forked from trustyai-explainability/guardrails-detectors
-
Notifications
You must be signed in to change notification settings - Fork 2
148 lines (145 loc) · 6.27 KB
/
build-and-push.yaml
File metadata and controls
148 lines (145 loc) · 6.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Build and Push - Detectors
on:
push:
branches:
- main
tags:
- v*
paths:
- 'detectors/*'
- '.github/workflows/*'
pull_request_target:
paths:
- 'detectors/*'
types: [labeled, opened, synchronize, reopened]
jobs:
# Ensure that tests pass before publishing a new image.
build-and-push-ci:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
security-events: write
steps: # Assign context variable for various action contexts (tag, main, CI)
- name: Assigning CI context
if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV
- name: Assigning tag context
if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV
- name: Assigning main context
if: github.head_ref == '' && github.ref == 'refs/heads/main'
run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV
#
# Run checkouts
- uses: mheap/github-action-required-labels@v4
if: env.BUILD_CONTEXT == 'ci'
with:
mode: minimum
count: 1
labels: "ok-to-test, lgtm, approved"
- uses: actions/checkout@v3
if: env.BUILD_CONTEXT == 'ci'
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/checkout@v3
if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag'
#
# Print variables for debugging
- name: Log reference variables
run: |
echo "CONTEXT: ${{ env.BUILD_CONTEXT }}"
echo "GITHUB.REF: ${{ github.ref }}"
echo "GITHUB.HEAD_REF: ${{ github.head_ref }}"
echo "SHA: ${{ github.event.pull_request.head.sha }}"
echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest"
echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}"
echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}"
# Set environments depending on context
- name: Set CI environment
if: env.BUILD_CONTEXT == 'ci'
run: |
echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV
echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV
- name: Set main-branch environment
if: env.BUILD_CONTEXT == 'main'
run: |
echo "TAG=latest" >> $GITHUB_ENV
echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
- name: Set tag environment
if: env.BUILD_CONTEXT == 'tag'
run: |
echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
#
# Run docker commands
- name: Put expiry date on CI-tagged image
if: env.BUILD_CONTEXT == 'ci'
run: |
echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf
echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn
- name: Build image
run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors
- name: Log in to Quay
run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
- name: Push to Quay CI repo
run: docker push ${{ env.IMAGE_NAME }}:$TAG
- name: Build built-in detector image
run: docker build -t ${{ env.BUILTIN_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.builtIn detectors
- name: Push to Quay CI repo
run: docker push ${{ env.BUILTIN_IMAGE_NAME }}:$TAG
# Leave comment
- uses: peter-evans/find-comment@v3
name: Find Comment
if: env.BUILD_CONTEXT == 'ci'
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: PR image build completed successfully
- uses: peter-evans/create-or-update-comment@v4
if: env.BUILD_CONTEXT == 'ci'
name: Generate/update success message comment
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
edit-mode: replace
body: |
PR image build completed successfully!
📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}`
📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}`
- name: Trivy scan
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'image'
image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'MEDIUM,HIGH,CRITICAL'
exit-code: '0'
ignore-unfixed: false
vuln-type: 'os,library'
- name: Trivy scan, built-in image
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: 'image'
image-ref: "${{ env.BUILTIN_IMAGE_NAME }}:${{ env.TAG }}"
format: 'sarif'
output: 'trivy-results-built-in.sarif'
severity: 'MEDIUM,HIGH,CRITICAL'
exit-code: '0'
ignore-unfixed: false
vuln-type: 'os,library'
- name: Update Security tab - Huggingface
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
category: huggingface
- name: Update Security tab - Built-in
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-built-in.sarif'
category: built-in