Skip to content
update-models

update-models #60

Sign in to view logs

update-models

update-models #60

Workflow file for this run

.github/workflows/update-models.yaml at 2cb6348
name: update-models
on:
workflow_dispatch:
inputs:
staging:
description: 'push to test registry'
required: false
default: false
type: boolean
permissions:
contents: write
packages: write
id-token: write
jobs:
update-models:
strategy:
fail-fast: false
matrix:
model:
- llama-3.1-8b-instruct
- phi-3.5-3.8b-instruct
- gemma-2-2b-instruct
- flux-1-dev
runs-on: ubuntu-latest
timeout-minutes: 360
steps:
- uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: block
allowed-endpoints: >
auth.docker.io:443
*.huggingface.co:443
fulcio.sigstore.dev:443
gcr.io:443
ghcr.io:443
github.com:443
huggingface.co:443
*.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
rekor.sigstore.dev:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
sertaccdnvs.azureedge.net:443
developer.download.nvidia.com:443
*.ubuntu.com:80
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0
- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: parse matrix
run: |
echo "MODEL_NAME=$(echo ${{ matrix.model }} | sed -E 's/^llama-(3\.1)-([0-9]+\.?[0-9]*b)-.*/llama\1/;t; s/^flux-([0-9]+)-dev$/flux\1/;t; s/^phi-(3\.5)-([0-9]+\.?[0-9]*b)-.*/phi\1/;t; s/^([a-z]+)-([0-9]+x[0-9]+b|[0-9]+\.?[0-9]*b)-.*/\1/; s/^([a-z]+)-([0-9]+)-.*/\1\2/; s/^([a-z]+)-([0-9]+\.?[0-9]*b)$/\1/')" >> $GITHUB_ENV
echo "MODEL_SIZE=$(echo ${{ matrix.model }} | sed -E 's/^llama-(3\.1)-([0-9]+\.?[0-9]*b)-.*/\2/;t; s/^flux-[0-9]+-dev$/dev/;t; s/^[a-z]+-([0-9]+x[0-9]+b|[0-9]+\.?[0-9]*b)-.*/\1/; s/^[a-z]+-[0-9]+(\.[0-9]+)?-([0-9]+\.?[0-9]*b).*/\2/; s/^[a-z]+-([0-9]+\.?[0-9]*b)$/\1/')" >> $GITHUB_ENV
echo "MODEL_TYPE=-$(echo ${{ matrix.model }} | sed -n -e 's/^flux-[0-9]+-\(dev\)$/\1/p' -e 's/.*\(chat\).*/\1/p' -e 's/.*\(instruct\).*/\1/p')" >> $GITHUB_ENV
- name: Build and push
run: |
if [ "${MODEL_TYPE}" == "-" ]; then
export MODEL_TYPE=""
echo "MODEL_TYPE=''" >> $GITHUB_ENV
fi
if ${{ inputs.staging }}; then
export REGISTRY=ghcr.io/sozercan/test
else
export REGISTRY=ghcr.io/sozercan
fi
export PLATFORMS="linux/amd64,linux/arm64"
if [ "${MODEL_NAME}" == "flux-1-dev" ]; then
export PLATFORMS="linux/amd64"
fi
docker buildx build . \
-t ${REGISTRY}/${MODEL_NAME}:${MODEL_SIZE} \
-t ${REGISTRY}/${MODEL_NAME}:${MODEL_SIZE}${MODEL_TYPE} \
-f models/${{ matrix.model }}.yaml \
--push --progress plain \
--sbom=true --provenance=true \
--platform ${PLATFORMS}
echo "DIGEST=$(cosign triangulate ${REGISTRY}/${MODEL_NAME}:${MODEL_SIZE} --type digest)" >> $GITHUB_ENV
- name: Sign the images with GitHub OIDC Token
if: ${{ !inputs.staging }}
run: cosign sign --yes ${DIGEST}
- name: Verify image signature
if: ${{ !inputs.staging }}
run: |
cosign verify ${DIGEST} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github\.com/sozercan/aikit/\.github/workflows/.+'