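# Builds, pushes and attests the python-torch images on Docker Hub.
#
# Flow: `build` produces one image per (torch, python, index, platform) cell
# and attests it; `merge` joins the amd64/arm64 cu126 images into one manifest
# (after verifying each platform image's attestation) and attests that;
# `description` syncs README.md to the Docker Hub repository page.
#
# This requires
# vars.DOCKERHUB_USERNAME for the result image account
# secrets.DOCKERHUB_USERNAME for the account that pushes the image
# secrets.DOCKERHUB_TOKEN for the account password that pushes the image
name: Docker
on:
  push:
    branches:
      - main
  # We want to monthly update the base image for security
  # TODO Can we avoid building the same image?
  schedule:
    # min hour dom month dow
    - cron: '42 3 2 * *'
  workflow_dispatch:
jobs:
  build:
    runs-on: ${{ matrix.platform == 'linux/arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
    strategy:
      matrix:
        torch: ['2.9.1']
        python: ['3.14.2', '3.14.2-slim']
        index: [cu126, cpu]
        platform: [linux/amd64, linux/arm64]
        exclude:
          - index: cpu
            platform: linux/arm64
          - index: cpu
            python: '3.14.2-slim'
    permissions:
      contents: write  # For the tag creation on cpu images
      id-token: write  # Needed for actions/attest-build-provenance build predicate
      attestations: write  # Needed for actions/attest-build-provenance attestation upload to repository
      artifact-metadata: write  # Needed for actions/attest-build-provenance artifact metadata storage records
    steps:
      - id: created
        run: echo "created=$(date --utc +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
      # NOTE(review): tag-pinned; the docker/* actions below are pinned to a
      # commit SHA — consider the same for checkout/attest/github-script.
      - uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Log in to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        if: github.ref == 'refs/heads/main'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build Tag
        id: build-tag
        # Tags have limited set of valid character, '+' not included
        # https://github.com/opencontainers/distribution-spec/blob/main/spec.md#pulling-manifests
        # The platform suffix is only added for the cu126 images; the cpu image is
        # amd64-only (see matrix.exclude) and is tagged without a suffix.
        run: |
          echo "tag=$(echo -n "${{ matrix.torch }}${{ matrix.index && format('-{0}', matrix.index) || '' }}-${{ matrix.python }}${PLATFORM:+-}${PLATFORM#*/}" | tr -c 'a-zA-Z0-9._-' '[-*]')" >> "$GITHUB_OUTPUT"
        env:
          PLATFORM: ${{ matrix.index != 'cpu' && matrix.platform || '' }}
      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        id: build-push
        with:
          context: .
          push: ${{ github.ref == 'refs/heads/main' }}
          # matrix.url, matrix.torch-wheel-tag, matrix.torchvision and
          # matrix.extra-index-url are not set by this matrix; the `||`
          # fallbacks apply unless an include entry provides them.
          build-args: |
            CREATED=${{ steps.created.outputs.created }}
            SOURCE_COMMIT=${{ github.sha }}
            PYTHON=${{ matrix.python }}
            TORCH=${{ matrix.torch }}
            TORCH_REQUIREMENT=${{ matrix.url || format('torch=={0}', matrix.torch) }}
            TORCH_WHEEL_SOURCE=${{ matrix.torch-wheel-tag && format('{0}/torch-wheels:{1}', vars.DOCKERHUB_USERNAME, matrix.torch-wheel-tag) || 'scratch'}}
            TORCHVISION_WHEEL_SOURCE=${{ matrix.torchvision && format('{0}/torchvision-wheels:{1}', vars.DOCKERHUB_USERNAME, matrix.torchvision) || 'scratch'}}
            EXTRA_INDEX_URL=${{ matrix.extra-index-url || format('https://download.pytorch.org/whl/{0}/', matrix.index) }}
            CONSTRAINTS=constraints-${{ matrix.torch }}.txt
          # TODO add the latest tag, maybe somehow via docker/metadata-action
          tags: |
            ${{ vars.DOCKERHUB_USERNAME }}/python-torch:${{ steps.build-tag.outputs.tag }}
          # https://docs.docker.com/build/ci/github-actions/cache/
          cache-from: type=gha,scope=${{ matrix.torch }}-${{ matrix.python }}
          cache-to: type=gha,scope=${{ matrix.torch }}-${{ matrix.python }},mode=max
          platforms: ${{ matrix.platform }}
      - name: Create attestation for the image
        # The image is only pushed on main (see `push:` above); without a
        # pushed image there is nothing in the registry to attest.
        if: github.ref == 'refs/heads/main'
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: docker.io/${{ vars.DOCKERHUB_USERNAME }}/python-torch
          subject-digest: ${{ steps.build-push.outputs.digest }}
          push-to-registry: true
      # With org.opencontainers.image.source pointing to this repository Dockerfile FROM updates in pull requests can be scanned
      # if the commits have matching tags with the image.
      # https://github.blog/changelog/2023-04-13-dependabot-now-supports-fetching-release-notes-and-changelogs-for-docker-images/
      # https://octokit.github.io/rest.js/v19#git-create-ref
      # https://octokit.github.io/rest.js/v19#git-update-ref
      - name: Tag the commit or update tag
        if: github.ref == 'refs/heads/main' && matrix.index == 'cpu'
        uses: actions/github-script@v9
        with:
          # 422 means the ref already exists: move it to the current commit.
          script: |
            try {
              await github.rest.git.createRef({
                owner: context.repo.owner,
                repo: context.repo.repo,
                ref: 'refs/tags/${{ steps.build-tag.outputs.tag }}',
                sha: context.sha,
              });
            } catch(e) {
              if (e.status === 422) {
                await github.rest.git.updateRef({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  ref: 'tags/${{ steps.build-tag.outputs.tag }}',
                  sha: context.sha,
                  force: true,
                });
              }
            }
  merge:
    needs: build
    # The platform images are only pushed from main; on any other ref
    # (workflow_dispatch from a branch) there is nothing to merge.
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        torch: ['2.9.1']
        python: ['3.14.2', '3.14.2-slim']
        index: [cu126]
    permissions:
      contents: write  # For the tag creation
      id-token: write  # Needed for actions/attest-build-provenance build predicate
      attestations: write  # Needed for actions/attest-build-provenance attestation upload to repository
      artifact-metadata: write  # Needed for actions/attest-build-provenance artifact metadata storage records
    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Merge platform images using manifest tool
        id: manifest
        run: |
          # The runner's default shell is `bash -e`; pipefail is needed so a
          # failed `imagetools create` is not masked by the `tee` behind it.
          set -o pipefail
          # This must match the build job tag generation
          tag="$(echo -n "${{ matrix.torch }}${{ matrix.index && format('-{0}', matrix.index) || '' }}-${{ matrix.python }}" | tr -c 'a-zA-Z0-9._-' '[-*]')"
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
          repository="docker.io/$DOCKERHUB_USERNAME/python-torch"
          echo "repository=$repository" >> "$GITHUB_OUTPUT"
          name="$repository:$tag"
          echo "name=$name" >> "$GITHUB_OUTPUT"
          # Only merge platform images whose provenance traces back to this
          # repository, this workflow and this commit.
          verify() {
            gh attestation verify "oci://$repository@$1" \
              --repo "$GITHUB_REPOSITORY" \
              --signer-workflow "$GITHUB_WORKFLOW_REF" \
              --source-digest "$GITHUB_SHA"
          }
          amd64_digest=$(docker buildx imagetools inspect "$name-amd64" --format '{{ print .Manifest.Digest }}')
          verify "$amd64_digest"
          arm64_digest=$(docker buildx imagetools inspect "$name-arm64" --format '{{ print .Manifest.Digest }}')
          verify "$arm64_digest"
          docker buildx imagetools create \
            --tag "$name" \
            "$repository@$amd64_digest" \
            "$repository@$arm64_digest" 2>&1 | tee "$RUNNER_TEMP/create_output.txt"
          # Would be too easy, if create output the digest to stdout directly
          digest=$(sed -ne 's/.*pushing \(sha256:[a-f0-9]\+\).*/\1/p' "$RUNNER_TEMP/create_output.txt")
          # An empty digest would hand the attestation step an empty subject;
          # fail here instead, where the create output is still at hand.
          if [ -z "$digest" ]; then
            echo "::error::could not extract the manifest digest from imagetools create output"
            exit 1
          fi
          echo "digest=$digest" >> "$GITHUB_OUTPUT"
        env:
          DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
          GH_TOKEN: ${{ github.token }}
      - name: Create attestation for the manifest
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: ${{ steps.manifest.outputs.repository }}
          subject-digest: ${{ steps.manifest.outputs.digest }}
          push-to-registry: true
      # With org.opencontainers.image.source pointing to this repository Dockerfile FROM updates in pull requests can be scanned
      # if the commits have matching tags with the image.
      # https://github.blog/changelog/2023-04-13-dependabot-now-supports-fetching-release-notes-and-changelogs-for-docker-images/
      # https://octokit.github.io/rest.js/v19#git-create-ref
      # https://octokit.github.io/rest.js/v19#git-update-ref
      - name: Tag the commit or update tag
        if: github.ref == 'refs/heads/main'
        uses: actions/github-script@v9
        with:
          # 422 means the ref already exists: move it to the current commit.
          script: |
            try {
              await github.rest.git.createRef({
                owner: context.repo.owner,
                repo: context.repo.repo,
                ref: 'refs/tags/${{ steps.manifest.outputs.tag }}',
                sha: context.sha,
              });
            } catch(e) {
              if (e.status === 422) {
                await github.rest.git.updateRef({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  ref: 'tags/${{ steps.manifest.outputs.tag }}',
                  sha: context.sha,
                  force: true,
                });
              }
            }
  description:
    needs: merge
    # https://github.com/actions/runner-images/blob/main/images/ubuntu-slim/ubuntu-slim-Readme.md
    runs-on: ubuntu-slim
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: read  # To checkout the README.md
    steps:
      - uses: actions/checkout@v6
      # Can not use Personal Access Token to update the README. Returns FORBIDDEN.
      - name: Docker Hub Description
        uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: ${{ vars.DOCKERHUB_USERNAME }}/python-torch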