From dba908aa2215b24a7d83d4798341c95ad080a259 Mon Sep 17 00:00:00 2001
From: "chen, suyue"
Date: Fri, 30 Aug 2024 11:32:46 +0800
Subject: [PATCH] optimize image scan cd workflow (#699)

Signed-off-by: chensuyue
---
 .github/workflows/_example-workflow.yml | 54 -------------
 .github/workflows/container-build.yml | 44 -----------
 .github/workflows/docker/docker-compose.yaml | 29 -------
 ...al-bom-scan.yml => manual-docker-scan.yml} | 66 ++++++++++++----
 .github/workflows/manual-example-workflow.yml | 6 --
 .github/workflows/manual-image-build.yml | 78 -------------------
 6 files changed, 49 insertions(+), 228 deletions(-)
 delete mode 100644 .github/workflows/container-build.yml
 delete mode 100644 .github/workflows/docker/docker-compose.yaml
 rename .github/workflows/{manual-bom-scan.yml => manual-docker-scan.yml} (51%)
 delete mode 100644 .github/workflows/manual-image-build.yml

diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml
index 097f0536b2..121d6247d6 100644
--- a/.github/workflows/_example-workflow.yml
+++ b/.github/workflows/_example-workflow.yml
@@ -20,10 +20,6 @@ on:
 default: true
 required: false
 type: boolean
- scan:
- default: true
- required: false
- type: boolean
 test_compose:
 default: false
 required: false
@@ -75,56 +71,6 @@ jobs: registry: ${OPEA_IMAGE_REPO}opea tag: ${{ inputs.tag }} -#################################################################################################### -# Trivy Scan -#################################################################################################### - get-image-list: - needs: [build-images] - if: ${{ fromJSON(inputs.scan) && inputs.node == 'gaudi' }} - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.scan-matrix.outputs.matrix }} - steps: - - name: Checkout out Repo - uses: actions/checkout@v4 - - - name: Set Matrix - id: scan-matrix - run: | - pip install yq - compose_path=${{ github.workspace }}/${{ inputs.example }}/docker/docker_build_compose.yaml - echo "matrix=$(cat ${compose_path} | yq -r '.[]' | jq 'keys' | jq -c '.')" >> $GITHUB_OUTPUT - - scan-images: - needs: [get-image-list, build-images] - if: ${{ fromJSON(inputs.scan) && inputs.node == 'gaudi'}} - runs-on: "docker-build-${{ inputs.node }}" - strategy: - matrix: - image: ${{ fromJSON(needs.get-image-list.outputs.matrix) }} - fail-fast: false - steps: - - name: Pull Image - run: | - docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} - echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV - - - name: Scan Container - uses: opea-project/validation/actions/trivy-scan@main - with: - image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }} - output: ${{ matrix.image }}-scan.txt - - - name: Cleanup - if: always() - run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} - - - uses: actions/upload-artifact@v4.3.4 - with: - name: ${{ matrix.image }}-scan - path: ${{ matrix.image }}-scan.txt - overwrite: true - #################################################################################################### # Docker Compose Test #################################################################################################### 
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml deleted file mode 100644 index dbbeeb5d80..0000000000 --- a/.github/workflows/container-build.yml +++ /dev/null @@ -1,44 +0,0 @@ -# Copyright (C) 2024 Intel Corporation -# SPDX-License-Identifier: Apache-2.0 - -name: Container Build -permissions: read-all -on: - workflow_dispatch: - schedule: - - cron: "35 1 * * 5" -jobs: - # https://github.com/intel/ai-containers/blob/main/.github/action.yml - build-containers: - runs-on: docker - env: - REGISTRY: ${{ secrets.REGISTRY }} - REPO: ${{ secrets.REPO }} - steps: - - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - uses: actions/checkout@v4 - - uses: docker/login-action@v3 - with: - registry: ${{ secrets.REGISTRY }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} - - name: Build Containers - run: | - docker compose -p ${GITHUB_RUN_NUMBER} build --no-cache - working-directory: .github/workflows/docker - - name: Print Containers to Summary - run: | - docker compose -p ${GITHUB_RUN_NUMBER} images --format json | jq -r --arg registry "$REGISTRY" '.[] | select(.Repository | contains($registry)) | .Tag' >> $GITHUB_STEP_SUMMARY - - name: Push Containers - run: | - docker compose -p ${GITHUB_RUN_NUMBER} push - working-directory: .github/workflows/docker - - name: Un-Tag Containers - run: | - docker compose -p ${GITHUB_RUN_NUMBER} down --rmi all - working-directory: .github/workflows/docker - - name: Remove Containers - if: always() - run: docker system prune --force diff --git a/.github/workflows/docker/docker-compose.yaml b/.github/workflows/docker/docker-compose.yaml deleted file mode 100644 index c0e9c53cf3..0000000000 --- a/.github/workflows/docker/docker-compose.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright (C) 2024 Intel Corporation -# SPDX-License-Identifier: Apache-2.0 - -services: - chatqna-megaservice-server: - build: - args: - http_proxy: ${http_proxy} - https_proxy: ${https_proxy} - no_proxy: ${no_proxy} - context: ../../../ChatQnA/microservice/xeon - dockerfile: docker/Dockerfile - image: ${REGISTRY}/${REPO}:chatqna-megaservice-server - pull_policy: always - chatqna-ui-server: - build: - context: ../../../ChatQnA/ui - extends: chatqna-megaservice-server - image: ${REGISTRY}/${REPO}:chatqna-ui-server - codegen-megaservice-server: - build: - context: ../../../CodeGen/microservice/xeon - extends: chatqna-megaservice-server - image: ${REGISTRY}/${REPO}:codegen-megaservice-server - codegen-ui-server: - build: - context: ../../../CodeGen/ui - extends: chatqna-megaservice-server - image: ${REGISTRY}/${REPO}:codegen-ui-server diff --git a/.github/workflows/manual-bom-scan.yml b/.github/workflows/manual-docker-scan.yml similarity index 51% rename from .github/workflows/manual-bom-scan.yml rename to .github/workflows/manual-docker-scan.yml index ebb13fb3a4..7b26978039 100644 --- a/.github/workflows/manual-bom-scan.yml +++ b/.github/workflows/manual-docker-scan.yml 
@@ -1,25 +1,40 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
-name: Examples docker images BoM scan on manual event
+name: Examples docker images BoM/CVE scan on manual event
 on:
 workflow_dispatch:
 inputs:
 node:
 default: "gaudi"
- description: "Hardware to run test"
+ description: "Hardware to run scan"
 required: true
 type: string
 examples:
 default: "ChatQnA"
- description: 'List of examples to test [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]'
+ description: 'List of examples to scan [AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation]'
 required: true
 type: string
+ images:
+ default: ""
+ description: 'List of images to scan'
+ required: false
+ type: string
 tag:
 default: "latest"
- description: "Tag to apply to images"
+ description: "Tag for images to scan"
 required: true
 type: string
+ sbom_scan:
+ default: true
+ description: 'Scan images for BoM'
+ required: false
+ type: boolean
+ trivy_scan:
+ default: true
+ description: 'Scan images for CVE'
+ required: false
+ type: boolean
 permissions: read-all
 jobs:
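Review bot: The new `images` input is documented only as 'List of images to scan', which leaves out the two things a dispatcher needs to know: the Set Matrix step later in this file splits the value on commas, and whenever it is non-empty the `examples` input is ignored entirely. I'd state both in the description: `description: 'Comma-separated list of image names to scan; when set, examples is ignored'`. Separately, `node` stays a free-text string that is spliced into `runs-on: "docker-build-${{ inputs.node }}"`, so a typo queues the job against a runner label that does not exist; if gaudi and xeon are the only scan pools (the two labels the deleted manual-image-build.yml targeted), `type: choice` with `options: [gaudi, xeon]` would reject bad values at dispatch time. The `inputs` block is complete here, but the `jobs` that consume these inputs continue past this hunk.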
@@ -34,18 +49,28 @@ jobs:
 - name: Set Matrix
 id: scan-matrix
 run: |
- pip install yq
- examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
- image_list=[]
- for example in ${examples[@]}
- do
- images=$(cat ${{ github.workspace }}/${example}/docker/docker_build_compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
- image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
- done
+ if [[ ! -z "${{ inputs.images }}" ]]; then
+ images=($(echo ${{ inputs.images }} | tr ',' ' '))
+ image_list=$(printf '%s\n' "${images[@]}" | sort -u | jq -R '.' | jq -sc '.')
+ else
+ pip install yq
+ examples=($(echo ${{ inputs.examples }} | tr ',' ' '))
+ image_list=[]
+ for example in ${examples[@]}
+ do
+ images=$(cat ${{ github.workspace }}/${example}/docker/docker_build_compose.yaml | yq -r '.[]' | jq 'keys' | jq -c '.')
+ image_list=$(echo ${image_list} | jq -s '.[0] + .[1] | unique' - <(echo ${images}))
+ done
+ fi
+
+ echo "print image list..."
+ echo "$image_list" | jq . | jq -r '.[]'
+ echo "end of image list..."
 echo "matrix=$(echo ${image_list} | jq -c '.')" >> $GITHUB_OUTPUT
 scan-license:
 needs: get-image-list
+ if: ${{ fromJSON(inputs.sbom_scan) }} || ${{ fromJSON(inputs.trivy_scan) }}
 runs-on: "docker-build-${{ inputs.node }}"
 strategy:
 matrix:
@@ -59,7 +84,7 @@ jobs:
 - name: SBOM Scan Container
 uses: anchore/sbom-action@v0.17.1
- if: always()
+ if: always() && ${{ inputs.sbom_scan }}
 with:
 image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
 output-file: ${{ matrix.image }}-sbom-scan.txt
@@ -67,7 +92,7 @@ jobs:
 - name: Security Scan Container
 uses: aquasecurity/trivy-action@0.24.0
- if: always()
+ if: always() && ${{ inputs.trivy_scan }}
 with:
 image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
 output: ${{ matrix.image }}-trivy-scan.txt
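Review bot: `inputs.images` (and, in the else branch, `inputs.examples`) is expanded straight into the Set Matrix shell script in `if [[ ! -z "${{ inputs.images }}" ]]; then` and `images=($(echo ${{ inputs.images }} | tr ',' ' '))`; the `${{ }}` substitution happens before bash reads the text, so the surrounding double quotes do not contain it and a crafted value runs arbitrary commands on the runner, while the resulting names are then fed as image references to the SBOM and Trivy steps on the self-hosted scan nodes. workflow_dispatch limits who can trigger this, but the standard fix costs two lines: put the inputs in `env:` on the step (`env: { IMAGES: "${{ inputs.images }}", EXAMPLES: "${{ inputs.examples }}" }`) and read `"$IMAGES"` / `"$EXAMPLES"` in the script. The new job gate `if: ${{ fromJSON(inputs.sbom_scan) }} || ${{ fromJSON(inputs.trivy_scan) }}` also looks wrong: with two separate `${{ }}` blocks joined by a bare `||`, GitHub appears to evaluate the value as a format string, and the resulting non-empty text (`true || false`) is truthy, so the job would run even with both toggles off. Keeping the whole condition in one block, `if: ${{ inputs.sbom_scan || inputs.trivy_scan }}`, evaluates it as intended (boolean inputs need no `fromJSON`). The `get-image-list` job this step belongs to starts before the hunk.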
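Review bot: `if: always() && ${{ inputs.sbom_scan }}` mixes a bare expression with a `${{ }}` block, and the Trivy step in the next hunk uses the same pattern; as far as I can tell GitHub treats such a value as a format string, so after substitution the step condition is the text `always() && false`, which is a non-empty string and therefore truthy, meaning the new toggle would never actually skip the scan. Writing the whole condition inside one block, `if: ${{ always() && inputs.sbom_scan }}` and `if: ${{ always() && inputs.trivy_scan }}`, gives the intended gating; a dispatch run with one toggle off would confirm it. The `scan-license` job these steps belong to starts before the hunk.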
@@ -82,8 +107,15 @@ jobs:
 run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
 - uses: actions/upload-artifact@v4.3.4
- if: always()
+ if: always() && (${{ inputs.sbom_scan }}
+ with:
+ name: sbom-scan
+ path: ${{ matrix.image }}-*-sbom-scan.txt
+ overwrite: true
+
+ - uses: actions/upload-artifact@v4.3.4
+ if: always() && (${{ inputs.trivy_scan }}
 with:
- name: ${{ matrix.image }}-scan
- path: ${{ matrix.image }}-*-scan.txt
+ name: trivy-scan
+ path: ${{ matrix.image }}-*-trivy-scan.txt
 overwrite: true
diff --git a/.github/workflows/manual-example-workflow.yml b/.github/workflows/manual-example-workflow.yml
index 5c70deed2c..03ba728c79 100644
--- a/.github/workflows/manual-example-workflow.yml
+++ b/.github/workflows/manual-example-workflow.yml
@@ -30,11 +30,6 @@ on:
 description: 'Build test required images for Examples'
 required: false
 type: boolean
- scan:
- default: true
- description: 'Scan all images with Trivy'
- required: false
- type: boolean
 test_compose:
 default: true
 description: 'Test examples with docker compose'
@@ -102,7 +97,6 @@ jobs:
 example: ${{ matrix.example }}
 tag: ${{ inputs.tag }}
 build: ${{ fromJSON(inputs.build) }}
- scan: ${{ fromJSON(inputs.scan) }}
 test_compose: ${{ fromJSON(inputs.test_compose) }}
 test_k8s: ${{ fromJSON(inputs.test_k8s) }}
 test_gmc: ${{ fromJSON(inputs.test_gmc) }}
diff --git a/.github/workflows/manual-image-build.yml b/.github/workflows/manual-image-build.yml
deleted file mode 100644
index 05bc5a96f6..0000000000
--- a/.github/workflows/manual-image-build.yml
+++ /dev/null
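Review bot: Both new upload steps use a fixed artifact name (`name: sbom-scan`, `name: trivy-scan`) with `overwrite: true` inside a matrix job, so every image's job writes to the same artifact and each upload replaces the previous one; with upload-artifact v4, where names must be unique per run, only the last image to finish keeps its report and the other scan results are silently lost. The previous `${{ matrix.image }}-scan` avoided this, so I'd use `name: ${{ matrix.image }}-sbom-scan` and `name: ${{ matrix.image }}-trivy-scan`. The `if:` on both steps also carries an unbalanced `(` in `always() && (${{ inputs.sbom_scan }}`; as written the value is probably read as a format string and treated as always true rather than as a syntax error, and the intended form is `if: ${{ always() && inputs.sbom_scan }}` (likewise for trivy). The `scan-license` job these steps belong to starts before the hunk.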
@@ -1,78 +0,0 @@ -# Copyright (C) 2024 Intel Corporation -# SPDX-License-Identifier: Apache-2.0 - -name: Build latest images on manual event - -on: - workflow_dispatch: - inputs: - registry: - default: "" - description: "Registry to store images,e.g., docker.io, default is empty" - required: false - type: string - services: - default: "AudioQnA,ChatQnA,CodeGen,CodeTrans,DocSum,FaqGen,SearchQnA,Translation" - description: "List of examples to build" - required: true - type: string - tag: - default: "latest" - description: "Tag to apply to images" - required: true - type: string - nodes: - default: "docker-build-xeon,docker-build-gaudi" - description: "List of node to run the build on" - required: true - type: string - -jobs: - get-build-matrix: - runs-on: ubuntu-latest - outputs: - services: ${{ steps.get-services.outputs.services }} - nodes: ${{ steps.get-services.outputs.nodes }} - steps: - - name: Get test Services - id: get-services - run: | - set -x - service_list=($(echo ${{ github.event.inputs.services }} | tr ',' ' ')) - services=$(printf '%s\n' "${service_list[@]}" | sort -u | jq -R '.' | jq -sc '.') - echo "services=$services" >> $GITHUB_OUTPUT - node_list=($(echo ${{ github.event.inputs.nodes }} | tr ',' ' ')) - nodes=$(printf '%s\n' "${node_list[@]}" | sort -u | jq -R '.' 
| jq -sc '.') - echo "nodes=$nodes" >> $GITHUB_OUTPUT - - image-build: - needs: get-build-matrix - strategy: - matrix: - service: ${{ fromJSON(needs.get-build-matrix.outputs.services) }} - node: ${{ fromJSON(needs.get-build-matrix.outputs.nodes) }} - runs-on: ${{ matrix.node }} - continue-on-error: true - steps: - - name: Clean Up Working Directory - run: | - sudo rm -rf ${{github.workspace}}/* - - - name: Checkout out Repo - uses: actions/checkout@v4 - - - name: Config image repo - run: | - if [[ -z "${{ github.event.inputs.registry }}" ]]; then - echo "image_repo=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV - else - echo "image_repo=${{ github.event.inputs.registry }}/" >> $GITHUB_ENV - fi - - - name: Build image - uses: opea-project/validation/actions/image-build@main - with: - work_dir: ${{ github.workspace }}/${{ matrix.service }} - docker_compose_path: ${{ github.workspace }}/.github/workflows/docker/compose/${{ matrix.service }}-compose.yaml - registry: ${{ env.image_repo }}opea - tag: ${{ github.event.inputs.tag }}