Docker #109
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This requires | |
| # vars.DOCKERHUB_USERNAME for the result image account | |
| # secrets.DOCKERHUB_USERNAME for the account that pushes the image | |
| # secrets.DOCKERHUB_TOKEN for the account password that pushes the image | |
| name: Docker | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - 'torch-wheel.Dockerfile' | |
| - '.github/workflows/torch-wheel.yml' | |
| - 'torchvision-wheel.Dockerfile' | |
| - '.github/workflows/torchvision-wheel.yml' | |
| # We want to monthly update the base image for security | |
| # TODO Can we avoid building the same image? | |
| schedule: | |
| # min hour dom month dow | |
| - cron: '42 3 2 * *' | |
| workflow_dispatch: | |
| permissions: | |
| contents: write # For the tag creation | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| # Check torch + torchvision compatibility from https://github.com/pytorch/vision?tab=readme-ov-file#installation | |
| - torch: '2.3.1' | |
| torch-wheel-tag: '2.3.1' | |
| torchvision: '0.18.1' | |
| python: '3.11.9-slim' | |
| platforms: linux/amd64,linux/arm64 | |
| constraints: constraints-2.3.1.txt | |
| - torch: '2.3.1' | |
| torch-wheel-tag: '2.3.1' | |
| torchvision: '0.18.1' | |
| python: '3.11.10' | |
| platforms: linux/amd64,linux/arm64 | |
| constraints: constraints-2.3.1.txt | |
| - torch: '2.3.1' | |
| torch-wheel-tag: '2.3.1' | |
| torchvision: '0.18.1' | |
| python: '3.11.10-slim' | |
| platforms: linux/amd64,linux/arm64 | |
| constraints: constraints-2.3.1.txt | |
| - torch: '2.3.1+cpu' | |
| torch-wheel-tag: '2.3.1' | |
| python: '3.11.10' | |
| extra-index-url: 'https://download.pytorch.org/whl/cpu' | |
| platforms: linux/amd64 | |
| constraints: constraints-2.3.1.txt | |
| steps: | |
| - id: created | |
| run: echo "created=$(date --utc +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| if: github.ref == 'refs/heads/main' | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Build Tag | |
| id: build-tag | |
| # Tags have limited set of valid character, '+' not included | |
| # https://github.com/opencontainers/distribution-spec/blob/main/spec.md#pulling-manifests | |
| run: | | |
| echo "tag=$(echo -n "${{ matrix.torch }}-${{ matrix.python }}" | tr -c 'a-zA-Z0-9._-' '[-*]')" >> $GITHUB_OUTPUT | |
| - uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0 | |
| with: | |
| context: . | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| build-args: | | |
| CREATED=${{ steps.created.outputs.created }} | |
| SOURCE_COMMIT=${{ github.sha }} | |
| PYTHON=${{ matrix.python }} | |
| TORCH=${{ matrix.torch }} | |
| TORCH_REQUIREMENT=${{ matrix.url || format('torch=={0}', matrix.torch) }} | |
| TORCH_WHEEL_SOURCE=${{ matrix.torch-wheel-tag && format('{0}/torch-wheels:{1}', vars.DOCKERHUB_USERNAME, matrix.torch-wheel-tag) || 'scratch'}} | |
| TORCHVISION_WHEEL_SOURCE=${{ matrix.torchvision && format('{0}/torchvision-wheels:{1}', vars.DOCKERHUB_USERNAME, matrix.torchvision) || 'scratch'}} | |
| EXTRA_INDEX_URL=${{ matrix.extra-index-url }} | |
| ${{ matrix.constraints && format('CONSTRAINTS={0}', matrix.constraints) || '' }} | |
| # TODO add the latest tag, maybe somehow via docker/metadata-action | |
| tags: | | |
| ${{ vars.DOCKERHUB_USERNAME }}/python-torch:${{ steps.build-tag.outputs.tag }} | |
| # https://docs.docker.com/build/ci/github-actions/cache/ | |
| cache-from: type=gha,scope=${{ matrix.torch }}-${{ matrix.python }} | |
| cache-to: type=gha,scope=${{ matrix.torch }}-${{ matrix.python }},mode=max | |
| platforms: ${{ matrix.platforms || 'linux/amd64,linux/arm64' }} | |
| # With org.opencontainers.image.source pointing to this repository Dockerfile FROM updates in pull requests can be scanned | |
| # if the commits have matching tags with the image. | |
| # https://github.blog/changelog/2023-04-13-dependabot-now-supports-fetching-release-notes-and-changelogs-for-docker-images/ | |
| # https://octokit.github.io/rest.js/v19#git-create-ref | |
| # https://octokit.github.io/rest.js/v19#git-update-ref | |
| - name: Tag the commit or update tag | |
| if: github.ref == 'refs/heads/main' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| try { | |
| await github.rest.git.createRef({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| ref: 'refs/tags/${{ steps.build-tag.outputs.tag }}', | |
| sha: context.sha, | |
| }); | |
| } catch(e) { | |
| if (e.status === 422) { | |
| await github.rest.git.updateRef({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| ref: 'tags/${{ steps.build-tag.outputs.tag }}', | |
| sha: context.sha, | |
| force: true, | |
| }); | |
| } | |
| } | |
| # Can not use Personal Access Token to update the README. Returns FORBIDDEN. | |
| describe: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Docker Hub Description | |
| uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| repository: ${{ vars.DOCKERHUB_USERNAME }}/python-torch |