llm-reference-preset: Add workflow to build & push #743

ishaansehgal99 · 2024-12-02T22:38:26Z

This is awesome! There are a couple of things missing, though, like getting the tag for the image, hardening the runner, and scanning the image. Let's take a look at publish-gh-image.yml for reference. By modifying that slightly, the workflow could look something like this:

name: Create, Scan and Publish LLM Reference Image on: workflow_dispatch: inputs: release_version: description: 'tag to be created for this image (i.e. vxx.xx.xx)' required: true permissions: id-token: write contents: write packages: write env: GO_VERSION: '1.22' IMAGE_NAME: 'llm-reference-preset' REGISTRY: ghcr.io jobs: check-tag: runs-on: ubuntu-latest environment: preset-env outputs: tag: ${{ steps.get-tag.outputs.tag }} steps: - name: validate version run: | echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+$' - id: get-tag name: Get tag run: | echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - id: check-tag name: Check for Tag run: | TAG="${{ steps.get-tag.outputs.tag }}" if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then echo "create_tag=$(echo 'false' )" >> $GITHUB_OUTPUT else echo "create_tag=$(echo 'true' )" >> $GITHUB_OUTPUT fi - name: 'Create tag' if: steps.check-tag.outputs.create_tag == 'true' uses: actions/github-script@v7 with: script: | github.rest.git.createRef({ owner: context.repo.owner, repo: context.repo.repo, ref: 'refs/tags/${{ steps.get-tag.outputs.tag }}', sha: context.sha }) build-scan-publish-gh-images: runs-on: ubuntu-latest needs: [ check-tag ] environment: preset-env outputs: registry_repository: ${{ steps.get-registry.outputs.registry_repository }} steps: - id: get-registry run: | # registry must be in lowercase echo "registry_repository=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT - id: get-tag name: Get tag run: | echo "IMG_TAG=$(echo ${{ needs.check-tag.outputs.tag }} | tr -d v)" >> $GITHUB_ENV - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true fetch-depth: 0 ref: ${{ needs.check-tag.outputs.tag }} - name: Login to ${{ steps.get-registry.outputs.registry_repository }} uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build image run: | make docker-build-llm-reference-preset env: VERSION: ${{ needs.check-tag.outputs.tag }} REGISTRY: ${{ steps.get-registry.outputs.registry_repository }} - name: Scan ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} uses: aquasecurity/trivy-action@master with: image-ref: ${{ steps.get-registry.outputs.registry_repository }}/${{ env.IMAGE_NAME }}:${{ env.IMG_TAG }} format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' timeout: '5m0s' env: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

Could you check/take a look at this? Let me know if any further questions

-Original file line number
+Diff line change
@@ -0,0 +1,43 @@
+    name: LLM Reference Preset GHCR Image - Build & Push
+    on:
+      push:
+        tags:
+          - 'v*'
+    jobs:
+      build-and-push:
+        runs-on: ubuntu-latest
+        steps:
+        - name: Checkout the code
+          uses: actions/checkout@v4
+        - name: Log in to GitHub Container Registry
+          uses: docker/login-action@v3
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v3
+        - name: Docker meta
+          id: meta
+          uses: docker/metadata-action@v5
+          with:
+            images: ${{ env.REGISTRY }}/kaito-project/kaito/llm-reference-preset
+            tags: |
+              type=semver,pattern={{version}}
+        - name: Build and push
+          uses: docker/build-push-action@v6
+          with:
+            file: docs/custom-model-integration/Dockerfile.reference
+            push: true
+            build-args: |
+              MODEL_TYPE=text-generation
+              VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+            tags: ${{ steps.meta.outputs.tags }}
+            labels: ${{ steps.meta.outputs.labels }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

llm-reference-preset: Add workflow to build & push #743

Diff view

Diff view

There are no files selected for viewing

ishaansehgal99 Dec 2, 2024 •

edited

Loading

llm-reference-preset: Add workflow to build & push #743

llm-reference-preset: Add workflow to build & push #743

Diff view

Diff view

There are no files selected for viewing

ishaansehgal99 Dec 2, 2024 • edited Loading

Choose a reason for hiding this comment

ishaansehgal99 Dec 2, 2024 •

edited

Loading