-
Notifications
You must be signed in to change notification settings - Fork 29
144 lines (129 loc) · 5.09 KB
/
patch-models.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: patch-models
on:
# patch weekly
schedule:
- cron: "0 0 * * 0"
workflow_dispatch:
permissions:
contents: read
packages: write
id-token: write
jobs:
patch-models:
runs-on: ubuntu-latest
timeout-minutes: 240
strategy:
fail-fast: false
matrix:
images:
- ghcr.io/sozercan/llama3.1:8b
- ghcr.io/sozercan/llama3.1:70b
- ghcr.io/sozercan/mixtral:8x7b
- ghcr.io/sozercan/phi3.5:3.8b
- ghcr.io/sozercan/gemma2:2b
- ghcr.io/sozercan/codestral:22b
- ghcr.io/sozercan/flux1:dev
steps:
- uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
production.cloudflare.docker.com:443
proxy.golang.org:443
registry-1.docker.io:443
rekor.sigstore.dev:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
*.ubuntu.com:80
*.blob.core.windows.net:443
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download Trivy
run: |
TRIVY_VERSION=$(
curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/'
)
wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
mv trivy /usr/local/bin
rm trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
- name: Download retry
run: |
wget https://github.com/joshdk/retry/releases/download/v${VERSION}/retry-linux-amd64.tar.gz
tar -xf retry-linux-amd64.tar.gz
sudo install retry /usr/bin/retry
env:
VERSION: 1.4.0
- name: Scan with Trivy
run: |
retry -attempts ${ATTEMPTS} -max-time ${MAX_TIME} trivy image --pkg-types os --exit-code 0 --format json --output report.json --timeout ${TRIVY_TIMEOUT} --ignore-unfixed ${{ matrix.images }}
env:
ATTEMPTS: 25
MAX_TIME: 0
TRIVY_TIMEOUT: 60m
- name: Check vulnerability count
id: vuln_count
run: |
cat report.json | jq
vuln_count=$(jq '.Results[0].Vulnerabilities | length' report.json)
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- name: Get image tag
run: |
image_tag=$(echo ${{ matrix.images }} | cut -d':' -f2)
echo $image_tag
echo "image_tag=$image_tag" >> $GITHUB_ENV
- name: Copa Action
if: steps.vuln_count.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/copa-action@3843e22efdca421adb37aa8dec103a0f1db68544 # v1.2.1
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: ${image_tag}
timeout: 30m
- name: Install Cosign
if: steps.copa.conclusion == 'success'
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Docker Push Patched Image
id: push
if: steps.copa.conclusion == 'success'
run: |
docker tag ${{ steps.copa.outputs.patched-image }} ${{ matrix.images }}
docker images
docker push ${{ matrix.images }}
echo "DIGEST=$(cosign triangulate ${{ matrix.images }} --type digest)" >> $GITHUB_ENV
- name: Sign the images with GitHub OIDC Token
id: sign
if: steps.push.conclusion == 'success'
run: cosign sign --yes ${DIGEST}
- name: Verify image signature
if: steps.sign.conclusion == 'success'
run: |
cosign verify ${DIGEST} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github\.com/sozercan/aikit/\.github/workflows/.+'