Updated Dockerfile.hf for multi-arch build for amd64 and s390x #19
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Push - Detectors | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - v* | |
| paths: | |
| - 'detectors/*' | |
| - '.github/workflows/*' | |
| pull_request_target: | |
| paths: | |
| - 'detectors/*' | |
| types: [labeled, opened, synchronize, reopened] | |
| jobs: | |
| # Ensure that tests pass before publishing a new image. | |
| build-and-push-ci: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| security-events: write | |
| env: | |
| PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| GITHUB_REF_NAME: ${{ github.ref_name }} | |
| QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} | |
| GITHUB_REF: ${{ github.ref }} | |
| GITHUB_HEAD_REF: ${{ github.head_ref }} | |
| steps: # Assign context variable for various action contexts (tag, main, CI) | |
| - name: Assigning CI context | |
| if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v') | |
| run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV | |
| - name: Assigning tag context | |
| if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v') | |
| run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV | |
| - name: Assigning main context | |
| if: github.head_ref == '' && github.ref == 'refs/heads/main' | |
| run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV | |
| # | |
| # Run checkouts | |
| - uses: mheap/github-action-required-labels@v4 | |
| if: env.BUILD_CONTEXT == 'ci' | |
| with: | |
| mode: minimum | |
| count: 1 | |
| labels: "ok-to-test, lgtm, approved" | |
| - uses: actions/checkout@v3 | |
| if: env.BUILD_CONTEXT == 'ci' | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: actions/checkout@v3 | |
| if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag' | |
| # | |
| # Print variables for debugging | |
| - name: Log reference variables | |
| run: | | |
| echo "CONTEXT: $BUILD_CONTEXT" | |
| echo "GITHUB.REF: $GITHUB_REF" | |
| echo "GITHUB.HEAD_REF: $GITHUB_HEAD_REF" | |
| echo "SHA: $PR_HEAD_SHA" | |
| echo "MAIN IMAGE AT: $QUAY_RELEASE_REPO:latest" | |
| echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA" | |
| echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA" | |
| echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA" | |
| # Set environments depending on context | |
| - name: Set CI environment | |
| if: env.BUILD_CONTEXT == 'ci' | |
| run: | | |
| echo "TAG=$PR_HEAD_SHA" >> $GITHUB_ENV | |
| echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV | |
| echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV | |
| echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV | |
| echo "EXPIRY_LABEL=--label quay.expires-after=7d" >> $GITHUB_ENV | |
| - name: Set main-branch environment | |
| if: env.BUILD_CONTEXT == 'main' | |
| run: | | |
| echo "TAG=latest" >> $GITHUB_ENV | |
| echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV | |
| echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV | |
| echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV | |
| echo "EXPIRY_LABEL=" >> $GITHUB_ENV | |
| - name: Set tag environment | |
| if: env.BUILD_CONTEXT == 'tag' | |
| run: | | |
| echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV | |
| echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV | |
| echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV | |
| echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV | |
| echo "EXPIRY_LABEL=" >> $GITHUB_ENV | |
| # | |
| # Run docker commands | |
| - name: Build image | |
| run: docker build -t "$IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.hf detectors | |
| - name: Log in to Quay | |
| env: | |
| QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }} | |
| QUAY_ROBOT_SECRET: ${{ secrets.QUAY_ROBOT_SECRET }} | |
| run: docker login -u "$QUAY_ROBOT_USERNAME" -p "$QUAY_ROBOT_SECRET" quay.io | |
| - name: Push to Quay CI repo | |
| run: docker push "$IMAGE_NAME:$TAG" | |
| - name: Build built-in detector image | |
| run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.builtIn detectors | |
| - name: Push to Quay CI repo | |
| run: docker push "$BUILTIN_IMAGE_NAME:$TAG" | |
| - name: Build LLM Judge detector image | |
| run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.judge detectors | |
| - name: Push LLM Judge image to Quay CI repo | |
| run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG" | |
| # Leave comment | |
| - uses: peter-evans/find-comment@v3 | |
| name: Find Comment | |
| if: env.BUILD_CONTEXT == 'ci' | |
| id: fc | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| comment-author: 'github-actions[bot]' | |
| body-includes: PR image build completed successfully | |
| - uses: peter-evans/create-or-update-comment@v4 | |
| if: env.BUILD_CONTEXT == 'ci' | |
| name: Generate/update success message comment | |
| with: | |
| comment-id: ${{ steps.fc.outputs.comment-id }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| edit-mode: replace | |
| body: | | |
| PR image build completed successfully! | |
| 📦 [Huggingface PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA` | |
| 📦 [Built-in PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA` | |
| 📦 [LLM Judge PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA` | |
| - name: Trivy scan | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| with: | |
| scan-type: 'image' | |
| image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}" | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'MEDIUM,HIGH,CRITICAL' | |
| exit-code: '0' | |
| ignore-unfixed: false | |
| vuln-type: 'os,library' | |
| - name: Trivy scan, built-in image | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| with: | |
| scan-type: 'image' | |
| image-ref: "${{ env.BUILTIN_IMAGE_NAME }}:${{ env.TAG }}" | |
| format: 'sarif' | |
| output: 'trivy-results-built-in.sarif' | |
| severity: 'MEDIUM,HIGH,CRITICAL' | |
| exit-code: '0' | |
| ignore-unfixed: false | |
| vuln-type: 'os,library' | |
| - name: Trivy scan, LLM Judge image | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| with: | |
| scan-type: 'image' | |
| image-ref: "${{ env.LLM_JUDGE_IMAGE_NAME }}:${{ env.TAG }}" | |
| format: 'sarif' | |
| output: 'trivy-results-llm-judge.sarif' | |
| severity: 'MEDIUM,HIGH,CRITICAL' | |
| exit-code: '0' | |
| ignore-unfixed: false | |
| vuln-type: 'os,library' | |
| - name: Update Security tab - Huggingface | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| category: huggingface | |
| - name: Update Security tab - Built-in | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results-built-in.sarif' | |
| category: built-in | |
| - name: Update Security tab - LLM Judge | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results-llm-judge.sarif' | |
| category: llm-judge |