outputs.label }}
       ec2-instances-ids: ${{ steps.start-ec2-runner.outputs.ec2-instances-ids }}
@@ -168,3 +175,50 @@ jobs:
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           label: ${{ needs.start-runner.outputs.label }}
           ec2-instances-ids: ${{ needs.start-runner.outputs.ec2-instances-ids }}
+
+  deploy-images:
+    name: Publish ${{ matrix.component }} to ECR
+    needs: e2e-tests
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'release'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - component: vllm
+            docker_build_extra_args: ""
+          - component: attestation
+            docker_build_extra_args: ""
+          - component: api
+            docker_build_extra_args: "--target nilai --platform linux/amd64"
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: "arn:aws:iam::054037142884:role/nilai-github"
+          aws-region: "us-east-1"
+
+      - uses: aws-actions/amazon-ecr-login@v2
+        id: login-ecr
+        with:
+          registry-type: public
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Build and push ${{ matrix.component }} image
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REGISTRY_ALIAS: k5d9x2g2
+          ECR_REPOSITORY: nilai-${{ matrix.component }}
+          IMAGE_TAG: ${{ github.event_name == 'release' && github.ref_name || github.sha }}
+        run: |
+          ECR_REGISTRY_URL="${ECR_REGISTRY}/${ECR_REGISTRY_ALIAS}/${ECR_REPOSITORY}"
+
+          docker build \
+            --push \
+            -f docker/${{ matrix.component }}.Dockerfile \
+            -t ${ECR_REGISTRY_URL}:${IMAGE_TAG} \
+            ${{ matrix.docker_build_extra_args }} \
+            .
+
+          echo "Pushed ${{ matrix.component }} image: ${ECR_REGISTRY_URL}:${IMAGE_TAG}" >> $GITHUB_STEP_SUMMARY

nilai-api/pyproject.toml

@@ -43,4 +43,6 @@ build-backend = "hatchling.build"
 [tool.uv.sources]
 nilai-common = { workspace = true }
 nuc-helpers = { workspace = true }
-nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", tag = "54c7171e0e30fc9a68ba9e307bb6e92a0690f4d8" }
+
+nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", rev = "4922b5e9354e611cc31322d681eb29da05be584e" }
+

nilai-auth/nuc-helpers/pyproject.toml

@@ -20,4 +20,6 @@ requires = ["hatchling"]
 build-backend = "hatchling.build"
 
 [tool.uv.sources]
-nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", tag = "54c7171e0e30fc9a68ba9e307bb6e92a0690f4d8" }
+
+nuc = { git = "https://github.com/NillionNetwork/nuc-py.git", rev = "4922b5e9354e611cc31322d681eb29da05be584e" }
+