scaleapi · osayandehenry · Apr 3, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 2, 2026
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -0,0 +1,84 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# Model Engine (LLM Engine) — SG2.0 Build Pipeline
+#
+# Builds the FIPS model-engine image, scans with Grype, pushes to Harbor.
+# Uses the standard scalegov2-pipelines templates with overrides for
+# Chainguard private registry auth.
+#
+# GFD-444 — https://linear.app/scale-epd/issue/GFD-444
+#
+# Required CI/CD Variables (set in GitLab project settings):
+#   HARBOR_USER          — Harbor robot account username
+#                          IMPORTANT: Uncheck "Expand variable reference" if it contains $
+#   HARBOR_PASSWORD      — Harbor robot account token (mask this)
+#   CHAINGUARD_USER      — Chainguard registry username
+#   CHAINGUARD_PASSWORD  — Chainguard registry token (mask this)
+# ─────────────────────────────────────────────────────────────────────────────
+
+include:
+  - project: 'scalegov/scalegov2-pipelines'
+    ref: main
+    file: '/templates/docker-build.yml'
+  - project: 'scalegov/scalegov2-pipelines'
+    ref: main
+    file: '/templates/scan.yml'
+
+workflow:
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+    - if: '$CI_COMMIT_TAG'
+    - if: '$CI_PIPELINE_SOURCE == "web"'
+    - when: never
+
+variables:
+  SERVICE_NAME: "model-engine"
+  # All builds push to apps-dev. Promotion to apps-staging / apps-prod is
+  # handled by the scalegov2-promotion pipeline, not this build pipeline.
+  HARBOR_PROJECT: "apps-dev"
+  DOCKERFILE_PATH: "model-engine/Dockerfile.fips"
+
+# ─────────────────────────────────────────────────────────────────────────────
+# compute-tag — Semver + datetime + commit SHA tag
+#
+# Reads VERSION file and produces tags like: 1.0.0-20260401-a1b2c3d4
+# Sets IMAGE_TAG_OVERRIDE via dotenv artifact so the template's tag
+# computation picks it up (highest precedence).
+# ─────────────────────────────────────────────────────────────────────────────
+compute-tag:
+  stage: .pre
+  image: alpine:latest
+  before_script:
+    - apk add --no-cache git
+  script:
+    - |
+      if [ -f VERSION ]; then
+        SEMVER="$(cat VERSION | tr -d ' \r\n')"
+      else
+        SEMVER="0.0.0"
+      fi
+      DATETIME="$(date -u +%Y%m%d)"
+      SHA_SHORT="${CI_COMMIT_SHORT_SHA:-local}"
+      IMAGE_TAG="${SEMVER}-${DATETIME}-${SHA_SHORT}"
+      echo "IMAGE_TAG_OVERRIDE=${IMAGE_TAG}" > tag.env
+      echo "Computed tag: ${IMAGE_TAG}"
+  artifacts:
+    reports:
+      dotenv: tag.env
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Build job overrides
+#
+# The Dockerfile.fips base image (cgr.dev/scale.com/python-fips) lives in
+# Scale's private Chainguard registry. We extend the template's before_script
+# with a docker login to cgr.dev so the DinD daemon can pull it.
+# ─────────────────────────────────────────────────────────────────────────────
+build:
+  before_script:
+    - !reference [.docker-build-base, before_script]
+    - echo "${CHAINGUARD_PASSWORD}" | docker login -u "${CHAINGUARD_USER}" --password-stdin cgr.dev
+
+build-mr:
+  before_script:
+    - !reference [.docker-build-base, before_script]
+    - echo "${CHAINGUARD_PASSWORD}" | docker login -u "${CHAINGUARD_USER}" --password-stdin cgr.dev
diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+1.0.0