
llm-reference-preset: Add workflow to build & push #743

Conversation

surajssd
Contributor

This commit adds a workflow to build and push an image to GHCR for llm-reference-preset; the workflow is triggered when a tag is pushed with the v* pattern.

Reason for Change:

To automatically build image on every release for llm-reference-preset.

Issue Fixed:

Fixes #731

Notes for Reviewers:

The image won't be built until there is another release.

This commit adds a workflow to build and push an image
to GHCR for llm-reference-preset; the workflow is
triggered when a tag is pushed with the `v*` pattern.

Signed-off-by: Suraj Deshmukh <[email protected]>
@@ -0,0 +1,43 @@
name: LLM Reference Preset GHCR Image - Build & Push
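Review bot: the hunk header reports a new 43-line file but only the `name:` line is visible here, so the `on:` trigger, the `permissions:` block and the steps cannot be checked from this excerpt; before merging, confirm that the trigger is the push-on-`v*`-tag described in the PR, that `permissions:` grants only `packages: write` and `contents: read` (a tag-triggered build and push needs nothing more), and that every `uses:` is pinned to a commit SHA rather than a tag or branch, in line with the runner-hardening the review comment below asks for.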
Collaborator

@ishaansehgal99 ishaansehgal99 Dec 2, 2024


This is awesome! There are a couple of things missing, though, like getting the tag for the image, hardening the runner, and scanning the image. Let's take a look at publish-gh-image.yml for reference. By modifying that slightly, the workflow could look something like this:

```yaml
name: Create, Scan and Publish LLM Reference Image
on:
  workflow_dispatch:
    inputs:
      release_version:
        description: 'tag to be created for this image (i.e. vxx.xx.xx)'
        required: true

permissions:
  id-token: write
  contents: write   # needed to create the tag through the REST API below
  packages: write   # needed to push to GHCR

env:
  GO_VERSION: '1.22'
  IMAGE_NAME: 'llm-reference-preset'
  REGISTRY: ghcr.io

jobs:
  check-tag:
    runs-on: ubuntu-latest
    environment: preset-env
    outputs:
      tag: ${{ steps.get-tag.outputs.tag }}
    steps:
      # Harden Runner goes first so that it observes every later step of the job.
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      # Pass the user-supplied input in through an environment variable instead of
      # interpolating ${{ }} straight into the script, so it cannot inject shell
      # syntax; anchor the pattern with ^ so leading text is rejected as well.
      - name: validate version
        env:
          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
        run: |
          echo "$RELEASE_VERSION" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'

      - id: get-tag
        name: Get tag
        env:
          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
        run: |
          echo "tag=${RELEASE_VERSION}" >> "$GITHUB_OUTPUT"

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - id: check-tag
        name: Check for Tag
        env:
          TAG: ${{ steps.get-tag.outputs.tag }}
        run: |
          # only create the tag when it does not already exist
          if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then
            echo "create_tag=false" >> "$GITHUB_OUTPUT"
          else
            echo "create_tag=true" >> "$GITHUB_OUTPUT"
          fi

      - name: 'Create tag'
        if: steps.check-tag.outputs.create_tag == 'true'
        uses: actions/github-script@v7  # pin to a commit SHA like the other actions
        env:
          TAG: ${{ steps.get-tag.outputs.tag }}
        with:
          script: |
            // await the call so a failed createRef fails the step instead of being dropped
            await github.rest.git.createRef({
              owner: context.repo.owner,
              repo: context.repo.repo,
              ref: `refs/tags/${process.env.TAG}`,
              sha: context.sha
            })

  build-scan-publish-gh-images:
    runs-on: ubuntu-latest
    needs: [ check-tag ]
    environment: preset-env
    outputs:
      registry_repository: ${{ steps.get-registry.outputs.registry_repository }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - id: get-registry
        run: |
          # registry must be in lowercase; quote the character classes so the shell does not glob them
          echo "registry_repository=$(echo "${REGISTRY}/${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"

      - id: get-tag
        name: Get tag
        env:
          TAG: ${{ needs.check-tag.outputs.tag }}
        run: |
          # strip only the leading v (tr -d v would delete every v in the string)
          echo "IMG_TAG=${TAG#v}" >> "$GITHUB_ENV"

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
          fetch-depth: 0
          ref: ${{ needs.check-tag.outputs.tag }}

      - name: Login to ${{ steps.get-registry.outputs.registry_repository }}
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build image
        run: |
          make docker-build-llm-reference-preset
        env:
          VERSION: ${{ needs.check-tag.outputs.tag }}
          REGISTRY: ${{ steps.get-registry.outputs.registry_repository }}

      # Fail the job on unpatched CRITICAL/HIGH findings before anything is published.
      - name: Scan ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
        uses: aquasecurity/trivy-action@master  # pin to a commit SHA; a branch ref can change underneath you
        with:
          image-ref: ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          timeout: '5m0s'
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
```

Could you check/take a look at this? Let me know if you have any further questions.
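Two of the review points above, the release-tag check and pinning every action to a commit SHA, can be verified before the workflow ever runs. The following added example (not code from the PR or the project) scans a workflow for `uses:` references that are not full commit SHAs and applies an anchored version check; the embedded workflow excerpt is constructed here from the references quoted in the review comment.

```python
import re

# Constructed excerpt modelled on the workflow proposed in the review comment
# (not the project's own file); the pinned SHAs are the ones quoted there.
SAMPLE_WORKFLOW = """\
jobs:
  check-tag:
    steps:
      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/github-script@v7
  build-scan-publish-gh-images:
    steps:
      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
      - uses: aquasecurity/trivy-action@master
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Anchored on both ends: the grep in the comment lacks '^', so leading text passes it.
VERSION_RE = re.compile(r'^v[0-9]+\.[0-9]+\.[0-9]+$')


def find_unpinned_uses(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA.

    Tags and branches (v7, master) are mutable and can be repointed upstream;
    a commit SHA is the only reference that pins exactly what will run.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group(1).partition('@')
        if action.startswith('./') or action.startswith('docker://'):
            continue  # local actions and image refs are pinned elsewhere
        if not SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


def validate_release_version(value):
    """True only for exactly vMAJOR.MINOR.PATCH, nothing before or after."""
    return VERSION_RE.match(value) is not None


def image_tag_from_release(value):
    """Strip the single leading 'v' (tr -d v would strip every 'v' in the string)."""
    if not validate_release_version(value):
        raise ValueError(f"bad release version: {value!r}")
    return value[1:]
```

Run it against the real workflow file in CI and fail the job when `find_unpinned_uses` returns anything.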

@surajssd
Contributor Author

Closing this, so that I don't hoard it, and others if interested can take it forward.

@surajssd surajssd closed this Dec 20, 2024
Successfully merging this pull request may close these issues.

Workflow for Dockerfile.Reference Image