Updates pre-merge and post-merge CI (#1118)

# Description

- Improving CI code formatting and readability
- Updated AMI: nvidia-container-toolkit vulnerability fix
- Making Isaac SIM base image an argument in Dockerfile

---------
Co-authored-by: Alexander Poddubny <apoddubny@apoddubny-mlt.client.nvidia.com>
Co-authored-by: David Hoeller <dhoeller@nvidia.com>

.github/workflows/postmerge-ci-buildspec.yml

@@ -3,10 +3,42 @@ version: 0.2
 phases:
   build:
     commands:
-      - echo "Building a docker image"
-      - docker login -u \$oauthtoken -p $NGC_TOKEN nvcr.io
-      - docker build -t $IMAGE_NAME:latest-1.2 --build-arg ISAACSIM_VERSION_ARG=4.2.0 --build-arg ISAACSIM_ROOT_PATH_ARG=/isaac-sim --build-arg ISAACLAB_PATH_ARG=/workspace/isaaclab --build-arg DOCKER_USER_HOME_ARG=/root -f docker/Dockerfile.base .
-      - echo "Pushing the docker image"
-      - docker push $IMAGE_NAME:latest-1.2
-      - docker tag $IMAGE_NAME:latest-1.2 $IMAGE_NAME:latest-1.2-b$CODEBUILD_BUILD_NUMBER
-      - docker push $IMAGE_NAME:latest-1.2-b$CODEBUILD_BUILD_NUMBER
+      - echo "Building and pushing Docker image"
+      - |
+        # Determine branch name or use fallback
+        if [ -n "$CODEBUILD_WEBHOOK_HEAD_REF" ]; then
+          BRANCH_NAME=$(echo $CODEBUILD_WEBHOOK_HEAD_REF | sed 's/refs\/heads\///')
+        elif [ -n "$CODEBUILD_SOURCE_VERSION" ]; then
+          BRANCH_NAME=$CODEBUILD_SOURCE_VERSION
+        else
+          BRANCH_NAME="unknown"
+        fi
+
+        # Replace '/' with '-' and remove any invalid characters for Docker tag
+        SAFE_BRANCH_NAME=$(echo $BRANCH_NAME | sed 's/[^a-zA-Z0-9._-]/-/g')
+
+        # Use "latest" if branch name is empty or only contains invalid characters
+        if [ -z "$SAFE_BRANCH_NAME" ]; then
+          SAFE_BRANCH_NAME="latest"
+        fi
+
+        # Get the git repository short name
+        REPO_SHORT_NAME=$(basename -s .git `git config --get remote.origin.url`)
+        if [ -z "$REPO_SHORT_NAME" ]; then
+          REPO_SHORT_NAME="verification"
+        fi
+
+        # Combine repo short name and branch name for the tag
+        COMBINED_TAG="${REPO_SHORT_NAME}-${SAFE_BRANCH_NAME}"
+
+        docker login -u \$oauthtoken -p $NGC_TOKEN nvcr.io
+        docker build -t $IMAGE_NAME:$COMBINED_TAG \
+          --build-arg ISAACSIM_BASE_IMAGE_ARG=$ISAACSIM_BASE_IMAGE \
+          --build-arg ISAACSIM_VERSION_ARG=4.2.0 \
+          --build-arg ISAACSIM_ROOT_PATH_ARG=/isaac-sim \
+          --build-arg ISAACLAB_PATH_ARG=/workspace/isaaclab \
+          --build-arg DOCKER_USER_HOME_ARG=/root \
+          -f docker/Dockerfile.base .
+        docker push $IMAGE_NAME:$COMBINED_TAG
+        docker tag $IMAGE_NAME:$COMBINED_TAG $IMAGE_NAME:$COMBINED_TAG-b$CODEBUILD_BUILD_NUMBER
+        docker push $IMAGE_NAME:$COMBINED_TAG-b$CODEBUILD_BUILD_NUMBER

