-
Notifications
You must be signed in to change notification settings - Fork 34
153 lines (135 loc) · 5.64 KB
/
update-models.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
name: update-models
on:
workflow_dispatch:
inputs:
staging:
description: "push to test registry"
required: false
default: false
type: boolean
models:
description: "models to update"
required: true
default: '["llama-3.2-1b-instruct", "llama-3.2-3b-instruct", "llama-3.1-8b-instruct", "phi-3.5-3.8b-instruct", "gemma-2-2b-instruct", "flux-1-dev"]'
type: string
runtime:
description: "runtime to build"
required: true
default: '["cuda", "applesilicon"]'
type: string
permissions:
contents: write
packages: write
id-token: write
jobs:
update-models:
strategy:
fail-fast: false
matrix:
model: ${{ fromJSON(github.event.inputs.models) }}
runtime: ${{ fromJSON(github.event.inputs.runtime) }}
exclude:
- model: flux-1-dev # requires cuda runtime
runtime: applesilicon
runs-on: ubuntu-latest
timeout-minutes: 360
steps:
- uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: block
allowed-endpoints: >
auth.docker.io:443
huggingface.co:443
*.huggingface.co:443
*.hf.co:443
fulcio.sigstore.dev:443
gcr.io:443
ghcr.io:443
github.com:443
*.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
rekor.sigstore.dev:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
sertaccdnvs.azureedge.net:443
sertacstoragevs.blob.core.windows.net:443
developer.download.nvidia.com:443
*.ubuntu.com:80
pypi.org:443
files.pythonhosted.org:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
- uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0
- name: Login to GHCR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: parse matrix
run: |
echo "MODEL_NAME=$(echo ${{ matrix.model }} | sed -E 's/^llama-(3\.[1-9])-([0-9]+\.?[0-9]*b)-.*/llama\1/;t; s/^flux-([0-9]+)-dev$/flux\1/;t; s/^phi-(3\.5)-([0-9]+\.?[0-9]*b)-.*/phi\1/;t; s/^([a-z]+)-([0-9]+x[0-9]+b|[0-9]+\.?[0-9]*b)-.*/\1/; s/^([a-z]+)-([0-9]+)-.*/\1\2/; s/^([a-z]+)-([0-9]+\.?[0-9]*b)$/\1/')" >> $GITHUB_ENV
echo "MODEL_SIZE=$(echo ${{ matrix.model }} | sed -E 's/^llama-(3\.[1-9])-([0-9]+\.?[0-9]*b)-.*/\2/;t; s/^flux-[0-9]+-dev$/dev/;t; s/^[a-z]+-([0-9]+x[0-9]+b|[0-9]+\.?[0-9]*b)-.*/\1/; s/^[a-z]+-[0-9]+(\.[0-9]+)?-([0-9]+\.?[0-9]*b).*/\2/; s/^[a-z]+-([0-9]+\.?[0-9]*b)$/\1/')" >> $GITHUB_ENV
echo "MODEL_TYPE=-$(echo ${{ matrix.model }} | sed -n -e 's/^flux-[0-9]+-\(dev\)$/\1/p' -e 's/.*\(chat\).*/\1/p' -e 's/.*\(instruct\).*/\1/p')" >> $GITHUB_ENV
- name: Build and push
run: |
if [ "${MODEL_TYPE}" == "-" ]; then
export MODEL_TYPE=""
echo "MODEL_TYPE=''" >> $GITHUB_ENV
fi
if ${{ inputs.staging }}; then
if [ ${{ matrix.runtime }} == "applesilicon" ]; then
export REGISTRY=ghcr.io/sozercan/test/applesilicon
else
export REGISTRY=ghcr.io/sozercan/test
fi
else
if [ ${{ matrix.runtime }} == "applesilicon" ]; then
export REGISTRY=ghcr.io/sozercan/applesilicon
else
export REGISTRY=ghcr.io/sozercan
fi
fi
export PLATFORMS="linux/amd64,linux/arm64"
if [ ${{ matrix.model }} == "flux-1-dev" ]; then
export PLATFORMS="linux/amd64"
fi
if [ ${{ matrix.runtime }} == "applesilicon" ]; then
export PLATFORMS="linux/arm64"
fi
if [ ${{ matrix.runtime }} == "applesilicon" ]; then
export BUILD_ARGS="--build-arg runtime=applesilicon"
else
export BUILD_ARGS=""
fi
docker buildx build . \
-t ${REGISTRY}/${MODEL_NAME}:${MODEL_SIZE} \
-t ${REGISTRY}/${MODEL_NAME}:${MODEL_SIZE}${MODEL_TYPE} \
-f models/${{ matrix.model }}.yaml \
--push --progress plain \
--sbom=true --provenance=true \
--platform ${PLATFORMS} ${BUILD_ARGS}
echo "DIGEST=$(cosign triangulate ${REGISTRY}/${MODEL_NAME}:${MODEL_SIZE} --type digest)" >> $GITHUB_ENV
- name: Sign the images with GitHub OIDC Token
if: ${{ !inputs.staging }}
run: cosign sign --yes ${DIGEST}
- name: Verify image signature
if: ${{ !inputs.staging }}
run: |
cosign verify ${DIGEST} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github\.com/sozercan/aikit/\.github/workflows/.+'