Skip to content
patch-models

patch-models #47

Sign in to view logs

patch-models

patch-models #47

Workflow file for this run

.github/workflows/patch-models.yaml at 5cfeed5
name: patch-models
on:
# patch weekly
schedule:
- cron: "0 0 * * 0"
workflow_dispatch:
permissions:
contents: read
packages: write
id-token: write
jobs:
patch-models:
runs-on: ubuntu-latest
timeout-minutes: 240
strategy:
fail-fast: false
matrix:
images:
- ghcr.io/sozercan/llama2:7b
- ghcr.io/sozercan/llama2:13b
- ghcr.io/sozercan/llama3:8b
- ghcr.io/sozercan/llama3:70b
- ghcr.io/sozercan/mixtral:8x7b
- ghcr.io/sozercan/phi3:3.8b
- ghcr.io/sozercan/gemma2:2b
- ghcr.io/sozercan/codestral0.1:22b
steps:
- uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
production.cloudflare.docker.com:443
proxy.golang.org:443
registry-1.docker.io:443
rekor.sigstore.dev:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
*.ubuntu.com:80
*.blob.core.windows.net:443
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download Trivy
run: |
TRIVY_VERSION=$(
curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/'
)
wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
mv trivy /usr/local/bin
rm trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
- name: Download retry
run: |
wget https://github.com/joshdk/retry/releases/download/v${VERSION}/retry-linux-amd64.tar.gz
tar -xf retry-linux-amd64.tar.gz
sudo install retry /usr/bin/retry
env:
VERSION: 1.4.0
- name: Scan with Trivy
run: |
retry -attempts ${ATTEMPTS} -max-time ${MAX_TIME} trivy image --vuln-type os --exit-code 0 --format json --output report.json --timeout ${TRIVY_TIMEOUT} --ignore-unfixed ${{ matrix.images }}
env:
ATTEMPTS: 25
MAX_TIME: 0
TRIVY_TIMEOUT: 60m
- name: Check vulnerability count
id: vuln_count
run: |
cat report.json | jq
vuln_count=$(jq '.Results[0].Vulnerabilities | length' report.json)
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- name: Get image tag
run: |
image_tag=$(echo ${{ matrix.images }} | cut -d':' -f2)
echo $image_tag
echo "image_tag=$image_tag" >> $GITHUB_ENV
- name: Copa Action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/copa-action@3843e22efdca421adb37aa8dec103a0f1db68544 # v1.2.1
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: ${image_tag}
timeout: 30m
- name: Install Cosign
if: steps.copa.conclusion == 'success'
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Docker Push Patched Image
id: push
if: steps.copa.conclusion == 'success'
run: |
docker tag ${{ steps.copa.outputs.patched-image }} ${{ matrix.images }}
docker images
docker push ${{ matrix.images }}
echo "DIGEST=$(cosign triangulate ${{ matrix.images }} --type digest)" >> $GITHUB_ENV
- name: Sign the images with GitHub OIDC Token
id: sign
if: steps.push.conclusion == 'success'
run: cosign sign --yes ${DIGEST}
- name: Verify image signature
if: steps.sign.conclusion == 'success'
run: |
cosign verify ${DIGEST} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github\.com/sozercan/aikit/\.github/workflows/.+'