
Aegis // MLOps

Phase 01: Build · Package · Sign

Build & Package

Convert a trained model into an immutable, reproducible, signed artifact. Every package is content-addressed, dependency-locked, and ready to deploy to any environment without surprises.

Objectives

What this phase guarantees

Reproducibility

Same inputs → same artifact, byte-for-byte. No drifting wheels.

Immutability

Once tagged, the artifact cannot change. Promote, don't rebuild.

Portability

Runs identically on dev laptop, staging cluster, and prod edge.

Provenance

SBOM + signature prove what's inside and who built it.

Build Pipeline

06 deterministic steps

01 · Resolve Source

Check out the exact git SHA and download the trained model checkpoint from its registry URI. No floating refs.

$ git checkout $GIT_SHA && mlflow artifacts download --run-id $RUN_ID

02 · Lock Dependencies

Pin every transitive dependency including CUDA, system libs, and Python wheels. Hash-verified.

$ uv pip compile requirements.in --generate-hashes -o requirements.lock

03 · Containerize

Multi-stage Dockerfile: builder installs deps, runtime copies only what's needed. Non-root user.

$ docker buildx build --platform linux/amd64 -t aegis/model:$SHA .

04 · Generate SBOM

Software Bill of Materials lists every package, version, and license. Required for compliance.

$ syft aegis/model:$SHA -o spdx-json > sbom.json

05 · Scan & Test

Vulnerability-scan the image, smoke-test the inference contract, and validate the input/output schema.

$ trivy image aegis/model:$SHA && pytest tests/contract

06 · Sign & Push

Push to the registry, then Cosign signs the pushed image by its immutable digest with keyless OIDC. The digest is only known once the manifest is in the registry, and that is where the signature is stored beside it, so the push has to come first.

$ docker push aegis/model:$SHA && cosign sign aegis/model@$DIGEST
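A gate for the hash-verified lock produced in step 02, written here as an added example rather than code from the Aegis page: it parses a constructed requirements.lock in the format `uv pip compile --generate-hashes` emits, rejects any requirement that is not an exact `==` pin or carries no sha256 hash, and checks a downloaded wheel's bytes against the pinned digests before the build proceeds. The lock contents and the hex digests in it are constructed placeholders, not real wheel hashes.

```python
"""Step 02 gate: every dependency must be an exact pin with a sha256 hash,
and a downloaded wheel must match one of the pinned digests.

Added example, not code from the Aegis page; the lock file is constructed."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample in the format `uv pip compile --generate-hashes` writes.
# The digests are placeholders, not real wheel hashes.
SAMPLE_LOCK = """\
# This file was autogenerated by uv via the following command:
#    uv pip compile requirements.in --generate-hashes -o requirements.lock
numpy==1.26.4 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
torch==2.4.0 \\
    --hash=sha256:3333333333333333333333333333333333333333333333333333333333333333
safetensors==0.4.3
requests>=2.31
"""

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+(?:\[[^\]]+\])?)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[A-Za-z0-9]+):(?P<hex>[0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    version: str
    sha256: frozenset  # accepted hex digests, lower-case


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    return out


def check_lock(text):
    """Return (pins, problems). A clean lock has an empty problems list."""
    pins, problems = [], []
    for line in logical_lines(text):
        m = PIN_RE.match(line)
        if not m:
            # Ranges, extras-only lines and VCS refs are all rejected: they resolve differently tomorrow.
            problems.append(f"not an exact pin: {line.split()[0]}")
            continue
        digests = frozenset(h["hex"].lower() for h in HASH_RE.finditer(line)
                            if h["algo"].lower() == "sha256")
        pin = Pin(m["name"].lower(), m["version"], digests)
        if not digests:
            problems.append(f"no sha256 hash: {pin.name}=={pin.version}")
        pins.append(pin)
    return pins, problems


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_wheel(pin: Pin, data: bytes) -> bool:
    """True iff the downloaded bytes match one of the digests pinned for this package."""
    return sha256_hex(data) in pin.sha256


if __name__ == "__main__":
    pins, problems = check_lock(SAMPLE_LOCK)
    for p in problems:
        print("FAIL", p)
    print("lock is", "clean" if not problems else "rejected")
```

Run in CI before `docker buildx build`: a non-empty problem list fails the job, so an unpinned or unhashed requirement never reaches the image. `pip install --require-hashes` enforces the same thing at install time; the gate just reports it earlier and with a clearer message.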

Artifact Anatomy

What's inside a package
Container layout
/app
├── model/
│   ├── weights.safetensors   # frozen checkpoint
│   ├── tokenizer.json
│   └── model_card.md
├── server/
│   ├── handler.py            # inference contract
│   └── healthcheck.py
├── requirements.lock         # hash-verified deps
├── sbom.spdx.json            # bill of materials
└── manifest.yaml             # version, sha, signer
Manifest fields
  • model_id: fraud-detector
  • version: v4.2.1
  • git_sha: a3f9c01
  • framework: pytorch==2.4.0
  • accelerator: cuda-12.4
  • signed_by: build-bot@aegis
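An added example for the layout above, not code from the Aegis page: it computes a deterministic content address over a constructed stand-in for the /app tree and validates a constructed manifest.yaml carrying the fields listed above. The flat `key: value` parser is a deliberate simplification so no YAML library is needed, and the rules it enforces (hex git_sha, exact framework pin, model card present) are assumptions about how such a manifest would be checked, not Aegis's own rules.

```python
"""Content-address an artifact and validate its manifest.yaml.

Added example for the Artifact Anatomy section; not part of the Aegis page.
The file tree and manifest are constructed; the checks are assumptions."""
import hashlib
import re

# Constructed stand-in for the container's /app tree: path -> bytes.
ARTIFACT = {
    "model/weights.safetensors": b"\x00" * 64,  # placeholder checkpoint bytes
    "model/tokenizer.json": b'{"vocab": ["<pad>", "fraud"]}',
    "model/model_card.md": b"# fraud-detector v4.2.1\nIntended use: ...\n",
    "server/handler.py": b"def predict(x): return x\n",
}

# Constructed manifest.yaml with the fields listed on the page.
MANIFEST_YAML = """\
model_id: fraud-detector
version: v4.2.1
git_sha: a3f9c01
framework: pytorch==2.4.0
accelerator: cuda-12.4
signed_by: build-bot@aegis
"""

REQUIRED = ("model_id", "version", "git_sha", "framework", "accelerator", "signed_by")


def parse_manifest(text):
    """Parse flat `key: value` lines; comments and blanks are ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def artifact_digest(files):
    """Deterministic content address: hash (path, length, sha256(content)) for
    every file in sorted path order, so dict order and timestamps cannot
    influence the result, while a one-byte change anywhere changes the digest."""
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(path.encode("utf-8") + b"\0")
        h.update(str(len(data)).encode("ascii") + b"\0")
        h.update(hashlib.sha256(data).digest())
    return h.hexdigest()


def validate_manifest(fields, files):
    """Return a list of problems; an empty list means the manifest is acceptable."""
    problems = [f"missing field: {k}" for k in REQUIRED if not fields.get(k)]
    sha = fields.get("git_sha", "")
    if sha and not re.fullmatch(r"[0-9a-f]{7,40}", sha):
        problems.append("git_sha must be a hex commit id, not a branch or tag name")
    fw = fields.get("framework", "")
    if fw and not re.fullmatch(r"[A-Za-z0-9_.-]+==\S+", fw):
        problems.append("framework must be an exact '==' pin")
    if "model/model_card.md" not in files:
        problems.append("model card missing from artifact")
    return problems


if __name__ == "__main__":
    fields = parse_manifest(MANIFEST_YAML)
    print("artifact digest:", artifact_digest(ARTIFACT))
    print("manifest problems:", validate_manifest(fields, ARTIFACT) or "none")
```

Recording `artifact_digest` in the manifest (or in a signed attestation) lets a later stage prove that the files it is serving are the ones that were scanned and signed, independently of the image tag.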

Recommended Tools

Build phase stack

Docker / Buildx

Multi-arch container builds with BuildKit caching.

uv / Poetry

Deterministic Python dependency resolution with hashes.

BentoML

Opinionated model packaging with auto-generated serving APIs.

Syft

SBOM generation for containers and filesystems.

Trivy

Vulnerability scanning for OS packages and language deps.

Cosign

Keyless image signing via OIDC + transparency log (Rekor).

Common Pitfalls

What breaks in production

Latest tags

Using :latest produces non-reproducible deploys. Always pin to digest.

Bloated images

Shipping training deps to inference adds GBs and attack surface. Use multi-stage.

Implicit GPU/CUDA

CUDA mismatch between build host and serving node causes silent fallbacks to CPU.

Missing model card

Without a model card, downstream teams can't audit intended use or limitations.
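An added example for the first two pitfalls, not code from the Aegis page: it classifies image references so that only digest-pinned ones are accepted for deployment (a bare name counts as `:latest`, which is what Docker resolves it to), and lints a constructed Dockerfile for an unpinned base image, a single-stage build, and a missing non-root `USER`. The two Dockerfiles and the placeholder digest are constructed.

```python
"""Reject mutable image references and lint a Dockerfile for the pitfalls above.

Added example for the Common Pitfalls section; not part of the Aegis page.
The Dockerfiles and the digest value are constructed."""
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
PLACEHOLDER_DIGEST = "sha256:" + "a" * 64  # constructed, not a real image digest

# Constructed: single stage, unpinned base, runs as root.
BAD_DOCKERFILE = """\
FROM python:3.12-slim
COPY requirements.lock .
RUN pip install --require-hashes -r requirements.lock
COPY . /app
CMD ["python", "/app/server/handler.py"]
"""

# Constructed: two stages, digest-pinned bases, non-root runtime user.
GOOD_DOCKERFILE = f"""\
FROM python:3.12-slim@{PLACEHOLDER_DIGEST} AS builder
COPY requirements.lock .
RUN pip install --require-hashes --prefix=/opt/venv -r requirements.lock

FROM python:3.12-slim@{PLACEHOLDER_DIGEST}
COPY --from=builder /opt/venv /opt/venv
COPY model/ /app/model/
COPY server/ /app/server/
USER 65532:65532
CMD ["python", "/app/server/handler.py"]
"""


def parse_ref(ref):
    """Split an image reference into (name, tag, digest). A registry host may
    carry a port, so the tag is only looked for in the last path component."""
    name, _, digest = ref.strip().partition("@")
    tag = None
    head, _, last = name.rpartition("/")
    if ":" in last:
        last, _, tag = last.partition(":")
        name = f"{head}/{last}" if head else last
    return name, tag, digest or None


def classify_ref(ref):
    """'digest' is the only immutable form; 'latest' covers an explicit :latest
    and a bare name, which Docker also resolves to :latest."""
    _, tag, digest = parse_ref(ref)
    if digest:
        return "digest" if DIGEST_RE.fullmatch(digest) else "invalid"
    if tag is None or tag == "latest":
        return "latest"
    return "tag"


def lint_dockerfile(text):
    """Return a list of problems for the three checks: pinned bases, multi-stage, non-root."""
    problems = []
    stages, from_count, last_user = set(), 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        instr = parts[0].upper()
        if instr == "FROM":
            from_count += 1
            tokens = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
            image = tokens[0]
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2].lower())
            # `FROM <stage>` refers back to an earlier stage and needs no digest.
            if image.lower() not in stages and classify_ref(image) != "digest":
                problems.append(f"base image not pinned to a digest: {image}")
        elif instr == "USER":
            last_user = parts[1]
    if from_count < 2:
        problems.append("single-stage build: training/build deps will ship in the runtime image")
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        problems.append("runtime stage runs as root: add a non-root USER")
    return problems


if __name__ == "__main__":
    for ref in ("aegis/model", "aegis/model:a3f9c01", "aegis/model@" + PLACEHOLDER_DIGEST):
        print(f"{ref:<90} {classify_ref(ref)}")
    print("bad :", lint_dockerfile(BAD_DOCKERFILE))
    print("good:", lint_dockerfile(GOOD_DOCKERFILE) or "clean")
```

The deployment side uses `classify_ref` on the reference it is about to run and refuses anything but `digest`; the build side runs `lint_dockerfile` before `docker buildx build`, so an `:latest` base or a root runtime user fails the job rather than surfacing later as an unreproducible or over-privileged container.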