.github/workflows/premerge-ci-buildspec.yml

@@ -4,15 +4,39 @@ phases:
   pre_build:
     commands:
       - echo "Launching EC2 instance to run tests"
-      - INSTANCE_ID=$(aws ec2 run-instances --image-id ami-0f7f7fb14ee15d5ae --count 1 --instance-type g5.2xlarge --key-name production/ssh/isaaclab --security-group-ids sg-02617e4b8916794c4 --subnet-id subnet-0907ceaeb40fd9eac --block-device-mappings 'DeviceName=/dev/sda1,Ebs={VolumeSize=500}' --output text --query 'Instances[0].InstanceId')
+      - |
+        INSTANCE_ID=$(aws ec2 run-instances \
+          --image-id ami-0b3a9d48380433e49 \
+          --count 1 \
+          --instance-type g5.2xlarge \
+          --key-name production/ssh/isaaclab \
+          --security-group-ids sg-02617e4b8916794c4 \
+          --subnet-id subnet-0907ceaeb40fd9eac \
+          --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":500}}]' \
+          --output text \
+          --query 'Instances[0].InstanceId')
       - aws ec2 wait instance-running --instance-ids $INSTANCE_ID
-      - EC2_INSTANCE_IP=$(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=instance-id,Values=$INSTANCE_ID" --query 'Reservations[*].Instances[*].[PrivateIpAddress]' --output text)
+      - |
+        EC2_INSTANCE_IP=$(aws ec2 describe-instances \
+          --filters "Name=instance-state-name,Values=running" "Name=instance-id,Values=$INSTANCE_ID" \
+          --query 'Reservations[*].Instances[*].[PrivateIpAddress]' \
+          --output text)
       - mkdir -p ~/.ssh
-      - aws ec2 describe-key-pairs --include-public-key --key-name production/ssh/isaaclab --query 'KeyPairs[0].PublicKey' --output text > ~/.ssh/id_rsa.pub
-      - aws secretsmanager get-secret-value --secret-id production/ssh/isaaclab --query SecretString --output text > ~/.ssh/id_rsa
+      - |
+        aws ec2 describe-key-pairs --include-public-key --key-name production/ssh/isaaclab \
+          --query 'KeyPairs[0].PublicKey' --output text > ~/.ssh/id_rsa.pub
+      - |
+        aws secretsmanager get-secret-value --secret-id production/ssh/isaaclab \
+          --query SecretString --output text > ~/.ssh/id_rsa
       - chmod 400 ~/.ssh/id_*
       - echo "Host $EC2_INSTANCE_IP\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
-      - aws ec2-instance-connect send-ssh-public-key --instance-id $INSTANCE_ID --availability-zone us-west-2a --ssh-public-key file://~/.ssh/id_rsa.pub --instance-os-user ubuntu
+      - |
+        aws ec2-instance-connect send-ssh-public-key \
+          --instance-id $INSTANCE_ID \
+          --availability-zone us-west-2a \
+          --ssh-public-key file://~/.ssh/id_rsa.pub \
+          --instance-os-user ubuntu
+
   build:
     commands:
       - echo "Running tests on EC2 instance"
@@ -40,10 +64,20 @@ phases:
         retry_scp
         '
       - ssh ubuntu@$EC2_INSTANCE_IP "docker login -u \\\$oauthtoken -p $NGC_TOKEN nvcr.io"
-      - ssh ubuntu@$EC2_INSTANCE_IP "cd $SRC_DIR;
-          DOCKER_BUILDKIT=1 docker build -t isaac-lab-dev --build-arg ISAACSIM_VERSION_ARG=4.2.0 --build-arg ISAACSIM_ROOT_PATH_ARG=/isaac-sim --build-arg ISAACLAB_PATH_ARG=/workspace/isaaclab --build-arg DOCKER_USER_HOME_ARG=/root -f docker/Dockerfile.base . ;
-          docker run --rm --entrypoint bash --gpus all --network=host --name isaac-lab-test isaac-lab-dev ./isaaclab.sh -t &&
-          exit $?"
+      - |
+        ssh ubuntu@$EC2_INSTANCE_IP "
+          cd $SRC_DIR
+          DOCKER_BUILDKIT=1 docker build -t isaac-lab-dev \
+            --build-arg ISAACSIM_BASE_IMAGE_ARG=$ISAACSIM_BASE_IMAGE \
+            --build-arg ISAACSIM_VERSION_ARG=4.2.0 \
+            --build-arg ISAACSIM_ROOT_PATH_ARG=/isaac-sim \
+            --build-arg ISAACLAB_PATH_ARG=/workspace/isaaclab \
+            --build-arg DOCKER_USER_HOME_ARG=/root \
+            -f docker/Dockerfile.base .
+          docker run --rm --entrypoint bash --gpus all --network=host \
+            --name isaac-lab-test isaac-lab-dev ./isaaclab.sh -t && exit \$?
+        "
+
   post_build:
     commands:
       - echo "Terminating EC2 instance"

docker/.env.base

@@ -4,6 +4,8 @@
 
 # Accept the NVIDIA Omniverse EULA by default
 ACCEPT_EULA=Y
+# NVIDIA Isaac Sim base image
+ISAACSIM_BASE_IMAGE=nvcr.io/nvidia/isaac-sim
 # NVIDIA Isaac Sim version to use (e.g. 4.2.0)
 ISAACSIM_VERSION=4.2.0
 # Derived from the default path in the NVIDIA provided Isaac Sim container

docker/Dockerfile.base

@@ -7,8 +7,9 @@
 # Please check above link for license information.
 
 # Base image
+ARG ISAACSIM_BASE_IMAGE_ARG
 ARG ISAACSIM_VERSION_ARG
-FROM nvcr.io/nvidia/isaac-sim:${ISAACSIM_VERSION_ARG} AS base
+FROM ${ISAACSIM_BASE_IMAGE_ARG}:${ISAACSIM_VERSION_ARG} AS base
 ENV ISAACSIM_VERSION=${ISAACSIM_VERSION_ARG}
 
 # Set default RUN shell to bash

docker/docker-compose.yaml

@@ -79,6 +79,7 @@ services:
       context: ../
       dockerfile: docker/Dockerfile.base
       args:
+        - ISAACSIM_BASE_IMAGE_ARG=${ISAACSIM_BASE_IMAGE}
         - ISAACSIM_VERSION_ARG=${ISAACSIM_VERSION}
         - ISAACSIM_ROOT_PATH_ARG=${DOCKER_ISAACSIM_ROOT_PATH}
         - ISAACLAB_PATH_ARG=${DOCKER_ISAACLAB_PATH}

tools/run_all_tests.py

@@ -231,14 +231,14 @@ def test_all(
             else:
                 stdout_str = stdout.decode("utf-8")
         else:
-            stdout = ""
+            stdout_str = ""
         if stderr is not None:
             if isinstance(stderr, str):
                 stderr_str = stderr
             else:
                 stderr_str = stderr.decode("utf-8")
         else:
-            stderr = ""
+            stderr_str = ""
 
         # Write to log file
         logging.info(stdout_str)