gitea build

This commit is contained in:
John Doe
2026-01-30 19:37:37 -05:00
parent 5f820ad2c4
commit 2a63ccf32f
5 changed files with 987 additions and 3 deletions

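--- /dev/null
+++ b/.github/workflows/daily-build-gitea.yml
@@ -0,0 +1,218 @@
+name: Daily ROCm Container Build
+on:
+schedule:
+# Run daily at 02:00 UTC
+- cron: '0 2 * * *'
+workflow_dispatch: # Allow manual triggering
+inputs:
+push_images:
+description: 'Push images to registry'
+required: true
+default: 'true'
+type: boolean
+build_all:
+description: 'Build all variants'
+required: true
+default: 'true'
+type: boolean
+env:
+REGISTRY: docker.io
+REGISTRY_USER: getterup
+jobs:
+prepare:
+runs-on: ubuntu-latest
+outputs:
+date: ${{ steps.date.outputs.date }}
+sha_short: ${{ steps.vars.outputs.sha_short }}
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Get current date
+id: date
+run: |
+echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+shell: bash
+- name: Set variables
+id: vars
+run: |
+echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
+shell: bash
+build-base-images:
+runs-on: ubuntu-latest
+needs: prepare
+strategy:
+matrix:
+image:
+- name: comfyui-rocm7.1
+dockerfile: Dockerfile.comfyui-rocm7.1
+context: .
+- name: stable-diffusion.cpp-rocm7.1
+dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
+context: .
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Set up Docker Buildx
+uses: https://gitea.com/actions/setup-docker@v1
+with:
+buildx: true
+- name: Log in to Docker Hub
+if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
+run: |
+echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
+shell: bash
+- name: Build and push Docker image
+run: |
+IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}"
+TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
+# Build the image
+docker buildx build \
+--context ${{ matrix.image.context }} \
+--file Dockerfiles/${{ matrix.image.dockerfile }} \
+--platform linux/amd64 \
+--build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \
+--build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \
+$(for tag in $TAGS; do echo "--tag $tag"; done) \
+${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \
+.
+shell: bash
+build-stable-diffusion-variants:
+runs-on: ubuntu-latest
+needs: prepare
+if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_all == 'true')
+strategy:
+matrix:
+gfx_arch:
+- gfx1150 # RDNA 3.5 (Ryzen AI 9 HX 370)
+- gfx1151 # RDNA 3.5 (Strix Point/Ryzen AI Max+ 365)
+- gfx1200 # RDNA 4 (RX 9070 XT)
+- gfx1100 # RDNA 3 (RX 7900 XTX/XT)
+- gfx1101 # RDNA 3 (RX 7800 XT/7700 XT)
+- gfx1030 # RDNA 2 (RX 6000 series)
+- gfx1201 # RDNA 4 (RX 9060 XT/ RX 9070/XT)
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Set up Docker Buildx
+uses: https://gitea.com/actions/setup-docker@v1
+with:
+buildx: true
+- name: Log in to Docker Hub
+if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
+run: |
+echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
+shell: bash
+- name: Build and push GPU variant image
+run: |
+IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}"
+TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
+# Build the GPU-specific image
+docker buildx build \
+--context . \
+--file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \
+--platform linux/amd64 \
+--build-arg GFX_ARCH=${{ matrix.gfx_arch }} \
+--build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \
+--build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \
+$(for tag in $TAGS; do echo "--tag $tag"; done) \
+${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \
+.
+shell: bash
+test-compose:
+runs-on: ubuntu-latest
+needs: [prepare, build-base-images]
+if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Create test directories
+run: |
+mkdir -p User-Directories/open-webui
+mkdir -p User-Directories/ollama
+mkdir -p User-Directories/comfyui
+shell: bash
+- name: Test docker-compose configuration
+run: |
+# Install docker-compose if not available
+if ! command -v docker-compose &> /dev/null; then
+sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+sudo chmod +x /usr/local/bin/docker-compose
+fi
+# Validate compose file
+docker-compose config --quiet
+echo "✅ Docker Compose configuration is valid"
+shell: bash
+- name: Test image availability
+run: |
+echo "📋 Testing image availability..."
+# Check if images exist (without pulling)
+docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/comfyui-rocm7.1:latest >/dev/null 2>&1 || echo "⚠️ ComfyUI image may not be available yet"
+docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion.cpp-rocm7.1:latest >/dev/null 2>&1 || echo "⚠️ Stable Diffusion image may not be available yet"
+echo "✅ Image availability check completed"
+shell: bash
+notify:
+runs-on: ubuntu-latest
+needs: [prepare, build-base-images, build-stable-diffusion-variants, test-compose]
+if: always() && (github.event_name == 'schedule')
+steps:
+- name: Build summary
+run: |
+echo "📊 Daily Build Summary - ${{ needs.prepare.outputs.date }}"
+echo "=================================="
+echo ""
+echo "🔧 Job Results:"
+echo "- Prepare: ${{ needs.prepare.result }}"
+echo "- Base Images: ${{ needs.build-base-images.result }}"
+echo "- GPU Variants: ${{ needs.build-stable-diffusion-variants.result }}"
+echo "- Compose Test: ${{ needs.test-compose.result }}"
+echo ""
+if [[ "${{ needs.build-base-images.result }}" == "success" && "${{ needs.build-stable-diffusion-variants.result }}" == "success" ]]; then
+echo "✅ All builds completed successfully!"
+echo "🐳 Images pushed to ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/"
+echo "📋 Docker Compose configuration validated"
+else
+echo "❌ Some builds failed - please check the logs"
+exit 1
+fi
+shell: bash
+cleanup:
+runs-on: ubuntu-latest
+needs: [build-base-images, build-stable-diffusion-variants]
+if: always()
+steps:
+- name: Clean up Docker resources
+run: |
+echo "🧹 Cleaning up Docker resources..."
+docker system prune -f --volumes || true
+docker builder prune -f || true
+echo "✅ Cleanup completed"
+shell: bash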
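Review bot: The docker-compose fallback in `test-compose`, `sudo curl -L ".../releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose`, installs an unpinned, unverified binary as root on every scheduled run, so a changed or compromised upstream release lands on the same runner that holds DOCKER_PASSWORD for the push jobs. Pin the version, download to a temporary path, compare against a sha256 recorded in the workflow, and only then install; the rewrite is below. Separately, both login steps interpolate `${{ secrets.DOCKER_PASSWORD }}` directly into the script text; passing it through `env:` and piping `"$DOCKER_PASSWORD"` keeps the secret out of the rendered command and is the usual idiom. The checkout and setup-docker actions are referenced by moving tags (`@v4`, `@v1`) rather than commit SHAs, which is the same class of supply-chain exposure.
```yaml
- name: Test docker-compose configuration
  run: |
    # Install docker-compose if not available: pinned version, checksum verified before install
    if ! command -v docker-compose &> /dev/null; then
      COMPOSE_VERSION="v2.x.y"                  # bump deliberately, together with the checksum below
      COMPOSE_SHA256="<expected-sha256>"        # from the release you pinned
      curl -fsSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /tmp/docker-compose
      echo "${COMPOSE_SHA256}  /tmp/docker-compose" | sha256sum -c -
      sudo install -m 0755 /tmp/docker-compose /usr/local/bin/docker-compose
    fi
    # … unchanged: docker-compose config --quiet and the success message …
  shell: bash
```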


@@ -30,15 +30,19 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: https://github.com/actions/checkout@v4
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
run: |
echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
shell: bash
- name: Set variables
id: vars
run: echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
run: |
echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
shell: bash
build-base-images:
runs-on: ubuntu-latest
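Review bot: The new `uses: https://github.com/actions/checkout@v4` still resolves a mutable tag, so the checkout code this job executes can change upstream without any change to this repository; pin to a full commit SHA and keep the tag as a comment, `uses: https://github.com/actions/checkout@<commit-sha> # v4`. The rest of the change (`run: |` plus `shell: bash`) is behavior-neutral and fine. The enclosing `prepare` job definition begins above this hunk.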

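--- /dev/null
+++ b/.github/workflows/release-gitea.yml
@@ -0,0 +1,291 @@
+name: Release Build (Gitea)
+on:
+push:
+tags:
+- 'v*.*.*'
+workflow_dispatch:
+inputs:
+version:
+description: 'Release version (e.g., v1.0.0)'
+required: true
+type: string
+create_release:
+description: 'Create Gitea release'
+required: true
+default: true
+type: boolean
+env:
+REGISTRY: docker.io
+REGISTRY_USER: getterup
+jobs:
+validate-release:
+runs-on: ubuntu-latest
+outputs:
+version: ${{ steps.version.outputs.version }}
+is_prerelease: ${{ steps.version.outputs.is_prerelease }}
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Validate and extract version
+id: version
+run: |
+if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+VERSION="${{ github.event.inputs.version }}"
+else
+VERSION="${{ github.ref_name }}"
+fi
+echo "version=${VERSION}" >> $GITHUB_OUTPUT
+# Check if this is a pre-release (contains alpha, beta, rc)
+if [[ "$VERSION" =~ (alpha|beta|rc) ]]; then
+echo "is_prerelease=true" >> $GITHUB_OUTPUT
+else
+echo "is_prerelease=false" >> $GITHUB_OUTPUT
+fi
+echo "📋 Release version: $VERSION"
+echo "🚀 Pre-release: $([ \"${{ steps.version.outputs.is_prerelease }}\" == \"true\" ] && echo \"Yes\" || echo \"No\")"
+shell: bash
+build-release-images:
+runs-on: ubuntu-latest
+needs: validate-release
+strategy:
+matrix:
+image:
+- name: comfyui-rocm7.1
+dockerfile: Dockerfile.comfyui-rocm7.1
+- name: stable-diffusion.cpp-rocm7.1
+dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Set up Docker Buildx
+uses: https://gitea.com/actions/setup-docker@v1
+with:
+buildx: true
+- name: Log in to Docker Hub
+run: |
+echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
+shell: bash
+- name: Build and push release image
+run: |
+IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}"
+VERSION="${{ needs.validate-release.outputs.version }}"
+# Create tags
+TAGS="${IMAGE_NAME}:${VERSION}"
+# Add latest tag for main releases (not pre-releases)
+if [[ "${{ needs.validate-release.outputs.is_prerelease }}" != "true" ]]; then
+TAGS="${TAGS} ${IMAGE_NAME}:latest"
+fi
+# Add semantic version tags for releases
+if [[ "$VERSION" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+MAJOR="${BASH_REMATCH[1]}"
+MINOR="${BASH_REMATCH[2]}"
+PATCH="${BASH_REMATCH[3]}"
+TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}.${PATCH}"
+TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}"
+# Only add major version tag for stable releases
+if [[ "${{ needs.validate-release.outputs.is_prerelease }}" != "true" ]]; then
+TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}"
+fi
+fi
+echo "🏷️ Building with tags: $TAGS"
+# Build and push the image
+docker buildx build \
+--context . \
+--file Dockerfiles/${{ matrix.image.dockerfile }} \
+--platform linux/amd64 \
+--build-arg VERSION=$VERSION \
+--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
+--build-arg VCS_REF=${{ github.sha }} \
+$(for tag in $TAGS; do echo "--tag $tag"; done) \
+--push \
+.
+shell: bash
+build-gpu-variants:
+runs-on: ubuntu-latest
+needs: validate-release
+strategy:
+matrix:
+gfx_arch: [gfx1150, gfx1151, gfx1200, gfx1100, gfx1101, gfx1030, gfx1201]
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Set up Docker Buildx
+uses: https://gitea.com/actions/setup-docker@v1
+with:
+buildx: true
+- name: Log in to Docker Hub
+run: |
+echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
+shell: bash
+- name: Build and push GPU variant
+run: |
+IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}"
+VERSION="${{ needs.validate-release.outputs.version }}"
+# Create tags
+TAGS="${IMAGE_NAME}:${VERSION}"
+# Add latest tag for main releases (not pre-releases)
+if [[ "${{ needs.validate-release.outputs.is_prerelease }}" != "true" ]]; then
+TAGS="${TAGS} ${IMAGE_NAME}:latest"
+fi
+# Add semantic version tags
+if [[ "$VERSION" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+MAJOR="${BASH_REMATCH[1]}"
+MINOR="${BASH_REMATCH[2]}"
+PATCH="${BASH_REMATCH[3]}"
+TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}.${PATCH}"
+TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}"
+fi
+echo "🏷️ Building ${{ matrix.gfx_arch }} variant with tags: $TAGS"
+# Build and push the GPU-specific image
+docker buildx build \
+--context . \
+--file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \
+--platform linux/amd64 \
+--build-arg GFX_ARCH=${{ matrix.gfx_arch }} \
+--build-arg VERSION=$VERSION \
+--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
+--build-arg VCS_REF=${{ github.sha }} \
+$(for tag in $TAGS; do echo "--tag $tag"; done) \
+--push \
+.
+shell: bash
+create-release:
+runs-on: ubuntu-latest
+needs: [validate-release, build-release-images, build-gpu-variants]
+if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.create_release == 'true')
+steps:
+- name: Checkout repository
+uses: https://gitea.com/actions/checkout@v4
+- name: Generate release notes
+id: release_notes
+run: |
+VERSION="${{ needs.validate-release.outputs.version }}"
+cat > release_notes.md << EOF
+## 🚀 ROCm 7.1 Container Release ${VERSION}
+### 📦 Container Images Built
+**Base Images:**
+- \`${{ env.REGISTRY_USER }}/comfyui-rocm7.1:${VERSION}\`
+- \`${{ env.REGISTRY_USER }}/stable-diffusion.cpp-rocm7.1:${VERSION}\`
+**GPU-Specific Variants:**
+- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1150:${VERSION}\` (RDNA 3.5 - Ryzen AI 9 HX 370)
+- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1151:${VERSION}\` (RDNA 3.5 - Strix Point)
+- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1200:${VERSION}\` (RDNA 4 - RX 9070 XT)
+- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1100:${VERSION}\` (RDNA 3 - RX 7900 XTX/XT)
+- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1101:${VERSION}\` (RDNA 3 - RX 7800/7700 XT)
+- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1030:${VERSION}\` (RDNA 2 - RX 6000 series)
+- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1201:${VERSION}\` (RDNA 4 - RX 9060/9070 XT)
+### 🔧 Quick Start
+\`\`\`bash
+# Clone the repository
+git clone <your-gitea-repo-url>
+cd rocm-automated
+# Start the services
+docker-compose up -d
+# Access Open WebUI
+open http://localhost:3000
+\`\`\`
+### 🛠️ What's New in This Release
+- ROCm 7.1 support for AMD GPUs
+- Optimized ComfyUI for AI image generation
+- Stable Diffusion.cpp with GPU acceleration
+- Multi-GPU architecture support
+- Docker Compose configuration for easy deployment
+- Automated daily builds and security scanning
+### 📋 System Requirements
+- **AMD GPU**: RDNA 2/3/4 architecture (RX 6000/7000/9000 series)
+- **Memory**: 16GB+ system RAM recommended
+- **VRAM**: 8GB+ GPU memory for large models
+- **OS**: Linux with Docker 24.0+ and Docker Compose 2.20+
+### 📖 Documentation
+- [Setup Guide](README.md)
+- [ComfyUI Setup](OPEN_WEBUI_COMFYUI_SETUP.md)
+- [GitHub Actions](/.github/workflows/README.md)
+### 🐛 Issues & Support
+Please report issues and ask questions in the repository's issue tracker.
+---
+**Build Information:**
+- Build Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')
+- Commit SHA: \`$(echo ${{ github.sha }} | cut -c1-7)\`
+- Built with Gitea Actions
+EOF
+echo "📝 Release notes generated for ${VERSION}"
+shell: bash
+- name: Create Gitea Release
+run: |
+VERSION="${{ needs.validate-release.outputs.version }}"
+IS_PRERELEASE="${{ needs.validate-release.outputs.is_prerelease }}"
+echo "🚀 Creating Gitea release for ${VERSION}"
+# Note: This is a placeholder - actual Gitea API calls would depend on your Gitea instance
+# You would typically use curl with the Gitea API or a Gitea CLI tool
+echo "📋 Release Summary:"
+echo "- Version: ${VERSION}"
+echo "- Pre-release: ${IS_PRERELEASE}"
+echo "- Commit: ${{ github.sha }}"
+echo "- Built images: 9 total (2 base + 7 GPU variants)"
+# Example of what a Gitea API call might look like:
+# curl -X POST "https://your-gitea.com/api/v1/repos/owner/repo/releases" \
+# -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
+# -H "Content-Type: application/json" \
+# -d @release_payload.json
+echo "✅ Release process completed"
+echo "🐳 Docker images available at: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/"
+shell: bash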
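Review bot: The `validate-release` job does not validate anything: `VERSION="${{ github.event.inputs.version }}"` splices a free-form dispatch input into the shell script and from there into `docker buildx build --tag`, so anyone who can trigger the workflow can inject shell text or publish under an arbitrary tag, and any string without alpha/beta/rc also overwrites `latest`. Pass the input through `env:` and reject anything that is not the `v<major>.<minor>.<patch>[-pre]` shape the `v*.*.*` tag trigger expects; the rewrite is below. The last echo in that step reads `steps.version.outputs.is_prerelease`, which is not visible inside the step that writes it, so it always prints "No"; test the shell variable instead. The 'Create Gitea Release' step is a placeholder that only prints a summary and exits 0, so the `create_release` input promises a release that is never created; a FIXME in the step name would keep that honest until the API call exists.
```yaml
- name: Validate and extract version
  id: version
  env:
    INPUT_VERSION: ${{ github.event.inputs.version }}
    REF_NAME: ${{ github.ref_name }}
  run: |
    if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
      VERSION="$INPUT_VERSION"
    else
      VERSION="$REF_NAME"
    fi
    # Refuse anything that is not a plain semver tag, optionally with a pre-release suffix;
    # adjust the suffix pattern to whatever your tags actually use.
    if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-?(alpha|beta|rc)[0-9]*)?$ ]]; then
      echo "❌ Invalid release version: '$VERSION'" >&2
      exit 1
    fi
    echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
    if [[ "$VERSION" =~ (alpha|beta|rc) ]]; then
      IS_PRERELEASE=true
    else
      IS_PRERELEASE=false
    fi
    echo "is_prerelease=${IS_PRERELEASE}" >> "$GITHUB_OUTPUT"
    echo "📋 Release version: $VERSION"
    echo "🚀 Pre-release: $([ "$IS_PRERELEASE" == "true" ] && echo Yes || echo No)"
  shell: bash
```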


@@ -0,0 +1,177 @@
name: Security Scan (Gitea)
on:
schedule:
# Run security scans weekly on Sundays at 03:00 UTC
- cron: '0 3 * * 0'
workflow_dispatch:
pull_request:
paths:
- 'Dockerfiles/**'
- '.github/workflows/**'
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
dockerfile-security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Install Hadolint
run: |
wget -O /tmp/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
chmod +x /tmp/hadolint
sudo mv /tmp/hadolint /usr/local/bin/hadolint
shell: bash
- name: Run Hadolint on ComfyUI Dockerfile
run: |
echo "🔍 Scanning Dockerfile.comfyui-rocm7.1..."
hadolint Dockerfiles/Dockerfile.comfyui-rocm7.1 || echo "⚠️ Warnings found in ComfyUI Dockerfile"
shell: bash
- name: Run Hadolint on Stable Diffusion Dockerfile
run: |
echo "🔍 Scanning Dockerfile.stable-diffusion.cpp-rocm7.1..."
hadolint Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 || echo "⚠️ Warnings found in Stable Diffusion Dockerfile"
shell: bash
vulnerability-scan:
runs-on: ubuntu-latest
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Build test image
run: |
docker buildx build \
--context . \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--tag test-${{ matrix.image.name }}:latest \
--load \
.
shell: bash
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
shell: bash
- name: Run Trivy vulnerability scanner
run: |
echo "🛡️ Scanning test-${{ matrix.image.name }}:latest for vulnerabilities..."
trivy image --exit-code 1 --severity HIGH,CRITICAL --format table test-${{ matrix.image.name }}:latest || echo "⚠️ Vulnerabilities found in ${{ matrix.image.name }}"
# Generate JSON report for further analysis
trivy image --format json --output trivy-report-${{ matrix.image.name }}.json test-${{ matrix.image.name }}:latest || true
shell: bash
- name: Upload scan results
run: |
if [ -f "trivy-report-${{ matrix.image.name }}.json" ]; then
echo "📄 Trivy scan report generated: trivy-report-${{ matrix.image.name }}.json"
# In a real environment, you might upload this to an artifact store or security system
fi
shell: bash
dependency-check:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Check for base image updates
run: |
echo "🔍 Checking base images for updates..."
# Check common base images used in our Dockerfiles
echo "Checking Ubuntu base images..."
docker pull ubuntu:22.04 2>/dev/null || echo "⚠️ Could not pull ubuntu:22.04"
echo "Checking Python images..."
docker pull python:3.11-slim 2>/dev/null || echo "⚠️ Could not pull python:3.11-slim"
docker pull python:3.12-slim 2>/dev/null || echo "⚠️ Could not pull python:3.12-slim"
echo "✅ Base image check completed"
shell: bash
- name: Security advisory check
run: |
echo "🛡️ Security Advisory Information"
echo "=================================="
echo ""
echo "📋 Please manually review the following for security updates:"
echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security"
echo "- Docker security best practices: https://docs.docker.com/engine/security/"
echo "- Ubuntu security notices: https://ubuntu.com/security/notices"
echo "- Python security advisories: https://python.org/news/security/"
echo ""
echo "💡 Regular monitoring of these sources is recommended for production deployments."
shell: bash
notify-security:
runs-on: ubuntu-latest
needs: [dockerfile-security-scan, vulnerability-scan, dependency-check]
if: always() && github.event_name == 'schedule'
steps:
- name: Security scan summary
run: |
echo "🔒 Weekly Security Scan Summary"
echo "==============================="
echo ""
echo "📊 Scan Results:"
echo "- Dockerfile Lint: ${{ needs.dockerfile-security-scan.result }}"
echo "- Vulnerability Scan: ${{ needs.vulnerability-scan.result }}"
echo "- Dependency Check: ${{ needs.dependency-check.result }}"
echo ""
FAILED_JOBS=""
if [ "${{ needs.dockerfile-security-scan.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS dockerfile-lint"
fi
if [ "${{ needs.vulnerability-scan.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS vulnerability-scan"
fi
if [ "${{ needs.dependency-check.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS dependency-check"
fi
if [ -n "$FAILED_JOBS" ]; then
echo "❌ Failed jobs:$FAILED_JOBS"
echo "⚠️ Please review the detailed logs above"
echo ""
echo "🔧 Recommended actions:"
echo "- Review Dockerfile best practices"
echo "- Update base images to latest versions"
echo "- Address high/critical vulnerabilities"
exit 1
else
echo "✅ All security scans passed successfully!"
echo "🛡️ No critical security issues detected"
fi
shell: bash
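Review bot: The scanner gate in `vulnerability-scan`, `trivy image --exit-code 1 --severity HIGH,CRITICAL --format table ... || echo "⚠️ Vulnerabilities found in ..."`, cannot fail: the `|| echo` turns every non-zero exit into success, the two hadolint lines do the same, and `notify-security` then reports "All security scans passed successfully!" whatever was found. Drop the `|| echo` so the line is just `trivy image --exit-code 1 --severity HIGH,CRITICAL --format table test-${{ matrix.image.name }}:latest` (or capture `$?` and `exit` with it after the JSON report is written), and do the same for hadolint if its findings are meant to gate. The install path is also weak: `wget -qO - ... | sudo apt-key add -` uses the deprecated apt-key and trusts whatever key the URL serves, and the hadolint binary is fetched with no checksum; import the key into `/etc/apt/keyrings` with a `signed-by` entry and verify a recorded sha256 for hadolint before the `mv`. The 'Upload scan results' step only echoes the JSON file name, so scheduled runs leave no persisted record of findings.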