forked from mlcommons/GaNDLF
-
Notifications
You must be signed in to change notification settings - Fork 0
135 lines (117 loc) · 5.29 KB
/
docker-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Docker Image CI
on:
push:
branches: [ master ]
tags: [ '*.*.*' ]
pull_request: {}
workflow_dispatch:
inputs:
versionTag:
description: 'Version tag to push to Docker Hub (lowercase, alphanumeric)'
required: true
type: string
jobs:
build_test_push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false # So that remaining jobs don't instantly quit if one fails (e.g, CPU/ROCm don't upload if CUDA just fails to push to ghcr...)
matrix:
include: # Platform locates Dockerfile ("Dockerfile-{PLATFORM}"), docker tag has to be all lowercase alphanumeric for mysterious docker reasons
- platform: CUDA12.1
dockertag: cuda121
- platform: CUDA11.8
dockertag: cuda118
- platform: CPU
dockertag: cpu
# - platform: ROCm
# dockertag: rocm
steps:
- name: Check out the repository
uses: actions/checkout@v4
with:
lfs: true
submodules: 'recursive'
- name: Log in to Docker Hub (docker.io)
uses: docker/login-action@v2
if: github.event_name != 'pull_request'
with:
username: ${{ secrets.DOCKER_HUB_USER }} # These two fields need to be set on GitHub under Secrets.
password: ${{ secrets.DOCKER_HUB_TOKEN }} # Recommend using a revokable token here.
- name: Docker prune to save space # If you switch to self-hosted runners, this should be removed.
run: echo y | docker system prune -a
# Below steps are for GitHub Packages integration, metadata and signing
# See https://github.com/mlcommons/GaNDLF/new/master?filename=.github%2Fworkflows%2Fdocker-publish.yml&workflow_template=docker-publish
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
uses: sigstore/[email protected]
- name: Log into GitHub Packages registry (ghcr.io)
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v3
with:
images: docker.io/mlcommons/gandlf, ghcr.io/mlcommons/gandlf # Push to both registries
flavor: | # Handle prefixing and "latest" generation -- use "tags" property to specify events/tags further
latest=true
suffix=-${{ matrix.dockertag }},onlatest=true
tags: |
type=semver,pattern={{version}}
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
# Build Docker Image (but don't push yet -- wait for the test step first).
# https://github.com/docker/build-push-action
- name: Build Docker images
id: build
uses: docker/build-push-action@v2
with:
context: .
file: ./Dockerfile-${{ matrix.platform }}
push: false
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Run the image from the base entrypoint as a test
- name: Test container with entrypoint
# Run a tag we generated from the metadata extraction above -- they're all the same image, but echo it regardless just so we know.
run: echo "Running docker.io/mlcommons/gandlf:latest-${{ matrix.dockertag }} ..." && docker run --rm docker.io/mlcommons/gandlf:latest-${{ matrix.dockertag }}
# Push Docker image with Buildx (but don't push on PR)
# https://github.com/docker/build-push-action
# This won't re-build the images fully or anything, they should already exist from the build step and use the cache.
- name: Upload to Docker Hub (docker.io) and GitHub Packages (ghcr.io)
id: upload
if: github.event_name != 'pull_request'
uses: docker/build-push-action@v2
with:
context: .
file: ./Dockerfile-${{ matrix.platform }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Below is for signing images (keyless) with cosign. But this adds confusing sha256-digest.sig tags to the container registry.
# Leave this commented if container signing is not required.
# # Sign the resulting Docker image digest except on PRs.
# # Uses cosign keyless signing: https://github.com/sigstore/cosign/blob/main/KEYLESS.md
# # This will only write to the public Rekor transparency log when the Docker
# # repository is public to avoid leaking data. If you would like to publish
# # transparency data even for private images, pass --force to cosign below.
# # https://github.com/sigstore/cosign
#- name: Sign published Docker image (ghcr.io)
# if: ${{ github.event_name != 'pull_request' }}
# env:
# COSIGN_EXPERIMENTAL: "true"
# # This step uses the identity token to provision an ephemeral certificate
# # against the sigstore community Fulcio instance.
# run: cosign sign ghcr.io/cbica/gandlf@${{ steps.upload.outputs.digest }}