[Snyk] Security upgrade python from 3.13.7-slim to 3.14.2-slim #46
| name: Build | |
| on: | |
| push: | |
| branches: [main, develop] | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| branches: [main, develop] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Set minimal required permissions | |
| permissions: | |
| contents: read | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_PREFIX: ${{ github.repository_owner }}/octollm | |
| jobs: | |
| build-python-services: | |
| name: Build Python Service - ${{ matrix.service }} | |
| runs-on: ubuntu-latest | |
| if: false # Disabled in Phase 0 - no Dockerfiles exist yet (will enable in Phase 1) | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| matrix: | |
| service: | |
| - orchestrator | |
| - planner | |
| - coder | |
| - judge | |
| - retriever | |
| - safety-guardian | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=sha | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: services/${{ matrix.service }}/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| BUILD_DATE=${{ steps.meta.outputs.created }} | |
| VCS_REF=${{ github.sha }} | |
| VERSION=${{ steps.meta.outputs.version }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service }}:${{ steps.meta.outputs.version }} | |
| format: 'sarif' | |
| output: 'trivy-${{ matrix.service }}.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| if: github.event_name != 'pull_request' | |
| continue-on-error: true | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: github.event_name != 'pull_request' | |
| with: | |
| sarif_file: 'trivy-${{ matrix.service }}.sarif' | |
| continue-on-error: true | |
| build-rust-services: | |
| name: Build Rust Service - ${{ matrix.service }} | |
| runs-on: ubuntu-latest | |
| if: false # Disabled in Phase 0 - no Dockerfiles exist yet (will enable in Phase 1) | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| matrix: | |
| service: | |
| - reflex-layer | |
| - executor | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=sha | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: services/${{ matrix.service == 'executor' && 'arms/executor' || matrix.service }}/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| BUILD_DATE=${{ steps.meta.outputs.created }} | |
| VCS_REF=${{ github.sha }} | |
| VERSION=${{ steps.meta.outputs.version }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service }}:${{ steps.meta.outputs.version }} | |
| format: 'sarif' | |
| output: 'trivy-${{ matrix.service }}.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| if: github.event_name != 'pull_request' | |
| continue-on-error: true | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: github.event_name != 'pull_request' | |
| with: | |
| sarif_file: 'trivy-${{ matrix.service }}.sarif' | |
| continue-on-error: true | |
| build-summary: | |
| name: Build Summary | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - name: Check build status | |
| run: | | |
| echo "📦 Build Workflow - Phase 0 Status" | |
| echo "" | |
| echo "⏸️ Container builds are DISABLED in Phase 0" | |
| echo "" | |
| echo "Reason: No Dockerfiles exist yet in this architecture/design phase" | |
| echo "" | |
| echo "Planned for Phase 1 (Proof of Concept):" | |
| echo "- Python services: orchestrator, planner, coder, judge, retriever, safety-guardian" | |
| echo "- Rust services: reflex-layer, executor" | |
| echo "- Multi-architecture: linux/amd64, linux/arm64" | |
| echo "- Registry: ghcr.io/${{ github.repository_owner }}/octollm-*" | |
| echo "- Auto-tagging: branch, PR, semver, SHA" | |
| echo "" | |
| echo "To enable: Change 'if: false' to 'if: true' in build jobs after Phase 1" |
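Review bot: The Trivy step in both build jobs references `aquasecurity/trivy-action@master`, a mutable branch ref, while every other action in the file is pinned to a release tag; a force-push or compromise of that branch would run arbitrary code with `packages: write` and the `GITHUB_TOKEN` on this workflow. Change the two `uses:` lines to `uses: aquasecurity/trivy-action@<pinned-tag-or-commit-sha>` (placeholder — pick the release the project has vetted) and let Dependabot or a similar updater bump it. Separately, the scan step sets `continue-on-error: true` with no `exit-code` input, so CRITICAL/HIGH findings are uploaded but never fail the build; if the intent is to gate pushes, that combination should be reconsidered once the jobs are enabled. Note also that both build jobs are still `if: false`, so the base-image upgrade this PR describes would not be built or scanned by this workflow as it stands — the rendered page gives no changed-line markers, so it is not clear from here whether this file is part of the change.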