diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3be21faa..312c0861 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -56,132 +56,132 @@ jobs: {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] - build-and-push-image: - concurrency: - group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - needs: start-runner # required to start the main job when the runner is ready - runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner - permissions: - contents: write - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - security-events: write - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Initialize Docker Buildx - uses: docker/setup-buildx-action@v2.0.0 - with: - install: true - - name: Inject slug/short variables - uses: rlespinasse/github-slug-action@v4.4.1 - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 - with: - cosign-release: 'v1.13.1' - - name: Tailscale - uses: tailscale/github-action@7bd8039bf25c23c4ab1b8d6e2cc2da2280601966 - with: - authkey: ${{ secrets.TAILSCALE_AUTHKEY }} - - name: Login to GitHub Container Registry - if: github.event_name != 'pull_request' - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Login to internal Container Registry - uses: docker/login-action@v2.1.0 - with: - username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }} - password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }} - registry: registry.internal.huggingface.tech - - name: Login to Azure Container Registry - if: github.event_name != 'pull_request' - uses: docker/login-action@v2.1.0 - with: - username: ${{ secrets.AZURE_DOCKER_USERNAME }} - password: ${{ secrets.AZURE_DOCKER_PASSWORD }} - registry: db4c2190dd824d1f950f5d1555fbadf0.azurecr.io - # If pull request - - name: Extract metadata 
(tags, labels) for Docker - if: ${{ github.event_name == 'pull_request' }} - id: meta-pr - uses: docker/metadata-action@v4.3.0 - with: - images: | - registry.internal.huggingface.tech/api-inference/community/text-generation-inference - tags: | - type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }} - # If main, release or tag - - name: Extract metadata (tags, labels) for Docker - if: ${{ github.event_name != 'pull_request' }} - id: meta - uses: docker/metadata-action@v4.3.0 - with: - flavor: | - latest=auto - images: | - registry.internal.huggingface.tech/api-inference/community/text-generation-inference - ghcr.io/huggingface/text-generation-inference - db4c2190dd824d1f950f5d1555fbadf0.azurecr.io/text-generation-inference - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }} - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@v4 - with: - context: . - file: Dockerfile - push: true - platforms: 'linux/amd64' - build-args: | - GIT_SHA=${{ env.GITHUB_SHA }} - DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }} - tags: ${{ steps.meta.outputs.tags ||steps.meta-pr.outputs.tags }} - labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }} - cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max - cache-to: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. 
- - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} - - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph - uses: aquasecurity/trivy-action@master - if: ${{ github.event_name != 'pull_request' }} - with: - image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}' - format: 'github' - output: 'dependency-results.sbom.json' - github-pat: ${{ secrets.GITHUB_TOKEN }} - scanners: 'vuln' - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - if: ${{ github.event_name != 'pull_request' }} - with: - image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - scanners: 'vuln' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - if: ${{ github.event_name != 'pull_request' }} - with: - sarif_file: 'trivy-results.sarif' +# build-and-push-image: +# concurrency: +# group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} +# cancel-in-progress: true +# needs: start-runner # required to start the main job when the runner is ready +# runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner +# permissions: +# contents: write +# packages: write +# # This is used to complete the identity challenge +# # with sigstore/fulcio when running outside of PRs. 
+# id-token: write +# security-events: write +# steps: +# - name: Checkout repository +# uses: actions/checkout@v3 +# - name: Initialize Docker Buildx +# uses: docker/setup-buildx-action@v2.0.0 +# with: +# install: true +# - name: Inject slug/short variables +# uses: rlespinasse/github-slug-action@v4.4.1 +# - name: Install cosign +# if: github.event_name != 'pull_request' +# uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 +# with: +# cosign-release: 'v1.13.1' +# - name: Tailscale +# uses: tailscale/github-action@7bd8039bf25c23c4ab1b8d6e2cc2da2280601966 +# with: +# authkey: ${{ secrets.TAILSCALE_AUTHKEY }} +# - name: Login to GitHub Container Registry +# if: github.event_name != 'pull_request' +# uses: docker/login-action@v2 +# with: +# registry: ghcr.io +# username: ${{ github.actor }} +# password: ${{ secrets.GITHUB_TOKEN }} +# - name: Login to internal Container Registry +# uses: docker/login-action@v2.1.0 +# with: +# username: ${{ secrets.TAILSCALE_DOCKER_USERNAME }} +# password: ${{ secrets.TAILSCALE_DOCKER_PASSWORD }} +# registry: registry.internal.huggingface.tech +# - name: Login to Azure Container Registry +# if: github.event_name != 'pull_request' +# uses: docker/login-action@v2.1.0 +# with: +# username: ${{ secrets.AZURE_DOCKER_USERNAME }} +# password: ${{ secrets.AZURE_DOCKER_PASSWORD }} +# registry: db4c2190dd824d1f950f5d1555fbadf0.azurecr.io +# # If pull request +# - name: Extract metadata (tags, labels) for Docker +# if: ${{ github.event_name == 'pull_request' }} +# id: meta-pr +# uses: docker/metadata-action@v4.3.0 +# with: +# images: | +# registry.internal.huggingface.tech/api-inference/community/text-generation-inference +# tags: | +# type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }} +# # If main, release or tag +# - name: Extract metadata (tags, labels) for Docker +# if: ${{ github.event_name != 'pull_request' }} +# id: meta +# uses: docker/metadata-action@v4.3.0 +# with: +# flavor: | +# latest=auto +# images: | +# 
registry.internal.huggingface.tech/api-inference/community/text-generation-inference +# ghcr.io/huggingface/text-generation-inference +# db4c2190dd824d1f950f5d1555fbadf0.azurecr.io/text-generation-inference +# tags: | +# type=semver,pattern={{version}} +# type=semver,pattern={{major}}.{{minor}} +# type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} +# type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }} +# - name: Build and push Docker image +# id: build-and-push +# uses: docker/build-push-action@v4 +# with: +# context: . +# file: Dockerfile +# push: true +# platforms: 'linux/amd64' +# build-args: | +# GIT_SHA=${{ env.GITHUB_SHA }} +# DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }} +# tags: ${{ steps.meta.outputs.tags ||steps.meta-pr.outputs.tags }} +# labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }} +# cache-from: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max +# cache-to: type=registry,ref=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:cache,mode=max +# # Sign the resulting Docker image digest except on PRs. +# # This will only write to the public Rekor transparency log when the Docker +# # repository is public to avoid leaking data. +# - name: Sign the published Docker image +# if: ${{ github.event_name != 'pull_request' }} +# env: +# COSIGN_EXPERIMENTAL: "true" +# # This step uses the identity token to provision an ephemeral certificate +# # against the sigstore community Fulcio instance. 
+# run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} +# - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph +# uses: aquasecurity/trivy-action@master +# if: ${{ github.event_name != 'pull_request' }} +# with: +# image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}' +# format: 'github' +# output: 'dependency-results.sbom.json' +# github-pat: ${{ secrets.GITHUB_TOKEN }} +# scanners: 'vuln' +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# if: ${{ github.event_name != 'pull_request' }} +# with: +# image-ref: 'ghcr.io/huggingface/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }}' +# format: 'sarif' +# output: 'trivy-results.sarif' +# severity: 'CRITICAL' +# scanners: 'vuln' +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v2 +# if: ${{ github.event_name != 'pull_request' }} +# with: +# sarif_file: 'trivy-results.sarif' integration-tests: concurrency: @@ -189,12 +189,12 @@ jobs: cancel-in-progress: true needs: - start-runner - - build-and-push-image # Wait for the docker image to be built +# - build-and-push-image # Wait for the docker image to be built runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner steps: - uses: actions/checkout@v2 - name: Set up Python - uses: actions/setup-python@4.6 + uses: actions/setup-python@v4 with: python-version: 3.9 - name: Tailscale 
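Review bot: Commenting out the whole `build-and-push-image` job switches off every supply-chain gate this workflow had — the image build, the cosign signing step, the Trivy vulnerability scan, the SBOM submission and the SARIF upload — and the new side records no reason and no plan to restore it. If this is a temporary measure, say so at the top of the commented block, e.g. `# TODO(<owner>): build-and-push-image temporarily disabled (<reason>); integration-tests runs against a prebuilt image until it is restored`, and treat the branch as not mergeable to the default branch until the job is back. A 130-line commented-out job is also easy to uncomment later without a fresh review; if the disablement is expected to last, delete the block and rely on git history, and when it is re-enabled pin `aquasecurity/trivy-action@master` to a commit SHA like the cosign and Tailscale actions in the same job already are.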
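Review bot: `uses: actions/setup-python@v4` is a floating major tag, whereas this file pins `sigstore/cosign-installer` and `tailscale/github-action` to full commit SHAs with a version comment; a job that joins the tailnet and handles the Hub token secret should get the same treatment, e.g. `uses: actions/setup-python@<full-commit-sha> # v4.x`. The adjacent context line `uses: actions/checkout@v2` is an older major than the `v3` used by the (now commented) build job and is worth aligning in the same pass. With `- build-and-push-image` commented out of `needs`, nothing in this job guarantees an image for the commit under test exists before the tests run, which is only acceptable while the test step deliberately pins a known image.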
@@ -212,7 +212,8 @@ jobs: make install-integration-tests - name: Run tests run: | - export DOCKER_IMAGE=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }} +# export DOCKER_IMAGE=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sha-${{ env.GITHUB_SHA_SHORT }} + export DOCKER_IMAGE=registry.internal.huggingface.tech/api-inference/community/text-generation-inference:sha-65391ba export HUGGING_FACE_HUB_TOKEN={{ secrets.HUGGING_FACE_HUB_TOKEN }} make integration-tests @@ -220,7 +221,7 @@ jobs: name: Stop self-hosted EC2 runner needs: - start-runner - - build-and-push-image +# - build-and-push-image - integration-tests runs-on: ubuntu-latest env:
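Review bot: The context line `export HUGGING_FACE_HUB_TOKEN={{ secrets.HUGGING_FACE_HUB_TOKEN }}` directly below the new `DOCKER_IMAGE` line is missing the `$`, so the literal text `{{ secrets.HUGGING_FACE_HUB_TOKEN }}` is exported instead of the token; the commit does not address it. Prefer passing the secret through the step's `env:` block rather than interpolating it into the shell script — add `env:` / `HUGGING_FACE_HUB_TOKEN: ${{ secrets.HUGGING_FACE_HUB_TOKEN }}` on the `Run tests` step and drop the export line. The new hard-coded `sha-65391ba` reference is a mutable tag rather than a digest and is not the commit being tested, so a green run says nothing about this commit's code and anyone who can push to `registry.internal.huggingface.tech` can silently change what the tests exercise; if a fixed image is intended, pin it by `@sha256:` digest and record why in a comment next to it.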