
feat(ci): migrate to use official BentoML CI action #53


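# Builds a Bento for each image type (cpu, gpu), containerizes it, pushes the
# image to ghcr.io, and — outside of pull requests — signs the pushed tags with
# cosign, scans the image with Trivy and uploads the SARIF to code scanning.
name: Build prebuilt docker container

# `on` is a YAML 1.1 truthy key; GitHub's loader handles it, yamllint `truthy` may not.
on:
  workflow_dispatch:
  push:
    branches: ['main']
  pull_request:

env:
  LINES: 120
  COLUMNS: 120

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
# NOTE: `-x` traces every command of every `run:` step into the job log; keep
# secrets out of command lines in this workflow.
defaults:
  run:
    shell: bash --noprofile --norc -exo pipefail {0}

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

jobs:
  images:
    permissions:
      contents: write
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        imgtype: [cpu, gpu]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
        with:
          bentoml-version: 'main'
          python-version: '3.11'

      - name: Install dependencies
        run: pip install -r requirements/pypi.txt

      # Provides GITHUB_SHA_SHORT (used in the tags below).
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/[email protected]

      - name: Set up QEMU
        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/[email protected]

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/[email protected]
        with:
          install: true
          driver-opts: |
            image=moby/buildkit:master
            network=host

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/[email protected]
        with:
          cosign-release: 'v2.1.1'

      - name: Login to GitHub Container Registry
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/[email protected]
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # PR builds get a single sha-<short>-<imgtype> tag.
      - name: Extract metadata tags and labels on PRs
        if: github.event_name == 'pull_request'
        id: meta-pr
        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/[email protected]
        with:
          images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
          tags: |
            type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}

      # Non-PR builds additionally get semver tags and, on the default branch,
      # `latest` and the bare `<imgtype>` tag.
      - name: Extract metadata tags and labels for main, release or tag
        if: github.event_name != 'pull_request'
        id: meta
        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/[email protected]
        with:
          flavor: latest=auto
          images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
          tags: |
            type=semver,pattern={{version}}-${{ matrix.imgtype }}
            type=semver,pattern={{major}}.{{minor}}-${{ matrix.imgtype }}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
            type=raw,value=${{ matrix.imgtype }},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
            type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}

      # Selects the bentofile for the matrix entry; exposed as `bentofile`.
      - name: identify bentofile
        id: bentofile-name
        run: |
          if [ "${{ matrix.imgtype }}" == 'gpu' ]; then
            echo "bentofile=bentofile.gpu.yaml" >> "$GITHUB_OUTPUT"
          else
            echo "bentofile=bentofile.yaml" >> "$GITHUB_OUTPUT"
          fi

      # Deliberately unpinned (`ratchet:exclude`): this step floats on `main`, so it is
      # the one step in the job whose code is not fixed by a commit SHA.
      - uses: bentoml/build-bento-action@main # ratchet:exclude
        id: bento
        with:
          bentofile: ${{ steps.bentofile-name.outputs.bentofile }}

      # `id` is required: the signing step below references
      # steps.build-and-push.outputs.digest, which was otherwise empty.
      # NOTE(review): assumes containerize-push-action exposes a `digest` output — confirm.
      - uses: bentoml/containerize-push-action@0301eeef2b03ed9053d7e5900f5d6f0970ea7a40 # ratchet:bentoml/containerize-push-action@v1
        id: build-and-push
        name: Containerize and push for ${{ matrix.imgtype }}
        with:
          bento-tag: '${{ steps.bento.outputs.bento-name }}:${{ steps.bento.outputs.bento-version }}'
          platforms: linux/amd64,linux/arm64
          push: true
          build-args: |
            GIT_SHA=${{ env.GITHUB_SHA }}
            DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
          tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}

      # Signs every pushed tag by digest (keyless, via the id-token permission above).
      # Fails fast instead of running `cosign sign <tag>@` when no digest is available.
      - name: Sign the released image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          digest='${{ steps.build-and-push.outputs.digest }}'
          if [ -z "$digest" ]; then
            echo "build-and-push step produced no image digest; refusing to sign" >&2
            exit 1
          fi
          echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes "{}@${digest}"

      # The image-ref must match a tag that was actually pushed: tags carry the
      # `-<imgtype>` suffix (see the metadata steps above).
      # NOTE(review): the built-in GITHUB_TOKEN with the `contents: write` permission
      # granted above is usually sufficient for dependency-graph submission — confirm
      # before keeping a separate PAT in UI_GITHUB_TOKEN.
      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
        uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
        if: ${{ github.event_name != 'pull_request' }}
        with:
          image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}'
          format: 'github'
          output: 'dependency-results.sbom.json'
          github-pat: ${{ secrets.UI_GITHUB_TOKEN }}
          scanners: 'vuln'

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
        if: ${{ github.event_name != 'pull_request' }}
        with:
          image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
          scanners: 'vuln'

      # A distinct category per matrix entry keeps the cpu and gpu uploads from
      # overwriting each other for the same commit.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/upload-sarif@v2
        if: ${{ github.event_name != 'pull_request' }}
        with:
          sarif_file: 'trivy-results.sarif'
          category: trivy-${{ matrix.imgtype }}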