Merge pull request #118 from nearai/fix/sdk-evidence-collection-mutex #65
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Deploy | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v*" | |
| env: | |
| REGISTRY: docker.io | |
| IMAGE_REPOSITORY: ${{ vars.DOCKER_REGISTRY_USER }}/vllm-proxy-rs | |
| jobs: | |
| reproducible-docker-image: | |
| name: Reproducible Docker Image | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| id-token: write | |
| runs-on: [self-hosted, infra] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Log in to Docker registry | |
| uses: docker/login-action@c144859092e8e353f3e118b0b329679a62351c3e | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ vars.DOCKER_REGISTRY_USER }} | |
| password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| - name: Extract image tag from GitHub ref (branch or tag) | |
| run: | | |
| if [[ "${GITHUB_REF_TYPE}" == 'tag' ]]; then | |
| TAG=${GITHUB_REF_NAME#v} | |
| echo "Using '${TAG}' image tag for ${GITHUB_REF_NAME} tag" | |
| elif [[ "${GITHUB_REF_TYPE}" == 'branch' ]]; then | |
| TAG=$(if [[ "${GITHUB_REF_NAME}" == 'main' ]]; then echo 'latest'; else echo 'dev'; fi) | |
| echo "Using '${TAG}' image tag for ${GITHUB_REF_NAME} branch" | |
| else | |
| echo "Unsupported ref type: ${GITHUB_REF_TYPE}" >&2 | |
| exit 1 | |
| fi | |
| if [ -z "${TAG}" ]; then | |
| echo "Unable to parse image tag from ${GITHUB_REF_TYPE}: ${GITHUB_REF_NAME}" >&2 | |
| exit 1 | |
| fi | |
| echo "IMAGE_REFERENCE=${{ env.REGISTRY }}/${{ env.IMAGE_REPOSITORY }}:${TAG}" >> "$GITHUB_ENV" | |
| - name: Install build dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y skopeo jq | |
| - name: Build and push reproducible image | |
| env: | |
| # Build with the nv-attestation-sdk Cargo feature so the | |
| # runtime image ships libnvat.so. Independent of whether the | |
| # SDK code path is actually used at runtime — that's still | |
| # gated by the USE_NV_ATTESTATION_SDK env var on the CVM. | |
| # Lets a single image flip between Python and SDK backends | |
| # via env-var change, no rebuild. | |
| ENABLE_NV_ATTESTATION_SDK: "1" | |
| run: | | |
| ./build-image.sh --push "${{ env.IMAGE_REFERENCE }}" | |
| - name: Get image digest | |
| run: | | |
| DIGEST=$(skopeo inspect oci-archive:./oci.tar | jq -r '.Digest') | |
| if [ -z "${DIGEST}" ]; then | |
| echo "Failed to get image digest from OCI archive" >&2 | |
| exit 1 | |
| fi | |
| echo "IMAGE_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | |
| - name: Generate artifact attestation | |
| continue-on-error: true | |
| uses: actions/attest-build-provenance@v4 | |
| with: | |
| subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPOSITORY }} | |
| subject-digest: ${{ env.IMAGE_DIGEST }} | |
| push-to-registry: true | |
| - name: Generate build summary | |
| run: | | |
| { | |
| echo "## vllm-proxy-rs docker image" | |
| echo "" | |
| echo "- tag: \`${{ env.IMAGE_REFERENCE }}\`" | |
| echo "- digest: \`${{ env.IMAGE_DIGEST }}\`" | |
| echo "- sigstore: https://search.sigstore.dev/?hash=${{ env.IMAGE_DIGEST }}" | |
| } >> "$GITHUB_STEP_SUMMARY" |