build-and-push.yaml
name: Build and Push - Detectors

on:
  # Trigger on successful test completion. Each listed workflow that
  # completes starts one run of this workflow.
  workflow_run:
    workflows:
      - "Tier 1 - Built-in detectors unit tests"
      - "Tier 1 - Hugging Face Runtime unit tests"
      - "Tier 1 - LLM Judge unit tests"
    types:
      - completed

  # Direct triggers (tests will run in parallel)
  push:
    branches:
      - main
      - incubation
      - stable
    tags:
      - 'v*'
    # NOTE(review): in GitHub path filters `*` does not cross `/`, so these
    # patterns match only files directly inside each directory. Confirm that
    # nested files under detectors/ are meant to be excluded.
    paths:
      - 'detectors/*'
      - '.github/workflows/*'

  # `labeled` is included so that adding a label re-runs the job; the job
  # itself checks for a required label before it checks out PR code.
  pull_request:
    paths:
      - 'detectors/*'
    types:
      - labeled
      - opened
      - synchronize
      - reopened
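jobs:
  # Ensure that tests pass before publishing a new image.
  #
  # One job builds the three detector images (Hugging Face runtime, built-in,
  # LLM Judge) and pushes them to Quay. BUILD_CONTEXT selects the image names
  # and tag: "ci" for pull requests, "main" for the main branch, "tag" for
  # v* tags.
  build-and-push-ci:
    # Only run if:
    # 1. Running in the trustyai-explainability/guardrails-detectors repository, AND
    # 2. Tests completed successfully on target branches (from workflow_run trigger), OR
    # 3. Direct push/PR trigger (tests will run in parallel)
    #
    # NOTE(review): workflow_run.head_branch is only a branch name and does
    # not by itself show that the triggering run came from this repository.
    # Consider also checking github.event.workflow_run.event (or the head
    # repository) before a run that has access to the registry secret.
    if: |
      github.repository == 'trustyai-explainability/guardrails-detectors' &&
      ((github.event_name == 'workflow_run' &&
      github.event.workflow_run.conclusion == 'success' &&
      contains(fromJSON('["main", "incubation", "stable"]'), github.event.workflow_run.head_branch)) ||
      (github.event_name != 'workflow_run'))
    runs-on: ubuntu-latest
    # Least privilege: read the repository, write only PR comments.
    permissions:
      contents: read
      pull-requests: write
    # Event data is handed to the scripts as environment variables so that no
    # ${{ }} expression is expanded inside a `run:` script.
    env:
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
      GITHUB_REF_NAME: ${{ github.ref_name }}
      QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }}
      GITHUB_REF: ${{ github.ref }}
      GITHUB_HEAD_REF: ${{ github.head_ref }}
    steps:
      # Assign context variable for various action contexts (tag, main, CI)
      - name: Assigning CI context
        if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
        run: echo "BUILD_CONTEXT=ci" >> "$GITHUB_ENV"
      - name: Assigning tag context
        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
        run: echo "BUILD_CONTEXT=tag" >> "$GITHUB_ENV"
      - name: Assigning main context
        if: github.head_ref == '' && github.ref == 'refs/heads/main'
        run: echo "BUILD_CONTEXT=main" >> "$GITHUB_ENV"
      # None of the three conditions above matches a push to `incubation` or
      # `stable`, or a PR whose head branch is named `main`. Without a context
      # there is no checkout and IMAGE_NAME/TAG stay empty, so stop here with
      # a clear message instead of failing later inside `docker build`.
      - name: Require a build context
        if: env.BUILD_CONTEXT == ''
        run: |
          echo "::error::No build context matched ref '$GITHUB_REF' (head ref '$GITHUB_HEAD_REF'); refusing to build or push."
          exit 1

      #
      # Run checkouts
      #
      # NOTE(review): the third-party actions in this job are referenced by
      # mutable tags while the job holds the Quay robot credential and a
      # token that can write PR comments. Pin each to a full commit SHA,
      # e.g. `uses: owner/action@<FULL_COMMIT_SHA>  # v4`.
      #
      # NOTE(review): the label gate is evaluated on every `synchronize`
      # event, and labels stay on the PR. Commits pushed after a maintainer
      # labelled the PR are therefore built and pushed without a new review;
      # consider removing the label on new commits or requiring re-approval.
      - uses: mheap/github-action-required-labels@v4
        if: env.BUILD_CONTEXT == 'ci'
        with:
          mode: minimum
          count: 1
          labels: "ok-to-test, lgtm, approved"
      # PR builds check out the exact head commit the event refers to.
      # persist-credentials: false keeps the job token out of .git/config.
      - uses: actions/checkout@v4
        if: env.BUILD_CONTEXT == 'ci'
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - uses: actions/checkout@v4
        if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag'
        with:
          persist-credentials: false

      #
      # Print variables for debugging
      - name: Log reference variables
        run: |
          echo "CONTEXT: $BUILD_CONTEXT"
          echo "GITHUB.REF: $GITHUB_REF"
          echo "GITHUB.HEAD_REF: $GITHUB_HEAD_REF"
          echo "SHA: $PR_HEAD_SHA"
          echo "MAIN IMAGE AT: $QUAY_RELEASE_REPO:latest"
          echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA"
          echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA"
          echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA"

      # Set environments depending on context
      # CI images go to separate "-ci" repositories, are tagged with the PR
      # head SHA and carry a 7-day Quay expiry label.
      - name: Set CI environment
        if: env.BUILD_CONTEXT == 'ci'
        run: |
          echo "TAG=$PR_HEAD_SHA" >> "$GITHUB_ENV"
          echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> "$GITHUB_ENV"
          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> "$GITHUB_ENV"
          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> "$GITHUB_ENV"
          echo "EXPIRY_LABEL=--label quay.expires-after=7d" >> "$GITHUB_ENV"
      - name: Set main-branch environment
        if: env.BUILD_CONTEXT == 'main'
        run: |
          echo "TAG=latest" >> "$GITHUB_ENV"
          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> "$GITHUB_ENV"
          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> "$GITHUB_ENV"
          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> "$GITHUB_ENV"
          echo "EXPIRY_LABEL=" >> "$GITHUB_ENV"
      - name: Set tag environment
        if: env.BUILD_CONTEXT == 'tag'
        run: |
          echo "TAG=$GITHUB_REF_NAME" >> "$GITHUB_ENV"
          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> "$GITHUB_ENV"
          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> "$GITHUB_ENV"
          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> "$GITHUB_ENV"
          echo "EXPIRY_LABEL=" >> "$GITHUB_ENV"

      #
      # Run docker commands
      #
      # $EXPIRY_LABEL is left unquoted on purpose: it must split into
      # `--label quay.expires-after=7d`, or disappear when it is empty.
      - name: Build image
        run: docker build -t "$IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.hf detectors
      # The secret is piped on stdin rather than passed with -p, so it does
      # not appear in the process argument list.
      # NOTE(review): the two builds below run after this login. If they need
      # no private base image, logging in only just before the pushes keeps
      # the stored credential off the runner while PR-supplied Dockerfiles
      # are being built.
      - name: Log in to Quay
        env:
          QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }}
          QUAY_ROBOT_SECRET: ${{ secrets.QUAY_ROBOT_SECRET }}
        run: printf '%s' "$QUAY_ROBOT_SECRET" | docker login -u "$QUAY_ROBOT_USERNAME" --password-stdin quay.io
      - name: Push to Quay CI repo
        run: docker push "$IMAGE_NAME:$TAG"
      - name: Build built-in detector image
        run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.builtIn detectors
      - name: Push to Quay CI repo
        run: docker push "$BUILTIN_IMAGE_NAME:$TAG"
      - name: Build LLM Judge detector image
        run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.judge detectors
      - name: Push LLM Judge image to Quay CI repo
        run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG"

      # Leave comment
      # Look for an earlier bot comment so it is replaced, not duplicated.
      - name: Find Comment
        uses: peter-evans/find-comment@v3
        if: env.BUILD_CONTEXT == 'ci'
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: PR image build completed successfully
      # Action inputs are not run through a shell, so a `$PR_HEAD_SHA` in the
      # body would be posted literally. The env context is expanded by the
      # runner and carries the same value (a commit SHA).
      - name: Generate/update success message comment
        uses: peter-evans/create-or-update-comment@v4
        if: env.BUILD_CONTEXT == 'ci'
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          edit-mode: replace
          body: |
            PR image build completed successfully!
            📦 [Huggingface PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ env.PR_HEAD_SHA }}`
            📦 [Built-in PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ env.PR_HEAD_SHA }}`
            📦 [LLM Judge PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ env.PR_HEAD_SHA }}`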