Skip to content

Luke/sept16 CVE (#4094) #1674

Luke/sept16 CVE (#4094)

Luke/sept16 CVE (#4094) #1674

name: Build And Push Docker Image
on:
push:
branches:
- main
env:
DOCKER_REPOSITORY: quay.io/unstructured-io/unstructured
DOCKER_BUILD_REPOSITORY: quay.io/unstructured-io/build-unstructured
PIP_VERSION: "23.2.1"
PYTHON_VERSION: "3.10"
jobs:
set-short-sha:
runs-on: ubuntu-latest
outputs:
short_sha: ${{ steps.set_short_sha.outputs.short_sha }}
steps:
- name: Set Short SHA
id: set_short_sha
run: echo "short_sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
build-images:
strategy:
matrix:
docker-platform: ["linux/arm64", "linux/amd64"]
runs-on: ubuntu-latest-m
needs: set-short-sha
env:
SHORT_SHA: ${{ needs.set-short-sha.outputs.short_sha }}
steps:
- name: Set up Docker
# Use the `docker` driver for AMD builds because the `docker-container` driver may fail to locally load the built image.
# This could be due to the larger size of the AMD build and the `docker-container` driver needing to load the tarball.
# Use the `docker-container` driver for ARM builds because it may otherwise intermittently fail with: `exec /bin/sh: exec format error`
uses: docker/setup-buildx-action@v1
with:
driver: ${{ matrix.docker-platform == 'linux/amd64' && 'docker' || 'docker-container' }}
- name: Checkout code
uses: actions/checkout@v3
- name: Login to Quay.io
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAY_IO_ROBOT_USERNAME }}
password: ${{ secrets.QUAY_IO_ROBOT_TOKEN }}
- name: Build images
run: |
ARCH=$(cut -d "/" -f2 <<< ${{ matrix.docker-platform }})
DOCKER_BUILDKIT=1 docker buildx build --platform=${{ matrix.docker-platform }} --load \
-f Dockerfile \
--build-arg PIP_VERSION=$PIP_VERSION \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--progress plain \
--cache-from $DOCKER_BUILD_REPOSITORY:$ARCH \
-t $DOCKER_BUILD_REPOSITORY:$ARCH-$SHORT_SHA .
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Test images
run: |
echo "UNS_API_KEY=${{ secrets.UNS_API_KEY }}" > uns_test_env_file
echo "UNSTRUCTURED_HF_TOKEN=${{ secrets.HF_TOKEN }}" >> uns_test_env_file
ARCH=$(cut -d "/" -f2 <<< ${{ matrix.docker-platform }})
if [ "$ARCH" = "amd64" ]; then
DOCKER_PLATFORM="${{ matrix.docker-platform }}" DOCKER_IMAGE="$DOCKER_BUILD_REPOSITORY:$ARCH-$SHORT_SHA" \
make docker-test CI=true
else
DOCKER_PLATFORM="${{ matrix.docker-platform }}" DOCKER_IMAGE="$DOCKER_BUILD_REPOSITORY:$ARCH-$SHORT_SHA" \
make docker-test CI=true TEST_FILE=test_unstructured/partition/test_text.py
fi
DOCKER_IMAGE=$DOCKER_BUILD_REPOSITORY:$ARCH-$SHORT_SHA make docker-smoke-test
- name: Push images
run: |
# write to the build repository to cache for the publish-images job
ARCH=$(cut -d "/" -f2 <<< ${{ matrix.docker-platform }})
docker push "$DOCKER_BUILD_REPOSITORY:$ARCH-$SHORT_SHA"
publish-images:
runs-on: ubuntu-latest-m
needs: [set-short-sha, build-images]
env:
SHORT_SHA: ${{ needs.set-short-sha.outputs.short_sha }}
steps:
- uses: docker/setup-buildx-action@v1
- name: Checkout code
uses: actions/checkout@v3
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_IO_ROBOT_USERNAME }}
password: ${{ secrets.QUAY_IO_ROBOT_TOKEN }}
- name: Pull AMD image
run: |
docker pull $DOCKER_BUILD_REPOSITORY:amd64-$SHORT_SHA
- name: Pull ARM image
run: |
docker pull $DOCKER_BUILD_REPOSITORY:arm64-$SHORT_SHA
- name: Push latest build tags for AMD and ARM
run: |
# these are used to construct the final manifest but also cache-from in subsequent runs
docker tag $DOCKER_BUILD_REPOSITORY:amd64-$SHORT_SHA $DOCKER_BUILD_REPOSITORY:amd64
docker push $DOCKER_BUILD_REPOSITORY:amd64
docker tag $DOCKER_BUILD_REPOSITORY:arm64-$SHORT_SHA $DOCKER_BUILD_REPOSITORY:arm64
docker push $DOCKER_BUILD_REPOSITORY:arm64
- name: Push multiarch manifest
run: |
docker manifest create ${DOCKER_REPOSITORY}:latest $DOCKER_BUILD_REPOSITORY:amd64 $DOCKER_BUILD_REPOSITORY:arm64
docker manifest push $DOCKER_REPOSITORY:latest
docker manifest create ${DOCKER_REPOSITORY}:$SHORT_SHA $DOCKER_BUILD_REPOSITORY:amd64 $DOCKER_BUILD_REPOSITORY:arm64
docker manifest push $DOCKER_REPOSITORY:$SHORT_SHA
VERSION=$(grep -Po '(?<=__version__ = ")[^"]*' unstructured/__version__.py)
docker manifest create ${DOCKER_REPOSITORY}:$VERSION $DOCKER_BUILD_REPOSITORY:amd64 $DOCKER_BUILD_REPOSITORY:arm64
docker manifest push $DOCKER_REPOSITORY:$VERSION