Misc CI improvements

[dagardner-nv]

Description

• Don't install jfrog on the fly, instead use a container that already has it.
• Install a specific version of slack-sdk validated with a sha.

By Submitting this PR I confirm:

• I am familiar with the Contributing Guidelines.
• We require that all contributors "sign-off" on their commits. This certifies that the contribution is your original work, or you have rights to submit it under the same license, or a compatible license.
  • Any contribution which contains commits that are not Signed-Off will not be accepted.
• When the PR is ready for review, new or existing tests cover these changes.
• When the PR is ready for review, the documentation is up to date with these changes.

Summary by CodeRabbit

• Chores
  • Updated CI/CD infrastructure with containerized dependency management for improved reproducibility and reliability
  • Pinned Slack SDK version for consistent builds

[coderabbitai]

Walkthrough

The changes refactor JFrog CLI installation from a runtime script function into a dedicated container image, update the CI job to use this image, pin the Slack SDK version with hash verification, and remove diagnostic environment variable output.

Changes

Cohort / File(s)	Summary
JFrog CLI Containerization .gitlab-ci.yml, ci/scripts/gitlab/artifactory/Dockerfile, ci/scripts/gitlab/artifactory_upload.sh	Moves JFrog CLI installation from a script function to a container image build. CI job now explicitly uses the artifactory container. Removes install_jfrog_cli() function and its invocation from upload script.
Dependency Security ci/scripts/gitlab/common.sh	Pins Slack SDK to version 3.40.1 with SHA-256 hash verification; removes top-level diagnostic printenv output.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Misc CI improvements' is vague and generic, using the non-descriptive term 'Misc' that fails to convey meaningful information about the specific changeset despite clear objectives.	Revise title to be more specific and descriptive, such as 'Pin slack-sdk version and containerize JFrog CLI setup' or similar, clearly identifying the main changes while staying within ~72 characters.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.gitlab-ci.yml (1)

329-329: Replace tag-based image reference with digest pinning for reproducibility and security.

The upload:artifactory job uses a tag-based image reference (:20260413), which is mutable and can be re-applied to different images. Pinning by digest ensures reproducible behavior and prevents tampering.

Suggested change

-  image: $CI_REGISTRY_IMAGE/artifactory:20260413
+  image: $CI_REGISTRY_IMAGE/artifactory@sha256:<immutable_digest>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.gitlab-ci.yml at line 329, The image reference in the upload:artifactory
job currently uses a mutable tag ("image:
$CI_REGISTRY_IMAGE/artifactory:20260413"); update it to a digest-pinned
reference by replacing the tag with the image's SHA256 digest (e.g., "image:
$CI_REGISTRY_IMAGE/artifactory@sha256:<digest>"), ensuring you fetch and insert
the correct digest for that exact artifact so the upload:artifactory job uses an
immutable, reproducible image.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ci/scripts/gitlab/artifactory/Dockerfile`:
- Around line 16-18: Pin the base image specified in the FROM line to an exact
digest instead of the mutable tag, replace the RUN "curl -fL ... | sh"
invocation in the RUN VERSION=2.99.0 step with a flow that downloads the
installer to a temporary file, fetches/embeds a known-good checksum or
signature, verifies the downloaded installer before executing it, and fail the
build if verification fails, and add creation of a non-root user (e.g., adduser/
groupadd and chown as needed) and a USER directive so subsequent layers run as
that non-root user; locate these changes around the existing FROM and RUN
VERSION=2.99.0 entries to update them.

---

Nitpick comments:
In @.gitlab-ci.yml:
- Line 329: The image reference in the upload:artifactory job currently uses a
mutable tag ("image: $CI_REGISTRY_IMAGE/artifactory:20260413"); update it to a
digest-pinned reference by replacing the tag with the image's SHA256 digest
(e.g., "image: $CI_REGISTRY_IMAGE/artifactory@sha256:<digest>"), ensuring you
fetch and insert the correct digest for that exact artifact so the
upload:artifactory job uses an immutable, reproducible image.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: be711b2d-5b99-4fda-8de8-949b086cd69b

📥 Commits

Reviewing files that changed from the base of the PR and between 92efa43 and f253f17.

📒 Files selected for processing (4)

• .gitlab-ci.yml
• ci/scripts/gitlab/artifactory/Dockerfile
• ci/scripts/gitlab/artifactory_upload.sh
• ci/scripts/gitlab/common.sh

💤 Files with no reviewable changes (1)

• ci/scripts/gitlab/artifactory_upload.sh

[dagardner-nv]

/merge