pipeline to build scan and push model engine for sg2.0 #795

Merged
osayandehenry merged 5 commits into main from
osayandehenry-iyasere/gfd-444-cicd-pipeline-for-model-engine-llm-engine
Apr 3, 2026

Conversation

@osayandehenry (Collaborator) commented Apr 1, 2026

Pull Request Summary

CI/CD for when we mirror the llm-engine repo to our GitLab in order to build, scan and push images

Test Plan and Usage Guide

How did you validate that your PR works correctly? How do you run or demo the code? Provide enough detail so a reviewer can reasonably reproduce the testing procedure. Paste example command line invocations if applicable.

Greptile Summary

This PR introduces a GitLab CI/CD pipeline (.gitlab-ci.yml) and a VERSION file to enable building, scanning, and pushing the FIPS-compliant model-engine image to Harbor when the llm-engine repository is mirrored to the internal GitLab instance for the SG2.0 environment.

Key changes:

  • New .gitlab-ci.yml that includes scalegov2-pipelines templates for Docker build and Grype scanning, with workflow rules covering MR events, default branch, tags, and manual web triggers.
  • A compute-tag job in the .pre stage that generates a semver+datetime+SHA image tag (e.g. 1.0.0-20260401-a1b2c3d4) and exposes it via a dotenv artifact as IMAGE_TAG_OVERRIDE.
  • build and build-mr job overrides that inject a docker login for Scale's private Chainguard registry (needed to pull the cgr.dev/scale.com/python-fips base image) while preserving the template's base before_script via !reference.
  • New VERSION file seeding the initial version at 1.0.0.

Minor findings (all P2 — non-blocking):

  • Both template include entries use ref: main, a floating reference that can silently pick up breaking changes from the upstream scalegov2-pipelines repo. Pinning to a tag or commit SHA is recommended.
  • alpine:latest in compute-tag is a mutable tag; pinning to a specific minor version (e.g. alpine:3.21) improves reproducibility.
  • apk add --no-cache git is installed in compute-tag's before_script but git is never invoked in the script block — it can be removed to save time and reduce container surface.

Confidence Score: 5/5

Safe to merge — all remaining findings are P2 style/best-practice suggestions that do not affect correctness or runtime behavior.

The pipeline logic is straightforward and well-documented. The three open findings (floating template ref, mutable Alpine tag, unused git package) are all non-blocking cleanup items with no impact on whether the pipeline builds, scans, or pushes images correctly. Per the confidence guidance, a PR with only P2 findings scores 5/5.

No files require special attention beyond the minor P2 suggestions in .gitlab-ci.yml.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .gitlab-ci.yml | New GitLab CI pipeline for building, scanning, and pushing the FIPS model-engine image to Harbor. Uses floating ref: main for template includes (reproducibility risk), installs an unused git package in the compute-tag job, and uses a mutable alpine:latest image tag. All are minor style/best-practice issues. |
| VERSION | New VERSION file seeding the initial semver at 1.0.0, consumed by the compute-tag job to build image tags. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Pipeline Trigger\nMR / default branch / tag / web] --> B[compute-tag\n.pre stage]
    B -->|reads VERSION file| C[Generate IMAGE_TAG_OVERRIDE\ne.g. 1.0.0-20260401-a1b2c3d4]
    C -->|dotenv artifact: tag.env| D{Trigger source?}
    D -->|merge_request_event| E[build-mr\ndocker login cgr.dev\nbuild image]
    D -->|default branch / tag / web| F[build\ndocker login cgr.dev\nbuild image]
    E --> G[scan\nGrype vulnerability scan]
    F --> G
    G -->|push to Harbor| H[Harbor Registry\napps-dev / model-engine:TAG]
```
Prompt To Fix All With AI
This is a comment left during a code review.
Path: .gitlab-ci.yml
Line: 50-52

Comment:
**Unused `git` install in `compute-tag`**

`apk add --no-cache git` is installed in `before_script` but never used in the `script` block — the tag computation only calls `cat`, `tr`, `date`, and `echo`, all of which ship with Alpine's base image. Removing the install saves a few seconds of job runtime and shrinks the attack surface of the ephemeral container.

```suggestion
compute-tag:
  stage: .pre
  image: alpine:latest
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: .gitlab-ci.yml
Line: 19-24

Comment:
**Template `ref: main` is a floating reference**

Both includes pin to `ref: main`, meaning the pipeline will silently consume any future breaking change (or unintentional regression) pushed to the `scalegov2-pipelines` main branch. Pinning to a specific commit SHA or a semver tag makes the pipeline reproducible and prevents surprise failures:

```yaml
include:
  - project: 'scalegov/scalegov2-pipelines'
    ref: 'v1.2.3'   # or a pinned commit SHA
    file: '/templates/docker-build.yml'
  - project: 'scalegov/scalegov2-pipelines'
    ref: 'v1.2.3'
    file: '/templates/scan.yml'
```

If the templates are still under active development and intentional tracking of `main` is desired, a comment explaining that choice would help future readers.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: .gitlab-ci.yml
Line: 50

Comment:
**`alpine:latest` is a mutable tag**

Using `latest` means the `compute-tag` job could behave differently across pipeline runs if Alpine releases a breaking change. For a job this simple, pinning to a specific digest or minor version (e.g., `alpine:3.19`) makes the pipeline fully reproducible at no real cost.

```suggestion
  image: alpine:3.21
```

How can I resolve this? If you propose a fix, please make it concise.
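The compute-tag job described in the summary (VERSION file plus date plus short SHA, exported through a dotenv artifact as IMAGE_TAG_OVERRIDE) and the two reproducibility findings (floating `ref: main`, mutable `alpine:latest`), as an added shell example. This is not the PR's `.gitlab-ci.yml` nor a tool from the scalegov2-pipelines repo; it is constructed here to show the tag computation with input validation, the dotenv write, and a small lint that would catch the findings before merge. It assumes a VERSION file holding a bare `X.Y.Z`, and that the build date and short SHA are passed in as arguments (the real job would take them from `date` and GitLab's `CI_COMMIT_SHORT_SHA`); the function names and the OCI tag grammar check are this example's own.

```shell
#!/bin/sh
# Constructed example of the compute-tag logic; not the PR's pipeline file.
set -eu

# compute_tag VERSION_FILE BUILD_DATE SHORT_SHA
# Prints "<semver>-<date>-<sha>", e.g. 1.0.0-20260401-a1b2c3d4.
# Rejects a VERSION that is not X.Y.Z and a SHA that is not lowercase hex,
# so a malformed file fails the .pre stage instead of producing a bad tag.
compute_tag() {
  version_file="$1"; build_date="$2"; short_sha="$3"
  version="$(tr -d '[:space:]' < "$version_file")"   # strip trailing newline
  printf '%s' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' \
    || { printf 'compute-tag: VERSION must be X.Y.Z, got "%s"\n' "$version" >&2; return 1; }
  printf '%s' "$short_sha" | grep -Eq '^[0-9a-f]{7,40}$' \
    || { printf 'compute-tag: bad short sha "%s"\n' "$short_sha" >&2; return 1; }
  printf '%s-%s-%s\n' "$version" "$build_date" "$short_sha"
}

# validate_tag TAG
# Checks the OCI/Docker tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}.
validate_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# write_dotenv TAG OUT_FILE
# Writes the dotenv artifact consumed by the build jobs as IMAGE_TAG_OVERRIDE.
write_dotenv() {
  printf 'IMAGE_TAG_OVERRIDE=%s\n' "$1" > "$2"
}

# lint_ci CI_FILE
# Reports (on stderr) lines that track a floating template ref or a
# mutable ":latest" image, and prints the number of findings on stdout.
# A non-zero count is what a pre-merge check would fail on.
lint_ci() {
  findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    # drop quotes and trailing whitespace so ref: 'main' and ref: main match alike
    stripped="$(printf '%s' "$line" | tr -d "'\"" | sed 's/[[:space:]]*$//')"
    case "$stripped" in
      *"ref: main")          printf 'floating ref: %s\n' "$line" >&2; findings=$((findings + 1)) ;;
      *"image: "*":latest")  printf 'mutable tag:  %s\n' "$line" >&2; findings=$((findings + 1)) ;;
    esac
  done < "$1"
  printf '%s\n' "$findings"
}

# demo: reproduces the job end to end on a constructed VERSION file.
demo() {
  dir="$(mktemp -d)"
  printf '1.0.0\n' > "$dir/VERSION"                 # constructed, mirrors the PR's VERSION
  tag="$(compute_tag "$dir/VERSION" "$(date -u +%Y%m%d)" "a1b2c3d4")"
  validate_tag "$tag"
  write_dotenv "$tag" "$dir/tag.env"
  cat "$dir/tag.env"
  rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh compute-tag.sh demo` to see the dotenv line the build jobs would receive. `lint_ci .gitlab-ci.yml` returns the count of floating refs and `:latest` images so it can gate a pipeline; pinning to a tag or commit SHA, as the review suggests, brings the count to zero.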

Reviews (5): Last reviewed commit: "Merge branch 'main' into osayandehenry-i..."

@osayandehenry osayandehenry requested a review from astringel April 2, 2026 22:53
@osayandehenry osayandehenry removed the request for review from astringel April 3, 2026 11:55
@osayandehenry osayandehenry merged commit ad6d8bc into main Apr 3, 2026
8 checks passed
@osayandehenry osayandehenry deleted the osayandehenry-iyasere/gfd-444-cicd-pipeline-for-model-engine-llm-engine branch April 3, 2026 18:50