forked from Tracer-Cloud/opensre
-
Notifications
You must be signed in to change notification settings - Fork 0
152 lines (139 loc) · 5.75 KB
/
benchmark-image.yml
File metadata and controls
152 lines (139 loc) · 5.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: Benchmark image — build + push to ECR
# Builds infra/bench/Dockerfile.bench and pushes the resulting image to the
# opensre-bench ECR repository. The bench container is what
# `Benchmark run (manual)` invokes on AWS Fargate, so this workflow's
# output is the input to that one.
#
# Triggered automatically on changes to the bench code (or the Dockerfile
# itself) and manually via workflow_dispatch.
#
# After the image is pushed, update the task definition by re-applying the
# Terraform with the new tag:
#
# cd infra/bench
# terraform apply -var="image_tag=<TAG>"
#
# (Or wire a follow-up step into this workflow to update task definition
# automatically — out of scope for v1.)
#
# Tag format: short git SHA (`git rev-parse --short HEAD`). Stable, unique
# per commit, recognizable in `aws ecr describe-images` output. ECR is
# IMMUTABLE — a tag pushed once cannot be overwritten, so re-running the
# workflow on the same commit just re-tags (no-op layer push).
on:
workflow_dispatch:
inputs:
tag:
description: Image tag to push (default = short git SHA)
required: false
type: string
push:
branches:
- main
paths:
- "infra/bench/Dockerfile.bench"
- "infra/bench/Dockerfile.bench.dockerignore"
- "pyproject.toml"
- "uv.lock"
- "app/**"
- "tests/benchmarks/**"
- ".github/workflows/bench-image.yml"
permissions:
contents: read
id-token: write # required for AWS OIDC role assumption
concurrency:
# Allow one in-flight build per ref so two pushes in quick succession
# don't race ECR. The newer push cancels the older.
group: bench-image-${{ github.ref }}
cancel-in-progress: true
env:
AWS_REGION: us-east-1
# Account ID is repo-level configuration, not a secret. Set as a GitHub
# repository Variable (Settings > Secrets and variables > Actions >
# Variables) so it doesn't need to be edited in every workflow file
# when the bench moves accounts.
ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID }}
ECR_REPOSITORY: opensre-bench
jobs:
build-and-push:
if: github.repository == 'Tracer-Cloud/opensre'
name: build + push
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
with:
# Fetch enough history that `git rev-parse --short HEAD` is stable
fetch-depth: 1
- name: Resolve image tag
id: tag
env:
# Route `inputs.tag` through env so the shell treats it as DATA,
# not code. Without this, a workflow_dispatch caller could inject
# shell commands via a crafted `tag` value containing $() or
# backticks. See:
# https://securitylab.github.com/research/github-actions-untrusted-input/
INPUT_TAG: ${{ inputs.tag }}
run: |
if [ -n "$INPUT_TAG" ]; then
TAG="$INPUT_TAG"
else
TAG="$(git rev-parse --short HEAD)"
fi
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
echo "Will push: $ECR_REPOSITORY:$TAG"
- name: Configure AWS credentials (OIDC role assumption)
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/opensre-bench-github-actions
role-session-name: github-actions-bench-image-${{ github.run_id }}
aws-region: us-east-1
- name: Login to Amazon ECR
id: ecr-login
uses: aws-actions/amazon-ecr-login@v2
- name: Set up Docker Buildx
# Buildx adds multi-platform support + better cache control. Even
# for single-platform builds, it's the modern default.
uses: docker/setup-buildx-action@v3
- name: Build and push
id: build
uses: docker/build-push-action@v6
with:
context: .
file: infra/bench/Dockerfile.bench
platforms: linux/amd64
push: true
tags: |
${{ steps.ecr-login.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.tag.outputs.tag }}
# GitHub Actions cache for Docker layers - speeds up rebuilds
# when only the source changes (deps stay in the cached layer).
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false # smaller manifest; matches ECR's tolerance for OCI
- name: Summarise
# Route step outputs through env so the shell sees them as DATA,
# not code. `steps.tag.outputs.tag` is derived verbatim from the
# `inputs.tag` user input — without env scoping, a workflow_dispatch
# caller could inject shell commands here even though the
# "Resolve image tag" step is hardened. Same risk applies to any
# tag-derived chain.
env:
REGISTRY: ${{ steps.ecr-login.outputs.registry }}
TAG: ${{ steps.tag.outputs.tag }}
DIGEST: ${{ steps.build.outputs.digest }}
run: |
echo "## Image pushed" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "| field | value |" >> "$GITHUB_STEP_SUMMARY"
echo "| --- | --- |" >> "$GITHUB_STEP_SUMMARY"
echo "| Registry | \`$REGISTRY\` |" >> "$GITHUB_STEP_SUMMARY"
echo "| Repository | \`$ECR_REPOSITORY\` |" >> "$GITHUB_STEP_SUMMARY"
echo "| Tag | \`$TAG\` |" >> "$GITHUB_STEP_SUMMARY"
echo "| Digest | \`$DIGEST\` |" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "To deploy this image:" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "\`\`\`bash" >> "$GITHUB_STEP_SUMMARY"
echo "cd infra/bench" >> "$GITHUB_STEP_SUMMARY"
echo "terraform apply -var=\"image_tag=$TAG\"" >> "$GITHUB_STEP_SUMMARY"
echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"