feat(ci): migrate to use official BentoML CI action #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build prebuilt docker container | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: ['main'] | |
| pull_request: | |
| env: | |
| LINES: 120 | |
| COLUMNS: 120 | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun | |
| defaults: | |
| run: | |
| shell: bash --noprofile --norc -exo pipefail {0} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
| cancel-in-progress: true | |
| jobs: | |
| images: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| imgtype: [cpu, gpu] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1 | |
| with: | |
| bentoml-version: 'main' | |
| python-version: '3.11' | |
| - name: Inject slug/short variables | |
| uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/github-slug-action@v4.4.1 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2.2.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/setup-buildx-action@v2.9.1 | |
| with: | |
| install: true | |
| driver-opts: | | |
| image=moby/buildkit:master | |
| network=host | |
| - name: Install cosign | |
| if: github.event_name != 'pull_request' | |
| uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/cosign-installer@v3.1.1 | |
| with: | |
| cosign-release: 'v2.1.1' | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2.2.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata tags and labels on PRs | |
| if: github.event_name == 'pull_request' | |
| id: meta-pr | |
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0 | |
| with: | |
| images: ghcr.io/bentoml/${{ github.repository }} | |
| tags: | | |
| type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }} | |
| - name: Extract metadata tags and labels for main, release or tag | |
| if: github.event_name != 'pull_request' | |
| id: meta | |
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0 | |
| with: | |
| flavor: latest=auto | |
| images: ghcr.io/bentoml/${{ github.repository }} | |
| tags: | | |
| type=semver,pattern={{version}}-${{ matrix.imgtype }} | |
| type=semver,pattern={{major}}.{{minor}}-${{ matrix.imgtype }} | |
| type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=raw,value=${{ matrix.imgtype }},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} | |
| type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }} | |
| - name: identify bentofile | |
| id: bentofile-name | |
| run: | | |
| if [ "${{ matrix.imgtype }}" == 'gpu' ]; then | |
| echo "bentofile=bentofile.gpu.yaml" >> $GITHUB_OUTPUT | |
| else | |
| echo "bentofile=bentofile.yaml" >> $GITHUB_OUTPUT | |
| fi | |
| - uses: bentoml/build-bento-action@main # ratchet:exclude | |
| id: bento | |
| with: | |
| bentofile: ${{ steps.bentofile-name.outputs.bentofile }} | |
| - uses: bentoml/containerize-push-action@0301eeef2b03ed9053d7e5900f5d6f0970ea7a40 # ratchet:bentoml/containerize-push-action@v1 | |
| name: Containerize and push for ${{ matrix.imgtype }} | |
| with: | |
| bento-tag: '${{ steps.bento.outputs.bento-name }}:${{ steps.bento.outputs.bento-version }}' | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| build-args: | | |
| GIT_SHA=${{ env.GITHUB_SHA }} | |
| DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }} | |
| tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }} | |
| - name: Sign the released image | |
| if: ${{ github.event_name != 'pull_request' }} | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} | |
| - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph | |
| uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| image-ref: 'ghcr.io/bentoml/${{ github.repository }}:sha-${{ env.GITHUB_SHA_SHORT }}' | |
| format: 'github' | |
| output: 'dependency-results.sbom.json' | |
| github-pat: ${{ secrets.UI_GITHUB_TOKEN }} | |
| scanners: 'vuln' | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| image-ref: 'ghcr.io/bentoml/${{ github.repository }}:sha-${{ env.GITHUB_SHA_SHORT }}' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL' | |
| scanners: 'vuln' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/upload-sarif@v2 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| sarif_file: 'trivy-results.sarif' |