From 58808471548f659ce7c1a8ace525a10a05ef8fdd Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:28:53 +0100 Subject: [PATCH 01/12] Add build pipeline for hf detector --- .github/workflows/build-and-push-hf.yaml | 126 +++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 .github/workflows/build-and-push-hf.yaml diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml new file mode 100644 index 0000000..ab5954c --- /dev/null +++ b/.github/workflows/build-and-push-hf.yaml @@ -0,0 +1,126 @@ +name: Build and Push +on: + push: + branches: + - main + tags: + - v* + paths: + - 'detectors/huggingface/*' + - 'detectors/Dockerfile.hf' + pull_request_target: + paths: + - 'detectors/huggingface/*' + - 'detectors/Dockerfile.hf' + types: [labeled, opened, synchronize, reopened] +jobs: + # Ensure that tests pass before publishing a new image. + build-and-push-ci: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write + steps: # Assign context variable for various action contexts (tag, main, CI) + - name: Assigning CI context + if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v') + run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV + - name: Assigning tag context + if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v') + run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV + - name: Assigning main context + if: github.head_ref == '' && github.ref == 'refs/heads/main' + run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV + # + # Run checkouts + - uses: mheap/github-action-required-labels@v4 + if: env.BUILD_CONTEXT == 'ci' + with: + mode: minimum + count: 1 + labels: "ok-to-test, lgtm, approved" + - uses: actions/checkout@v3 + if: env.BUILD_CONTEXT == 'ci' + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v3 + if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag' + # + # Print variables for debugging + - name: Log reference variables + run: | + echo "CONTEXT: ${{ env.BUILD_CONTEXT }}" + echo "GITHUB.REF: ${{ github.ref }}" + echo "GITHUB.HEAD_REF: ${{ github.head_ref }}" + echo "SHA: ${{ github.event.pull_request.head.sha }}" + echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest" + echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}" + + # Set environments depending on context + - name: Set CI environment + if: env.BUILD_CONTEXT == 'ci' + run: | + echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV + echo "IMAGE_NAME=quay.io/trustyai/trustyai-service-ci" >> $GITHUB_ENV + - name: Set main-branch environment + if: env.BUILD_CONTEXT == 'main' + run: | + echo "TAG=latest" >> $GITHUB_ENV + echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV + - name: Set tag environment + if: env.BUILD_CONTEXT == 'tag' + run: | + echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV + echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV + # + # Run docker commands + - name: Pull prerequisite images + run: | + docker pull $(cat detectors/Dockerfile.hf | grep -o -P '(?<=FROM ).*(?= AS base)') + docker pull $(cat detectors/Dockerfile.hf | grep -o -P '(?<=FROM ).*(?= AS builder)') + - name: Put expiry date on CI-tagged image + if: env.BUILD_CONTEXT == 'ci' + run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf + - name: Build image + run: cd detectors; docker build -t ${{ env.IMAGE_NAME }}:$TAG Dockerfile.hf + - name: Log in to Quay + run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io + - name: Push to Quay CI repo + run: docker push ${{ env.IMAGE_NAME }}:$TAG + + # Leave comment + - uses: peter-evans/find-comment@v3 + name: Find Comment + id: fc + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: PR image build and manifest generation completed successfully + - uses: peter-evans/create-or-update-comment@v4 + name: Generate/update success message comment + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + edit-mode: replace + body: | + PR image build and manifest generation completed successfully! + + 📦 [PR image](quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}` + + ``` + - name: Trivy scan + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'image' + image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}" + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'MEDIUM,HIGH,CRITICAL' + exit-code: '0' + ignore-unfixed: false + vuln-type: 'os,library' + + - name: Update Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' From c0f88e6e68cc205152e9c7673b132137f3b1962b Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:30:35 +0100 Subject: [PATCH 02/12] dummy commit for action testing --- detectors/huggingface/dummy.abc | 1 + 1 file changed, 1 insertion(+) create mode 100644 detectors/huggingface/dummy.abc diff --git a/detectors/huggingface/dummy.abc b/detectors/huggingface/dummy.abc new file mode 100644 index 0000000..421376d --- /dev/null +++ b/detectors/huggingface/dummy.abc @@ -0,0 +1 @@ +dummy From e620db9c12dddd9ada385f6147930904032559b4 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:32:23 +0100 Subject: [PATCH 03/12] Update workflow name --- .github/workflows/build-and-push-hf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index ab5954c..0c1524e 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -1,4 +1,4 @@ -name: Build and Push +name: Build and Push - Huggingface Detector on: push: branches: From 03d198254d4a876777ff8db02f0cbaa61cd0396a Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:33:18 +0100 Subject: [PATCH 04/12] Update workflow name, remove prerequisite image pull --- .github/workflows/build-and-push-hf.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 0c1524e..8a0dc8a 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -74,10 +74,6 @@ jobs: echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV # # Run docker commands - - name: Pull prerequisite images - run: | - docker pull $(cat detectors/Dockerfile.hf | grep -o -P '(?<=FROM ).*(?= AS base)') - docker pull $(cat detectors/Dockerfile.hf | grep -o -P '(?<=FROM ).*(?