feat(ci): migrate to use official BentoML CI action

.github/workflows/ci.yml

@@ -24,12 +24,13 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request'  || github.event_name == 'push' }}
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
         with:
-          fetch-depth: 0 # fetch all tags and branches
-      - name: Setup CI
-        uses: ./.github/actions/setup-repo
+          fetch-depth: 0
+      - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
+        with:
+          bentoml-version: 'main'
+          python-version: '3.11'
       - name: Install dependencies
         run: pip install black isort ruff
       - name: Install pyright
@@ -54,19 +55,21 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 90
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
         with:
-          fetch-depth: 0 # fetch all tags and branches
-      - name: Setup CI
-        uses: ./.github/actions/setup-repo
+          fetch-depth: 0
+      - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
         with:
+          bentoml-version: 'main'
           python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: pip install -r requirements/tests.txt
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2
         if: ${{ matrix.os == 'ubuntu-latest' }}
       - name: Set up Docker Buildx
         if: ${{ matrix.os == 'ubuntu-latest' }}
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/setup-buildx-action@v2
       - name: Run tests
         run: pytest tests -vvv

.github/workflows/codeql-analysis.yml

@@ -21,13 +21,13 @@ jobs:
         language: ['python']
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/init@v2
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/autobuild@v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/analyze@v2

.github/workflows/docker-push.yml

@@ -1,4 +1,4 @@
-name: push-docker-prebuilt
+name: Build prebuilt docker container
 on:
   workflow_dispatch:
   push:
@@ -7,60 +7,128 @@ on:
 env:
   LINES: 120
   COLUMNS: 120
-  PYTEST_PLUGINS: bentoml.testing.pytest.plugin
-  SETUPTOOLS_USE_DISTUTILS: stdlib
-  BENTOML_BUNDLE_LOCAL_BUILD: True
-  REGISTRY: ghcr.io
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
 defaults:
   run:
     shell: bash --noprofile --norc -exo pipefail {0}
 concurrency:
-  group: docker-build-${{ github.event.pull_request.number || github.sha }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 jobs:
-  build-containerize-push:
+  images:
+    permissions:
+      contents: write
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
-        tag: [cpu, gpu]
+        imgtype: [cpu, gpu]
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
         with:
-          fetch-depth: 0 # fetch all tags and branches
-      - name: Setup CI
-        uses: ./.github/actions/setup-repo
+          fetch-depth: 0
+      - uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
+        with:
+          bentoml-version: 'main'
+          python-version: '3.11'
+      - name: Install dependencies
+        run: pip install -r requirements/pypi.txt
+      - name: Inject slug/short variables
+        uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/[email protected]
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/[email protected]
       - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
-      - id: repository
-        uses: ASzc/change-string-case-action@v5
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/[email protected]
+        with:
+          install: true
+          driver-opts: |
+            image=moby/buildkit:master
+            network=host
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/[email protected]
+        with:
+          cosign-release: 'v2.1.1'
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata tags and labels on PRs
+        if: github.event_name == 'pull_request'
+        id: meta-pr
+        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/[email protected]
+        with:
+          images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
+          tags: |
+            type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}
+      - name: Extract metadata tags and labels for main, release or tag
+        if: github.event_name != 'pull_request'
+        id: meta
+        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/[email protected]
         with:
-          string: ${{ github.repository }}
-      - name: Build and containerize
+          flavor: latest=auto
+          images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
+          tags: |
+            type=semver,pattern={{version}}-${{ matrix.imgtype }}
+            type=semver,pattern={{major}}.{{minor}}-${{ matrix.imgtype }}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+            type=raw,value=${{ matrix.imgtype }},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+            type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}
+      - name: identify bentofile
+        id: bentofile-name
         run: |
-          if [ "${{ matrix.tag }}" == 'gpu' ]; then
-            BENTOFILE='bentofile.gpu.yaml'
-            TAG="$(basename ${{ steps.repository.outputs.lowercase }})-gpu"
+          if [ "${{ matrix.imgtype }}" == 'gpu' ]; then
+            echo "bentofile=bentofile.gpu.yaml" >> $GITHUB_OUTPUT
           else
-            BENTOFILE='bentofile.yaml'
-            TAG="$(basename ${{ steps.repository.outputs.lowercase }})"
+            echo "bentofile=bentofile.yaml" >> $GITHUB_OUTPUT
           fi
-
-          bentoml build -f "${BENTOFILE}" && bentoml containerize "$TAG" --opt progress=plain --image-tag ${{ env.REGISTRY }}/${{ steps.repository.outputs.lowercase }}:${{ matrix.tag }}
-      - name: Check available images
-        run: docker image list
-      - name: Log in to the Container registry
-        uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
+      - uses: bentoml/build-bento-action@main # ratchet:exclude
+        id: bento
         with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Push image to Github Container registry
-        if: '!github.event.repository.fork' # No need to run this actions on fork
-        # if: ${{ !github.event.repository.fork && github.event_name == 'push' }} # No need to run this actions on fork
-        run: docker push ${{ env.REGISTRY }}/${{ steps.repository.outputs.lowercase }}:${{ matrix.tag }}
+          bentofile: ${{ steps.bentofile-name.outputs.bentofile }}
+      - uses: bentoml/containerize-push-action@0301eeef2b03ed9053d7e5900f5d6f0970ea7a40 # ratchet:bentoml/containerize-push-action@v1
+        name: Containerize and push for ${{ matrix.imgtype }}
+        with:
+          bento-tag: '${{ steps.bento.outputs.bento-name }}:${{ steps.bento.outputs.bento-version }}'
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            GIT_SHA=${{ env.GITHUB_SHA }}
+            DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
+          tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
+      - name: Sign the released image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          github-pat: ${{ secrets.UI_GITHUB_TOKEN }}
+          scanners: 'vuln'
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+          scanners: 'vuln'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/upload-sarif@v2
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          sarif_file: 'trivy-results.sarif'

bentofile.gpu.yaml

@@ -1,5 +1,5 @@
 service: 'service.py:svc'
-name: transformers-nlp-service-gpu
+name: transformers-nlp-service
 labels:
   owner: bentoml-team
   project: transformers-nlp-service

lock

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -ex
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+
+cd "$GIT_ROOT" || exit 1
+
+[[ -x "$(command -v docker)" ]] || (
+    echo "docker not found. Make sure to have docker running to run this job."
+    exit 1
+)
+
+RATCHET_EXP_KEEP_NEWLINES=true find "${GIT_ROOT}/.github/workflows" -type f -iname '*.yml' -exec docker run -it --rm -v "${PWD}":"${PWD}" -w "${PWD}" -e RATCHET_EXP_KEEP_NEWLINES=true ghcr.io/sethvargo/ratchet:0.4.0 pin {} \;