From 34235790be17ab7e95e500968d2991da97b68cfd Mon Sep 17 00:00:00 2001
From: Aaron <29749331+aarnphm@users.noreply.github.com>
Date: Sun, 20 Aug 2023 06:52:51 -0400
Subject: [PATCH 1/5] feat(ci): migrate to use official BentoML CI action

Signed-off-by: Aaron <29749331+aarnphm@users.noreply.github.com>
---
 .github/actions/setup-repo/action.yml | 45 ---------
 .github/workflows/ci.yml | 8 +-
 .github/workflows/docker-push.yml | 135 ++++++++++++++++++--------
 3 files changed, 101 insertions(+), 87 deletions(-)
 delete mode 100644 .github/actions/setup-repo/action.yml

diff --git a/.github/actions/setup-repo/action.yml b/.github/actions/setup-repo/action.yml
deleted file mode 100644
index 836c4e4..0000000
--- a/.github/actions/setup-repo/action.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: Setup repo
-description: Setup repo with all features on CI
-inputs:
- python-version:
- description: 'Python version'
- required: true
- default: '3.9'
- architecture:
- description: 'Which architecture to run on'
- required: true
- default: x64
-runs:
- using: composite
- steps:
- - name: Fetch base reference.
- shell: bash
- run: git fetch origin $GITHUB_BASE_REF
- name: Setup Python
- uses: actions/setup-python@v4
- with:
- python-version: ${{ inputs.python-version }}
- architecture: ${{ inputs.architecture }}
- name: Setup node
- uses: actions/setup-node@v3
- with:
- node-version: '17'
- name: Get cache key prefix
- id: get-cache-key-prefix
- shell: bash
- run: echo "prefix=${{ runner.os }}-${{ inputs.python-version }}" >> $GITHUB_OUTPUT
- name: Get pip cache dir
- id: pip-cache-dir
- shell: bash
- run: echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT
- name: Cache pip dependencies
- uses: actions/cache@v3
- id: cache-pip
- with:
- path: ${{ steps.pip-cache-dir.outputs.dir }}
- key: ${{ steps.get-cache-key-prefix.outputs.prefix }}-pypi
- restore-keys: |
- ${{ steps.get-cache-key-prefix.outputs.prefix }}-pypi-
- - name: Install dependencies
- shell: bash
- run: pip install -r requirements/tests.txt
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 04de483..b585b2e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
 if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 with:
 fetch-depth: 0 # fetch all tags and branches
 - name: Setup CI
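Review bot: The composite action this job still invokes is deleted in the same commit: the hunk's closing context line `- name: Setup CI` is followed, just outside the hunk, by `uses: ./.github/actions/setup-repo` (it is visible as context in the patch 2 hunk at `@@ -24,10`), so at this commit the job cannot resolve the step and fails before running anything. The same holds for the `@@ -54,7` hunk of this file, which also ends on `- name: Setup CI`; only docker-push.yml is switched over to `bentoml/setup-bentoml-action` here, and ci.yml catches up in patches 2 and 4. Either move the deletion of `.github/actions/setup-repo/action.yml` to the commit that removes its last use, or squash the CI changes into one commit, so every commit in the series is green and bisectable.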
@@ -54,7 +54,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 timeout-minutes: 90
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 with:
 fetch-depth: 0 # fetch all tags and branches
 - name: Setup CI
@@ -62,11 +62,11 @@ jobs:
 with:
 python-version: ${{ matrix.python-version }}
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2
 if: ${{ matrix.os == 'ubuntu-latest' }}
 - name: Set up Docker Buildx
 if: ${{ matrix.os == 'ubuntu-latest' }}
 id: buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/setup-buildx-action@v2
 - name: Run tests
 run: pytest tests -vvv
diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
index 00a14b6..403a768 100644
--- a/.github/workflows/docker-push.yml
+++ b/.github/workflows/docker-push.yml
@@ -1,4 +1,4 @@
-name: push-docker-prebuilt
+name: Build prebuilt docker container
 on:
 workflow_dispatch:
 push:
@@ -7,60 +7,119 @@ on:
 env:
 LINES: 120
 COLUMNS: 120
- PYTEST_PLUGINS: bentoml.testing.pytest.plugin
- SETUPTOOLS_USE_DISTUTILS: stdlib
- BENTOML_BUNDLE_LOCAL_BUILD: True
- REGISTRY: ghcr.io
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
 defaults:
 run:
 shell: bash --noprofile --norc -exo pipefail {0}
 concurrency:
- group: docker-build-${{ github.event.pull_request.number || github.sha }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
 cancel-in-progress: true
 jobs:
- build-containerize-push:
+ images:
 strategy:
 fail-fast: false
 matrix:
- tag: [cpu, gpu]
+ imgtype: [cpu, gpu]
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
- uses: actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 with:
- fetch-depth: 0 # fetch all tags and branches
- - name: Setup CI
- uses: ./.github/actions/setup-repo
+ fetch-depth: 0
+ - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
+ with:
+ bentoml-version: 'main'
+ python-version: '3.11'
+ - name: Inject slug/short variables
+ uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/github-slug-action@v4.4.1
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2.2.0
 - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@v2
- - id: repository
- uses: ASzc/change-string-case-action@v5
+ uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/setup-buildx-action@v2.9.1
+ with:
+ install: true
+ driver-opts: |
+ image=moby/buildkit:master
+ network=host
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # 
ratchet:sigstore/cosign-installer@v3.1.1
+ with:
+ cosign-release: 'v2.1.1'
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2.2.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract metadata tags and labels on PRs
+ if: github.event_name == 'pull_request'
+ id: meta-pr
+ uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0
+ with:
+ images: ghcr.io/bentoml/${{ github.repository }}
+ tags: |
+ type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}
+ - name: Extract metadata tags and labels for main, release or tag
+ if: github.event_name != 'pull_request'
+ id: meta
+ uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0
 with:
- string: ${{ github.repository }}
- - name: Build and containerize
+ flavor: latest=auto
+ images: ghcr.io/bentoml/${{ github.repository }}
+ tags: |
+ type=semver,pattern={{version}}-${{ matrix.imgtype }}
+ type=semver,pattern={{major}}.{{minor}}-${{ matrix.imgtype }}
+ type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+ type=raw,value=${{ matrix.imgtype }},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+ type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}
+ - name: identify bentofile
+ id: bentofile-name
 run: |
- if [ "${{ matrix.tag }}" == 'gpu' ]; then
- BENTOFILE='bentofile.gpu.yaml'
- TAG="$(basename ${{ steps.repository.outputs.lowercase }})-gpu"
+ if [ "${{ matrix.imgtype }}" == 'gpu' ]; then
+ echo "bentofile=bentofile.gpu.yaml" >> $GITHUB_OUTPUT
 else
- BENTOFILE='bentofile.yaml'
- TAG="$(basename ${{ steps.repository.outputs.lowercase }})"
+ echo "bentofile=bentofile.yaml" >> $GITHUB_OUTPUT
 fi
-
- bentoml build -f 
"${BENTOFILE}" && bentoml containerize "$TAG" --opt progress=plain --image-tag ${{ env.REGISTRY }}/${{ steps.repository.outputs.lowercase }}:${{ matrix.tag }}
- - name: Check available images
- run: docker image list
- - name: Log in to the Container registry
- uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
+ - uses: bentoml/build-bento-action@main # ratchet:exclude
+ id: bento
 with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Push image to Github Container registry
- if: '!github.event.repository.fork' # No need to run this actions on fork
- # if: ${{ !github.event.repository.fork && github.event_name == 'push' }} # No need to run this actions on fork
- run: docker push ${{ env.REGISTRY }}/${{ steps.repository.outputs.lowercase }}:${{ matrix.tag }}
+ bentofile: ${{ steps.bentofile-name.outputs.bentofile }}
+ - uses: bentoml/containerize-push-action@0301eeef2b03ed9053d7e5900f5d6f0970ea7a40 # ratchet:bentoml/containerize-push-action@v1
+ name: Containerize and push for ${{ matrix.imgtype }}
+ with:
+ bento-tag: '${{ steps.bento.outputs.bento-name }}:${{ steps.bento.outputs.bento-version }}'
+ platforms: linux/amd64,linux/arm64
+ push: true
+ build-args: |
+ GIT_SHA=${{ env.GITHUB_SHA }}
+ DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
+ tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
+ - name: Sign the released image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ image-ref: 
'ghcr.io/bentoml/${{ github.repository }}:sha-${{ env.GITHUB_SHA_SHORT }}'
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ github-pat: ${{ secrets.UI_GITHUB_TOKEN }}
+ scanners: 'vuln'
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ image-ref: 'ghcr.io/bentoml/${{ github.repository }}:sha-${{ env.GITHUB_SHA_SHORT }}'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL'
+ scanners: 'vuln'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/upload-sarif@v2
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ sarif_file: 'trivy-results.sarif'

From 7a359e60088efff01b35761e8bd7f7f174ce592b Mon Sep 17 00:00:00 2001
From: Aaron <29749331+aarnphm@users.noreply.github.com>
Date: Sun, 20 Aug 2023 06:57:13 -0400
Subject: [PATCH 2/5] chore: fix action on CI and add permission for build jobs

Signed-off-by: Aaron <29749331+aarnphm@users.noreply.github.com>
---
 .github/workflows/ci.yml | 15 +++++++++------
 .github/workflows/docker-push.yml | 7 +++++++
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b585b2e..17fa418 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
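Review bot: The `Sign the released image` step reads `steps.build-and-push.outputs.digest`, but no step in this job declares `id: build-and-push` (the ids present are `meta-pr`, `meta`, `bentofile-name` and `bento`), so the expression expands to an empty string and `cosign sign` is handed `<tag>@` for every tag, which is not a valid reference and cannot produce a signature. Give the `bentoml/containerize-push-action` step `id: build-and-push` — assuming that action exposes a `digest` output, which this hunk does not show. Separately, both Trivy `image-ref` values end in `sha-${{ env.GITHUB_SHA_SHORT }}` while every tag emitted by the two metadata steps carries a `-${{ matrix.imgtype }}` suffix, so the scanned reference is never pushed; append `-${{ matrix.imgtype }}` there (the `@@ -113` and `@@ -122` hunks of patch 4 rewrite the same two lines and keep the mismatch). Lastly, `bentoml/build-bento-action@main # ratchet:exclude` is the only floating ref left in a job that pushes and signs release images, and `driver-opts: image=moby/buildkit:master` floats as well; pin both the way the other `uses:` lines are pinned once a release exists.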
@@ -24,10 +24,13 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
 steps:
- - name: Checkout
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
 with:
- fetch-depth: 0 # fetch all tags and branches
+ bentoml-version: 'main'
+ python-version: '3.11'
 - name: Setup CI
 uses: ./.github/actions/setup-repo
 - name: Install dependencies
@@ -56,10 +59,10 @@ jobs:
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 with:
- fetch-depth: 0 # fetch all tags and branches
- - name: Setup CI
- uses: ./.github/actions/setup-repo
+ fetch-depth: 0
+ - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
 with:
+ bentoml-version: 'main'
 python-version: ${{ matrix.python-version }}
 - name: Set up QEMU
 uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2
diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
index 403a768..bf71c7f 100644
--- a/.github/workflows/docker-push.yml
+++ b/.github/workflows/docker-push.yml
@@ -16,6 +16,13 @@ concurrency:
 cancel-in-progress: true
 jobs:
 images:
+ permissions:
+ contents: write
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+ security-events: write
 strategy:
 fail-fast: false
 matrix:

From a1a4f933d894dfc84b4ac27a0faeae721641951a Mon Sep 17 00:00:00 2001
From: Aaron <29749331+aarnphm@users.noreply.github.com>
Date: Sun, 20 Aug 2023 07:00:52 -0400
Subject: [PATCH 3/5] chore: add dependencies requirements
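Review bot: `bentoml-version: 'main'` makes every run install whatever the upstream BentoML default branch holds at that moment — in both hunks of this file and in the docker-push.yml job — while the action itself is pinned to a commit; a run can then not be reproduced later, and an unrelated upstream push surfaces as a red build here. If tracking the development branch is the intent, say so next to the value, e.g. `bentoml-version: 'main'  # deliberately tracks upstream HEAD; pin to a release for reproducible runs`; otherwise pin to a release tag or commit.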
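Review bot: `contents: write` is the broadest grant in the new job-level `permissions` block and, unlike `id-token`, carries no comment saying which step needs it; nothing in this hunk shows a consumer, and package push, keyless signing and SARIF upload are covered by `packages`, `id-token` and `security-events` respectively. If it is there for the Trivy step that submits the SBOM to the Dependency Graph (the `github` output format goes through the dependency-submission API, which needs write access to contents), document that in place: `# contents: write is for the Trivy dependency-submission (format: github) step`. If that step keeps authenticating with the separate `secrets.UI_GITHUB_TOKEN` PAT rather than `GITHUB_TOKEN`, the scope is unused and can be dropped.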
Signed-off-by: Aaron <29749331+aarnphm@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/docker-push.yml | 2 ++
 lock | 14 ++++++++++++++
 3 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100755 lock

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 09d4fca..a264484 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,13 +21,13 @@ jobs:
 language: ['python']
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/init@v2
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/autobuild@v2
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/analyze@v2
diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
index bf71c7f..78ff8fa 100644
--- a/.github/workflows/docker-push.yml
+++ b/.github/workflows/docker-push.yml
@@ -36,6 +36,8 @@ jobs:
 with:
 bentoml-version: 'main'
 python-version: '3.11'
+ - name: Install dependencies
+ run: pip install -r requirements/pypi.txt
 - name: Inject slug/short variables
 uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/github-slug-action@v4.4.1
 - name: Set up QEMU
diff --git a/lock b/lock
new file mode 100755
index 0000000..1ba9a26
--- /dev/null
+++ b/lock
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -ex
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+
+cd "$GIT_ROOT" || exit 1
+
+[[ -x "$(command -v docker)" ]] || (
+ echo "docker not found. Make sure to have docker running to run this job."
+ exit 1
+)
+
+RATCHET_EXP_KEEP_NEWLINES=true find "${GIT_ROOT}/.github/workflows" -type f -iname '*.yml' -exec docker run -it --rm -v "${PWD}":"${PWD}" -w "${PWD}" -e RATCHET_EXP_KEEP_NEWLINES=true ghcr.io/sethvargo/ratchet:0.4.0 pin {} \;

From ea5ff378a9ff49eef9cdd4b27fc1f416f884ad7b Mon Sep 17 00:00:00 2001
From: Aaron <29749331+aarnphm@users.noreply.github.com>
Date: Sun, 20 Aug 2023 07:22:53 -0400
Subject: [PATCH 4/5] fix: install deps

Signed-off-by: Aaron <29749331+aarnphm@users.noreply.github.com>
---
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/docker-push.yml | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 17fa418..51be2ac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,8 +31,6 @@ jobs:
 with:
 bentoml-version: 'main'
 python-version: '3.11'
- - name: Setup CI
- uses: ./.github/actions/setup-repo
 - name: Install dependencies
 run: pip install black isort ruff
 - name: Install pyright
@@ -64,6 +62,8 @@ jobs:
 with:
 bentoml-version: 'main'
 python-version: ${{ matrix.python-version }}
+ - name: Install dependencies
+ run: pip install -r requirements/tests.txt
 - name: Set up QEMU
 uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2
 if: ${{ matrix.os == 'ubuntu-latest' }}
diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
index 78ff8fa..88de192 100644
--- a/.github/workflows/docker-push.yml
+++ b/.github/workflows/docker-push.yml
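Review bot: In `[[ -x "$(command -v docker)" ]] || ( ... exit 1 )` the `exit 1` runs inside a subshell, so it terminates only that subshell; the script still stops here today, but only because `set -e` treats the failing subshell as the last command of the `||` list, which silently breaks if `-e` is ever dropped. Use a group command so the intent does not depend on errexit, and send the message to stderr: `[[ -x "$(command -v docker)" ]] || { echo "docker not found. Make sure to have docker running to run this job." >&2; exit 1; }`. The `docker run -it` inside `find -exec` also requests a TTY, so the script fails with a "not a TTY" error when invoked without one (a hook or CI job); ratchet's `pin` is non-interactive and needs neither `-i` nor `-t`. The `RATCHET_EXP_KEEP_NEWLINES=true` prefix on `find` is redundant with the `-e` flag that actually passes the variable into the container, and the ratchet image is itself pinned by tag rather than digest, which a pinning tool's own wrapper might reasonably do better.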
@@ -65,7 +65,7 @@ jobs:
 id: meta-pr
 uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0
 with:
- images: ghcr.io/bentoml/${{ github.repository }}
+ images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
 tags: |
 type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}
 - name: Extract metadata tags and labels for main, release or tag
@@ -74,7 +74,7 @@ jobs:
 uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0
 with:
 flavor: latest=auto
- images: ghcr.io/bentoml/${{ github.repository }}
+ images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
 tags: |
 type=semver,pattern={{version}}-${{ matrix.imgtype }}
 type=semver,pattern={{major}}.{{minor}}-${{ matrix.imgtype }}
@@ -113,7 +113,7 @@ jobs:
 uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
 if: ${{ github.event_name != 'pull_request' }}
 with:
- image-ref: 'ghcr.io/bentoml/${{ github.repository }}:sha-${{ env.GITHUB_SHA_SHORT }}'
+ image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}'
 format: 'github'
 output: 'dependency-results.sbom.json'
 github-pat: ${{ secrets.UI_GITHUB_TOKEN }}
@@ -122,7 +122,7 @@ jobs:
 uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
 if: ${{ github.event_name != 'pull_request' }}
 with:
- image-ref: 'ghcr.io/bentoml/${{ github.repository }}:sha-${{ env.GITHUB_SHA_SHORT }}'
+ image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}'
 format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL'

From 4c90c8aef66946e56839de23fc5c8168ec9834fa Mon Sep 17 00:00:00 2001
From: Aaron <29749331+aarnphm@users.noreply.github.com>
Date: Sun, 20 Aug 2023 07:29:07 -0400
Subject: [PATCH 5/5] chore: update name for GPU build
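Review bot: ghcr.io rejects repository paths containing uppercase characters, and `env.GITHUB_REPOSITORY` — like the `github.repository` it replaces here — is case-preserving, whereas the pre-series workflow ran the name through a lowercase step (`ASzc/change-string-case-action`) before using it. docker/metadata-action normalizes its `images` input itself, I believe, so the two `images:` lines in the `@@ -65` and `@@ -74` hunks are probably fine, but the two Trivy `image-ref` strings in the `@@ -113` and `@@ -122` hunks are passed verbatim and will not resolve for any owner or repository with capitals (a fork, for instance). Lowercase the name once in a small shell step that writes it to `$GITHUB_OUTPUT` and reference that output from both Trivy steps, or scan a tag taken from `steps.meta.outputs.tags`.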
Signed-off-by: Aaron <29749331+aarnphm@users.noreply.github.com>
---
 bentofile.gpu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bentofile.gpu.yaml b/bentofile.gpu.yaml
index 780cbef..9956339 100644
--- a/bentofile.gpu.yaml
+++ b/bentofile.gpu.yaml
@@ -1,5 +1,5 @@
 service: 'service.py:svc'
-name: transformers-nlp-service-gpu
+name: transformers-nlp-service
 labels:
 owner: bentoml-team
 project: transformers-nlp-service