mirror of
https://github.com/bentoml/OpenLLM.git
synced 2026-01-22 06:19:35 -05:00
eb089af0bf
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.4 to 2.21.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](a09933a12a...00e563ead9)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
142 lines
6.5 KiB
YAML
142 lines
6.5 KiB
YAML
name: Build Clojure UI
|
|
on:
|
|
workflow_dispatch:
|
|
push:
|
|
branches: [main]
|
|
tags:
|
|
- "*"
|
|
paths:
|
|
- 'openllm-contrib/clojure/**'
|
|
- ".github/workflows/clojure-frontend.yml"
|
|
pull_request:
|
|
types: [labeled, opened, synchronize, reopened]
|
|
branches: [main]
|
|
paths:
|
|
- 'openllm-contrib/clojure/**'
|
|
- ".github/workflows/clojure-frontend.yml"
|
|
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun
|
|
defaults:
|
|
run:
|
|
shell: bash --noprofile --norc -exo pipefail {0}
|
|
jobs:
|
|
get_commit_message:
|
|
name: Get commit message
|
|
runs-on: ubuntu-latest
|
|
if: "github.repository == 'bentoml/OpenLLM'" # Don't run on fork repository
|
|
outputs:
|
|
message: ${{ steps.commit_message.outputs.message }}
|
|
steps:
|
|
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
|
|
# Gets the correct commit message for pull request
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
- name: Get commit message
|
|
id: commit_message
|
|
run: |
|
|
set -xe
|
|
COMMIT_MSG=$(git log --no-merges -1 --oneline)
|
|
echo "message=$COMMIT_MSG" >> $GITHUB_OUTPUT
|
|
echo github.ref ${{ github.ref }}
|
|
build-and-push-clojure-ui:
|
|
name: Build and push Clojure UI image
|
|
runs-on: ubuntu-latest
|
|
needs: get_commit_message
|
|
if: >-
|
|
contains(needs.get_commit_message.outputs.message, '[clojure-ui build]') || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, '01 - Clojure Build')) || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && ( ! endsWith(github.ref, 'dev0')))
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
|
cancel-in-progress: true
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
# This is used to complete the identity challenge
|
|
# with sigstore/fulcio when running outside of PRs.
|
|
id-token: write
|
|
security-events: write
|
|
steps:
|
|
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
|
|
with:
|
|
fetch-depth: 1
|
|
- name: Inject slug/short variables
|
|
uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # ratchet:rlespinasse/github-slug-action@v4.4.1
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # ratchet:docker/setup-qemu-action@v2.2.0
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # ratchet:docker/setup-buildx-action@v2.10.0
|
|
with:
|
|
install: true
|
|
driver-opts: |
|
|
image=moby/buildkit:master
|
|
network=host
|
|
- name: Install cosign
|
|
if: github.event_name != 'pull_request'
|
|
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # ratchet:sigstore/cosign-installer@v3.1.2
|
|
with:
|
|
cosign-release: 'v2.1.1'
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # ratchet:docker/login-action@v2.2.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Extract metadata tags and labels on PRs
|
|
if: github.event_name == 'pull_request'
|
|
id: meta-pr
|
|
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0
|
|
with:
|
|
images: ghcr.io/bentoml/openllm-ui-clojure
|
|
tags: type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
|
|
- name: Extract metadata tags and labels for main, release or tag
|
|
if: github.event_name != 'pull_request'
|
|
id: meta
|
|
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # ratchet:docker/metadata-action@v4.6.0
|
|
with:
|
|
flavor: latest=auto
|
|
images: ghcr.io/bentoml/openllm-ui-clojure
|
|
tags: |
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
|
|
type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
|
|
- name: Build and push Clojure UI image
|
|
id: build-and-push
|
|
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # ratchet:docker/build-push-action@v4
|
|
with:
|
|
context: openllm-contrib/clojure
|
|
file: openllm-contrib/clojure/Dockerfile
|
|
platforms: linux/amd64,linux/arm64
|
|
push: true
|
|
build-args: |
|
|
GIT_SHA=${{ env.GITHUB_SHA }}
|
|
DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
|
|
tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
|
|
- name: Sign the released image
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "true"
|
|
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
|
|
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
|
|
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # ratchet:aquasecurity/trivy-action@master
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
with:
|
|
image-ref: 'ghcr.io/bentoml/openllm-ui-clojure:sha-${{ env.GITHUB_SHA_SHORT }}'
|
|
format: 'github'
|
|
output: 'dependency-results.sbom.json'
|
|
github-pat: ${{ secrets.UI_GITHUB_TOKEN }}
|
|
scanners: 'vuln'
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # ratchet:aquasecurity/trivy-action@master
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
with:
|
|
image-ref: 'ghcr.io/bentoml/openllm-ui-clojure:sha-${{ env.GITHUB_SHA_SHORT }}'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
severity: 'CRITICAL'
|
|
scanners: 'vuln'
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # ratchet:github/codeql-action/upload-sarif@v2
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|