Skip to content

[StepSecurity] Apply security best practices #1

[StepSecurity] Apply security best practices

[StepSecurity] Apply security best practices #1

Workflow file for this run

# Copyright (c) 2024 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################################
# Secrets
## ACTION_TOKEN
## MLOPS_REF
## MLOPS_REPO
## REGISTRY
## REGISTRY_TOKEN
## REGISTRY_USER
## REPO
####################################################################################################
name: Container CI
permissions: read-all
on:
workflow_dispatch:
inputs:
group_dir:
required: true
description: 'Enter Container Group Directory:'
type: string
env_overrides:
description: 'Enter Bash Env Variable Overrides in `KEY=VAL KEY2=VAL2` format:'
required: false
type: string
ref:
description: 'Enter Git Ref:'
required: true
default: 'main'
type: string
repo:

Check failure on line 43 in .github/workflows/container-ci.yaml

View workflow run for this annotation

GitHub Actions / .github/workflows/container-ci.yaml

Invalid workflow file

You have an error in your yaml syntax on line 43
description: 'Enter Git Repo:
required: true
default: 'intel/ai-containers'
type: string
runner_label:
description: 'Enter Validation Runner Label:'
default: test-runner
required: true
type: string
no_build:
description: No build
default: false
required: true
type: boolean
no_push:
description: Do not push to Registry
required: true
default: false
type: boolean
no_start:
description: No Start
default: false
required: true
type: boolean
workflow_call:
inputs:
group_dir:
required: true
type: string
no_push:
required: false
type: boolean
no_start:
required: false
type: boolean
ref:
required: true
type: string
repo:
required: true
type: string
jobs:
####################################################################################################
# Compose Build
####################################################################################################
setup-build:
outputs:
matrix: ${{ steps.build-matrix.outputs.matrix }}
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
repo: ${{ inputs.repo }}
- name: Set Matrix
id: build-matrix
run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT
- name: Print Inputs
if: ${{ inputs.env_overrides }}
run: echo "Overrides - ${{ inputs.env_overrides }}" >> $GITHUB_STEP_SUMMARY
build-containers:
needs: [setup-build]
env: ${{ matrix }}
runs-on: k8-runners
strategy:
matrix: ${{ fromJson(needs.setup-build.outputs.matrix) }}
fail-fast: false
outputs:
group: ${{ steps.build-group.outputs.container-group }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
repo: ${{ inputs.repo }}
if: ${{ !inputs.no_build }}
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ secrets.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
if: ${{ !inputs.no_build }}
- name: Build Container Group
if: ${{ !inputs.no_build }}
id: build-group
uses: intel/ai-containers/.github@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
with:
group_dir: ${{ inputs.group_dir }}
env_overrides: ${{ inputs.env_overrides || env.env_overrides || '' }}
registry: ${{ secrets.REGISTRY }}
repo: ${{ secrets.REPO }}
no-push: ${{ inputs.no_push }}
no-start: ${{ inputs.no_start }}
####################################################################################################
# Trivy Scan
####################################################################################################
setup-scan:
needs: [build-containers]
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.scan-matrix.outputs.matrix }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
path: matrix
- name: Set Matrix
id: scan-matrix
run: echo "matrix=$(cat matrix/*-${{ needs.build-containers.outputs.group }}/*.txt | jq -R '.' | jq -sc '. | unique')" >> $GITHUB_OUTPUT
scan-containers:
needs: [setup-scan]
if: ${{ !inputs.no_build }}
runs-on: k8-runners
strategy:
matrix:
container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }}
fail-fast: false
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
repo: ${{ inputs.repo }}
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ secrets.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Pull Image
run: docker pull ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
- name: Scan Container
uses: intel/ai-containers/.github/scan@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
with:
image-ref: ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
output: ${{ matrix.container }}-scan.sarif
- name: Cleanup
if: always()
run: docker rmi -f ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
sarif_file: '${{ matrix.container }}-scan.sarif'
####################################################################################################
# Generic Test Runner
####################################################################################################
setup-test:
needs: [build-containers]
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.test-matrix.outputs.matrix }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
repo: ${{ inputs.repo }}
- name: Get Recipes
id: test-matrix
run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
test-containers:
needs: [setup-build, setup-test]
if: ${{ needs.setup-test.outputs.matrix != '[]' }}
runs-on: [self-hosted, Linux, "${{ inputs.runner_label || fromJson(needs.setup-build.outputs.matrix).runner_label }}"]
strategy:
matrix:
tests: ${{ fromJson(needs.setup-test.outputs.matrix) }}
experimental: [true]
fail-fast: false
steps:
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
repo: ${{ inputs.repo }}
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ secrets.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Test Container Group
uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
with:
cache_registry: ${{ secrets.CACHE_REGISTRY }}
recipe_dir: ${{ inputs.group_dir }}
registry: ${{ secrets.REGISTRY }}
repo: ${{ secrets.REPO }}
test_dir: ${{ matrix.tests }}
token: ${{ secrets.ACTION_TOKEN || github.token }}