# Workflow name shown in the Actions UI.
name: Build and Push - Detectors
# Triggers:
#   - pushes to main and to v* tags (release images), limited to detector and
#     workflow changes;
#   - pull_request_target events (PR / CI images). NOTE(review): this event runs
#     with the base repository's secrets while the job below checks out PR-head
#     code, so the label gate inside the job is the only barrier between a fork
#     PR and those secrets.
# NOTE(review): `detectors/*` matches only direct children of detectors/ (a
# single `*` does not cross `/`). If detector sources live in subdirectories,
# `detectors/**` is needed for changes there to trigger a build — confirm layout.
on:
  push:
    branches: [main]
    tags: ['v*']
    paths: ['detectors/*', '.github/workflows/*']
  pull_request_target:
    paths: ['detectors/*']
    types:
      - labeled
      - opened
      - synchronize
      - reopened
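jobs:
  # Ensure that tests pass before publishing a new image.
  #
  # SECURITY NOTE: this job is reachable via `pull_request_target`, so it runs
  # with the base repository's GITHUB_TOKEN and secrets (QUAY_ROBOT_*) while
  # building Dockerfiles checked out from the *PR head* (untrusted, possibly a
  # fork). The required-labels gate below is the only barrier: a maintainer must
  # apply ok-to-test/lgtm/approved before a PR build runs. Because `synchronize`
  # is in the trigger list and labels survive new pushes, commits pushed after
  # the label was applied are built without further review — re-check the last
  # push before labelling, or clear the label when unexpected commits arrive.
  # NOTE(review): third-party actions are referenced by mutable tags; pinning
  # them to full commit SHAs would protect against a moved tag.
  build-and-push-ci:
    runs-on: ubuntu-latest
    # Least privilege for the job token: read code, comment on the PR, upload SARIF.
    permissions:
      contents: read
      pull-requests: write
      security-events: write
    env:
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
      GITHUB_REF_NAME: ${{ github.ref_name }}
      QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }}
      GITHUB_REF: ${{ github.ref }}
      GITHUB_HEAD_REF: ${{ github.head_ref }}
    steps:
      # Assign context variable for the various action contexts (tag, main, CI).
      # Exactly one of these should fire; the guard step after them fails the
      # job if none did.
      - name: Assigning CI context
        if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
        run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV
      - name: Assigning tag context
        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
        run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV
      - name: Assigning main context
        if: github.head_ref == '' && github.ref == 'refs/heads/main'
        run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV
      # Fail closed: with no context, no checkout happens and IMAGE_NAME/TAG stay
      # empty, so the docker steps below would otherwise run against an
      # undefined image (e.g. a PR whose head branch is literally named `main`).
      - name: Fail on unrecognised build context
        if: env.BUILD_CONTEXT == ''
        run: |
          echo "::error::Could not determine build context (ref='$GITHUB_REF', head_ref='$GITHUB_HEAD_REF')"
          exit 1
      #
      # Run checkouts
      # Gate for untrusted PR code: at least one of the listed labels must be present.
      - uses: mheap/github-action-required-labels@v4
        if: env.BUILD_CONTEXT == 'ci'
        with:
          mode: minimum
          count: 1
          labels: "ok-to-test, lgtm, approved"
      # CI context: check out the PR head (untrusted). persist-credentials=false
      # keeps the repo token out of .git/config; nothing later in this job needs
      # git credentials (comment/SARIF steps use github.token via action inputs).
      - uses: actions/checkout@v3
        if: env.BUILD_CONTEXT == 'ci'
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      # main/tag context: check out the pushed ref itself.
      - uses: actions/checkout@v3
        if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag'
      #
      # Print variables for debugging
      - name: Log reference variables
        run: |
          echo "CONTEXT: $BUILD_CONTEXT"
          echo "GITHUB.REF: $GITHUB_REF"
          echo "GITHUB.HEAD_REF: $GITHUB_HEAD_REF"
          echo "SHA: $PR_HEAD_SHA"
          echo "MAIN IMAGE AT: $QUAY_RELEASE_REPO:latest"
          echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA"
          echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA"
          echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA"
      # Set environments depending on context.
      # CI images are tagged with the PR head SHA, pushed to the *-ci repos and
      # labelled to expire after 7 days.
      - name: Set CI environment
        if: env.BUILD_CONTEXT == 'ci'
        run: |
          echo "TAG=$PR_HEAD_SHA" >> $GITHUB_ENV
          echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV
          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV
          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV
          echo "EXPIRY_LABEL=--label quay.expires-after=7d" >> $GITHUB_ENV
      # main pushes publish `latest` to the release repos with no expiry.
      - name: Set main-branch environment
        if: env.BUILD_CONTEXT == 'main'
        run: |
          echo "TAG=latest" >> $GITHUB_ENV
          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV
          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV
          echo "EXPIRY_LABEL=" >> $GITHUB_ENV
      # Tag pushes publish the tag name (e.g. v1.2.3) to the release repos.
      - name: Set tag environment
        if: env.BUILD_CONTEXT == 'tag'
        run: |
          echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV
          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV
          echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV
          echo "EXPIRY_LABEL=" >> $GITHUB_ENV
      #
      # Run docker commands
      # $EXPIRY_LABEL is deliberately unquoted: it is either empty or two
      # words (`--label quay.expires-after=7d`) that must be split.
      - name: Build image
        run: docker build -t "$IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.hf detectors
      # Feed the robot secret on stdin instead of `-p`, which exposes it in the
      # process table (docker itself warns about this).
      - name: Log in to Quay
        env:
          QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }}
          QUAY_ROBOT_SECRET: ${{ secrets.QUAY_ROBOT_SECRET }}
        run: printf '%s' "$QUAY_ROBOT_SECRET" | docker login -u "$QUAY_ROBOT_USERNAME" --password-stdin quay.io
      - name: Push Huggingface image to Quay
        run: docker push "$IMAGE_NAME:$TAG"
      - name: Build built-in detector image
        run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.builtIn detectors
      - name: Push built-in detector image to Quay
        run: docker push "$BUILTIN_IMAGE_NAME:$TAG"
      - name: Build LLM Judge detector image
        run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.judge detectors
      - name: Push LLM Judge image to Quay
        run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG"
      # Leave comment (CI context only). `body` is an action input, not a shell
      # command, so the SHA must be interpolated with ${{ }} — a bare $PR_HEAD_SHA
      # would be posted literally.
      - uses: peter-evans/find-comment@v3
        name: Find Comment
        if: env.BUILD_CONTEXT == 'ci'
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: PR image build completed successfully
      - uses: peter-evans/create-or-update-comment@v4
        if: env.BUILD_CONTEXT == 'ci'
        name: Generate/update success message comment
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          edit-mode: replace
          body: |
            PR image build completed successfully!
            📦 [Huggingface PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ env.PR_HEAD_SHA }}`
            📦 [Built-in PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ env.PR_HEAD_SHA }}`
            📦 [LLM Judge PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ env.PR_HEAD_SHA }}`
      # Vulnerability scans. These run *after* the images were pushed and use
      # `exit-code: '0'`, so they are report-only: findings never block a
      # publish. Move the scans before the push steps (and set a non-zero
      # exit-code) if a scan should gate publication.
      - name: Trivy scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'image'
          image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'MEDIUM,HIGH,CRITICAL'
          exit-code: '0'
          ignore-unfixed: false
          vuln-type: 'os,library'
      - name: Trivy scan, built-in image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'image'
          image-ref: "${{ env.BUILTIN_IMAGE_NAME }}:${{ env.TAG }}"
          format: 'sarif'
          output: 'trivy-results-built-in.sarif'
          severity: 'MEDIUM,HIGH,CRITICAL'
          exit-code: '0'
          ignore-unfixed: false
          vuln-type: 'os,library'
      - name: Trivy scan, LLM Judge image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'image'
          image-ref: "${{ env.LLM_JUDGE_IMAGE_NAME }}:${{ env.TAG }}"
          format: 'sarif'
          output: 'trivy-results-llm-judge.sarif'
          severity: 'MEDIUM,HIGH,CRITICAL'
          exit-code: '0'
          ignore-unfixed: false
          vuln-type: 'os,library'
      # Upload SARIF to the Security tab, one category per image.
      # NOTE(review): on pull_request_target, github.ref/github.sha refer to the
      # base branch, so PR-image findings are likely recorded against main
      # unless the action's `ref`/`sha` inputs are pointed at the PR head —
      # confirm this is the intended attribution.
      - name: Update Security tab - Huggingface
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
          category: huggingface
      - name: Update Security tab - Built-in
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results-built-in.sarif'
          category: built-in
      - name: Update Security tab - LLM Judge
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results-llm-judge.sarif'
          category: llm-judge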