[None][infra] Add support to run NGC container scanning in pre-merge

[yuanjingx87]

Summary by CodeRabbit

• New Features

  • Added build options to selectively run specific pipeline stage groups.
  • New toggles let you control whether internal release, CI image, and NGC release builds are executed.

• Bug Fixes

  • Preserved the existing default behavior, so all build stages still run unless a toggle is changed.

Description

Allow generating ngc container in pre-merge and get it scanning through PLC scannning pipeline

Test Coverage

PR Checklist

Please review the following before submitting your PR:

• PR description clearly explains what and why. If using CodeRabbit's summary, please make sure it makes sense.

• PR Follows TRT-LLM CODING GUIDELINES to the best of your knowledge.

• Test cases are provided for new code paths (see test instructions)

• If PR introduces API changes, an appropriate PR label is added - either api-compatible or api-breaking. For api-breaking, include BREAKING in the PR title.

• Any new dependencies have been scanned for license and vulnerabilities

• CODEOWNERS updated if ownership changes

• Documentation updated as needed

• Update tava architecture diagram if there is a significant design change in PR.

• The reviewers assigned automatically/manually are appropriate for the PR.

• Please check this after reviewing the above items as appropriate for this PR.

GitHub Bot Help

To see a list of available CI bot commands, please comment /bot help.

[coderabbitai]

📝 Walkthrough

Walkthrough

The Jenkins Docker image pipeline adds three boolean parameters to control whether internal release, CI image, and NGC release stage groups run. launchBuildJobs builds an enabled stage list from those flags and filters buildConfigs before launching jobs.

Changes

Selective Docker image stage execution

Layer / File(s)	Summary
Pipeline parameters and stage filtering jenkins/BuildDockerImage.groovy	Three boolean pipeline parameters are added with default true values, and launchBuildJobs uses them to filter buildConfigs by enabled stage keys before running jobs.

Sequence Diagram(s)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title matches the main change: enabling pre-merge NGC scanning by selectively running build stages.
Description check	✅ Passed	The description explains the goal and solution, but the Test Coverage section is left blank.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

jenkins/BuildDockerImage.groovy (1)

487-496: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Reduce stage-key duplication to avoid silent drift.

The same stage names are hardcoded in both buildConfigs keys and enabledStages population. Centralizing these key lists avoids breakage when a display name changes.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@jenkins/BuildDockerImage.groovy` around lines 487 - 496, The stage name lists
are duplicated between the build config keys and the enabledStages population,
which can drift if a display name changes. Update the logic in
BuildDockerImage.groovy around enabledStages to derive these values from a
single shared source used by buildConfigs and the params checks, so the names
stay consistent. Refer to the existing buildInternalRelease, buildCiImage, and
buildNgcRelease stage groupings when centralizing the stage-key list.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@jenkins/BuildDockerImage.groovy`:
- Around line 487-499: Guard against empty stage selection in
BuildDockerImage.groovy by checking the filtered buildConfigs right after the
enabledStages selection logic and before pipeline.parallel is invoked in the
buildJobs flow. If buildConfigs is empty because buildInternalRelease,
buildCiImage, and buildNgcRelease are all false, fail fast with a clear error
message instead of calling parallel with no branches. Use the existing
buildConfigs and buildJobs/pipeline.parallel path to place the check so both
affected call sites are protected.

---

Nitpick comments:
In `@jenkins/BuildDockerImage.groovy`:
- Around line 487-496: The stage name lists are duplicated between the build
config keys and the enabledStages population, which can drift if a display name
changes. Update the logic in BuildDockerImage.groovy around enabledStages to
derive these values from a single shared source used by buildConfigs and the
params checks, so the names stay consistent. Refer to the existing
buildInternalRelease, buildCiImage, and buildNgcRelease stage groupings when
centralizing the stage-key list.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ecd2b6a0-eb03-4839-af6f-c9a7b53fd3d8

📥 Commits

Reviewing files that changed from the base of the PR and between bd6db6c and 36982db.

📒 Files selected for processing (1)

• jenkins/BuildDockerImage.groovy

[yuanjingx87]

/bot run --stage-list="NGC-Container-Scaning"

[tensorrt-cicd]

PR_Github #55603 [ run ] triggered by Bot. Commit: 48cbca5 Link to invocation

[tensorrt-cicd]

PR_Github #55603 [ run ] completed with state FAILURE. Commit: 48cbca5
/LLM/main/L0_MergeRequest_PR pipeline #44520 (Partly Tested) completed with status: 'ABORTED'

CI Report

⚠️ Action Required:

• Please check the failed tests and fix your PR
• If you cannot view the failures, ask the CI triggerer to share details
• Once fixed, request an NVIDIA team member to trigger CI again

Link to invocation

[yuanjingx87]

/bot run --stage-list="NGC-Container-Scaning"

[tensorrt-cicd]

PR_Github #55608 [ run ] triggered by Bot. Commit: ed4ee7b Link to invocation

[yuanjingx87]

/bot run --stage-list="NGC-Container-Scaning"

[tensorrt-cicd]

PR_Github #55608 [ run ] completed with state FAILURE. Commit: ed4ee7b
/LLM/main/L0_MergeRequest_PR pipeline #44525 (Partly Tested) completed with status: 'FAILURE'

CI Report

⚠️ Action Required:

• Please check the failed tests and fix your PR
• If you cannot view the failures, ask the CI triggerer to share details
• Once fixed, request an NVIDIA team member to trigger CI again

CI Agent Failure Analysis

Link to invocation

[tensorrt-cicd]

PR_Github #55609 [ run ] triggered by Bot. Commit: 6d71d88 Link to invocation

[tensorrt-cicd]

PR_Github #55609 [ run ] completed with state FAILURE. Commit: 6d71d88
/LLM/main/L0_MergeRequest_PR pipeline #44527 (Partly Tested) completed with status: 'FAILURE'

CI Report

⚠️ Action Required:

• Please check the failed tests and fix your PR
• If you cannot view the failures, ask the CI triggerer to share details
• Once fixed, request an NVIDIA team member to trigger CI again

CI Agent Failure Analysis

Link to invocation