ci: tidy image-build machinery and pin tap-summary via the manifest

Image-generation cleanup follow-up to the Jenkinsfile pass:

- build-image.sh: fix the stale --push hint (it pointed at the removed
  CI_IMAGE-default scheme; the main pipeline now auto-discovers the tag
  via the content-addressed registry probe). Make --help self-adjust off
  the comment block instead of a hardcoded sed line range that had already
  drifted past the header.
- Dockerfile: drop the duplicate trailing `WORKDIR /workspace`; switch the
  linux-firmware step from `set -eux` to `set -eu` (no self-added -x).
- Pin pcolby/tap-summary's summary.gawk in ci/image-manifest as
  tap_summary_sha, consistent with the other external pins, instead of a
  defaulted Dockerfile ARG. Plumb TAP_SUMMARY_GIT_SHA as a fail-closed
  build-arg through the Dockerfile, build-image.sh (buildx + kaniko
  handoff), and the Jenkinsfile kaniko step. Also drop the generated
  colossus layer's `set -eux` to `set -eu`.

Author: espeer

ci/Dockerfile

@@ -24,8 +24,9 @@
 #                                    root, not just write permission).
 #   RUN_AS_GID=<int>               — primary gid for `builder` and the CI
 #                                    pod (pinned as run_as_gid).
-# Optional build-arg:
-#   TAP_SUMMARY_GIT_SHA=<commit>   — pin pcolby/tap-summary summary.gawk.
+#   TAP_SUMMARY_GIT_SHA=<commit>   — pin pcolby/tap-summary summary.gawk
+#                                    (pinned in ci/image-manifest as
+#                                    tap_summary_sha).
 #
 # Buildroot *sources* live in /opt/buildroot; the build is pre-staged in the
 # image at /opt/buildroot-out (host + target packages, rootfs staging, etc.).
@@ -102,7 +103,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # TAP summary script (pcolby/tap-summary, MIT): fetch at image build so agents need no runtime download.
 # Upstream: https://github.com/pcolby/tap-summary
-ARG TAP_SUMMARY_GIT_SHA=ec9de3f6393083dd89052d519a23b2999a75be9b
+# Required build-arg from ci/image-manifest (tap_summary_sha=). No default,
+# like the other pins: a missing --build-arg fails the build loudly rather
+# than silently baking in a stale formatter commit.
+ARG TAP_SUMMARY_GIT_SHA
+RUN test -n "${TAP_SUMMARY_GIT_SHA}" || (echo "ERROR: TAP_SUMMARY_GIT_SHA --build-arg is required (pin lives in ci/image-manifest as tap_summary_sha)" >&2 && exit 1)
 RUN mkdir -p /usr/local/share/nova-ci \
     && curl -fsSL -o /usr/local/share/nova-ci/tap-summary.gawk \
         "https://raw.githubusercontent.com/pcolby/tap-summary/${TAP_SUMMARY_GIT_SHA}/summary.gawk" \
@@ -174,7 +179,7 @@ RUN chmod 0700 /opt/nova-overlay/root/.ssh \
 # value: bumping the manifest pin is the only supported way to refresh the
 # firmware blobs in the agent image. Image build fails closed without it.
 ARG LINUX_FIRMWARE_GIT_SHA
-RUN set -eux; \
+RUN set -eu; \
     test -n "${LINUX_FIRMWARE_GIT_SHA}" || (echo "ERROR: LINUX_FIRMWARE_GIT_SHA --build-arg is required (pin lives in ci/image-manifest)" >&2 && exit 1); \
     git clone --no-checkout --no-tags --filter=blob:none --sparse \
         https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git \
@@ -233,5 +238,3 @@ WORKDIR /workspace
 # Colossus CLI is internal and added on top by ci/build-image.sh:
 #   COPY --chmod=0755 colossus /usr/local/bin/colossus
 # The Jenkinsfile expects `colossus` on PATH for Provision.
-
-WORKDIR /workspace

