From c3e52f1869ff3d944ef21cd4c8dc9492995a5719 Mon Sep 17 00:00:00 2001 From: Sertac Ozercan Date: Sun, 3 Dec 2023 23:13:07 +0000 Subject: [PATCH] ci: update release process and sign Signed-off-by: Sertac Ozercan --- .github/workflows/pre-release.yaml | 29 +++++++--- .github/workflows/release.yaml | 39 ++++++++++--- .github/workflows/test-docker.yaml | 36 +++++++++--- .github/workflows/update-models.yaml | 58 ++++++++++++++----- ...b-chat.yaml => llama-2-13b-chat-cuda.yaml} | 0 ...7b-chat.yaml => llama-2-7b-chat-cuda.yaml} | 0 .../orca-2-13b.yaml => orca-2-13b-cuda.yaml} | 0 test/aikitfile.yaml | 2 +- 8 files changed, 123 insertions(+), 41 deletions(-) rename models/{cuda/llama-2-13b-chat.yaml => llama-2-13b-chat-cuda.yaml} (100%) rename models/{cuda/llama-2-7b-chat.yaml => llama-2-7b-chat-cuda.yaml} (100%) rename models/{cuda/orca-2-13b.yaml => orca-2-13b-cuda.yaml} (100%) diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml index 1ffe70ed..a3d48b01 100644 --- a/.github/workflows/pre-release.yaml +++ b/.github/workflows/pre-release.yaml @@ -8,6 +8,7 @@ on: permissions: contents: write packages: write + id-token: write jobs: release: 
@@ -18,25 +19,35 @@ jobs: - name: cleanup disk space run: | - df -H docker system prune -f -a --volumes sudo rm -rf /usr/share/dotnet sudo rm -rf /opt/ghc sudo rm -rf "/usr/local/share/boost" sudo rm -rf "$AGENT_TOOLSDIRECTORY" - df -H - - name: Login to ghcr + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: create buildx builder - run: docker buildx create --use --name builder --bootstrap - - uses: crazy-max/ghaction-github-runtime@v3 + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: | + ghcr.io/sozercan/aikit:dev + cache-from: type=gha,scope=aikit + cache-to: type=gha,scope=aikit,mode=max - - name: Push aikit:dev to GHCR - run: | - docker buildx build -t ghcr.io/sozercan/aikit:dev --push . + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: cosign sign --yes "ghcr.io/sozercan/aikit@${DIGEST}" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5cb7f0cd..a1ee4205 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -8,6 +8,7 @@ on: permissions: contents: write packages: write + id-token: write jobs: release: 
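Review bot: The new `Build and push` step has no `id`, so `steps.build-and-push.outputs.digest` in the `Sign the images with GitHub OIDC Token` step expands to an empty string and `cosign sign` is handed `ghcr.io/sozercan/aikit@`, which is not a valid reference; add `id: build-and-push` directly under `- name: Build and push`. The same missing `id` is in release.yaml's `Build and push` step and in update-models.yaml's, where both the sign step and the `verify image signature` step read that output. Now that these workflows hold `id-token: write` alongside `packages: write`, it would also be worth pinning the third-party actions they run (`sigstore/cosign-installer@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`, `docker/login-action@v3`) to full commit SHAs rather than mutable major tags, since any of them executes with the ability to mint an OIDC token that cosign will sign with.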
@@ -15,10 +16,23 @@ jobs: timeout-minutes: 360 steps: - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Login to ghcr + - name: cleanup disk space + run: | + docker system prune -f -a --volumes + sudo rm -rf /usr/share/dotnet + sudo rm -rf /opt/ghc + sudo rm -rf "/usr/local/share/boost" + sudo rm -rf "$AGENT_TOOLSDIRECTORY" + + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - uses: crazy-max/ghaction-github-runtime@v3 + + - name: Login to GHCR uses: docker/login-action@v3 with: registry: ghcr.io @@ -29,10 +43,17 @@ jobs: run: | echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV - - name: Push aikit:latest to GHCR - run: | - docker buildx build . -t ghcr.io/sozercan/aikit:${TAG} -t ghcr.io/sozercan/aikit:latest --push --cache-from=type=gha,scope=aikit --cache-to=type=gha,scope=aikit,mode=max + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: | + ghcr.io/sozercan/aikit:${TAG} + ghcr.io/sozercan/aikit:latest + cache-from: type=gha,scope=aikit + cache-to: type=gha,scope=aikit,mode=max - # - name: release llama 2 image - # run: | - # docker buildx build -t ghcr.io/sozercan/llama2:7b -t ghcr.io/sozercan/llama2:7b-chat -t ghcr.io/sozercan/llama2:chat -t ghcr.io/sozercan/llama2:latest -f models/llama-2-chat-7b.yaml --push --cache-from=type=gha,scope=llama-2-7b-chat --cache-to=type=gha,scope=llama-2-7b-chat,mode=max + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: cosign sign --yes "ghcr.io/sozercan/aikit@${DIGEST}" diff --git a/.github/workflows/test-docker.yaml b/.github/workflows/test-docker.yaml index e4fc5710..19e31481 100644 --- a/.github/workflows/test-docker.yaml +++ b/.github/workflows/test-docker.yaml 
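Review bot: In the `@@ -29,10 +43,17 @@` hunk, `tags: | ghcr.io/sozercan/aikit:${TAG}` is an action input rather than a shell line, so `${TAG}` is never expanded and the action receives the literal text `${TAG}` as part of the tag, which is not a valid image reference; the removed `docker buildx build` line only worked because it ran in a shell. `TAG` is written to `$GITHUB_ENV` by the step immediately above, so the input should read `ghcr.io/sozercan/aikit:${{ env.TAG }}`, which is the form update-models.yaml in this same commit already uses in its `tags:` input. Without the fix the release job would push only `aikit:latest`, if it pushes at all, and the signing step would then sign an image that carries no version tag.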
@@ -23,23 +23,43 @@ jobs: - name: cleanup disk space run: | - df -H docker system prune -f -a --volumes sudo rm -rf /usr/share/dotnet sudo rm -rf /opt/ghc sudo rm -rf "/usr/local/share/boost" sudo rm -rf "$AGENT_TOOLSDIRECTORY" - df -H - - name: create buildx builder - run: docker buildx create --use --name builder --bootstrap + - uses: crazy-max/ghaction-setup-docker@v2 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } - uses: crazy-max/ghaction-github-runtime@v3 - - name: build aikit - run: docker buildx build . -t sozercan/aikit:test --load --cache-from=type=gha,scope=aikit --cache-to=type=gha,scope=aikit,mode=max + - name: Build and load aikit + uses: docker/build-push-action@v5 + with: + load: true + tags: aikit:test + cache-from: type=gha,scope=aikit + cache-to: type=gha,scope=aikit,mode=max - - name: build test model - run: docker buildx build . -t sozercan/testmodel:test -f test/aikitfile.yaml --load --cache-from=type=gha,scope=testmodel --cache-to=type=gha,scope=testmodel,mode=max + - name: list images + run: docker images + + - name: Build and load test model + uses: docker/build-push-action@v5 + with: + load: true + pull: false + tags: sozercan/testmodel:test + file: test/aikitfile.yaml + cache-from: type=gha,scope=testmodel + cache-to: type=gha,scope=testmodel,mode=max - name: list images run: docker images diff --git a/.github/workflows/update-models.yaml b/.github/workflows/update-models.yaml index 2d5d3280..4418dbf7 100644 --- a/.github/workflows/update-models.yaml +++ b/.github/workflows/update-models.yaml 
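Review bot: The first build now tags the frontend image as the unqualified `aikit:test` (the removed line used `sozercan/aikit:test`), and `test/aikitfile.yaml` in this commit switches its header to `#syntax=aikit:test`; with `pull: false` the second build uses the locally loaded image, but as far as I can tell, if that load did not leave an image behind (a snapshotter or cache misconfiguration, for instance), BuildKit would resolve the unqualified `#syntax` reference against `docker.io/library/aikit:test` and fetch a frontend from an external registry instead of the one just built. Keeping a namespaced tag such as `sozercan/aikit:test` in both places, or asserting the image is present before the second build (`docker image inspect aikit:test >/dev/null`), removes that ambiguity. Separately, `"debug": true` in `daemon-config` looks like a leftover from debugging and only makes the daemon log noisier; drop it unless it is intended, and the added `list images` step duplicates the one already at the end of the hunk.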
@@ -6,14 +6,32 @@ on: permissions: contents: write packages: write + id-token: write jobs: update-models: + strategy: + fail-fast: false + matrix: + model: + - llama-2-7b-chat + - llama-2-13b-chat + - orca-2-13b + - llama-2-7b-chat-cuda + - llama-2-13b-chat-cuda + - orca-2-13b-cuda runs-on: ubuntu-latest timeout-minutes: 360 steps: - uses: actions/checkout@v4 + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - uses: crazy-max/ghaction-github-runtime@v3 + - name: Login to GHCR uses: docker/login-action@v3 with: 
@@ -21,18 +39,30 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Push llama 2 models to GHCR + - name: parse matrix + run: | + echo "MODEL_NAME=$(echo ${{ matrix.model }} | cut -d'-' -f1-2 | sed 's/-//g')" >> $GITHUB_ENV + echo "MODEL_SIZE=$(echo ${{ matrix.model }} | rev | cut -d'-' -f2 | rev)" >> $GITHUB_ENV + echo "MODEL_RUNTIME=-$(echo ${{ matrix.model }} | rev | cut -d'-' -f1 | rev)" >> $GITHUB_ENV + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ghcr.io/sozercan/${{ env.MODEL_NAME }}:${{ env.MODEL_SIZE }}${{ env.MODEL_RUNTIME }} + file: models/${{ matrix.model }}.yaml + cache-from: type=gha,scope=${{ env.MODEL_NAME }}:${{ env.MODEL_SIZE }} + cache-to: type=gha,scope=${{ env.MODEL_NAME }}:${{ env.MODEL_SIZE }},mode=max + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: cosign sign --yes "ghcr.io/sozercan/${{ env.MODEL_NAME }}:${{ env.MODEL_SIZE }}${{ env.MODEL_RUNTIME }}@${DIGEST}" + + - name: verify image signature + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} run: | - docker buildx create --use --name builder --bootstrap - - # cpu avx - MODELS_PATH=models - docker buildx build . -t ghcr.io/sozercan/llama2:7b -f ${MODELS_PATH}/llama-2-7b-chat.yaml --push - docker buildx build . -t ghcr.io/sozercan/llama2:13b -f ${MODELS_PATH}/llama-2-13b-chat.yaml --push - docker buildx build . -t ghcr.io/sozercan/orca2:13b -f ${MODELS_PATH}/orca-2-13b.yaml --push - - # cuda - CUDA_MODELS_PATH=models/cuda - docker buildx build . -t ghcr.io/sozercan/llama2:7b-cuda -f ${CUDA_MODELS_PATH}/llama-2-7b-chat.yaml --push - docker buildx build . -t ghcr.io/sozercan/llama2:13b-cuda -f ${CUDA_MODELS_PATH}/llama-2-13b-chat.yaml --push - docker buildx build . 
-t ghcr.io/sozercan/orca2:13b-cuda -f ${CUDA_MODELS_PATH}/orca-2-13b.yaml --push \ No newline at end of file + cosign verify ghcr.io/sozercan/${{ env.MODEL_NAME }}:${{ env.MODEL_SIZE }}${{ env.MODEL_RUNTIME }}@${DIGEST} \ + --certificate-identity https://github.com/sozercan/aikit/.github/workflows/update-models.yaml@refs/heads/main \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq diff --git a/models/cuda/llama-2-13b-chat.yaml b/models/llama-2-13b-chat-cuda.yaml similarity index 100% rename from models/cuda/llama-2-13b-chat.yaml rename to models/llama-2-13b-chat-cuda.yaml diff --git a/models/cuda/llama-2-7b-chat.yaml b/models/llama-2-7b-chat-cuda.yaml similarity index 100% rename from models/cuda/llama-2-7b-chat.yaml rename to models/llama-2-7b-chat-cuda.yaml diff --git a/models/cuda/orca-2-13b.yaml b/models/orca-2-13b-cuda.yaml similarity index 100% rename from models/cuda/orca-2-13b.yaml rename to models/orca-2-13b-cuda.yaml diff --git a/test/aikitfile.yaml b/test/aikitfile.yaml index 856ac72c..d88de38b 100644 --- a/test/aikitfile.yaml +++ b/test/aikitfile.yaml @@ -1,4 +1,4 @@ -#syntax=sozercan/aikit:test +#syntax=aikit:test apiVersion: v1alpha1 debug: true models:
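Review bot: The `parse matrix` step derives the tag positionally with `cut`/`rev`, but the matrix entries do not all have the same number of `-` fields, so several tags come out wrong: `orca-2-13b` yields `MODEL_SIZE=2` and `MODEL_RUNTIME=-13b` (tag `orca2:2-13b` instead of the previous `orca2:13b`), and both `llama-2-7b-chat-cuda` and `llama-2-13b-chat-cuda` yield `MODEL_SIZE=chat`, so they collide on `llama2:chat-cuda` and the second push silently overwrites (and re-signs) the first. Stripping the `-cuda` suffix before splitting, as in the step below, reproduces the six tags the removed `docker buildx build` lines published; alternatively the matrix could carry explicit `name`/`tag` fields instead of being re-parsed. The `verify image signature` step pipes `cosign verify` into `jq`, and since no `shell:` is set the step runs under `bash -e` without `pipefail`, so a failed verification still exits 0 through `jq` and the gate never fails; add `shell: bash` to that step (GitHub's explicit bash shell enables `pipefail`) or drop the `| jq`.
```yaml
      - name: parse matrix
        run: |
          MODEL="${{ matrix.model }}"
          RUNTIME=""
          case "$MODEL" in
            *-cuda) RUNTIME="-cuda"; MODEL="${MODEL%-cuda}" ;;
          esac
          echo "MODEL_NAME=$(echo "$MODEL" | cut -d'-' -f1-2 | tr -d '-')" >> "$GITHUB_ENV"
          echo "MODEL_SIZE=$(echo "$MODEL" | cut -d'-' -f3)" >> "$GITHUB_ENV"
          echo "MODEL_RUNTIME=$RUNTIME" >> "$GITHUB_ENV"
      # … unchanged: Build and push, sign and verify steps …
```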