security(trivy): add trivy to supply chain #667
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, scan images and deploy | |
| on: | |
| push: | |
| branches: | |
| - main | |
| release: | |
| types: | |
| - published | |
| - edited | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| build-opengatellm-api: | |
| name: Build and push OpenGateLLM API image | |
| runs-on: ubuntu-latest | |
| env: | |
| API_IMAGE_NAME: ghcr.io/etalab-ia/opengatellm/api | |
| IMAGE_TAG: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }} | |
| outputs: | |
| commit_title: ${{ steps.get_head_commit_title.outputs.title }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - id: get_head_commit_title | |
| run: echo "title=$(git log --format=%B -n 1 HEAD | head -n 1)" >> $GITHUB_OUTPUT | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push OpenGateLLM API image to GitHub | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./api/Dockerfile | |
| build-args: BUILD_TARGET=api | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ env.API_IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
| cache-from: type=registry,ref=${{ env.API_IMAGE_NAME }}:cache | |
| cache-to: type=registry,ref=${{ env.API_IMAGE_NAME }}:cache,mode=max | |
| build-opengatellm-worker: | |
| name: Build and push OpenGateLLM worker image | |
| runs-on: ubuntu-latest | |
| env: | |
| WORKER_IMAGE_NAME: ghcr.io/etalab-ia/opengatellm/worker | |
| IMAGE_TAG: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push OpenGateLLM worker image to GitHub | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./api/Dockerfile | |
| build-args: BUILD_TARGET=worker | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ env.WORKER_IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
| cache-from: type=registry,ref=${{ env.WORKER_IMAGE_NAME }}:cache | |
| cache-to: type=registry,ref=${{ env.WORKER_IMAGE_NAME }}:cache,mode=max | |
| build-opengatellm-playground: | |
| name: Build and push OpenGateLLM playground image | |
| runs-on: ubuntu-latest | |
| env: | |
| GITHUB_PLAYGROUND_IMAGE_NAME: ghcr.io/etalab-ia/opengatellm/playground | |
| GITLAB_PLAYGROUND_IMAGE_NAME: registry.gitlab.com/${{ secrets.GITLAB_PROJECT_PATH }}/playground | |
| PLAYGROUND_URL: https://albert.playground.env.etalab.gouv.fr | |
| IMAGE_TAG: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push OpenGateLLM playground image to GitHub | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./playground/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
| cache-from: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache | |
| cache-to: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache,mode=max | |
| build-albert-playground: | |
| name: Build and push Albert playground image | |
| runs-on: ubuntu-latest | |
| env: | |
| GITLAB_PLAYGROUND_IMAGE_NAME: registry.gitlab.com/${{ secrets.GITLAB_PROJECT_PATH }}/playground | |
| IMAGE_TAG: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }} | |
| strategy: | |
| matrix: | |
| environment: [dev, staging, prod] | |
| include: | |
| - environment: dev | |
| url: https://albert.playground.dev.etalab.gouv.fr | |
| - environment: staging | |
| url: https://albert.playground.staging.etalab.gouv.fr | |
| - environment: prod | |
| url: https://albert.playground.etalab.gouv.fr | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Log in to GitLab Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: registry.gitlab.com | |
| username: ${{ secrets.GITLAB_USERNAME }} | |
| password: ${{ secrets.GITLAB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push Albert playground images to GitLab | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| build-args: | | |
| REFLEX_BACKEND_URL=${{ matrix.url }} | |
| REFLEX_FRONTEND_URL=${{ matrix.url }} | |
| CONFIG_FILE=.github/assets/playground.config.yml | |
| FAVICON=.github/assets/logo.svg | |
| LOGO=.github/assets/logo.svg | |
| file: ./playground/Dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ env.GITLAB_PLAYGROUND_IMAGE_NAME }}/${{ matrix.environment }}:${{ env.IMAGE_TAG }} | |
| cache-from: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache | |
| trivy-scan-api: | |
| name: Trivy scan — API | |
| needs: build-opengatellm-api | |
| uses: ./.github/workflows/trivy-scan.yml | |
| with: | |
| image-name: ghcr.io/etalab-ia/opengatellm/api | |
| image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }} | |
| trivy-scan-playground: | |
| name: Trivy scan — Playground | |
| needs: build-opengatellm-playground | |
| uses: ./.github/workflows/trivy-scan.yml | |
| with: | |
| image-name: ghcr.io/etalab-ia/opengatellm/playground | |
| image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }} | |
| trivy-scan-worker: | |
| name: Trivy scan — Worker | |
| needs: build-opengatellm-worker | |
| uses: ./.github/workflows/trivy-scan.yml | |
| with: | |
| image-name: ghcr.io/etalab-ia/opengatellm/worker | |
| image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }} | |
| deploy-dev: | |
| if: github.event_name == 'push' # Only deploy on push to main | |
| name: Deploy from ${{ github.ref_name }}/${{ github.sha }} | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build-opengatellm-api | |
| - build-opengatellm-playground | |
| - build-albert-playground | |
| - trivy-scan-api | |
| - trivy-scan-playground | |
| steps: | |
| - name: Trigger dev deployment | |
| run: | | |
| RESPONSE="$(curl --request POST \ | |
| --form token=${{ secrets.GITLAB_CI_TOKEN }} \ | |
| --form ref=main \ | |
| --form 'variables[pipeline_name]=${{ github.event.repository.name }} - ${{ needs.build-opengatellm-api.outputs.commit_title }}' \ | |
| --form 'variables[docker_image_tag]=latest' \ | |
| --form 'variables[application_to_deploy]=albert-api' \ | |
| --form 'variables[deployment_environment]=dev' \ | |
| 'https://gitlab.com/api/v4/projects/58117805/trigger/pipeline')" | |
| if echo "$RESPONSE" | grep -q '"status":"created"'; then | |
| echo $RESPONSE | |
| else | |
| echo $RESPONSE | |
| exit 1 | |
| fi |