ci/Jenkinsfile

@@ -1024,7 +1024,7 @@ def ensureImage(Map pins) {
 
   // pins were parsed + format-validated by the caller (Phase 1). Here we
   // only assert that every pin the image build consumes is present.
-  ['buildroot_tag', 'linux_firmware_sha', 'colossus_version',
+  ['buildroot_tag', 'linux_firmware_sha', 'tap_summary_sha', 'colossus_version',
    'run_as_uid', 'run_as_gid'].each { k ->
     if (!pins[k]) error("imageBuild: ci/image-manifest is missing required pin '${k}'")
   }
@@ -1099,6 +1099,7 @@ def ensureImage(Map pins) {
           --destination='${imageFull}' \\
           --build-arg BUILDROOT_TAG=${pins.buildroot_tag} \\
           --build-arg LINUX_FIRMWARE_GIT_SHA=${pins.linux_firmware_sha} \\
+          --build-arg TAP_SUMMARY_GIT_SHA=${pins.tap_summary_sha} \\
           --build-arg RUN_AS_UID=${pins.run_as_uid} \\
           --build-arg RUN_AS_GID=${pins.run_as_gid} \\
           --snapshot-mode=redo \\

ci/build-image.sh

@@ -24,18 +24,20 @@
 #       into DIR, ready for `kaniko --context=dir://DIR --dockerfile=DIR/Dockerfile`.
 #       Skips the `docker buildx build`, the smoke check, and the push.
 #
-# Pin resolution: BUILDROOT_TAG, LINUX_FIRMWARE_GIT_SHA, COLOSSUS_VERSION
-# default to the values pinned in ci/image-manifest. They can be overridden
-# via environment variable when iterating locally (e.g. to test a newer
-# linux-firmware sha before updating the pin). The first two are also passed
-# through as --build-arg to docker buildx; the third drives the colossus
-# tarball download and the private-layer COPY in the generated Dockerfile.
+# Pin resolution: BUILDROOT_TAG, LINUX_FIRMWARE_GIT_SHA, TAP_SUMMARY_GIT_SHA,
+# COLOSSUS_VERSION, RUN_AS_UID and RUN_AS_GID default to the values pinned in
+# ci/image-manifest. They can be overridden via environment variable when
+# iterating locally (e.g. to test a newer linux-firmware sha before updating
+# the pin). All but COLOSSUS_VERSION are passed through as --build-arg to
+# docker buildx / kaniko; COLOSSUS_VERSION instead drives the colossus tarball
+# download and the private-layer COPY in the generated Dockerfile.
 #
 # Environment overrides:
 #   REGISTRY            gitlab-master.nvidia.com:5005
 #   REPO                epeer/nova-test/nova-kernel-ci
 #   BUILDROOT_TAG       upstream buildroot tag (default: manifest pin).
 #   LINUX_FIRMWARE_GIT_SHA  linux-firmware commit sha (default: manifest pin).
+#   TAP_SUMMARY_GIT_SHA pcolby/tap-summary summary.gawk commit (default: manifest pin).
 #   COLOSSUS_VERSION    Colossus CLI version to install (default: manifest pin).
 #   RUN_AS_UID          uid for the in-image `builder` user; matches the
 #                       CI pod's runAsUser so the pre-built buildroot tree
@@ -78,7 +80,11 @@ while [[ $# -gt 0 ]]; do
     --stage-only)   STAGE_ONLY_DIR="$2"; shift 2 ;;
     --stage-only=*) STAGE_ONLY_DIR="${1#--stage-only=}"; shift ;;
     -h|--help)
-      sed -n '2,55p' "$0" | sed 's/^# \{0,1\}//'
+      # Print the leading comment header (everything from the line after the
+      # shebang down to the first non-comment line), stripping the "# " prefix.
+      # Driven off the comment block itself so it can't drift out of sync with
+      # the header's length the way a hardcoded line range did.
+      awk 'NR==1{next} /^#/{sub(/^# ?/,"");print;next} /^[[:space:]]*$/{print;next} {exit}' "$0"
