Skip to content
SLSA for ML models example

SLSA for ML models example #564

Sign in to view logs

SLSA for ML models example

SLSA for ML models example #564

Workflow file for this run

.github/workflows/slsa_for_ml.yml at 74dedf9
# Copyright 2024 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: SLSA for ML models example
on:
workflow_dispatch:
inputs:
model_type:
description: Name of the model (implies framework)
required: true
type: choice
options:
- tensorflow_model.keras
- tensorflow_hdf5_model.h5
- tensorflow_hdf5.weights.h5
- pytorch_model.pth
- pytorch_full_model.pth
- pytorch_jitted_model.pt
pull_request:
branches: [main]
types: [opened, synchronize]
paths-ignore:
- '**/*.md'
- '*.md'
permissions: read-all
defaults:
run:
shell: bash
jobs:
train:
name: Train model
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest] ## , macos-latest, windows-latest]
include:
#- os: macos-latest
# os_family: Darwin
- os: ubuntu-latest
os_family: Linux
#- os: windows-latest
# os_family: Windows
outputs:
hash-ubuntu-latest: ${{ steps.hash.outputs.hash-ubuntu-latest }}
# hash-macos-latest: ${{ steps.hash.outputs.hash-macos-latest }}
# hash-windows-latest: ${{ steps.hash.outputs.hash-windows-latest }}
steps:
- run: git config --global core.autocrlf input
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: 3.11
cache: pip
cache-dependency-path: slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
- name: Install dependencies
run: |
set -exuo pipefail
python -m venv venv
.github/workflows/scripts/venv_activate.sh
python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
- name: Build model
env:
MODEL_TYPE: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}
run: |
set -exuo pipefail
python -m venv venv
.github/workflows/scripts/venv_activate.sh
python slsa_for_models/main.py "$MODEL_TYPE"
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
path: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}
name: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}_${{ matrix.os_family }}
if-no-files-found: error
- id: hash
env:
MODEL: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}
run: |
set -euo pipefail
(sha256sum -t "$MODEL" || shasum -a 256 "$MODEL") > checksum
echo "hash-${{ matrix.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
provenance:
# TODO(mihaimaruseac): Don't run on pull requests for now
if: ${{ github.event_name != 'pull_request' }}
needs: [train]
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest] #, macos-latest, windows-latest]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects: "${{ needs.train.outputs[format('hash-{0}', matrix.os)] }}"
upload-assets: true # NOTE: This does nothing unless 'upload-tag-name' parameter is also set to an existing tag