Changes

Page history
Create Including the Toolbox in a pipeline authored by Grailet Jean-François's avatar Grailet Jean-François
Hide whitespace changes
Inline Side-by-side
pipeline-toolbox.md 0 → 100644
View page @ 5f3cc839
---
title: Including the Toolbox in a pipeline
---
You can use the [Toolbox](https://gitlab.uliege.be/especes/mast/toolbox) to assess model outputs at the end of a CI/CD pipeline. [An example of this approach is available on the Nemo4.2.0-Bamhbi repository.](https://gitlab.uliege.be/especes/mast/nemo4.2.0-bamhbi/-/blob/main/test_cases/lr_cluster/scripts/lr_nic5_assess.sh) To use the Toolbox, you will need to use a suitable environment, featuring Python and the relevant packages, and to clone the [Toolbox repository](https://gitlab.uliege.be/especes/mast/toolbox) within the environment.
## Setting up a CI/CD job using the Toolbox
First of all, in the ``.gitlab-ci.yml`` file, you can define a job using the ``jefgrailet/especes:model-assess`` Docker image available on Docker Hub, with the usual syntax. The next job excerpt defines such a job, whose prerequisite is a ``lr_nic5_run`` job (which may be identical, or pretty close to an example job given in the [Configuring a standard experiment for NIC5](cicd-with-nic5) tutorial).
```
lr_nic5_assess:
stage: assess
image: jefgrailet/especes:model-assess
needs:
- lr_nic5_run
```
Once you have a suitable environment, the main technical hurdle in using the [Toolbox](https://gitlab.uliege.be/especes/mast/toolbox) is to have its code available in said environment. A first solution would be to download it from some location online (e.g., a FTP server), as both ``wget`` and ``curl`` can be used in the ``jefgrailet/especes:model-assess`` environment, but this solution has the obvious problem of having to refresh the code available for download at every update of the Toolbox. A better option is then to use the ``git clone`` command to locally clone the [Toolbox repository](https://gitlab.uliege.be/especes/mast/toolbox), thus always getting the latest version of the code without having to set up a copy of it.
However, since this repository is not public (for the time being), you need to use an _access token_ to be able to clone it with ``git clone``. An access token is a long alphanumeric sequence meant to act as a means of identification to the repository, which only select people have. For security reasons, an access token should never be stored _as is_ in the repository, as anyone having access to the project files (one way or another) may abuse it to browse a repository they should not have access to.
Hopefully, GitLab offers the possibility to store _secret files_, files that cannot be read while browsing the Web interface of GitLab, but which can be copied during a CI/CD job. Such files are listed in **Settings > CI/CD > Secure files** on a repository. To keep this tutorial simple, we will assume a ``Token_Toolbox.txt`` file is already listed in **Settings > CI/CD > Secure files** on a repository (it's the case for the [Nemo4.2.0-Bamhbi repository](https://gitlab.uliege.be/especes/mast/nemo4.2.0-bamhbi)). Go to the Appendix [Creating and securing an access token](pipeline-toolbox#appendix-creating-and-securing-an-access-token) if you need to create and/or secure an access token to clone the Toolbox from a repository where a token is not available yet.
Once a secure file is part of a repository, such as ``Token_Toolbox.txt`` on the [Nemo4.2.0-Bamhbi repository](https://gitlab.uliege.be/especes/mast/nemo4.2.0-bamhbi), any CI/CD job for this repository may use it by copying it at the very start of the ``script:`` part of a job, using the instruction at the end of the next CI/CD job excerpt.
```
lr_nic5_assess:
stage: assess
image: jefgrailet/especes:model-assess
needs:
- lr_nic5_run
variables:
SECURE_FILES_DOWNLOAD_PATH: 'test_cases/lr_cluster/scripts/'
script:
- curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
```
This instruction comes straight from the [GitLab documentation](https://docs.gitlab.com/ci/secure_files/#with-the-download-secure-files-tool). Note also the ``SECURE_FILES_DOWNLOAD_PATH``. This is the place where the secure file will be copied. Then, during the script used by the job, one can use the next commands to clone the [Toolbox](https://gitlab.uliege.be/especes/mast/toolbox).
```
cp test_cases/lr_cluster/scripts/Token_Toolbox.txt /home/
cd /home
git clone https://cicd:$(cat ./Token_Toolbox.txt)@gitlab.uliege.be/especes/mast/toolbox.git
```
Very similar instructions can be found in [this file from the Nemo4.2.0-Bamhbi repository](https://gitlab.uliege.be/especes/mast/nemo4.2.0-bamhbi/-/blob/main/test_cases/lr_cluster/scripts/lr_nic5_assess.sh).
> **Important remark:** as noted in the [GitLab documentation](https://docs.gitlab.com/ci/secure_files/#with-the-download-secure-files-tool), the secure files are no longer hidden when inside a CI/CD job. In other words, it's possible to print their content using commands within the job, such as ``cat`` (``cat Token_Toolbox.txt`` will print the access token in the standard output), whose outputs will later appear in the job log. **Make sure to never use such commands to keep the files secure, and to silence any command that may inadvertently display the token.**
## Appendix: creating and securing an access token
\ No newline at end of file