Upgrade Trivy action version in security workflow #158
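# Builds a container image from the code of a pull request and pushes it to
# quay.io so the PR's provider can be tested before merge.
#
# SECURITY NOTE: this workflow runs on `pull_request_target`, i.e. in the
# context of the base repository with access to repository secrets
# (QUAY_USERNAME / QUAY_PASSWORD), while checking out code from the PR head.
# The "Check labels" step is the only gate: the job fails unless one of the
# trusted labels is present. A label stays on the PR across later pushes, so a
# PR that was labeled once keeps building whatever is pushed to it afterwards;
# the PR-supplied pyproject.toml is executed by `pip install` inside the
# buildah build, and the resulting image is published under the org namespace.
name: Build PR Container Image

on:
  pull_request_target:
    branches: [ main ]

env:
  REGISTRY: quay.io
  ORG: trustyai_testing
  IMAGE_NAME: llama-stack-trustyai-fms
  # Not referenced by any step in this workflow; kept for compatibility.
  MODULE_VERSION: '0.3.2'

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: the image is pushed to quay.io with the
    # QUAY_* secrets, so the token never needs `packages: write`.
    permissions:
      contents: read

    steps:
      # Gate: fail fast unless the PR carries a trusted label. This must stay
      # the first step so nothing below runs for an unlabeled PR.
      - name: Check labels
        uses: mheap/github-action-required-labels@v5
        with:
          mode: minimum
          count: 1
          labels: "ok-to-test, lgtm, approved"

      # Check out the exact PR head commit. The GITHUB_TOKEN is not persisted
      # in .git/config because no later step uses git.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - name: Log in to Container Registry
        uses: redhat-actions/podman-login@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

      # Tags: `pr-<number>` for the PR and `sha-<short>` for the exact commit.
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=pr,prefix=pr-
            type=sha,format=short

      - name: Create temporary build directory
        run: |
          mkdir -p build-context

      # Only these paths from the PR end up in the image.
      - name: Copy provider code to build context
        run: |
          cp -r llama_stack_provider_trustyai_fms/ build-context/
          cp -r providers.d/ build-context/
          cp run.yaml build-context/
          cp pyproject.toml build-context/

      # The Containerfile is authored here, not taken from the PR. The heredoc
      # delimiter is quoted so ${HOME} / ${APP_ROOT} are left for the build,
      # not expanded by the runner shell.
      - name: Create modified Containerfile
        run: |
          cat > build-context/Containerfile << 'EOF'
          # NOTE(review): floating base tag; pin a tag or digest for reproducible builds.
          FROM registry.access.redhat.com/ubi9/python-312:latest
          WORKDIR /opt/app-root
          # Third-party dependencies first so these layers stay cached across PR changes.
          RUN pip install --no-cache-dir \
              aiosqlite \
              autoevals \
              datasets \
              fastapi \
              fire \
              httpx \
              kubernetes \
              "openai==1.66.0" \
              opentelemetry-exporter-otlp-proto-http \
              opentelemetry-sdk \
              pandas \
              requests \
              sqlalchemy[asyncio] \
              uvicorn
          RUN pip install --no-cache-dir --index-url https://download.pytorch.org/whl/cpu torch torchvision
          RUN pip install --no-cache-dir --no-deps sentence-transformers
          RUN pip install --no-cache-dir llama-stack==0.3.5
          # PR-supplied code last: it changes most often. pip runs its build backend.
          COPY llama_stack_provider_trustyai_fms/ /opt/app-root/llama_stack_provider_trustyai_fms/
          COPY pyproject.toml /opt/app-root/
          RUN pip install --no-cache-dir /opt/app-root/
          # NOTE(review): HOME and APP_ROOT are expected from the base image — confirm.
          RUN mkdir -p ${HOME}/.cache
          COPY run.yaml ${APP_ROOT}/run.yaml
          ENTRYPOINT ["python", "-m", "llama_stack.core.server.server", "/opt/app-root/run.yaml"]
          EOF

      # NOTE(review): no build context is set, so the COPY sources presumably
      # resolve relative to the repository root rather than build-context/ —
      # confirm this is intended.
      - name: Build Image
        id: build-image
        uses: redhat-actions/buildah-build@v2
        with:
          image: ${{ env.IMAGE_NAME }}
          tags: ${{ steps.meta.outputs.tags }}
          containerfiles: |
            build-context/Containerfile

      - name: Push to Image Registry
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-image.outputs.image }}
          tags: ${{ steps.build-image.outputs.tags }}
          registry: ${{ env.REGISTRY }}/${{ env.ORG }}
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}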