Refactor Dockerfile to simplify model weight preloading condition and improve readability. Update GitHub Actions workflows to use specific commit SHA for actions, ensuring consistency and reliability in builds.

Author: lazarevtill

.github/workflows/codeql.yml

@@ -22,13 +22,13 @@ jobs:
         language: [ 'python' ]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
 

.github/workflows/create-release.yml

@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Create GitHub Release (official)
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/docker-publish.yml

@@ -15,18 +15,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
@@ -36,10 +36,10 @@ jobs:
             type=sha
 
       - name: Set up Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
 
       - name: Build and push (CPU)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
         with:
           context: .
           push: true
@@ -49,7 +49,7 @@ jobs:
             TORCH_INDEX_URL=https://download.pytorch.org/whl/cpu
 
       - name: Build and push (GPU)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
         with:
           context: .
           push: true
@@ -66,7 +66,7 @@ jobs:
       contents: write
     steps:
       - name: Create Nightly Release (official)
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
         with:
           script: |
             const { owner, repo } = context.repo;

.github/workflows/security.yml

@@ -13,8 +13,8 @@ jobs:
     name: Python dependency audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5
         with:
           python-version: '3.10'
       - name: Install deps
@@ -44,15 +44,15 @@ jobs:
           build-args: |
             TORCH_INDEX_URL=https://download.pytorch.org/whl/cpu
       - name: Trivy scan image
-        uses: aquasecurity/trivy-action@0.22.0
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # 0.22.0
         with:
           image-ref: lcm:ci-scan
           severity: HIGH,CRITICAL
           ignore-unfixed: true
           format: sarif
           output: trivy-results.sarif
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38a # v3
         with:
           sarif_file: trivy-results.sarif
 

Dockerfile

@@ -42,8 +42,7 @@ USER appuser
 
 # Optional: pre-download model weights to warm cache (increases image size)
 ARG PRELOAD_MODEL=0
-RUN if [ "$PRELOAD_MODEL" = "1" ]; then \
-    python - <<'PY' \
+RUN test "$PRELOAD_MODEL" != "1" || python - <<'PY'
 import os
 import torch
 from diffusers import DiffusionPipeline
@@ -54,10 +53,16 @@ custom_pipeline = os.getenv('LCM_CUSTOM_PIPELINE')
 custom_revision = os.getenv('LCM_CUSTOM_REVISION')
 
 dtype = torch.float16 if torch.cuda.is_available() else torch.float32
-_ = DiffusionPipeline.from_pretrained(model_id, custom_pipeline=custom_pipeline, custom_revision=custom_revision, revision=revision, torch_dtype=dtype, safety_checker=None)
+_ = DiffusionPipeline.from_pretrained(
+    model_id,
+    custom_pipeline=custom_pipeline,
+    custom_revision=custom_revision,
+    revision=revision,
+    torch_dtype=dtype,
+    safety_checker=None,
+)
 print('Model cached')
 PY
-    ; fi
 
 EXPOSE 8000