feat(ci): migrate to use official BentoML CI action #6

wants to merge 5 commits into
base: main
45 changes: 0 additions & 45 deletions .github/actions/setup-repo/action.yml

This file was deleted.

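--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,12 +24,13 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
 steps:
-- name: Checkout
-uses: actions/checkout@v3
+- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 with:
-fetch-depth: 0 # fetch all tags and branches
-- name: Setup CI
-uses: ./.github/actions/setup-repo
+fetch-depth: 0
+- uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
+with:
+bentoml-version: 'main'
+python-version: '3.11'
 - name: Install dependencies
 run: pip install black isort ruff
 - name: Install pyright
@@ -54,19 +55,21 @@ jobs:
 runs-on: ${{ matrix.os }}
 timeout-minutes: 90
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 with:
-fetch-depth: 0 # fetch all tags and branches
-- name: Setup CI
-uses: ./.github/actions/setup-repo
+fetch-depth: 0
+- uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
+with:
+bentoml-version: 'main'
+python-version: ${{ matrix.python-version }}
 - name: Install dependencies
 run: pip install -r requirements/tests.txt
 - name: Set up QEMU
-uses: docker/setup-qemu-action@v2
+uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2
 if: ${{ matrix.os == 'ubuntu-latest' }}
 - name: Set up Docker Buildx
 if: ${{ matrix.os == 'ubuntu-latest' }}
 id: buildx
-uses: docker/setup-buildx-action@v2
+uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/setup-buildx-action@v2
 - name: Run tests
 run: pytest tests -vvv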
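Review bot: `bentoml-version: 'main'` in both new setup-bentoml-action steps installs BentoML from the moving `main` branch, so the same commit can pass one day and fail the next once upstream changes, which undercuts the SHA pinning this PR introduces everywhere else. If tracking upstream is deliberate, record that next to the value, e.g. `bentoml-version: 'main'  # intentionally tracks upstream main; pin to a release for reproducible runs`; otherwise pin to a released version. The `# fetch all tags and branches` comment on `fetch-depth: 0` was dropped in both hunks; keep it, since a full clone is costly and a reader should know why it is needed.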
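--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,13 +21,13 @@ jobs:
 language: ['python']
 steps:
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v2
+uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/init@v2
 with:
 languages: ${{ matrix.language }}
 - name: Autobuild
-uses: github/codeql-action/autobuild@v2
+uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/autobuild@v2
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v2
+uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/analyze@v2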
144 changes: 106 additions & 38 deletions .github/workflows/docker-push.yml
@@ -1,4 +1,4 @@
name: push-docker-prebuilt
name: Build prebuilt docker container
on:
workflow_dispatch:
push:
Expand All @@ -7,60 +7,128 @@ on:
env:
LINES: 120
COLUMNS: 120
PYTEST_PLUGINS: bentoml.testing.pytest.plugin
SETUPTOOLS_USE_DISTUTILS: stdlib
BENTOML_BUNDLE_LOCAL_BUILD: True
REGISTRY: ghcr.io
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
defaults:
run:
shell: bash --noprofile --norc -exo pipefail {0}
concurrency:
group: docker-build-${{ github.event.pull_request.number || github.sha }}
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
jobs:
build-containerize-push:
images:
permissions:
contents: write
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
security-events: write
strategy:
fail-fast: false
matrix:
tag: [cpu, gpu]
imgtype: [cpu, gpu]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # ratchet:actions/checkout@v3
with:
fetch-depth: 0 # fetch all tags and branches
- name: Setup CI
uses: ./.github/actions/setup-repo
fetch-depth: 0
- uses: bentoml/setup-bentoml-action@59beefe94e2e8f8ebbedf555fc86bd5d1ae0a708 # ratchet:bentoml/setup-bentoml-action@v1
with:
bentoml-version: 'main'
python-version: '3.11'
- name: Install dependencies
run: pip install -r requirements/pypi.txt
- name: Inject slug/short variables
uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/[email protected]
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/[email protected]
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- id: repository
uses: ASzc/change-string-case-action@v5
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # ratchet:docker/[email protected]
with:
install: true
driver-opts: |
image=moby/buildkit:master
network=host
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # ratchet:sigstore/[email protected]
with:
cosign-release: 'v2.1.1'
- name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata tags and labels on PRs
if: github.event_name == 'pull_request'
id: meta-pr
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/[email protected]
with:
images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
tags: |
type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}
- name: Extract metadata tags and labels for main, release or tag
if: github.event_name != 'pull_request'
id: meta
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/[email protected]
with:
string: ${{ github.repository }}
- name: Build and containerize
flavor: latest=auto
images: ghcr.io/${{ env.GITHUB_REPOSITORY }}
tags: |
type=semver,pattern={{version}}-${{ matrix.imgtype }}
type=semver,pattern={{major}}.{{minor}}-${{ matrix.imgtype }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
type=raw,value=${{ matrix.imgtype }},enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}
- name: identify bentofile
id: bentofile-name
run: |
if [ "${{ matrix.tag }}" == 'gpu' ]; then
BENTOFILE='bentofile.gpu.yaml'
TAG="$(basename ${{ steps.repository.outputs.lowercase }})-gpu"
if [ "${{ matrix.imgtype }}" == 'gpu' ]; then
echo "bentofile=bentofile.gpu.yaml" >> $GITHUB_OUTPUT
else
BENTOFILE='bentofile.yaml'
TAG="$(basename ${{ steps.repository.outputs.lowercase }})"
echo "bentofile=bentofile.yaml" >> $GITHUB_OUTPUT
fi

bentoml build -f "${BENTOFILE}" && bentoml containerize "$TAG" --opt progress=plain --image-tag ${{ env.REGISTRY }}/${{ steps.repository.outputs.lowercase }}:${{ matrix.tag }}
- name: Check available images
run: docker image list
- name: Log in to the Container registry
uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
- uses: bentoml/build-bento-action@main # ratchet:exclude
id: bento
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image to Github Container registry
if: '!github.event.repository.fork' # No need to run this actions on fork
# if: ${{ !github.event.repository.fork && github.event_name == 'push' }} # No need to run this actions on fork
run: docker push ${{ env.REGISTRY }}/${{ steps.repository.outputs.lowercase }}:${{ matrix.tag }}
bentofile: ${{ steps.bentofile-name.outputs.bentofile }}
- uses: bentoml/containerize-push-action@0301eeef2b03ed9053d7e5900f5d6f0970ea7a40 # ratchet:bentoml/containerize-push-action@v1
name: Containerize and push for ${{ matrix.imgtype }}
with:
bento-tag: '${{ steps.bento.outputs.bento-name }}:${{ steps.bento.outputs.bento-version }}'
platforms: linux/amd64,linux/arm64
push: true
build-args: |
GIT_SHA=${{ env.GITHUB_SHA }}
DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }}
labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
- name: Sign the released image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
if: ${{ github.event_name != 'pull_request' }}
with:
image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}'
format: 'github'
output: 'dependency-results.sbom.json'
github-pat: ${{ secrets.UI_GITHUB_TOKEN }}
scanners: 'vuln'
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@559eb1224e654a86c844a795e6702a0742c60c72 # ratchet:aquasecurity/trivy-action@master
if: ${{ github.event_name != 'pull_request' }}
with:
image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
scanners: 'vuln'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # ratchet:github/codeql-action/upload-sarif@v2
if: ${{ github.event_name != 'pull_request' }}
with:
sarif_file: 'trivy-results.sarif'
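Review bot: The `Sign the released image` step references `steps.build-and-push.outputs.digest`, but no step in this job carries `id: build-and-push` (the containerize-push step has no `id` at all), so the expression expands to empty and each tag is passed to cosign as `<tag>@` instead of being bound to a digest; add `id: build-and-push` to the `bentoml/containerize-push-action` step and confirm that action actually exposes a `digest` output. The `bentoml/build-bento-action@main # ratchet:exclude` line is the only unpinned action in a job that holds `id-token: write`, `packages: write` and `contents: write`, so whoever can push to that branch can obtain this job's OIDC identity and publish signed images under the repository's name — pin it to a commit SHA like every other action here. Both Trivy steps scan `ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}`, but the metadata steps only emit `sha-<short>-${{ matrix.imgtype }}` tags, so the scan targets an image that is never pushed; use `image-ref: 'ghcr.io/${{ env.GITHUB_REPOSITORY }}:sha-${{ env.GITHUB_SHA_SHORT }}-${{ matrix.imgtype }}'`. The `on:` triggers and the `!github.event.repository.fork` guard this hunk removes are not fully visible here, so whether `push: true` now runs for fork pull requests with a read-only `GITHUB_TOKEN` cannot be confirmed from this section.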
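--- a/bentofile.gpu.yaml
+++ b/bentofile.gpu.yaml
@@ -1,5 +1,5 @@
 service: 'service.py:svc'
-name: transformers-nlp-service-gpu
+name: transformers-nlp-service
 labels:
 owner: bentoml-team
 project: transformers-nlp-service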
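--- a/lock
+++ b/lock
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -ex
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+
+cd "$GIT_ROOT" || exit 1
+
+[[ -x "$(command -v docker)" ]] || (
+echo "docker not found. Make sure to have docker running to run this job."
+exit 1
+)
+
+RATCHET_EXP_KEEP_NEWLINES=true find "${GIT_ROOT}/.github/workflows" -type f -iname '*.yml' -exec docker run -it --rm -v "${PWD}":"${PWD}" -w "${PWD}" -e RATCHET_EXP_KEEP_NEWLINES=true ghcr.io/sethvargo/ratchet:0.4.0 pin {} \;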
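Review bot: `docker run -it` on the last line allocates a TTY, so the script aborts with "the input device is not a TTY" when invoked from CI, a pre-commit hook or any other non-interactive shell; nothing is piped into the container, so drop both flags: `docker run --rm -v "${PWD}":"${PWD}" -w "${PWD}" ...`. The ratchet image that establishes every other pin in the repository is itself pulled by the mutable tag `ghcr.io/sethvargo/ratchet:0.4.0`; pin it by digest (`ghcr.io/sethvargo/ratchet:0.4.0@sha256:<digest>`) so the pinning tool cannot be silently replaced. `-iname '*.yml'` skips any workflow saved as `.yaml`; use `\( -iname '*.yml' -o -iname '*.yaml' \)` so such files are not left unpinned. The `RATCHET_EXP_KEEP_NEWLINES=true` prefix on `find` only affects the host `find` process and does nothing, since the variable already reaches the container via `-e`; the `( ... exit 1 )` subshell after `||` also only works because `set -e` treats the failing subshell as fatal, and `{ ...; exit 1; }` states that intent directly.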