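name: V1 Security Tests Python Images

on:
  push:
    branches: [ master ]
  pull_request:
    # TODO remove release-1.19.0-prep before merge to master
    branches:
      - master
      - release-1.19.0-prep
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository. actions/checkout needs contents:read; the artifact upload /
# download actions use the runner's own token rather than GITHUB_TOKEN.
permissions:
  contents: read

# NOTE(review): snyk/actions/docker is referenced via the mutable `master`
# ref and is handed SNYK_TOKEN. Pin third-party actions to a full commit SHA
# so that a compromised or force-pushed upstream cannot run arbitrary code
# with that secret. Also note that secrets are not exposed to pull_request
# runs from forks, so the Snyk steps (and therefore the final gate) fail there.
#
# Fixes relative to the previous revision of this file:
#   * $GITHUB_ENV does not cross job boundaries, so the base-image tag is now
#     exported as a job output and consumed via `needs`.
#   * The base images were saved to /tmp but uploaded from the workspace root
#     (and under a different filename for the python image), so the artifact
#     was empty; they are now saved into $GITHUB_WORKSPACE and the upload is
#     set to error when nothing matches.
#   * Step ids built from `${{ matrix.* }}` expressions, and `if:` conditions
#     embedding `${{ }}`, are not valid step syntax (presumably the cause of
#     the workflow-level check failure); the matrix job now uses fixed ids.
#   * Several `$` were missing (`IMAGE_NAME=SERVER_IMAGE_TAG`, `$${{ ... }}`),
#     producing empty or garbage make variables.
#   * sklearn/mlflow/xgboost were built both by the matrix and again by
#     hand-written steps in every matrix leg; the duplicates are removed and
#     the alibi components get their own matrix job.
#   * The final gate referenced step ids that never existed in that job
#     (scan-conda, scan-python-base, scan-tfserving-proxy, scan-alibi-detect
#     had no id), so it always failed. Each job now gates its own scans and a
#     final job aggregates the results.

jobs:
  build-upload-scan-base-images:
    runs-on: ubuntu-latest
    outputs:
      # Image refs (without tag) and scan outcomes consumed by downstream jobs.
      conda_base_image: ${{ steps.tags.outputs.conda_base_image }}
      python_base_image: ${{ steps.tags.outputs.python_base_image }}
      conda_scan: ${{ steps.scan-conda.outcome }}
      python_base_scan: ${{ steps.scan-python-base.outcome }}
      # Artifact member names; kept for compatibility with earlier revisions.
      conda_tar: conda-image.tar
      python_tar: python-image.tar
    steps:
      - uses: actions/checkout@v4

      - name: Free up disk space (android, haskell, dotnet)
        run: |
          sudo rm -rf /usr/local/lib/android || true
          sudo rm -rf /opt/ghc || true
          sudo rm -rf /usr/share/dotnet || true
          df -h
          # Diagnostic only: show what dominates /var on the runner.
          sudo du -xh --max-depth=2 /var 2>/dev/null | sort -h | tail -n 20 || true

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Random, per-run tags so a stale local image can never be scanned by
      # mistake. Written to both $GITHUB_ENV (for later steps in this job) and
      # $GITHUB_OUTPUT (for other jobs).
      - name: Generate docker image tags
        id: tags
        run: |
          TAG_CONDA="sec-tests/conda-base-$(date +%s)-$(openssl rand -hex 4)"
          TAG_PYTHON="sec-tests/python-base-$(date +%s)-$(openssl rand -hex 4)"
          echo "CONDA_BASE_IMAGE=$TAG_CONDA" >> "$GITHUB_ENV"
          echo "PYTHON_BASE_IMAGE=$TAG_PYTHON" >> "$GITHUB_ENV"
          echo "conda_base_image=$TAG_CONDA" >> "$GITHUB_OUTPUT"
          echo "python_base_image=$TAG_PYTHON" >> "$GITHUB_OUTPUT"
          echo "Generated tags: $TAG_CONDA $TAG_PYTHON"

      # Build and scan the Conda base image
      - name: Build (Conda Base Image)
        working-directory: ./wrappers/s2i/python
        run: |
          make CONDA_BASE_IMAGE="$CONDA_BASE_IMAGE" VERSION=test docker-build-conda-base
          # Save into the workspace root, which is where the upload step looks.
          docker save -o "$GITHUB_WORKSPACE/conda-image.tar" "$CONDA_BASE_IMAGE:test"

      - name: Scan Conda image
        id: scan-conda
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.CONDA_BASE_IMAGE }}:test
          args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile.conda

      # Build and scan the Python Wrapper base image
      - name: Build (Base Wrapper)
        working-directory: ./wrappers/s2i/python
        run: |
          # TODO(review): confirm whether this Makefile expects BASE_IMAGE as a
          # full ref; the conda image only exists as "$CONDA_BASE_IMAGE:test"
          # (compare servers/*, which are passed BASE_IMAGE=...:test).
          make CONDA_BASE_IMAGE="$CONDA_BASE_IMAGE" VERSION=test IMAGE_NAME="$PYTHON_BASE_IMAGE" docker-build PYTHON_VERSION=3.12.12 CONDA_VERSION=25.3.1 BASE_IMAGE="$CONDA_BASE_IMAGE"
          docker save -o "$GITHUB_WORKSPACE/python-image.tar" "$PYTHON_BASE_IMAGE:test"

      - name: Scan Python base image
        id: scan-python-base
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.PYTHON_BASE_IMAGE }}:test
          args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=wrappers/s2i/python/Dockerfile

      # Upload base images for the server / component jobs.
      - name: Upload base images
        uses: actions/upload-artifact@v4
        with:
          name: base-images
          path: |
            conda-image.tar
            python-image.tar
          # Fail loudly instead of shipping an empty artifact downstream.
          if-no-files-found: error

  build-servers:
    needs: build-upload-scan-base-images
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        server:
          - tfserving_proxy
          - sklearnserver
          - mlflowserver
          - xgboostserver
    env:
      PYTHON_BASE_IMAGE: ${{ needs.build-upload-scan-base-images.outputs.python_base_image }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          name: base-images

      - name: Load images
        run: |
          docker load -i conda-image.tar
          docker load -i python-image.tar

      - name: Install s2i CLI - needed for building the server images
        uses: redhat-actions/openshift-tools-installer@v1
        with:
          github_pat: ${{ github.token }}
          source: "github"
          s2i: "latest"

      # Fixed step ids: each matrix leg is its own job, so no suffix is needed
      # (and expressions are not permitted in `id:`).
      - name: Build ${{ matrix.server }}
        id: build-server
        continue-on-error: true
        working-directory: ./servers/${{ matrix.server }}
        run: |
          SERVER_IMAGE_TAG="sec-tests/${{ matrix.server }}-$(date +%s)-$(openssl rand -hex 4)"
          echo "SERVER_IMAGE_TAG=$SERVER_IMAGE_TAG" >> "$GITHUB_ENV"
          make IMAGE_NAME="$SERVER_IMAGE_TAG" VERSION=test BASE_IMAGE="$PYTHON_BASE_IMAGE:test" docker-build

      - name: Scan ${{ matrix.server }}
        id: scan-server
        if: steps.build-server.outcome == 'success'
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.SERVER_IMAGE_TAG }}:test
          args: --fail-on=upgradable --app-vulns --severity-threshold=high

      - name: Clean up Docker image
        if: always()
        # Best effort: the tag may be unset if the build step failed early.
        run: docker rmi "$SERVER_IMAGE_TAG:test" || true

      # A build failure surfaces here too: a skipped scan has outcome 'skipped'.
      - name: Check ${{ matrix.server }} scan result
        if: always()
        run: |
          if [ "${{ steps.scan-server.outcome }}" != "success" ]; then
            echo "Image scan for ${{ matrix.server }} did not succeed (outcome: ${{ steps.scan-server.outcome }})"
            exit 1
          fi

  build-components:
    needs: build-upload-scan-base-images
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component:
          - alibi-explain-server
          - alibi-detect-server
    env:
      PYTHON_BASE_IMAGE: ${{ needs.build-upload-scan-base-images.outputs.python_base_image }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/download-artifact@v4
        with:
          name: base-images

      - name: Load images
        run: |
          docker load -i conda-image.tar
          docker load -i python-image.tar

      # The component Makefiles take IMAGE (not IMAGE_NAME) and an untagged
      # BASE_IMAGE, matching the previous hand-written alibi steps.
      - name: Build ${{ matrix.component }}
        id: build-component
        continue-on-error: true
        working-directory: ./components/${{ matrix.component }}
        run: |
          COMPONENT_IMAGE_TAG="sec-tests/${{ matrix.component }}-$(date +%s)-$(openssl rand -hex 4)"
          echo "COMPONENT_IMAGE_TAG=$COMPONENT_IMAGE_TAG" >> "$GITHUB_ENV"
          make IMAGE="$COMPONENT_IMAGE_TAG" VERSION=test BASE_IMAGE="$PYTHON_BASE_IMAGE" docker-build

      - name: Scan ${{ matrix.component }}
        id: scan-component
        if: steps.build-component.outcome == 'success'
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.COMPONENT_IMAGE_TAG }}:test
          args: --fail-on=upgradable --app-vulns --severity-threshold=high --file=components/${{ matrix.component }}/Dockerfile

      - name: Clean up Docker image
        if: always()
        run: docker rmi "$COMPONENT_IMAGE_TAG:test" || true

      - name: Check ${{ matrix.component }} scan result
        if: always()
        run: |
          if [ "${{ steps.scan-component.outcome }}" != "success" ]; then
            echo "Image scan for ${{ matrix.component }} did not succeed (outcome: ${{ steps.scan-component.outcome }})"
            exit 1
          fi

  # Single gate for the whole workflow: runs even when upstream jobs failed so
  # that the reason is reported in one place.
  scan-gate:
    needs: [build-upload-scan-base-images, build-servers, build-components]
    runs-on: ubuntu-latest
    if: always()
    steps:
      - name: Check for image scan failures
        run: |
          if [ "${{ needs.build-upload-scan-base-images.outputs.conda_scan }}" != "success" ] || \
             [ "${{ needs.build-upload-scan-base-images.outputs.python_base_scan }}" != "success" ] || \
             [ "${{ needs.build-servers.result }}" != "success" ] || \
             [ "${{ needs.build-components.result }}" != "success" ]; then
            echo "One or more docker image scans did not succeed"
            exit 1
          fi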