       exit 0
       ;;
     *) echo "unknown arg: $1" >&2; exit 2 ;;
@@ -113,10 +119,11 @@ manifest_pin() {
 }
 : "${BUILDROOT_TAG:=$(manifest_pin buildroot_tag)}"
 : "${LINUX_FIRMWARE_GIT_SHA:=$(manifest_pin linux_firmware_sha)}"
+: "${TAP_SUMMARY_GIT_SHA:=$(manifest_pin tap_summary_sha)}"
 : "${COLOSSUS_VERSION:=$(manifest_pin colossus_version)}"
 : "${RUN_AS_UID:=$(manifest_pin run_as_uid)}"
 : "${RUN_AS_GID:=$(manifest_pin run_as_gid)}"
-for v in BUILDROOT_TAG LINUX_FIRMWARE_GIT_SHA COLOSSUS_VERSION RUN_AS_UID RUN_AS_GID; do
+for v in BUILDROOT_TAG LINUX_FIRMWARE_GIT_SHA TAP_SUMMARY_GIT_SHA COLOSSUS_VERSION RUN_AS_UID RUN_AS_GID; do
   if [[ -z "${!v}" ]]; then
     echo "ERROR: ${v} is empty after manifest resolution; check ${MANIFEST}" >&2
     exit 1
@@ -218,7 +225,7 @@ fi
     echo "# --- private layer: colossus CLI ${COLOSSUS_VER} (PyInstaller bundle) ---"
     echo "# Tarball contains a colossus-cli/ directory with colossus + _internal/."
     echo "COPY colossus-cli.tar.gz /tmp/colossus-cli.tar.gz"
-    echo "RUN set -eux; \\"
+    echo "RUN set -eu; \\"
     echo "    mkdir -p /opt; \\"
     echo "    tar -xzf /tmp/colossus-cli.tar.gz -C /opt; \\"
     echo "    chmod -R a+rX /opt/colossus-cli; \\"
@@ -239,6 +246,7 @@ if [[ -n "${STAGE_ONLY_DIR}" ]]; then
   echo "  /kaniko/executor --context=dir://${BUILD_CTX} --dockerfile=${BUILD_CTX}/Dockerfile \\"
   echo "    --build-arg BUILDROOT_TAG=${BUILDROOT_TAG} \\"
   echo "    --build-arg LINUX_FIRMWARE_GIT_SHA=${LINUX_FIRMWARE_GIT_SHA} \\"
+  echo "    --build-arg TAP_SUMMARY_GIT_SHA=${TAP_SUMMARY_GIT_SHA} \\"
   echo "    --build-arg RUN_AS_UID=${RUN_AS_UID} \\"
   echo "    --build-arg RUN_AS_GID=${RUN_AS_GID} \\"
   echo "    --destination=${IMAGE}"
@@ -267,6 +275,7 @@ echo "==> docker build --platform ${PLATFORM} -t ${IMAGE}"
   --load \
   --build-arg "BUILDROOT_TAG=${BUILDROOT_TAG}" \
   --build-arg "LINUX_FIRMWARE_GIT_SHA=${LINUX_FIRMWARE_GIT_SHA}" \
+  --build-arg "TAP_SUMMARY_GIT_SHA=${TAP_SUMMARY_GIT_SHA}" \
   --build-arg "RUN_AS_UID=${RUN_AS_UID}" \
   --build-arg "RUN_AS_GID=${RUN_AS_GID}" \
   -t "${IMAGE}" \
@@ -308,8 +317,9 @@ if [[ "${PUSH}" -eq 1 ]]; then
   "${DOCKER}" push "${IMAGE}"
   echo
   echo "Pushed ${IMAGE}"
-  echo "Bump Jenkinsfile CI_IMAGE default (or pass it via Build with Parameters):"
-  echo "  ${IMAGE}"
+  echo "The main pipeline auto-discovers this tag: Phase 1 hashes ci/image-manifest"
+  echo "+ inputs and, on its next run for these same inputs, the registry probe"
+  echo "hits this tag and skips the kaniko rebuild. No Jenkinsfile edit needed."
 else
   echo
   echo "Built ${IMAGE} (not pushed; pass --push to push)."

ci/image-manifest

@@ -41,6 +41,12 @@ linux_firmware_sha=adb6dceb45b98c4149e1ce68fc1a5f394fd67695
 # folder at the URL above and update this pin.
 colossus_version=2.3.0
 
+# TAP summary formatter (pcolby/tap-summary, MIT). summary.gawk is fetched
+# from raw.githubusercontent.com at this commit inside the Dockerfile and
+# installed to /usr/local/share/nova-ci/tap-summary.gawk. Bump to pull a
+# newer formatter; pinning keeps the agent image reproducible.
+tap_summary_sha=ec9de3f6393083dd89052d519a23b2999a75be9b
+
 # Runtime NIS uid/gid the nova-ci container will run under at CI time
 # (Phase 2 podSpec runAsUser/runAsGroup, also the owner of the NFS
 # /scratch export). The Dockerfile creates the `builder` user with