= AS builder)') - name: Put expiry date on CI-tagged image if: env.BUILD_CONTEXT == 'ci' run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf From 15d27ef7819b195f7533d5e920898e05f216d646 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:35:14 +0100 Subject: [PATCH 05/12] Update workflow image name --- .github/workflows/build-and-push-hf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 8a0dc8a..a919c3b 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -78,7 +78,7 @@ jobs: if: env.BUILD_CONTEXT == 'ci' run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf - name: Build image - run: cd detectors; docker build -t ${{ env.IMAGE_NAME }}:$TAG Dockerfile.hf + run: docker build -t ${{ env.IMAGE_NAME }}:$TAG detectors/Dockerfile.hf - name: Log in to Quay run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io - name: Push to Quay CI repo From f27ef723fecc152467e0f073c50891f443b052a0 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:41:11 +0100 Subject: [PATCH 06/12] Update action for correct image name --- .github/workflows/build-and-push-hf.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index a919c3b..41a3272 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -61,7 +61,7 @@ jobs: if: env.BUILD_CONTEXT == 'ci' run: | echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV - echo "IMAGE_NAME=quay.io/trustyai/trustyai-service-ci" >> $GITHUB_ENV + echo "IMAGE_NAME= quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV - name: Set main-branch environment if: env.BUILD_CONTEXT == 'main' run: | @@ -78,7 +78,9 @@ jobs: if: env.BUILD_CONTEXT == 'ci' run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf - name: Build image - run: docker build -t ${{ env.IMAGE_NAME }}:$TAG detectors/Dockerfile.hf + run: | + ls + docker build -t ${{ env.IMAGE_NAME }}:$TAG detectors/Dockerfile.hf - name: Log in to Quay run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io - name: Push to Quay CI repo From 20964c55dadfb2d4532d60dc989a6e778d7e1aca Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:42:47 +0100 Subject: [PATCH 07/12] debug --- .github/workflows/build-and-push-hf.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 41a3272..8f782fe 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -79,8 +79,9 @@ jobs: run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf - name: Build image run: | + cd detectors ls - docker build -t ${{ env.IMAGE_NAME }}:$TAG detectors/Dockerfile.hf + docker build -t ${{ env.IMAGE_NAME }}:$TAG Dockerfile.hf - name: Log in to Quay run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io - name: Push to Quay CI repo From eb71bbf4352fc662f8c22752e834b11f304d4280 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:47:50 +0100 Subject: [PATCH 08/12] Update action for correct image name --- .github/workflows/build-and-push-hf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 8f782fe..015fdcc 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -81,7 +81,7 @@ jobs: run: | cd detectors ls - docker build -t ${{ env.IMAGE_NAME }}:$TAG Dockerfile.hf + docker build -t ${{ env.IMAGE_NAME }}:$TAG "Dockerfile.hf" - name: Log in to Quay run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io - name: Push to Quay CI repo From dccf39640fa214533697b86106f9e0d9855382b5 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:54:23 +0100 Subject: [PATCH 09/12] Update action for correct image name --- .github/workflows/build-and-push-hf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 015fdcc..7c98028 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -61,7 +61,7 @@ jobs: if: env.BUILD_CONTEXT == 'ci' run: | echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV - echo "IMAGE_NAME= quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV + echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV - name: Set main-branch environment if: env.BUILD_CONTEXT == 'main' run: | From 1ebec00f4cdb3574a6503938bedb03d6adb67fdb Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 10:55:31 +0100 Subject: [PATCH 10/12] Update action for correct image name --- .github/workflows/build-and-push-hf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 7c98028..0c356be 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -81,7 +81,7 @@ jobs: run: | cd detectors ls - docker build -t ${{ env.IMAGE_NAME }}:$TAG "Dockerfile.hf" + docker build -t ${{ env.IMAGE_NAME }}:$TAG ./Dockerfile.hf - name: Log in to Quay run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io - name: Push to Quay CI repo From 0e068a37b70efca7a6d6cc5a315b1437941cbe49 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 11:08:30 +0100 Subject: [PATCH 11/12] Update action for correct image name --- .github/workflows/build-and-push-hf.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 0c356be..856b30a 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -78,10 +78,7 @@ jobs: if: env.BUILD_CONTEXT == 'ci' run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf - name: Build image - run: | - cd detectors - ls - docker build -t ${{ env.IMAGE_NAME }}:$TAG ./Dockerfile.hf + run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors - name: Log in to Quay run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io - name: Push to Quay CI repo From 5fe8912a0201cddecd08cfc4670404c313a834b2 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Tue, 15 Apr 2025 11:17:59 +0100 Subject: [PATCH 12/12] Update comment --- .github/workflows/build-and-push-hf.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-and-push-hf.yaml b/.github/workflows/build-and-push-hf.yaml index 856b30a..9b7b365 100644 --- a/.github/workflows/build-and-push-hf.yaml +++ b/.github/workflows/build-and-push-hf.yaml @@ -99,11 +99,9 @@ jobs: issue-number: ${{ github.event.pull_request.number }} edit-mode: replace body: | - PR image build and manifest generation completed successfully! + PR image build completed successfully! - 📦 [PR image](quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}` - - ``` + 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}` - name: Trivy scan uses: aquasecurity/trivy-action@0.28.0 with: