yindo/rocm-automated
1
0
Fork 0
mirror of https://github.com/BillyOutlast/rocm-automated.git synced 2026-02-04 03:51:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

gitea build

Browse Source
This commit is contained in:
John Doe
2026-01-30 19:37:37 -05:00
parent 5f820ad2c4
commit 2a63ccf32f
5 changed files with 987 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
.github/workflows/daily-build-gitea.yml vendored Normal file
View File

@@ -0,0 +1,218 @@
name: Daily ROCm Container Build
on:
schedule:
# Run daily at 02:00 UTC
- cron: '0 2 * * *'
workflow_dispatch: # Allow manual triggering
inputs:
push_images:
description: 'Push images to registry'
required: true
default: 'true'
type: boolean
build_all:
description: 'Build all variants'
required: true
default: 'true'
type: boolean
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
date: ${{ steps.date.outputs.date }}
sha_short: ${{ steps.vars.outputs.sha_short }}
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Get current date
id: date
run: |
echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
shell: bash
- name: Set variables
id: vars
run: |
echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
shell: bash
build-base-images:
runs-on: ubuntu-latest
needs: prepare
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
context: .
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
context: .
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Log in to Docker Hub
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push Docker image
run: |
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}"
TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
# Build the image
docker buildx build \
--context ${{ matrix.image.context }} \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--platform linux/amd64 \
--build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \
--build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \
.
shell: bash
build-stable-diffusion-variants:
runs-on: ubuntu-latest
needs: prepare
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_all == 'true')
strategy:
matrix:
gfx_arch:
- gfx1150 # RDNA 3.5 (Ryzen AI 9 HX 370)
- gfx1151 # RDNA 3.5 (Strix Point/Ryzen AI Max+ 365)
- gfx1200 # RDNA 4 (RX 9070 XT)
- gfx1100 # RDNA 3 (RX 7900 XTX/XT)
- gfx1101 # RDNA 3 (RX 7800 XT/7700 XT)
- gfx1030 # RDNA 2 (RX 6000 series)
- gfx1201 # RDNA 4 (RX 9060 XT/ RX 9070/XT)
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Log in to Docker Hub
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push GPU variant image
run: |
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}"
TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
# Build the GPU-specific image
docker buildx build \
--context . \
--file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \
--platform linux/amd64 \
--build-arg GFX_ARCH=${{ matrix.gfx_arch }} \
--build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \
--build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \
.
shell: bash
test-compose:
runs-on: ubuntu-latest
needs: [prepare, build-base-images]
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Create test directories
run: |
mkdir -p User-Directories/open-webui
mkdir -p User-Directories/ollama
mkdir -p User-Directories/comfyui
shell: bash
- name: Test docker-compose configuration
run: |
# Install docker-compose if not available
if ! command -v docker-compose &> /dev/null; then
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
fi
# Validate compose file
docker-compose config --quiet
echo "✅ Docker Compose configuration is valid"
shell: bash
- name: Test image availability
run: |
echo "📋 Testing image availability..."
# Check if images exist (without pulling)
docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/comfyui-rocm7.1:latest >/dev/null 2>&1 || echo "⚠️ ComfyUI image may not be available yet"
docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion.cpp-rocm7.1:latest >/dev/null 2>&1 || echo "⚠️ Stable Diffusion image may not be available yet"
echo "✅ Image availability check completed"
shell: bash
notify:
runs-on: ubuntu-latest
needs: [prepare, build-base-images, build-stable-diffusion-variants, test-compose]
if: always() && (github.event_name == 'schedule')
steps:
- name: Build summary
run: |
echo "📊 Daily Build Summary - ${{ needs.prepare.outputs.date }}"
echo "=================================="
echo ""
echo "🔧 Job Results:"
echo "- Prepare: ${{ needs.prepare.result }}"
echo "- Base Images: ${{ needs.build-base-images.result }}"
echo "- GPU Variants: ${{ needs.build-stable-diffusion-variants.result }}"
echo "- Compose Test: ${{ needs.test-compose.result }}"
echo ""
if [[ "${{ needs.build-base-images.result }}" == "success" && "${{ needs.build-stable-diffusion-variants.result }}" == "success" ]]; then
echo "✅ All builds completed successfully!"
echo "🐳 Images pushed to ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/"
echo "📋 Docker Compose configuration validated"
else
echo "❌ Some builds failed - please check the logs"
exit 1
fi
shell: bash
cleanup:
runs-on: ubuntu-latest
needs: [build-base-images, build-stable-diffusion-variants]
if: always()
steps:
- name: Clean up Docker resources
run: |
echo "🧹 Cleaning up Docker resources..."
docker system prune -f --volumes || true
docker builder prune -f || true
echo "✅ Cleanup completed"
shell: bash

10
.github/workflows/daily-build.yml vendored
View File

@@ -30,15 +30,19 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: https://github.com/actions/checkout@v4
- name: Get current date - name: Get current date
id: date id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT run: |
echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
shell: bash
- name: Set variables - name: Set variables
id: vars id: vars
run: echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT run: |
echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
shell: bash
build-base-images: build-base-images:
runs-on: ubuntu-latest runs-on: ubuntu-latest

291
.github/workflows/release-gitea.yml vendored Normal file
View File

@@ -0,0 +1,291 @@
name: Release Build (Gitea)
on:
push:
tags:
- 'v*.*.*'
workflow_dispatch:
inputs:
version:
description: 'Release version (e.g., v1.0.0)'
required: true
type: string
create_release:
description: 'Create Gitea release'
required: true
default: true
type: boolean
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
validate-release:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.version.outputs.version }}
is_prerelease: ${{ steps.version.outputs.is_prerelease }}
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Validate and extract version
id: version
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
VERSION="${{ github.event.inputs.version }}"
else
VERSION="${{ github.ref_name }}"
fi
echo "version=${VERSION}" >> $GITHUB_OUTPUT
# Check if this is a pre-release (contains alpha, beta, rc)
if [[ "$VERSION" =~ (alpha|beta|rc) ]]; then
echo "is_prerelease=true" >> $GITHUB_OUTPUT
else
echo "is_prerelease=false" >> $GITHUB_OUTPUT
fi
echo "📋 Release version: $VERSION"
echo "🚀 Pre-release: $([ \"${{ steps.version.outputs.is_prerelease }}\" == \"true\" ] && echo \"Yes\" || echo \"No\")"
shell: bash
build-release-images:
runs-on: ubuntu-latest
needs: validate-release
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Log in to Docker Hub
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push release image
run: |
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}"
VERSION="${{ needs.validate-release.outputs.version }}"
# Create tags
TAGS="${IMAGE_NAME}:${VERSION}"
# Add latest tag for main releases (not pre-releases)
if [[ "${{ needs.validate-release.outputs.is_prerelease }}" != "true" ]]; then
TAGS="${TAGS} ${IMAGE_NAME}:latest"
fi
# Add semantic version tags for releases
if [[ "$VERSION" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
MAJOR="${BASH_REMATCH[1]}"
MINOR="${BASH_REMATCH[2]}"
PATCH="${BASH_REMATCH[3]}"
TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}.${PATCH}"
TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}"
# Only add major version tag for stable releases
if [[ "${{ needs.validate-release.outputs.is_prerelease }}" != "true" ]]; then
TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}"
fi
fi
echo "🏷️ Building with tags: $TAGS"
# Build and push the image
docker buildx build \
--context . \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--platform linux/amd64 \
--build-arg VERSION=$VERSION \
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
--build-arg VCS_REF=${{ github.sha }} \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
--push \
.
shell: bash
build-gpu-variants:
runs-on: ubuntu-latest
needs: validate-release
strategy:
matrix:
gfx_arch: [gfx1150, gfx1151, gfx1200, gfx1100, gfx1101, gfx1030, gfx1201]
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Log in to Docker Hub
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push GPU variant
run: |
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}"
VERSION="${{ needs.validate-release.outputs.version }}"
# Create tags
TAGS="${IMAGE_NAME}:${VERSION}"
# Add latest tag for main releases (not pre-releases)
if [[ "${{ needs.validate-release.outputs.is_prerelease }}" != "true" ]]; then
TAGS="${TAGS} ${IMAGE_NAME}:latest"
fi
# Add semantic version tags
if [[ "$VERSION" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
MAJOR="${BASH_REMATCH[1]}"
MINOR="${BASH_REMATCH[2]}"
PATCH="${BASH_REMATCH[3]}"
TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}.${PATCH}"
TAGS="${TAGS} ${IMAGE_NAME}:${MAJOR}.${MINOR}"
fi
echo "🏷️ Building ${{ matrix.gfx_arch }} variant with tags: $TAGS"
# Build and push the GPU-specific image
docker buildx build \
--context . \
--file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \
--platform linux/amd64 \
--build-arg GFX_ARCH=${{ matrix.gfx_arch }} \
--build-arg VERSION=$VERSION \
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
--build-arg VCS_REF=${{ github.sha }} \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
--push \
.
shell: bash
create-release:
runs-on: ubuntu-latest
needs: [validate-release, build-release-images, build-gpu-variants]
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.create_release == 'true')
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Generate release notes
id: release_notes
run: |
VERSION="${{ needs.validate-release.outputs.version }}"
cat > release_notes.md << EOF
## 🚀 ROCm 7.1 Container Release ${VERSION}
### 📦 Container Images Built
**Base Images:**
- \`${{ env.REGISTRY_USER }}/comfyui-rocm7.1:${VERSION}\`
- \`${{ env.REGISTRY_USER }}/stable-diffusion.cpp-rocm7.1:${VERSION}\`
**GPU-Specific Variants:**
- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1150:${VERSION}\` (RDNA 3.5 - Ryzen AI 9 HX 370)
- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1151:${VERSION}\` (RDNA 3.5 - Strix Point)
- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1200:${VERSION}\` (RDNA 4 - RX 9070 XT)
- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1100:${VERSION}\` (RDNA 3 - RX 7900 XTX/XT)
- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1101:${VERSION}\` (RDNA 3 - RX 7800/7700 XT)
- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1030:${VERSION}\` (RDNA 2 - RX 6000 series)
- \`${{ env.REGISTRY_USER }}/stable-diffusion-cpp-gfx1201:${VERSION}\` (RDNA 4 - RX 9060/9070 XT)
### 🔧 Quick Start
\`\`\`bash
# Clone the repository
git clone <your-gitea-repo-url>
cd rocm-automated
# Start the services
docker-compose up -d
# Access Open WebUI
open http://localhost:3000
\`\`\`
### 🛠️ What's New in This Release
- ROCm 7.1 support for AMD GPUs
- Optimized ComfyUI for AI image generation
- Stable Diffusion.cpp with GPU acceleration
- Multi-GPU architecture support
- Docker Compose configuration for easy deployment
- Automated daily builds and security scanning
### 📋 System Requirements
- **AMD GPU**: RDNA 2/3/4 architecture (RX 6000/7000/9000 series)
- **Memory**: 16GB+ system RAM recommended
- **VRAM**: 8GB+ GPU memory for large models
- **OS**: Linux with Docker 24.0+ and Docker Compose 2.20+
### 📖 Documentation
- [Setup Guide](README.md)
- [ComfyUI Setup](OPEN_WEBUI_COMFYUI_SETUP.md)
- [GitHub Actions](/.github/workflows/README.md)
### 🐛 Issues & Support
Please report issues and ask questions in the repository's issue tracker.
---
**Build Information:**
- Build Date: $(date -u +'%Y-%m-%d %H:%M:%S UTC')
- Commit SHA: \`$(echo ${{ github.sha }} | cut -c1-7)\`
- Built with Gitea Actions
EOF
echo "📝 Release notes generated for ${VERSION}"
shell: bash
- name: Create Gitea Release
run: |
VERSION="${{ needs.validate-release.outputs.version }}"
IS_PRERELEASE="${{ needs.validate-release.outputs.is_prerelease }}"
echo "🚀 Creating Gitea release for ${VERSION}"
# Note: This is a placeholder - actual Gitea API calls would depend on your Gitea instance
# You would typically use curl with the Gitea API or a Gitea CLI tool
echo "📋 Release Summary:"
echo "- Version: ${VERSION}"
echo "- Pre-release: ${IS_PRERELEASE}"
echo "- Commit: ${{ github.sha }}"
echo "- Built images: 9 total (2 base + 7 GPU variants)"
# Example of what a Gitea API call might look like:
# curl -X POST "https://your-gitea.com/api/v1/repos/owner/repo/releases" \
# -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
# -H "Content-Type: application/json" \
# -d @release_payload.json
echo "✅ Release process completed"
echo "🐳 Docker images available at: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/"
shell: bash

177
.github/workflows/security-scan-gitea.yml vendored Normal file
View File

@@ -0,0 +1,177 @@
name: Security Scan (Gitea)
on:
schedule:
# Run security scans weekly on Sundays at 03:00 UTC
- cron: '0 3 * * 0'
workflow_dispatch:
pull_request:
paths:
- 'Dockerfiles/**'
- '.github/workflows/**'
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
dockerfile-security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Install Hadolint
run: |
wget -O /tmp/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
chmod +x /tmp/hadolint
sudo mv /tmp/hadolint /usr/local/bin/hadolint
shell: bash
- name: Run Hadolint on ComfyUI Dockerfile
run: |
echo "🔍 Scanning Dockerfile.comfyui-rocm7.1..."
hadolint Dockerfiles/Dockerfile.comfyui-rocm7.1 || echo "⚠️ Warnings found in ComfyUI Dockerfile"
shell: bash
- name: Run Hadolint on Stable Diffusion Dockerfile
run: |
echo "🔍 Scanning Dockerfile.stable-diffusion.cpp-rocm7.1..."
hadolint Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 || echo "⚠️ Warnings found in Stable Diffusion Dockerfile"
shell: bash
vulnerability-scan:
runs-on: ubuntu-latest
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Build test image
run: |
docker buildx build \
--context . \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--tag test-${{ matrix.image.name }}:latest \
--load \
.
shell: bash
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
shell: bash
- name: Run Trivy vulnerability scanner
run: |
echo "🛡️ Scanning test-${{ matrix.image.name }}:latest for vulnerabilities..."
trivy image --exit-code 1 --severity HIGH,CRITICAL --format table test-${{ matrix.image.name }}:latest || echo "⚠️ Vulnerabilities found in ${{ matrix.image.name }}"
# Generate JSON report for further analysis
trivy image --format json --output trivy-report-${{ matrix.image.name }}.json test-${{ matrix.image.name }}:latest || true
shell: bash
- name: Upload scan results
run: |
if [ -f "trivy-report-${{ matrix.image.name }}.json" ]; then
echo "📄 Trivy scan report generated: trivy-report-${{ matrix.image.name }}.json"
# In a real environment, you might upload this to an artifact store or security system
fi
shell: bash
dependency-check:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Check for base image updates
run: |
echo "🔍 Checking base images for updates..."
# Check common base images used in our Dockerfiles
echo "Checking Ubuntu base images..."
docker pull ubuntu:22.04 2>/dev/null || echo "⚠️ Could not pull ubuntu:22.04"
echo "Checking Python images..."
docker pull python:3.11-slim 2>/dev/null || echo "⚠️ Could not pull python:3.11-slim"
docker pull python:3.12-slim 2>/dev/null || echo "⚠️ Could not pull python:3.12-slim"
echo "✅ Base image check completed"
shell: bash
- name: Security advisory check
run: |
echo "🛡️ Security Advisory Information"
echo "=================================="
echo ""
echo "📋 Please manually review the following for security updates:"
echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security"
echo "- Docker security best practices: https://docs.docker.com/engine/security/"
echo "- Ubuntu security notices: https://ubuntu.com/security/notices"
echo "- Python security advisories: https://python.org/news/security/"
echo ""
echo "💡 Regular monitoring of these sources is recommended for production deployments."
shell: bash
notify-security:
runs-on: ubuntu-latest
needs: [dockerfile-security-scan, vulnerability-scan, dependency-check]
if: always() && github.event_name == 'schedule'
steps:
- name: Security scan summary
run: |
echo "🔒 Weekly Security Scan Summary"
echo "==============================="
echo ""
echo "📊 Scan Results:"
echo "- Dockerfile Lint: ${{ needs.dockerfile-security-scan.result }}"
echo "- Vulnerability Scan: ${{ needs.vulnerability-scan.result }}"
echo "- Dependency Check: ${{ needs.dependency-check.result }}"
echo ""
FAILED_JOBS=""
if [ "${{ needs.dockerfile-security-scan.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS dockerfile-lint"
fi
if [ "${{ needs.vulnerability-scan.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS vulnerability-scan"
fi
if [ "${{ needs.dependency-check.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS dependency-check"
fi
if [ -n "$FAILED_JOBS" ]; then
echo "❌ Failed jobs:$FAILED_JOBS"
echo "⚠️ Please review the detailed logs above"
echo ""
echo "🔧 Recommended actions:"
echo "- Review Dockerfile best practices"
echo "- Update base images to latest versions"
echo "- Address high/critical vulnerabilities"
exit 1
else
echo "✅ All security scans passed successfully!"
echo "🛡️ No critical security issues detected"
fi
shell: bash

294
GITEA_ACTIONS_SETUP.md Normal file
View File

@@ -0,0 +1,294 @@
# Gitea Actions Configuration Guide
This guide explains how to set up and use the Gitea Actions workflows for the ROCm 7.1 container environment.
## 🔧 Gitea Actions Setup
### 1. Enable Gitea Actions
First, ensure Gitea Actions is enabled on your Gitea instance:
```ini
# In app.ini
[actions]
ENABLED = true
DEFAULT_ACTIONS_URL = https://gitea.com
```
### 2. Configure Runners
You need to set up Gitea Actions runners. You can use:
#### Option A: Docker Runner (Recommended)
```bash
# Pull the official runner image
docker pull gitea/act_runner:latest
# Register the runner
docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $PWD/runner-config:/data \
gitea/act_runner:latest \
register --instance https://your-gitea.com --token YOUR_REGISTRATION_TOKEN
# Run the runner
docker run -d \
--name gitea-runner \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $PWD/runner-config:/data \
gitea/act_runner:latest
```
#### Option B: Binary Runner
```bash
# Download the runner
wget -O act_runner https://gitea.com/gitea/act_runner/releases/download/v0.2.6/act_runner-0.2.6-linux-amd64
chmod +x act_runner
# Register and run
./act_runner register --instance https://your-gitea.com --token YOUR_REGISTRATION_TOKEN
./act_runner daemon
```
## 📁 Workflow Files
The Gitea-compatible workflow files are:
| File | Purpose | Schedule |
|------|---------|----------|
| `daily-build-gitea.yml` | Daily container builds | 02:00 UTC daily |
| `security-scan-gitea.yml` | Security scanning | 03:00 UTC weekly |
| `release-gitea.yml` | Release builds | On git tags |
## 🔑 Required Secrets
Configure these secrets in your Gitea repository settings (`Settings > Secrets`):
| Secret Name | Description | Example |
|-------------|-------------|---------|
| `DOCKER_PASSWORD` | Docker Hub password or token | `dckr_pat_...` |
## 🚀 Getting Started
### 1. Copy the Workflow Files
Move the Gitea-specific workflow files to your repository:
```bash
# Rename the Gitea workflows to be the primary ones
mv .github/workflows/daily-build-gitea.yml .github/workflows/daily-build.yml
mv .github/workflows/security-scan-gitea.yml .github/workflows/security-scan.yml
mv .github/workflows/release-gitea.yml .github/workflows/release.yml
# Optional: Remove GitHub-specific workflows if not needed
rm .github/workflows/daily-build.yml.bak # if you backed them up
```
### 2. Update Configuration
Edit the workflow files to match your setup:
```yaml
env:
REGISTRY: docker.io
REGISTRY_USER: your-dockerhub-username # Change this
```
### 3. Test the Workflows
#### Manual Test Run
```bash
# Trigger a manual build (via Gitea UI)
# Go to: Repository > Actions > Daily ROCm Container Build > Run workflow
```
#### Test with act (Local Testing)
```bash
# Install act for local testing
curl -s https://raw.githubusercontent.com/nektos/act/master/install.sh | bash
# Test the workflow locally
act workflow_dispatch -j prepare
```
## 🔄 Key Differences from GitHub Actions
### 1. Action References
- **GitHub**: `uses: actions/checkout@v4`
- **Gitea**: `uses: https://gitea.com/actions/checkout@v4`
### 2. Docker Actions
Gitea Actions uses simpler Docker setups:
```yaml
# Instead of complex Docker actions, we use direct docker commands
- name: Build and push Docker image
run: |
docker buildx build \
--tag image:tag \
--push \
.
```
### 3. Available Actions
Gitea Actions has fewer pre-built actions available, so we:
- Use direct shell commands where possible
- Install tools manually when needed
- Use official Gitea actions when available
## 📊 Workflow Features
### Daily Build (`daily-build-gitea.yml`)
- ✅ Builds base images (ComfyUI, Stable Diffusion)
- ✅ Builds GPU-specific variants (7 architectures)
- ✅ Docker Compose validation
- ✅ Manual trigger support
- ✅ Build notifications
### Security Scan (`security-scan-gitea.yml`)
- ✅ Dockerfile linting with Hadolint
- ✅ Vulnerability scanning with Trivy
- ✅ Base image update checks
- ✅ Weekly automated scans
### Release Build (`release-gitea.yml`)
- ✅ Semantic versioning
- ✅ Multi-architecture builds
- ✅ Release notes generation
- ✅ Pre-release support
## 🛠️ Customization
### Adding New GPU Architectures
Edit the matrix in the workflows:
```yaml
strategy:
matrix:
gfx_arch:
- gfx1150 # RDNA 3.5 (Ryzen AI 9 HX 370)
- gfx1151 # RDNA 3.5 (Strix Point)
- gfx1200 # RDNA 4 (RX 9070 XT)
- gfx1100 # RDNA 3 (RX 7900 XTX/XT)
- gfx1101 # RDNA 3 (RX 7800 XT/7700 XT)
- gfx1030 # RDNA 2 (RX 6000 series)
- gfx1201 # RDNA 4 (RX 9060 XT/ RX 9070/XT)
- gfx1102 # Add new architecture here
```
### Changing Build Schedule
Modify the cron expressions:
```yaml
on:
schedule:
# Daily at 02:00 UTC
- cron: '0 2 * * *'
# Change to twice daily:
# - cron: '0 2,14 * * *'
```
### Custom Notifications
Add notification steps:
```yaml
- name: Send notification
run: |
# Send to webhook, email, etc.
curl -X POST https://your-webhook.com/notify \
-d "Build completed: ${{ github.run_number }}"
```
## 🐛 Troubleshooting
### Common Issues
1. **Runner Not Found**
```
Error: No runners available
```
**Solution**: Ensure you have registered and started a Gitea Actions runner.
2. **Docker Permission Denied**
```
Error: permission denied while trying to connect to Docker
```
**Solution**: Ensure the runner has access to Docker socket:
```bash
sudo usermod -aG docker $USER
```
3. **Action Not Found**
```
Error: Could not find action
```
**Solution**: Use full URLs for actions:
```yaml
uses: https://gitea.com/actions/checkout@v4
```
### Debug Commands
```bash
# Check runner status
docker logs gitea-runner
# Test Docker access
docker info
# Validate workflow syntax
# (You can use GitHub's workflow validator or yamllint)
yamllint .github/workflows/daily-build-gitea.yml
```
## 📈 Monitoring
### View Build Results
- Go to your repository in Gitea
- Click on "Actions" tab
- View workflow runs and logs
### Build Artifacts
Currently, the workflows push directly to Docker Hub. To save build artifacts in Gitea:
```yaml
- name: Save build logs
run: |
# Save build output to file
docker build . > build.log 2>&1 || true
- name: Upload artifacts
# Use Gitea's artifact upload when available
run: |
echo "Build artifacts saved locally"
```
## 🔧 Advanced Configuration
### Private Registry
To use a private Docker registry:
```yaml
env:
REGISTRY: your-private-registry.com
REGISTRY_USER: your-username
# In the login step:
- name: Log in to Private Registry
run: |
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
```
### Multi-Platform Builds
For ARM64 support:
```yaml
- name: Set up QEMU
run: |
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
- name: Build multi-platform
run: |
docker buildx create --use --name multiarch
docker buildx build \
--platform linux/amd64,linux/arm64 \
--push \
.
```
This configuration should get your ROCm container builds working smoothly on Gitea Actions!