From 9c86fef603bab2449fa9216e4516cddb182b41d1 Mon Sep 17 00:00:00 2001
From: saichandrapandraju
Date: Sun, 29 Jun 2025 18:03:44 -0400
Subject: [PATCH 1/4] migrate llm-judge detector to TrustyAI
---
.github/workflows/build-and-push-judge.yaml | 122 ++++++++++++++++++
.../llm_judge/deploy/servingruntime.yaml | 2 +-
2 files changed, 123 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/build-and-push-judge.yaml
diff --git a/.github/workflows/build-and-push-judge.yaml b/.github/workflows/build-and-push-judge.yaml
new file mode 100644
index 0000000..7f97d1e
--- /dev/null
+++ b/.github/workflows/build-and-push-judge.yaml
@@ -0,0 +1,122 @@ +name: Build and Push - LLM Judge Detector +on: + push: + branches: + - main + tags: + - v* + paths: + - 'detectors/llm_judge/*' + - 'detectors/Dockerfile.judge' + pull_request_target: + paths: + - 'detectors/llm_judge/*' + - 'detectors/Dockerfile.judge' + types: [labeled, opened, synchronize, reopened] +jobs: + # Ensure that tests pass before publishing a new image. + build-and-push-ci: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write + steps: # Assign context variable for various action contexts (tag, main, CI) + - name: Assigning CI context + if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v') + run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV + - name: Assigning tag context + if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v') + run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV + - name: Assigning main context + if: github.head_ref == '' && github.ref == 'refs/heads/main' + run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV + # + # Run checkouts + - uses: mheap/github-action-required-labels@v4 + if: env.BUILD_CONTEXT == 'ci' + with: + mode: minimum + count: 1 + labels: "ok-to-test, lgtm, approved" + - uses: actions/checkout@v3 + if: env.BUILD_CONTEXT == 'ci' + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/checkout@v3 + if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag' + # + # Print variables for debugging + - name: Log reference variables + run: | + echo "CONTEXT: ${{ env.BUILD_CONTEXT }}" + echo "GITHUB.REF: ${{ github.ref }}" + echo "GITHUB.HEAD_REF: ${{ github.head_ref }}" + echo "SHA: ${{ github.event.pull_request.head.sha }}" + echo "MAIN IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge:latest" + echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}" + + # Set environments depending on context + - name: Set CI environment + if: 
env.BUILD_CONTEXT == 'ci' + run: | + echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV + echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV + - name: Set main-branch environment + if: env.BUILD_CONTEXT == 'main' + run: | + echo "TAG=latest" >> $GITHUB_ENV + echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV + - name: Set tag environment + if: env.BUILD_CONTEXT == 'tag' + run: | + echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV + echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV + # + # Run docker commands + - name: Put expiry date on CI-tagged image + if: env.BUILD_CONTEXT == 'ci' + run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.judge + - name: Build image + run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.judge detectors + - name: Log in to Quay + run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io + - name: Push to Quay CI repo + run: docker push ${{ env.IMAGE_NAME }}:$TAG + + # Leave comment + - uses: peter-evans/find-comment@v3 + name: Find Comment + if: env.BUILD_CONTEXT == 'ci' + id: fc + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: PR image build completed successfully + - uses: peter-evans/create-or-update-comment@v4 + if: env.BUILD_CONTEXT == 'ci' + name: Generate/update success message comment + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + edit-mode: replace + body: | + PR image build completed successfully! 
+ + 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}` + - name: Trivy scan + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'image' + image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}" + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'MEDIUM,HIGH,CRITICAL' + exit-code: '0' + ignore-unfixed: false + vuln-type: 'os,library' + + - name: Update Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/detectors/llm_judge/deploy/servingruntime.yaml b/detectors/llm_judge/deploy/servingruntime.yaml index e70bb12..0ccf39e 100644 --- a/detectors/llm_judge/deploy/servingruntime.yaml +++ b/detectors/llm_judge/deploy/servingruntime.yaml @@ -17,7 +17,7 @@ spec: name: guardrails-detector-llm-judge containers: - name: kserve-container - image: quay.io/spandraj/guardrails-detector-judge:latest + image: quay.io/trustyai/guardrails-detector-llm-judge:latest command: - uvicorn - detectors.llm_judge.app:app From 7292ede439f5d39abb2eab36a2fec136b2be2961 Mon Sep 17 00:00:00 2001 From: saichandrapandraju Date: Fri, 8 Aug 2025 09:39:31 -0400 Subject: [PATCH 2/4] Integrate LLM Judge CI workflow to main build-and-push & reemove old workflow --- .github/workflows/build-and-push-judge.yaml | 122 -------------------- .github/workflows/build-and-push.yaml | 27 ++++- 2 files changed, 26 insertions(+), 123 deletions(-) delete mode 100644 .github/workflows/build-and-push-judge.yaml diff --git a/.github/workflows/build-and-push-judge.yaml b/.github/workflows/build-and-push-judge.yaml deleted file mode 100644 index 7f97d1e..0000000 --- a/.github/workflows/build-and-push-judge.yaml +++ /dev/null 
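Review bot: The job checks out `github.event.pull_request.head.sha` under a `pull_request_target` trigger and then runs `docker build` on that tree in the same job that later receives `secrets.QUAY_ROBOT_SECRET` and holds a `pull-requests: write` token, so fork-controlled content is built inside a privileged run. The `mheap/github-action-required-labels@v4` step only checks that one of the labels is present, and because `synchronize` is in `types`, commits pushed after a maintainer applied `ok-to-test` are built without a fresh review. I would build PR images in an unprivileged `pull_request` workflow and keep the Quay login and push in a separate job that never executes PR content, or at least remove the label on `synchronize` and set `persist-credentials: false` on the PR checkout. The 'Log reference variables' step also expands `${{ github.head_ref }}` straight into the shell script; map it through `env:` (for example `HEAD_REF: ${{ github.head_ref }}`) and echo `"$HEAD_REF"`. The third-party actions are referenced by mutable tags (`@v3`, `@v4`, `@0.28.0`); full commit SHA pins are the safer form for a job with these permissions.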
@@ -1,122 +0,0 @@ -name: Build and Push - LLM Judge Detector -on: - push: - branches: - - main - tags: - - v* - paths: - - 'detectors/llm_judge/*' - - 'detectors/Dockerfile.judge' - pull_request_target: - paths: - - 'detectors/llm_judge/*' - - 'detectors/Dockerfile.judge' - types: [labeled, opened, synchronize, reopened] -jobs: - # Ensure that tests pass before publishing a new image. - build-and-push-ci: - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - security-events: write - steps: # Assign context variable for various action contexts (tag, main, CI) - - name: Assigning CI context - if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v') - run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV - - name: Assigning tag context - if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v') - run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV - - name: Assigning main context - if: github.head_ref == '' && github.ref == 'refs/heads/main' - run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV - # - # Run checkouts - - uses: mheap/github-action-required-labels@v4 - if: env.BUILD_CONTEXT == 'ci' - with: - mode: minimum - count: 1 - labels: "ok-to-test, lgtm, approved" - - uses: actions/checkout@v3 - if: env.BUILD_CONTEXT == 'ci' - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/checkout@v3 - if: env.BUILD_CONTEXT == 'main' || env.BUILD_CONTEXT == 'tag' - # - # Print variables for debugging - - name: Log reference variables - run: | - echo "CONTEXT: ${{ env.BUILD_CONTEXT }}" - echo "GITHUB.REF: ${{ github.ref }}" - echo "GITHUB.HEAD_REF: ${{ github.head_ref }}" - echo "SHA: ${{ github.event.pull_request.head.sha }}" - echo "MAIN IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge:latest" - echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}" - - # Set environments depending on context - - name: Set CI environment - if: 
env.BUILD_CONTEXT == 'ci' - run: | - echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV - echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV - - name: Set main-branch environment - if: env.BUILD_CONTEXT == 'main' - run: | - echo "TAG=latest" >> $GITHUB_ENV - echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV - - name: Set tag environment - if: env.BUILD_CONTEXT == 'tag' - run: | - echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV - echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV - # - # Run docker commands - - name: Put expiry date on CI-tagged image - if: env.BUILD_CONTEXT == 'ci' - run: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.judge - - name: Build image - run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.judge detectors - - name: Log in to Quay - run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io - - name: Push to Quay CI repo - run: docker push ${{ env.IMAGE_NAME }}:$TAG - - # Leave comment - - uses: peter-evans/find-comment@v3 - name: Find Comment - if: env.BUILD_CONTEXT == 'ci' - id: fc - with: - issue-number: ${{ github.event.pull_request.number }} - comment-author: 'github-actions[bot]' - body-includes: PR image build completed successfully - - uses: peter-evans/create-or-update-comment@v4 - if: env.BUILD_CONTEXT == 'ci' - name: Generate/update success message comment - with: - comment-id: ${{ steps.fc.outputs.comment-id }} - issue-number: ${{ github.event.pull_request.number }} - edit-mode: replace - body: | - PR image build completed successfully! 
- - 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}` - - name: Trivy scan - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: 'image' - image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}" - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'MEDIUM,HIGH,CRITICAL' - exit-code: '0' - ignore-unfixed: false - vuln-type: 'os,library' - - - name: Update Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml index 59ccbd0..5f4da02 100644 --- a/.github/workflows/build-and-push.yaml +++ b/.github/workflows/build-and-push.yaml @@ -55,6 +55,7 @@ jobs: echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest" echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}" echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}" + echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}" # Set environments depending on context - name: Set CI environment 
@@ -63,18 +64,21 @@ jobs: echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV + echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV - name: Set main-branch environment if: env.BUILD_CONTEXT == 'main' run: | echo "TAG=latest" >> $GITHUB_ENV echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV + echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV - name: Set tag environment if: env.BUILD_CONTEXT == 'tag' run: | echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV + echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV # # Run docker commands - name: Put expiry date on CI-tagged image @@ -82,6 +86,7 @@ jobs: run: | echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn + echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.judge - name: Build image run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors - name: Log in to Quay 
@@ -92,7 +97,10 @@ jobs: run: docker build -t ${{ env.BUILTIN_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.builtIn detectors - name: Push to Quay CI repo run: docker push ${{ env.BUILTIN_IMAGE_NAME }}:$TAG - + - name: Build LLM Judge detector image + run: docker build -t ${{ env.LLM_JUDGE_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.judge detectors + - name: Push LLM Judge image to Quay CI repo + run: docker push ${{ env.LLM_JUDGE_IMAGE_NAME }}:$TAG # Leave comment - uses: peter-evans/find-comment@v3 name: Find Comment @@ -114,6 +122,7 @@ jobs: 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}` 📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}` + 📦 [PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}` - name: Trivy scan uses: aquasecurity/trivy-action@0.28.0 with: @@ -136,6 +145,17 @@ jobs: exit-code: '0' ignore-unfixed: false vuln-type: 'os,library' + - name: Trivy scan, LLM Judge image + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'image' + image-ref: "${{ env.LLM_JUDGE_IMAGE_NAME }}:${{ env.TAG }}" + format: 'sarif' + output: 'trivy-results-llm-judge.sarif' + severity: 'MEDIUM,HIGH,CRITICAL' + exit-code: '0' + ignore-unfixed: false + vuln-type: 'os,library' - name: Update Security tab - Huggingface uses: github/codeql-action/upload-sarif@v3 with: @@ -146,3 +166,8 @@ jobs: with: sarif_file: 'trivy-results-built-in.sarif' category: built-in + - name: Update Security tab - LLM Judge + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results-llm-judge.sarif' + category: llm-judge \ No newline at end of file 
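Review bot: The added 'Trivy scan, LLM Judge image' step runs with `exit-code: '0'` and comes after 'Push LLM Judge image to Quay CI repo', so MEDIUM/HIGH/CRITICAL findings are only reported to the Security tab and never stop `latest` or a `v*` tag from being published. If the scan is meant to gate releases, scan the locally built image before the push and use `exit-code: '1'` with the severity threshold the project accepts when `env.BUILD_CONTEXT` is `main` or `tag`. `aquasecurity/trivy-action@0.28.0` and `github/codeql-action/upload-sarif@v3` are mutable tag references; pinning them to full commit SHAs keeps the scan step itself reproducible. The two existing scan steps visible as context use the same `exit-code: '0'`, so the same applies to them, but they lie mostly outside this hunk.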
From 63c2c0fe8686e6a562a218ca2e9596c0ad170ea9 Mon Sep 17 00:00:00 2001
From: saichandrapandraju
Date: Fri, 8 Aug 2025 10:25:11 -0400
Subject: [PATCH 3/4] address sourcery comment to prevent injection vulnerabilities
---
.github/workflows/build-and-push.yaml | 61 +++++++++++++++++----------
1 file changed, 39 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
index 5f4da02..8e13973 100644
--- a/.github/workflows/build-and-push.yaml
+++ b/.github/workflows/build-and-push.yaml
@@ -47,36 +47,48 @@ jobs: # # Print variables for debugging - name: Log reference variables + env: + GITHUB_REF: ${{ github.ref }} + GITHUB_HEAD_REF: ${{ github.head_ref }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} run: | - echo "CONTEXT: ${{ env.BUILD_CONTEXT }}" - echo "GITHUB.REF: ${{ github.ref }}" - echo "GITHUB.HEAD_REF: ${{ github.head_ref }}" - echo "SHA: ${{ github.event.pull_request.head.sha }}" - echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest" - echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}" - echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}" - echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}" + echo "CONTEXT: $BUILD_CONTEXT" + echo "GITHUB.REF: $GITHUB_REF" + echo "GITHUB.HEAD_REF: $GITHUB_HEAD_REF" + echo "SHA: $PR_HEAD_SHA" + echo "MAIN IMAGE AT: $QUAY_RELEASE_REPO:latest" + echo "CI IMAGE AT: quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA" + echo "Built-In Detector CI IMAGE AT: quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA" + echo "LLM Judge CI IMAGE AT: quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA" # Set environments depending on context - name: Set CI environment if: env.BUILD_CONTEXT == 'ci' + env: + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | - echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV + echo "TAG=$PR_HEAD_SHA" >> $GITHUB_ENV echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV - name: Set main-branch environment if: 
env.BUILD_CONTEXT == 'main' + env: + QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} run: | echo "TAG=latest" >> $GITHUB_ENV - echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV + echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV - name: Set tag environment if: env.BUILD_CONTEXT == 'tag' + env: + GITHUB_REF_NAME: ${{ github.ref_name }} + QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} run: | - echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV - echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV + echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV + echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV # 
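Review bot: `GITHUB_REF`, `GITHUB_HEAD_REF` and `GITHUB_REF_NAME` in the new `env:` blocks are names the runner already sets as default variables, and GitHub's documentation says default `GITHUB_*` variables cannot be overridden, so these mappings are at best redundant and read as if the step controlled the value. Either drop them and use the runner-provided variables directly, or choose non-reserved names such as `HEAD_REF: ${{ github.head_ref }}` and echo `"$HEAD_REF"`. The job-level `env:` block added in [PATCH 4/4] repeats the same three names. Separately, the redirect target is still unquoted in every `echo ... >> $GITHUB_ENV` line; `>> "$GITHUB_ENV"` is the conventional form.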
@@ -88,19 +100,22 @@ jobs: echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.judge - name: Build image - run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f detectors/Dockerfile.hf detectors + run: docker build -t "$IMAGE_NAME:$TAG" -f detectors/Dockerfile.hf detectors - name: Log in to Quay - run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io + env: + QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }} + QUAY_ROBOT_SECRET: ${{ secrets.QUAY_ROBOT_SECRET }} + run: docker login -u "$QUAY_ROBOT_USERNAME" -p "$QUAY_ROBOT_SECRET" quay.io - name: Push to Quay CI repo - run: docker push ${{ env.IMAGE_NAME }}:$TAG + run: docker push "$IMAGE_NAME:$TAG" - name: Build built-in detector image - run: docker build -t ${{ env.BUILTIN_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.builtIn detectors + run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" -f detectors/Dockerfile.builtIn detectors - name: Push to Quay CI repo - run: docker push ${{ env.BUILTIN_IMAGE_NAME }}:$TAG + run: docker push "$BUILTIN_IMAGE_NAME:$TAG" - name: Build LLM Judge detector image - run: docker build -t ${{ env.LLM_JUDGE_IMAGE_NAME }}:$TAG -f detectors/Dockerfile.judge detectors + run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" -f detectors/Dockerfile.judge detectors - name: Push LLM Judge image to Quay CI repo - run: docker push ${{ env.LLM_JUDGE_IMAGE_NAME }}:$TAG + run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG" # Leave comment - uses: peter-evans/find-comment@v3 name: Find Comment @@ -113,6 +128,8 @@ jobs: - uses: peter-evans/create-or-update-comment@v4 if: env.BUILD_CONTEXT == 'ci' name: Generate/update success message comment + env: + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} 
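Review bot: The 'Log in to Quay' step still passes the robot token on the command line with `-p "$QUAY_ROBOT_SECRET"`, which puts it in the process argument list on the runner and triggers Docker's own warning about insecure password use. Feed it on stdin instead: `printf '%s' "$QUAY_ROBOT_SECRET" | docker login -u "$QUAY_ROBOT_USERNAME" --password-stdin quay.io`. The login also sits between the first build and the two later `docker build` steps, so the built-in and LLM Judge builds run with registry credentials already stored on the runner; building all three images first and logging in just before the pushes keeps the credentials away from the build steps. The steps before 'Build image' are outside this hunk.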
@@ -120,9 +137,9 @@ jobs: body: | PR image build completed successfully! - 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:${{ github.event.pull_request.head.sha }}` - 📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:${{ github.event.pull_request.head.sha }}` - 📦 [PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:${{ github.event.pull_request.head.sha }}` + 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA` + 📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA` + 📦 [PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA` - name: Trivy scan uses: aquasecurity/trivy-action@0.28.0 with: From b1e5ac62a5050ce266b1d3f34b827fbf2244958e Mon Sep 17 00:00:00 2001 From: saichandrapandraju Date: Fri, 8 Aug 2025 10:46:19 -0400 Subject: [PATCH 4/4] address sourcery comments regarding repeated env vars + passing --label to docker file + add unique name --- .github/workflows/build-and-push.yaml | 41 ++++++++++----------------- 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml index 8e13973..bf026f8 100644 --- a/.github/workflows/build-and-push.yaml +++ b/.github/workflows/build-and-push.yaml 
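Review bot: `$PR_HEAD_SHA` inside `with: body:` will most likely be posted literally, because action inputs are not run through a shell and the `env:` entry added to the `peter-evans/create-or-update-comment@v4` step in the previous hunk is not substituted into `with:` values. An expression in an action input is not a shell script-injection sink, so the original `${{ github.event.pull_request.head.sha }}` was fine here; restore it in the three image lines, or use `${{ env.PR_HEAD_SHA }}` if the variable is kept. The same literal `$PR_HEAD_SHA` remains in the three lines rewritten by the last hunk of [PATCH 4/4].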
@@ -20,6 +20,12 @@ jobs: contents: read pull-requests: write security-events: write + env: + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + GITHUB_REF_NAME: ${{ github.ref_name }} + QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} + GITHUB_REF: ${{ github.ref }} + GITHUB_HEAD_REF: ${{ github.head_ref }} steps: # Assign context variable for various action contexts (tag, main, CI) - name: Assigning CI context if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v') @@ -47,11 +53,6 @@ jobs: # # Print variables for debugging - name: Log reference variables - env: - GITHUB_REF: ${{ github.ref }} - GITHUB_HEAD_REF: ${{ github.head_ref }} - PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} - QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} run: | echo "CONTEXT: $BUILD_CONTEXT" echo "GITHUB.REF: $GITHUB_REF" 
@@ -65,42 +66,32 @@ jobs: # Set environments depending on context - name: Set CI environment if: env.BUILD_CONTEXT == 'ci' - env: - PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | echo "TAG=$PR_HEAD_SHA" >> $GITHUB_ENV echo "IMAGE_NAME=quay.io/trustyai/guardrails-detector-huggingface-runtime-ci" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in-ci" >> $GITHUB_ENV echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge-ci" >> $GITHUB_ENV + echo "EXPIRY_LABEL=--label quay.expires-after=7d" >> $GITHUB_ENV - name: Set main-branch environment if: env.BUILD_CONTEXT == 'main' - env: - QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} run: | echo "TAG=latest" >> $GITHUB_ENV echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV + echo "EXPIRY_LABEL=" >> $GITHUB_ENV - name: Set tag environment if: env.BUILD_CONTEXT == 'tag' - env: - GITHUB_REF_NAME: ${{ github.ref_name }} - QUAY_RELEASE_REPO: ${{ vars.QUAY_RELEASE_REPO }} run: | echo "TAG=$GITHUB_REF_NAME" >> $GITHUB_ENV echo "IMAGE_NAME=$QUAY_RELEASE_REPO" >> $GITHUB_ENV echo "BUILTIN_IMAGE_NAME=quay.io/trustyai/guardrails-detector-built-in" >> $GITHUB_ENV echo "LLM_JUDGE_IMAGE_NAME=quay.io/trustyai/guardrails-detector-llm-judge" >> $GITHUB_ENV + echo "EXPIRY_LABEL=" >> $GITHUB_ENV # # Run docker commands - - name: Put expiry date on CI-tagged image - if: env.BUILD_CONTEXT == 'ci' - run: | - echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.hf - echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.builtIn - echo 'LABEL quay.expires-after=7d#' >> detectors/Dockerfile.judge - name: Build image - run: docker build -t "$IMAGE_NAME:$TAG" -f detectors/Dockerfile.hf detectors + run: docker build -t "$IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.hf detectors - name: 
Log in to Quay env: QUAY_ROBOT_USERNAME: ${{ secrets.QUAY_ROBOT_USERNAME }} @@ -109,11 +100,11 @@ jobs: - name: Push to Quay CI repo run: docker push "$IMAGE_NAME:$TAG" - name: Build built-in detector image - run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" -f detectors/Dockerfile.builtIn detectors + run: docker build -t "$BUILTIN_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.builtIn detectors - name: Push to Quay CI repo run: docker push "$BUILTIN_IMAGE_NAME:$TAG" - name: Build LLM Judge detector image - run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" -f detectors/Dockerfile.judge detectors + run: docker build -t "$LLM_JUDGE_IMAGE_NAME:$TAG" $EXPIRY_LABEL -f detectors/Dockerfile.judge detectors - name: Push LLM Judge image to Quay CI repo run: docker push "$LLM_JUDGE_IMAGE_NAME:$TAG" # Leave comment @@ -128,8 +119,6 @@ jobs: - uses: peter-evans/create-or-update-comment@v4 if: env.BUILD_CONTEXT == 'ci' name: Generate/update success message comment - env: - PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} 
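Review bot: `$EXPIRY_LABEL` is left unquoted in the `docker build` line so that an empty value disappears on main/tag builds and `--label quay.expires-after=7d` splits into two arguments on CI; that reliance on word splitting is easy to break by adding quotes later, which would hand `docker build` an empty or fused argument. State the intent above the 'Build image' step, e.g. `# EXPIRY_LABEL is deliberately unquoted: empty on main/tag, two words on CI`, or store only the label value and add the `--label` flag conditionally. The built-in and LLM Judge build lines in the following hunk of this patch use the same pattern.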
@@ -137,9 +126,9 @@ jobs: body: | PR image build completed successfully! - 📦 [PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA` - 📦 [PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA` - 📦 [PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA` + 📦 [Huggingface PR image](https://quay.io/repository/trustyai/guardrails-detector-huggingface-runtime-ci?tab=tags): `quay.io/trustyai/guardrails-detector-huggingface-runtime-ci:$PR_HEAD_SHA` + 📦 [Built-in PR image](https://quay.io/trustyai/guardrails-detector-built-in-ci?tab=tags): `quay.io/trustyai/guardrails-detector-built-in-ci:$PR_HEAD_SHA` + 📦 [LLM Judge PR image](https://quay.io/trustyai/guardrails-detector-llm-judge-ci?tab=tags): `quay.io/trustyai/guardrails-detector-llm-judge-ci:$PR_HEAD_SHA` - name: Trivy scan uses: aquasecurity/trivy-action@0.28.0 with: