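# Nightly/release pipeline: build images, run integration tests, scan the
# images whose tests passed, then hand the surviving image list to the
# publish workflow.
name: Nightly Pipeline
on:
  workflow_dispatch:
    inputs:
      mode:
        description: 'release/nightly, default is nightly'
        required: true
        default: 'nightly'
        type: choice
        options:
          - nightly
          - release
  workflow_call:
    inputs:
      mode:
        # Free-form string from the caller (not restricted to the choice list
        # above), so it is never expanded directly into shell text below.
        description: 'release/nightly, default is nightly'
        type: string
        required: true
        default: 'nightly'
  schedule:
    # Scheduled runs carry no inputs; inputs.mode is empty and falls back to nightly.
    - cron: '0 13 * * *'

# Least privilege: id-token for OIDC role assumption, read-only repository contents.
permissions:
  id-token: write
  contents: read

jobs:
  build:
    uses: ./.github/workflows/docker-nightly-publish.yml
    secrets: inherit
    with:
      mode: ${{ inputs.mode || 'nightly' }}

  integration-test:
    needs: [build]
    uses: ./.github/workflows/integration.yml
    secrets: inherit
    with:
      djl-version: ${{ needs.build.outputs.djl_version }}
      tag-suffix: ${{ inputs.mode == 'release' && github.sha || format('{0}-{1}', 'nightly', github.sha) }}

  # Runs even when integration-test failed so that the images whose own
  # suites passed can still be scanned and published.
  determine_images_to_publish:
    if: always()
    needs: [integration-test]
    runs-on: ubuntu-latest
    outputs:
      images: ${{ steps.generate-images.outputs.images }}
    steps:
      - name: Generate image list from test results
        id: generate-images
        # Workflow outputs go through env rather than being expanded inside the
        # script, so their contents are data to bash, never code.
        env:
          FAILURE_CPU: ${{ needs.integration-test.outputs.failure_cpu }}
          FAILURE_GPU: ${{ needs.integration-test.outputs.failure_gpu }}
          FAILURE_AARCH64: ${{ needs.integration-test.outputs.failure_aarch64 }}
          FAILURE_LMI: ${{ needs.integration-test.outputs.failure_lmi }}
          FAILURE_TRTLLM: ${{ needs.integration-test.outputs.failure_trtllm }}
        run: |
          # An image is publishable only when its failure counter is exactly "0";
          # an empty value (suite skipped or upstream job failed) keeps it out.
          images=()
          if [[ "$FAILURE_CPU" == "0" ]]; then
            images+=("cpu")
            images+=("cpu-full")
          fi
          if [[ "$FAILURE_GPU" == "0" ]]; then
            images+=("pytorch-gpu")
          fi
          if [[ "$FAILURE_AARCH64" == "0" ]]; then
            images+=("aarch64")
          fi
          if [[ "$FAILURE_LMI" == "0" ]]; then
            images+=("lmi")
          fi
          if [[ "$FAILURE_TRTLLM" == "0" ]]; then
            images+=("tensorrt-llm")
          fi
          # jq builds the JSON array so every element is escaped correctly.
          json_images=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${images[@]}")
          echo "images are ${json_images}"
          echo "images=${json_images}" >> "$GITHUB_OUTPUT"

  ecr-scan:
    if: always()
    needs: [determine_images_to_publish, build]
    runs-on: ubuntu-latest
    strategy:
      # Scan every image even when one of them fails the severity gate.
      fail-fast: false
      matrix:
        arch: ${{ fromJson(needs.determine_images_to_publish.outputs.images) }}
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::185921645874:role/github-actions-djl-serving
          aws-region: us-east-1

      - name: Get image tag
        id: get-tag
        env:
          SERVING_VERSION: ${{ needs.build.outputs.djl_version }}
          # inputs.mode is an unrestricted string on workflow_call; keep it out
          # of the script text to rule out command injection.
          MODE: ${{ inputs.mode }}
          ARCH: ${{ matrix.arch }}
        run: |
          # Tag layout: <version>-<arch>[-nightly]; the suffix is dropped only for release.
          NIGHTLY=""
          if [[ "$MODE" != "release" ]]; then
            NIGHTLY="-nightly"
          fi
          IMAGE_TAG="${SERVING_VERSION}-${ARCH}${NIGHTLY}"
          echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"

      - name: Get image digest
        id: get-digest
        env:
          IMAGE_TAG: ${{ steps.get-tag.outputs.IMAGE_TAG }}
        run: |
          DIGEST=$(aws ecr describe-images \
            --repository-name djl-ci-temp \
            --image-ids "imageTag=${IMAGE_TAG}" \
            --region us-east-1 \
            --query 'imageDetails[0].imageDigest' \
            --output text)
          # Without a digest the Inspector filter below would match nothing and
          # the scan would pass vacuously; fail here instead.
          if [[ -z "$DIGEST" || "$DIGEST" == "None" ]]; then
            echo "ERROR: no image digest found for tag ${IMAGE_TAG}"
            exit 1
          fi
          echo "DIGEST=${DIGEST}" >> "$GITHUB_OUTPUT"

      - name: Check Inspector findings
        env:
          DIGEST: ${{ steps.get-digest.outputs.DIGEST }}
          ARCH: ${{ matrix.arch }}
        run: |
          REPO_URI="185921645874.dkr.ecr.us-east-1.amazonaws.com/djl-ci-temp"
          RESOURCE_ID="${REPO_URI}@${DIGEST}"
          echo "Checking vulnerabilities for: ${RESOURCE_ID}"
          # NOTE(review): a fixed delay is assumed to be long enough for
          # Inspector to publish findings; a scan still in progress reports
          # zero findings and passes this gate. Polling the scan status would
          # be more reliable — confirm.
          sleep 30
          # Build the filter with jq so the digest is JSON-escaped rather than
          # spliced into a literal.
          FILTER=$(jq --compact-output --null-input --arg digest "$DIGEST" \
            '{ecrImageHash: [{comparison: "EQUALS", value: $digest}]}')
          FINDINGS=$(aws inspector2 list-findings \
            --filter-criteria "$FILTER" \
            --region us-east-1 \
            --output json)
          HIGH=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="HIGH")] | length')
          CRITICAL=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="CRITICAL")] | length')
          echo "Scan Results for ${ARCH}:"
          echo "HIGH: ${HIGH}"
          echo "CRITICAL: ${CRITICAL}"
          if [ "$HIGH" -gt 0 ] || [ "$CRITICAL" -gt 0 ]; then
            echo "ERROR: Found HIGH or CRITICAL vulnerabilities"
            echo "$FINDINGS" | jq '.findings[] | select(.severity=="HIGH" or .severity=="CRITICAL") | {title, severity, description}'
            exit 1
          fi
          echo "No HIGH or CRITICAL vulnerabilities found"

  # NOTE(review): always() here means publish also runs when ecr-scan failed
  # (HIGH/CRITICAL findings or a missing digest), so the scan does not actually
  # gate publishing. If it is meant to, use
  # `if: ${{ !cancelled() && needs.ecr-scan.result == 'success' }}`
  # — confirm intent before changing.
  publish:
    if: always()
    needs: [determine_images_to_publish, ecr-scan]
    uses: ./.github/workflows/docker_publish.yml
    secrets: inherit
    with:
      mode: ${{ inputs.mode || 'nightly' }}
      commit_sha: ${{ github.sha }}
      arch: ${{ needs.determine_images_to_publish.outputs.images }}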