Merge pull request #17 from saichandrapandraju/migrate-image-judge

Migrate llm-judge detector to TrustyAI

Author: saichandrapandraju

.github/workflows/build-and-push.yaml

@@ -20,6 +20,12 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+    env:
+      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+      GITHUB_REF_NAME: ${{ github.ref_name }}
+      QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }}
+      GITHUB_REF: ${{ github.ref }}
+      GITHUB_HEAD_REF: ${{ github.head_ref }}
     steps: # Assign context variable for various action contexts (tag, main, CI)
       - name: Assigning CI context
         if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
@@ -48,51 +54,59 @@ jobs:
       # Print variables for debugging
       - name: Log reference variables
         run: |
-          echo "CONTEXT: ${{ env.BUILD_CONTEXT }}"
-          echo "GITHUB.REF: ${{ github.ref }}"
-          echo "GITHUB.HEAD_REF: ${{ github.head_ref }}"
-          echo "SHA: ${{ github.event.pull_request.head.sha }}"
-          echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest"
-          echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}"
-          echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}"
+          echo "CONTEXT: $BUILD_CONTEXT"
+          echo "GITHUB.REF: $GITHUB_REF"
+          echo "GITHUB.HEAD_REF: $GITHUB_HEAD_REF"
+          echo "SHA: $PR_HEAD_SHA"
+          echo "MAIN IMAGE AT: $QUAY_RELEASE_REPO:latest"
+          echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA"
+          echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA"
+          echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA"
 
       # Set environments depending on context
       - name: Set CI environment
         if:  env.BUILD_CONTEXT == 'ci'
         run: |
-          echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+          echo "TAG=$PR_HEAD_SHA" >> $GITHUB_ENV
           echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV
           echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV
+          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV
+          echo "EXPIRY_LABEL=--label quay.expires-after=7d" >> $GITHUB_ENV
       - name: Set main-branch environment
         if:  env.BUILD_CONTEXT == 'main'
         run: |
           echo "TAG=latest" >> $GITHUB_ENV
-          echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV
           echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
+          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV
+          echo "EXPIRY_LABEL=" >> $GITHUB_ENV
       - name: Set tag environment
         if: env.BUILD_CONTEXT == 'tag'
         run: |
-          echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
-          echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV
+          echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV
           echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV
+          echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV
+          echo "EXPIRY_LABEL=" >> $GITHUB_ENV
       #
       # Run docker commands
-      - name: Put expiry date on CI-tagged image
-        if:  env.BUILD_CONTEXT == 'ci'
-        run: |
-          echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf
-          echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn
       - name: Build image
-        run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors
+        run: docker build -t "$IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.hf detectors
       - name: Log in to Quay
-        run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
+        env:
+          QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }}
+          QUAY_ROBOT_SECRET: ${{ secrets.QUAY_ROBOT_SECRET }}
+        run: docker login -u "$QUAY_ROBOT_USERNAME" -p "$QUAY_ROBOT_SECRET" quay.io
       - name: Push to Quay CI repo
-        run: docker push ${{ env.IMAGE_NAME }}:$TAG
+        run: docker push "$IMAGE_NAME:$TAG"
       - name: Build built-in detector image
-        run: docker build -t ${{ env.BUILTIN_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.builtIn detectors
+        run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.builtIn detectors
       - name: Push to Quay CI repo
-        run: docker push ${{ env.BUILTIN_IMAGE_NAME }}:$TAG
-
+        run: docker push "$BUILTIN_IMAGE_NAME:$TAG"
+      - name: Build LLM Judge detector image
+        run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.judge detectors
+      - name: Push LLM Judge image to Quay CI repo
+        run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG"
       # Leave comment
       - uses: peter-evans/find-comment@v3
         name: Find Comment
@@ -112,8 +126,9 @@ jobs:
           body: |
             PR image build completed successfully!
             
-            📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}`
-            📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}`
+            📦 [Huggingface PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA`
+            📦 [Built-in PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA`
+            📦 [LLM Judge PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA`
       - name: Trivy scan
         uses: aquasecurity/[email protected]
         with:
@@ -136,6 +151,17 @@ jobs:
           exit-code: '0'
           ignore-unfixed: false
           vuln-type: 'os,library'
+      - name: Trivy scan, LLM Judge image
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: "${{ env.LLM_JUDGE_IMAGE_NAME }}:${{ env.TAG }}"
+          format: 'sarif'
+          output: 'trivy-results-llm-judge.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
       - name: Update Security tab - Huggingface
         uses: github/codeql-action/upload-sarif@v3
         with:
@@ -146,3 +172,8 @@ jobs:
         with:
           sarif_file: 'trivy-results-built-in.sarif'
           category: built-in
+      - name: Update Security tab - LLM Judge
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-llm-judge.sarif'
+          category: llm-judge

detectors/llm_judge/deploy/servingruntime.yaml

@@ -17,7 +17,7 @@ spec:
       name: guardrails-detector-llm-judge
   containers:
     - name: kserve-container
-      image: quay.io/spandraj/guardrails-detector-judge:latest
+      image: quay.io/trustyai/guardrails-detector-llm-judge:latest
       command:
         - uvicorn
         - detectors.llm_judge.app:app