diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml index 59ccbd0..bf026f8 100644 --- a/.github/workflows/build-and-push.yaml +++ b/.github/workflows/build-and-push.yaml @@ -20,6 +20,12 @@ jobs: contents: read pull-requests: write security-events: write + env: + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + GITHUB_REF_NAME: ${{ github.ref_name }} + QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} + GITHUB_REF: ${{ github.ref }} + GITHUB_HEAD_REF: ${{ github.head_ref }} steps: # Assign context variable for various action contexts (tag, main, CI) - name: Assigning CI context if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v') 
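Review bot: Three of the new job-level `env` entries (`GITHUB_REF_NAME`, `GITHUB_REF`, `GITHUB_HEAD_REF`) reuse names the runner already sets as default variables. GitHub documents that `GITHUB_*` defaults cannot be overridden from workflow `env`, so these lines have no effect and suggest a mapping the workflow does not actually control. Keeping only `PR_HEAD_SHA` and `QUAY_RELEASE_REPO` would be clearer, with a comment such as `# context values go through env so run: scripts never interpolate ${{ }} into shell text`. The job definition starts and continues outside this hunk.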
@@ -48,51 +54,59 @@ jobs: # Print variables for debugging - name: Log reference variables run: | - echo "CONTEXT: ${{ env.BUILD_CONTEXT }}" - echo "GITHUB.REF: ${{ github.ref }}" - echo "GITHUB.HEAD_REF: ${{ github.head_ref }}" - echo "SHA: ${{ github.event.pull_request.head.sha }}" - echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest" - echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}" - echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}" + echo "CONTEXT: $BUILD_CONTEXT" + echo "GITHUB.REF: $GITHUB_REF" + echo "GITHUB.HEAD_REF: $GITHUB_HEAD_REF" + echo "SHA: $PR_HEAD_SHA" + echo "MAIN IMAGE AT: $QUAY_RELEASE_REPO:latest" + echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA" + echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA" + echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA" # Set environments depending on context - name: Set CI environment if: env.BUILD_CONTEXT == 'ci' run: | - echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV + echo "TAG=$PR_HEAD_SHA" >> $GITHUB_ENV echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV + echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV + echo "EXPIRY_LABEL=--label quay.expires-after=7d" >> $GITHUB_ENV - name: Set main-branch environment if: env.BUILD_CONTEXT == 'main' run: | echo "TAG=latest" >> $GITHUB_ENV - echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV + echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV + echo 
"LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV + echo "EXPIRY_LABEL=" >> $GITHUB_ENV - name: Set tag environment if: env.BUILD_CONTEXT == 'tag' run: | - echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV - echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV + echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV + echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV + echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV + echo "EXPIRY_LABEL=" >> $GITHUB_ENV # # Run docker commands - - name: Put expiry date on CI-tagged image - if: env.BUILD_CONTEXT == 'ci' - run: | - echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf - echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn - name: Build image - run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors + run: docker build -t "$IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.hf detectors - name: Log in to Quay - run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io + env: + QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }} + QUAY_ROBOT_SECRET: ${{ secrets.QUAY_ROBOT_SECRET }} + run: docker login -u "$QUAY_ROBOT_USERNAME" -p "$QUAY_ROBOT_SECRET" quay.io - name: Push to Quay CI repo - run: docker push ${{ env.IMAGE_NAME }}:$TAG + run: docker push "$IMAGE_NAME:$TAG" - name: Build built-in detector image - run: docker build -t ${{ env.BUILTIN_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.builtIn detectors + run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.builtIn detectors - name: Push to Quay CI repo - run: docker push ${{ env.BUILTIN_IMAGE_NAME }}:$TAG - + run: docker push "$BUILTIN_IMAGE_NAME:$TAG" + - name: Build LLM Judge detector image + run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f 
detectors/Dockerfile.judge detectors + - name: Push LLM Judge image to Quay CI repo + run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG" # Leave comment - uses: peter-evans/find-comment@v3 name: Find Comment @@ -112,8 +126,9 @@ jobs: body: | PR image build completed successfully! - 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}` - 📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}` + 📦 [Huggingface PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA` + 📦 [Built-in PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA` + 📦 [LLM Judge PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA` - name: Trivy scan uses: aquasecurity/trivy-action@0.28.0 with: @@ -136,6 +151,17 @@ jobs: exit-code: '0' ignore-unfixed: false vuln-type: 'os,library' + - name: Trivy scan, LLM Judge image + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'image' + image-ref: "${{ env.LLM_JUDGE_IMAGE_NAME }}:${{ env.TAG }}" + format: 'sarif' + output: 'trivy-results-llm-judge.sarif' + severity: 'MEDIUM,HIGH,CRITICAL' + exit-code: '0' + ignore-unfixed: false + vuln-type: 'os,library' - name: Update Security tab - Huggingface uses: github/codeql-action/upload-sarif@v3 with: 
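Review bot: In the `Log in to Quay` step the robot secret is still passed to `docker login` with `-p`, which places it in the process argument list on the runner; moving it into `env` removes the template interpolation but not that exposure. Feeding it on stdin avoids this: `run: printf '%s' "$QUAY_ROBOT_SECRET" | docker login -u "$QUAY_ROBOT_USERNAME" --password-stdin quay.io`. Separately, `$EXPIRY_LABEL` in the three `docker build` lines appears to be left unquoted on purpose so it splits into `--label` and its value. A one-line comment saying so would stop a later edit from quoting it, which would pass an empty argument in the main and tag builds.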
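Review bot: The three image lines in the PR comment `body:` now contain a literal `$PR_HEAD_SHA`. This looks like an action input rather than a `run:` script (the step header is outside the hunk), so no shell expands it and the posted comment would show the variable name instead of the commit SHA. Expression syntax is the right tool inside a `with:` value and is not interpreted by a shell there, e.g. `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}` or `${{ env.PR_HEAD_SHA }}`. The built-in and LLM Judge links also omit the `/repository/` path segment that the Huggingface link uses, so they may not land on the tags page.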
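Review bot: The added `Trivy scan, LLM Judge image` step references `aquasecurity/trivy-action@0.28.0` by tag. It runs after `docker login` has stored the Quay robot credential in the runner's Docker config, in a job that also holds `pull-requests: write` and `security-events: write`. A tag can be moved by the action's publisher, so pinning to the full commit is safer: `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.28.0`. The same applies to the existing Trivy steps and to `peter-evans/find-comment@v3` and `github/codeql-action/upload-sarif@v3`. With `exit-code: '0'` the scan only reports, and the image has already been pushed by the time it runs.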
@@ -146,3 +172,8 @@ jobs: with: sarif_file: 'trivy-results-built-in.sarif' category: built-in + - name: Update Security tab - LLM Judge + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results-llm-judge.sarif' + category: llm-judge \ No newline at end of file diff --git a/detectors/llm_judge/deploy/servingruntime.yaml b/detectors/llm_judge/deploy/servingruntime.yaml index e70bb12..0ccf39e 100644 --- a/detectors/llm_judge/deploy/servingruntime.yaml +++ b/detectors/llm_judge/deploy/servingruntime.yaml @@ -17,7 +17,7 @@ spec: name: guardrails-detector-llm-judge containers: - name: kserve-container - image: quay.io/spandraj/guardrails-detector-judge:latest + image: quay.io/trustyai/guardrails-detector-llm-judge:latest command: - uvicorn - detectors.llm_judge.app:app
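Review bot: The runtime image is still referenced as `:latest`, a tag that the workflow changed in this same commit re-pushes on every main-branch build. A ServingRuntime that pulls a moving tag can change content without any change to this manifest. Pinning a release tag or digest, e.g. `image: quay.io/trustyai/guardrails-detector-llm-judge@sha256:<digest>`, keeps what is deployed reviewable and reproducible. The container spec continues outside the hunk, so any `imagePullPolicy` setting is not visible here.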