From 2f561809bcdefbf4de4136f599e2be0099849885 Mon Sep 17 00:00:00 2001
From: OlivierDehaene <23298448+OlivierDehaene@users.noreply.github.com>
Date: Mon, 15 May 2023 20:35:40 +0200
Subject: [PATCH] set docker volume
---
 .github/workflows/build.yaml | 263 ++++++++++++++++++-----------------
 1 file changed, 133 insertions(+), 130 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d24b5ec4..a3ff923f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -56,132 +56,132 @@ jobs:
 {"Key": "GitHubRepository", "Value": "${{ github.repository }}"}
 ]
-# build-and-push-image:
-# concurrency:
-# group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
-# cancel-in-progress: true
-# needs: start-runner # required to start the main job when the runner is ready
-# runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
-# permissions:
-# contents: write
-# packages: write
-# # This is used to complete the identity challenge
-# # with sigstore/fulcio when running outside of PRs.
-# id-token: write
-# security-events: write
-# steps:
-# - name: Checkout repository
-# uses: actions/checkout@v3
-# - name: Initialize Docker Buildx
-# uses: docker/setup-buildx-action@v2.0.0
-# with:
-# install: true
-# - name: Inject slug/short variables
-# uses: rlespinasse/github-slug-action@v4.4.1
-# - name: Install cosign
-# if: github.event_name != 'pull_request'
-# uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
-# with:
-# cosign-release: 'v1.13.1'
-# - name: Tailscale
-# uses: tailscale/github-action@7bd8039bf25c23c4ab1b8d6e2cc2da2280601966
-# with:
-# authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
-# - name: Login to GitHub Container Registry
-# if: github.event_name != 'pull_request'
-# uses: docker/login-action@v2
-# with:
-# registry: ghcr.io
-# username: ${{ github.actor }}
-# password: ${{ secrets.GITHUB_TOKEN }}
-# - name: Login to internal Container Registry
-# uses: docker/login-action@v2.1.0
-# with:
-# username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }}
-# password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }}
-# registry: registry.internal.huggingface.tech
-# - name: Login to Azure Container Registry
-# if: github.event_name != 'pull_request'
-# uses: docker/login-action@v2.1.0
-# with:
-# username: ${{ secrets.AZURE_DOCKER_USERNAME }}
-# password: ${{ secrets.AZURE_DOCKER_PASSWORD }}
-# registry: db4c2190dd824d1f950f5d1555fbadf0.azurecr.io
-# # If pull request
-# - name: Extract metadata (tags, labels) for Docker
-# if: ${{ github.event_name == 'pull_request' }}
-# id: meta-pr
-# uses: docker/metadata-action@v4.3.0
-# with:
-# images: |
-# registry.internal.huggingface.tech/api-inference/community/text-generation-inference
-# tags: |
-# type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
-# # If main, release or tag
-# - name: Extract metadata (tags, labels) for Docker
-# if: ${{ github.event_name != 'pull_request' }}
-# id: meta
-# uses: docker/metadata-action@v4.3.0
-# with:
-# flavor: |
-# latest=auto
-# images: |
-# registry.internal.huggingface.tech/api-inference/community/text-generation-inference
-# ghcr.io/huggingface/text-generation-inference
-# db4c2190dd824d1f950f5d1555fbadf0.azurecr.io/text-generation-inference
-# tags: |
-# type=semver,pattern={{version}}
-# type=semver,pattern={{major}}.{{minor}}
-# type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-# type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
-# - name: Build and push Docker image
-# id: build-and-push
-# uses: docker/build-push-action@v4
-# with:
-# context: .
-# file: Dockerfile
-# push: true
-# platforms: 'linux/amd64'
-# build-args: |
-# GIT_SHA=${{ env.GITHUB_SHA }}
-# DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
-# tags: ${{ steps.meta.outputs.tags ||steps.meta-pr.outputs.tags }}
-# labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
-# cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max
-# cache-to: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max
-# # Sign the resulting Docker image digest except on PRs.
-# # This will only write to the public Rekor transparency log when the Docker
-# # repository is public to avoid leaking data.
-# - name: Sign the published Docker image
-# if: ${{ github.event_name != 'pull_request' }}
-# env:
-# COSIGN_EXPERIMENTAL: "true"
-# # This step uses the identity token to provision an ephemeral certificate
-# # against the sigstore community Fulcio instance.
-# run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
-# - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
-# uses: aquasecurity/trivy-action@master
-# if: ${{ github.event_name != 'pull_request' }}
-# with:
-# image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'
-# format: 'github'
-# output: 'dependency-results.sbom.json'
-# github-pat: ${{ secrets.GITHUB_TOKEN }}
-# scanners: 'vuln'
-# - name: Run Trivy vulnerability scanner
-# uses: aquasecurity/trivy-action@master
-# if: ${{ github.event_name != 'pull_request' }}
-# with:
-# image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'
-# format: 'sarif'
-# output: 'trivy-results.sarif'
-# severity: 'CRITICAL'
-# scanners: 'vuln'
-# - name: Upload Trivy scan results to GitHub Security tab
-# uses: github/codeql-action/upload-sarif@v2
-# if: ${{ github.event_name != 'pull_request' }}
-# with:
-# sarif_file: 'trivy-results.sarif'
+ build-and-push-image:
+ concurrency:
+ group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+ needs: start-runner # required to start the main job when the runner is ready
+ runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ permissions:
+ contents: write
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ - name: Initialize Docker Buildx
+ uses: docker/setup-buildx-action@v2.0.0
+ with:
+ install: true
+ - name: Inject slug/short variables
+ uses: rlespinasse/github-slug-action@v4.4.1
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+ with:
+ cosign-release: 'v1.13.1'
+ - name: Tailscale
+ uses: tailscale/github-action@7bd8039bf25c23c4ab1b8d6e2cc2da2280601966
+ with:
+ authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
+ - name: Login to GitHub Container Registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Login to internal Container Registry
+ uses: docker/login-action@v2.1.0
+ with:
+ username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }}
+ password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }}
+ registry: registry.internal.huggingface.tech
+ - name: Login to Azure Container Registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2.1.0
+ with:
+ username: ${{ secrets.AZURE_DOCKER_USERNAME }}
+ password: ${{ secrets.AZURE_DOCKER_PASSWORD }}
+ registry: db4c2190dd824d1f950f5d1555fbadf0.azurecr.io
+ # If pull request
+ - name: Extract metadata (tags, labels) for Docker
+ if: ${{ github.event_name == 'pull_request' }}
+ id: meta-pr
+ uses: docker/metadata-action@v4.3.0
+ with:
+ images: |
+ registry.internal.huggingface.tech/api-inference/community/text-generation-inference
+ tags: |
+ type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
+ # If main, release or tag
+ - name: Extract metadata (tags, labels) for Docker
+ if: ${{ github.event_name != 'pull_request' }}
+ id: meta
+ uses: docker/metadata-action@v4.3.0
+ with:
+ flavor: |
+ latest=auto
+ images: |
+ registry.internal.huggingface.tech/api-inference/community/text-generation-inference
+ ghcr.io/huggingface/text-generation-inference
+ db4c2190dd824d1f950f5d1555fbadf0.azurecr.io/text-generation-inference
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+ type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ file: Dockerfile
+ push: true
+ platforms: 'linux/amd64'
+ build-args: |
+ GIT_SHA=${{ env.GITHUB_SHA }}
+ DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
+ tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
+ cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max
+ cache-to: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data.
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@master
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
+ scanners: 'vuln'
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL'
+ scanners: 'vuln'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ sarif_file: 'trivy-results.sarif'
 integration-tests:
 concurrency:
@@ -189,7 +189,10 @@ jobs:
 cancel-in-progress: true
 needs:
 - start-runner
+ - build-and-push-image # Wait for the docker image to be built
 runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ env:
+ DOCKER_VOLUME: /cache
 steps:
 - uses: actions/checkout@v2
 - name: Set up Python
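Review bot: Both Trivy steps use `uses: aquasecurity/trivy-action@master`, a mutable branch resolved at run time, inside a job that holds `packages: write`, `security-events: write` and `id-token: write` and that hands the action `github-pat: ${{ secrets.GITHUB_TOKEN }}`; the cosign-installer and tailscale steps in the same hunk are already pinned to full commit SHAs, so these should match, `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z` (placeholder, to be filled from the action's release). The `actions/checkout@v3`, `docker/login-action@v2` and `github/codeql-action/upload-sarif@v2` tag pins are the same class of risk, though a moving major tag is less likely to be repointed than a branch. Separately, the Tailscale and internal-registry login steps are the only credential-bearing steps without an `if: github.event_name != 'pull_request'` guard, which is consistent with the `meta-pr` step pushing PR images to the internal registry but reads as an omission next to the ghcr/Azure logins; a comment such as `# no PR guard: PR images are pushed to the internal registry, so this login is needed on PRs too` above the Tailscale step would record that intent.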
@@ -203,15 +206,14 @@ jobs:
 - name: Prepare disks
 run: |
 sudo mkfs -t ext4 /dev/nvme1n1
- sudo mkdir /data
- sudo mount /dev/nvme1n1 /data
- sudo chown -R $USER:$USER /data
+ sudo mkdir ${{ env.DOCKER_VOLUME }}
+ sudo mount /dev/nvme1n1 ${{ env.DOCKER_VOLUME }}
 - name: Install
 run: |
 make install-integration-tests
 - name: Run tests
 run: |
- export DOCKER_IMAGE=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sha-65391ba
+ export DOCKER_IMAGE=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}
 export HUGGING_FACE_HUB_TOKEN={{ secrets.HUGGING_FACE_HUB_TOKEN }}
 make integration-tests
@@ -219,6 +221,7 @@ jobs:
 name: Stop self-hosted EC2 runner
 needs:
 - start-runner
+ - build-and-push-image
 - integration-tests
 runs-on: ubuntu-latest
 env:
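Review bot: The new `export DOCKER_IMAGE=...:sha-${{ env.GITHUB_SHA_SHORT }}` relies on `GITHUB_SHA_SHORT` being set in the integration-tests job's own environment, but `env` values set by the slug action in build-and-push-image do not carry across jobs, so unless a `rlespinasse/github-slug-action` step runs earlier in this job (the steps before `Prepare disks` are outside this hunk) the reference collapses to `...:sha-` and the tests pull the wrong image. Two lines below, the unchanged `export HUGGING_FACE_HUB_TOKEN={{ secrets.HUGGING_FACE_HUB_TOKEN }}` is missing the leading `$`, so the expression is never evaluated and the shell sees `{{` as the value with the remaining words as further `export` arguments; the cleaner fix for both values is a step-level `env:` block (`HUGGING_FACE_HUB_TOKEN: ${{ secrets.HUGGING_FACE_HUB_TOKEN }}`) so no secret is interpolated into the script text. Dropping `sudo chown -R $USER:$USER /data` also leaves the mounted `${{ env.DOCKER_VOLUME }}` root-owned, which will fail any test that writes there as the runner user, and `sudo mkdir` without `-p` aborts the step if the directory already exists on a reused runner; `sudo mkdir -p ${{ env.DOCKER_VOLUME }}` is the safer form.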