name: Build Clojure UI on: workflow_dispatch: push: branches: [main] tags: - '*' paths: - 'contrib/clojure/**' - '.github/workflows/clojure-frontend.yml' pull_request: types: [labeled, opened, synchronize, reopened] branches: [main] paths: - 'contrib/clojure/**' - '.github/workflows/clojure-frontend.yml' # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun defaults: run: shell: bash --noprofile --norc -exo pipefail {0} jobs: get_commit_message: name: Get commit message runs-on: ubuntu-latest if: "github.repository == 'bentoml/OpenLLM'" # Don't run on fork repository outputs: message: ${{ steps.commit_message.outputs.message }} steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # ratchet:actions/checkout@v4 # Gets the correct commit message for pull request with: ref: ${{ github.event.pull_request.head.sha }} - name: Get commit message id: commit_message run: | set -xe COMMIT_MSG=$(git log --no-merges -1 --oneline) echo "message=$COMMIT_MSG" >> $GITHUB_OUTPUT echo github.ref ${{ github.ref }} build-and-push-clojure-ui: name: Build and push Clojure UI image runs-on: ubuntu-latest needs: get_commit_message if: >- contains(needs.get_commit_message.outputs.message, '[clojure-ui build]') || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, '01 - Clojure Build')) || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && ( ! endsWith(github.ref, 'dev0'))) concurrency: group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: contents: write packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write security-events: write steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # ratchet:actions/checkout@v4 with: fetch-depth: 1 - name: Inject slug/short variables uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/github-slug-action@v4.4.1 - name: Set up QEMU uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # ratchet:docker/setup-qemu-action@v3.0.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # ratchet:docker/setup-buildx-action@v3.0.0 with: install: true driver-opts: | image=moby/buildkit:master network=host - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # ratchet:sigstore/cosign-installer@v3.1.2 with: cosign-release: 'v2.1.1' - name: Login to GitHub Container Registry uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # ratchet:docker/login-action@v3.0.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata tags and labels on PRs if: github.event_name == 'pull_request' id: meta-pr uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # ratchet:docker/metadata-action@v5.0.0 with: images: ghcr.io/bentoml/openllm-ui-clojure tags: type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }} - name: Extract metadata tags and labels for main, release or tag if: github.event_name != 'pull_request' id: meta uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # ratchet:docker/metadata-action@v5.0.0 with: flavor: latest=auto images: ghcr.io/bentoml/openllm-ui-clojure tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }} - name: Build and push Clojure UI image id: build-and-push uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # ratchet:docker/build-push-action@v5.0.0 with: context: openllm-contrib/clojure file: openllm-contrib/clojure/Dockerfile platforms: linux/amd64,linux/arm64 push: true build-args: | GIT_SHA=${{ env.GITHUB_SHA }} DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }} tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }} labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }} - name: Sign the released image if: ${{ github.event_name != 'pull_request' }} env: COSIGN_EXPERIMENTAL: 'true' run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # ratchet:aquasecurity/trivy-action@master if: ${{ github.event_name != 'pull_request' }} with: image-ref: 'ghcr.io/bentoml/openllm-ui-clojure:sha-${{ env.GITHUB_SHA_SHORT }}' format: 'github' output: 'dependency-results.sbom.json' github-pat: ${{ secrets.UI_GITHUB_TOKEN }} scanners: 'vuln' - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # ratchet:aquasecurity/trivy-action@master if: ${{ github.event_name != 'pull_request' }} with: image-ref: 'ghcr.io/bentoml/openllm-ui-clojure:sha-${{ env.GITHUB_SHA_SHORT }}' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL' scanners: 'vuln' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # ratchet:github/codeql-action/upload-sarif@v2 if: ${{ github.event_name != 'pull_request' }} with: sarif_file: 'trivy-results.sarif'