[None][infra] PLC pipeline update #11597

Merged: yuanjingx87 merged 2 commits into NVIDIA:main from yuanjingx87:user/yuanjingx/plc_pipeline_adjustment on Feb 21, 2026
yuanjingx87 (Collaborator) commented Feb 20, 2026

Summary by CodeRabbit

Release Notes

  • Infrastructure Updates
    • Build environment upgraded to Ubuntu 24.04 for improved performance and security.
    • Enhanced GitHub fork validation ensuring safer pipeline configurations.
    • Improved credential and token handling with stronger validation checks.
    • Optimized Sonar scanner integration for better code quality analysis.

Description

install sonar cli in pipeline
update pod name to be more precise
using ubuntu 24.04
accept fork username instead of full git repo url
hide auth_header

Test Coverage

PR Checklist

Please review the following before submitting your PR:

  • PR description clearly explains what and why. If using CodeRabbit's summary, please make sure it makes sense.

  • PR Follows TRT-LLM CODING GUIDELINES to the best of your knowledge.

  • Test cases are provided for new code paths (see test instructions)

  • Any new dependencies have been scanned for license and vulnerabilities

  • CODEOWNERS updated if ownership changes

  • Documentation updated as needed

  • Update tava architecture diagram if there is a significant design change in PR.

  • The reviewers assigned automatically/manually are appropriate for the PR.

  • Please check this after reviewing the above items as appropriate for this PR.

GitHub Bot Help

/bot [-h] ['run', 'kill', 'skip', 'reuse-pipeline'] ...

Provide a user friendly way for developers to interact with a Jenkins server.

Run /bot [-h|--help] to print this help message.

See details below for each supported subcommand.

Details

run [--reuse-test (optional)pipeline-id --disable-fail-fast --skip-test --stage-list "A10-PyTorch-1, xxx" --gpu-type "A30, H100_PCIe" --test-backend "pytorch, cpp" --add-multi-gpu-test --only-multi-gpu-test --disable-multi-gpu-test --post-merge --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" --detailed-log --debug(experimental)]

Launch build/test pipelines. All previously running jobs will be killed.

--reuse-test (optional)pipeline-id (OPTIONAL) : Allow the new pipeline to reuse build artifacts and skip successful test stages from a specified pipeline or the last pipeline if no pipeline-id is indicated. If the Git commit ID has changed, this option will be always ignored. The DEFAULT behavior of the bot is to reuse build artifacts and successful test results from the last pipeline.

--disable-reuse-test (OPTIONAL) : Explicitly prevent the pipeline from reusing build artifacts and skipping successful test stages from a previous pipeline. Ensure that all builds and tests are run regardless of previous successes.

--disable-fail-fast (OPTIONAL) : Disable fail fast on build/tests/infra failures.

--skip-test (OPTIONAL) : Skip all test stages, but still run build stages, package stages and sanity check stages. Note: Does NOT update GitHub check status.

--stage-list "A10-PyTorch-1, xxx" (OPTIONAL) : Only run the specified test stages. Examples: "A10-PyTorch-1, xxx". Note: Does NOT update GitHub check status.

--gpu-type "A30, H100_PCIe" (OPTIONAL) : Only run the test stages on the specified GPU types. Examples: "A30, H100_PCIe". Note: Does NOT update GitHub check status.

--test-backend "pytorch, cpp" (OPTIONAL) : Skip test stages which don't match the specified backends. Only support [pytorch, cpp, tensorrt, triton]. Examples: "pytorch, cpp" (does not run test stages with tensorrt or triton backend). Note: Does NOT update GitHub pipeline status.

--only-multi-gpu-test (OPTIONAL) : Only run the multi-GPU tests. Note: Does NOT update GitHub check status.

--disable-multi-gpu-test (OPTIONAL) : Disable the multi-GPU tests. Note: Does NOT update GitHub check status.

--add-multi-gpu-test (OPTIONAL) : Force run the multi-GPU tests in addition to running L0 pre-merge pipeline.

--post-merge (OPTIONAL) : Run the L0 post-merge pipeline instead of the ordinary L0 pre-merge pipeline.

--extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" (OPTIONAL) : Run the ordinary L0 pre-merge pipeline and specified test stages. Examples: --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx".

--detailed-log (OPTIONAL) : Enable flushing out all logs to the Jenkins console. This will significantly increase the log volume and may slow down the job.

--debug (OPTIONAL) : Experimental feature. Enable access to the CI container for debugging purpose. Note: Specify exactly one stage in the stage-list parameter to access the appropriate container environment. Note: Does NOT update GitHub check status.

For guidance on mapping tests to stage names, see docs/source/reference/ci-overview.md
and the scripts/test_to_stage_mapping.py helper.

kill

kill

Kill all running builds associated with pull request.

skip

skip --comment COMMENT

Skip testing for latest commit on pull request. --comment "Reason for skipping build/test" is required. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.

reuse-pipeline

reuse-pipeline

Reuse a previous pipeline to validate current commit. This action will also kill all currently running builds associated with the pull request. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.

install sonar cli in pipeline
update pod name to be more precise
using ubuntu 24.04
accept fork username instead of full git repo url
hide auth_header

Signed-off-by: Yuanjing Xue <197832395+yuanjingx87@users.noreply.github.com>
@yuanjingx87 yuanjingx87 requested review from a team as code owners February 20, 2026 07:12
coderabbitai bot (Contributor) commented Feb 20, 2026

Walkthrough

Jenkins pipeline updated to replace custom repository flow with GitHub fork support, upgrade container base image from ubuntu:22.04 to ubuntu:24.04, rename container definitions, enhance credential security by preventing direct auth header exposure, and adjust tooling integration for the new container environment.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Container & Pod Configuration: jenkins/TensorRT_LLM_PLC.groovy | Updated pod base image from ubuntu:22.04 to ubuntu:24.04; renamed alpine container to cpu; preserved resource requests/limits for updated containers. |
| GitHub Fork Integration: jenkins/TensorRT_LLM_PLC.groovy | Added isValidGithubUser() validation method; introduced forkOwner parameter; updated repoUrlKey choices from custom_repo to github_fork with fork URL construction using validated owner. |
| Security & Credential Handling: jenkins/TensorRT_LLM_PLC.groovy | Removed direct auth header storage in Groovy variable; moved header construction into shell script block; added validation guard for Pulse token presence, throwing exception if missing. |
| Tooling & Stage Updates: jenkins/TensorRT_LLM_PLC.groovy | Updated installTools, checkoutSource, generateLockFiles, and sonar_scan stages to execute within cpu container; integrated local sonar-scanner CLI download; adjusted Pulse scanning environment variable handling. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The PR description provides a clear list of changes but lacks detail and context about the 'why' behind the changes, and the Test Coverage section is incomplete. | Expand the description to explain the rationale behind each change (e.g., why Ubuntu 24.04, why hide auth_header, what security/performance benefits) and document relevant test coverage or validation steps. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title '[None][infra] PLC pipeline update' correctly follows the repository's template format with [None] ticket reference and [infra] type, and clearly identifies the main change as a PLC pipeline update. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Comment @coderabbitai help to get the list of available commands and usage tips.
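
The fork-owner check described in the walkthrough above can be sketched as follows. This is an added example, not the PR's `isValidGithubUser()` (whose body this page does not show): the shell function names and the `REPO_NAME` value are assumptions, and the rule applied is GitHub's username format (1 to 39 ASCII alphanumerics or single hyphens, no leading or trailing hyphen).

```shell
#!/bin/sh
# Added example (not the PR's code): accept only a GitHub username and build
# the fork URL from it, instead of accepting an arbitrary repository URL.
LC_ALL=C; export LC_ALL          # make [A-Za-z] mean ASCII only
REPO_NAME="TensorRT-LLM"         # assumption: repository name of the fork

# GitHub usernames: 1-39 chars, ASCII alphanumerics or single hyphens,
# no leading or trailing hyphen.
is_valid_github_user() {
    owner=$1
    [ "${#owner}" -ge 1 ] && [ "${#owner}" -le 39 ] || return 1
    # `case` matches the whole string, so an embedded newline is rejected
    # too (a line-based grep check could pass "good<newline>bad").
    case $owner in
        *[!A-Za-z0-9-]*) return 1 ;;   # '/', ':', '@', '.', spaces, quotes, ...
        -*|*-)           return 1 ;;   # leading or trailing hyphen
        *--*)            return 1 ;;   # consecutive hyphens
    esac
    return 0
}

# Print the fork URL for a validated owner; fail closed otherwise.
fork_url() {
    is_valid_github_user "$1" || { echo "rejected fork owner" >&2; return 1; }
    printf 'https://github.com/%s/%s.git\n' "$1" "$REPO_NAME"
}

# Constructed sample inputs: one valid name, then values that a free-form
# repository URL parameter would have accepted.
nl='
'
for candidate in "octo-cat" "-lead" "a--b" "owner/repo" \
                 "git@host.example:x" "ok${nl}second-line"; do
    if url=$(fork_url "$candidate" 2>/dev/null); then
        printf 'accept  %s\n' "$url"
    else
        printf 'reject  [%s]\n' "$candidate"
    fi
done
```

Because the host and repository name are fixed by the script and only the owner segment varies, the pipeline can only ever check out a fork on github.com.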

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
jenkins/TensorRT_LLM_PLC.groovy (1)

161-164: Consider verifying the checksum of the downloaded sonar-scanner archive.

The CLI is downloaded from Maven Central over HTTPS on every run without integrity verification. While the risk is low, adding a SHA-256 check would harden the supply chain for this compliance-critical pipeline.

💡 Example checksum verification
     def sonarScannerCliVer = "8.0.0.6341"
+    def sonarScannerCliSha256 = "<expected_sha256_hash>"
     sh "wget https://repo1.maven.org/maven2/org/sonarsource/scanner/cli/sonar-scanner-cli/${sonarScannerCliVer}/sonar-scanner-cli-${sonarScannerCliVer}.zip"
+    sh "echo '${sonarScannerCliSha256}  sonar-scanner-cli-${sonarScannerCliVer}.zip' | sha256sum -c -"
     sh "unzip sonar-scanner-cli-${sonarScannerCliVer}.zip"
     sh "mv sonar-scanner-${sonarScannerCliVer} ./sonar-scanner"
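Review bot: `sonarScannerCliSha256` on the first added line is still the placeholder `<expected_sha256_hash>`, so the `sha256sum -c -` step would fail every build if merged as written. Commit the real digest for version 8.0.0.6341, taken from a source other than the download performed at build time, and add a comment next to `sonarScannerCliVer` saying the two values must be changed together. Keeping the check as its own `sh` step between `wget` and `unzip`, as here, is right: a non-zero exit from `sha256sum -c` fails the step before anything is unpacked.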
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jenkins/TensorRT_LLM_PLC.groovy`:
- Around line 107-110: The shell block that assigns token (the sh(...) call
producing token) uses escaped quotes like \" inside a triple-single-quoted
Groovy string, which are passed literally and break curl arguments; update the
sh script so header flags and the URL use plain double quotes (e.g. --header
"Authorization: Basic $AUTH_HEADER" and --header "Content-Type:
application/x-www-form-urlencoded") instead of \" sequences, and change the
trailing tr -d '\"' to tr -d '"' so only the quote character is removed; keep
the rest of the sh(...) call (AUTH_HEADER generation, curl options, jq
extraction and .trim()) the same.

---

Nitpick comments:
In `@jenkins/TensorRT_LLM_PLC.groovy`:
- Around line 161-164: Add SHA-256 integrity verification for the downloaded
sonar-scanner archive: after the download of
sonar-scanner-cli-${sonarScannerCliVer}.zip (the sh wget call) introduce a
knownChecksum variable (or fetch the expected checksum from a trusted source),
compute the actual checksum with sha256sum on
sonar-scanner-cli-${sonarScannerCliVer}.zip, compare them, and if they differ
call error/exit to fail the build before running unzip/mv; update the block that
uses sonarScannerCliVer and the subsequent sh unzip/mv steps to only run when
the checksum check passes.
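
The credential handling this review discusses (building the `Authorization` header inside the shell step and failing when no token comes back) could look like the following. This is an added example, not the pipeline's code: `CLIENT_ID`, `CLIENT_SECRET`, `TOKEN_URL`, the `grant_type` value and the `.access_token` field are assumptions, and it goes one step beyond the page by passing the headers to curl on stdin with `--config -` so they never appear in the process arguments.

```shell
#!/bin/sh
# Added example (not the pipeline's code). Secrets arrive as environment
# variables (for instance bound by Jenkins withCredentials); nothing secret is
# interpolated into the script text, so nothing secret is echoed with it.

# Emit curl config lines carrying the headers. Read with `curl --config -`.
basic_auth_config() {
    [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ] || {
        echo "CLIENT_ID / CLIENT_SECRET not set" >&2; return 1; }
    # tr removes the line wrap GNU base64 inserts into long output.
    printf 'header = "Authorization: Basic %s"\n' \
        "$(printf '%s:%s' "$CLIENT_ID" "$CLIENT_SECRET" | base64 | tr -d '\n')"
    printf 'header = "Content-Type: application/x-www-form-urlencoded"\n'
}

# Fail closed on a missing token. `jq -r` prints the string "null" when the
# field is absent, so an emptiness test alone would let that through.
require_token() {
    case ${1:-} in
        ''|null) echo "no token in response" >&2; return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Full flow; needs network, curl and jq, so it is defined but not run here.
fetch_token() {
    set +x                                   # never trace these commands
    cfg=$(basic_auth_config) || return 1     # stop before any request is sent
    resp=$(printf '%s\n' "$cfg" | curl --silent --fail --config - \
        --data 'grant_type=client_credentials' "$TOKEN_URL") || return 1
    require_token "$(printf '%s' "$resp" | jq -r '.access_token')"
}

# Constructed demo values (not real credentials).
( CLIENT_ID=client; CLIENT_SECRET=secret; basic_auth_config )
require_token "null" 2>/dev/null || echo "guard rejected a null token"
```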

@yuanjingx87 yuanjingx87 force-pushed the user/yuanjingx/plc_pipeline_adjustment branch 6 times, most recently from fedeb8d to 6734838 Compare February 20, 2026 20:48
Signed-off-by: Yuanjing Xue <197832395+yuanjingx87@users.noreply.github.com>
@yuanjingx87 yuanjingx87 force-pushed the user/yuanjingx/plc_pipeline_adjustment branch from e3bebc4 to 87e95b7 Compare February 20, 2026 21:14
@yuanjingx87 (Collaborator, Author)

/bot skip --comment "No need to run CI"

@tensorrt-cicd (Collaborator)

PR_Github #36361 [ skip ] triggered by Bot. Commit: 87e95b7 Link to invocation

@tensorrt-cicd (Collaborator)

PR_Github #36361 [ skip ] completed with state SUCCESS. Commit: 87e95b7
Skipping testing for commit 87e95b7

Link to invocation

@yuanjingx87 yuanjingx87 merged commit cf2254f into NVIDIA:main Feb 21, 2026
5 checks passed