From 74b5416655e0cbe140e06f2a05a81eea9b41e1c5 Mon Sep 17 00:00:00 2001
From: John Doe
Date: Fri, 30 Jan 2026 19:32:03 -0500
Subject: [PATCH] automated buolds
---
 .github/workflows/README.md | 175 ++++++++++++++++++++
 .github/workflows/daily-build.yml | 216 +++++++++++++++++++++++++
 .github/workflows/release.yml | 237 ++++++++++++++++++++++++++++
 .github/workflows/security-scan.yml | 129 +++++++++++++++
 README.md | 4 +
 5 files changed, 761 insertions(+)
 create mode 100644 .github/workflows/README.md
 create mode 100644 .github/workflows/daily-build.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/security-scan.yml
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
new file mode 100644
index 0000000..32342da
--- /dev/null
+++ b/.github/workflows/README.md
@@ -0,0 +1,175 @@
+# GitHub Actions CI/CD
+
+This directory contains GitHub Actions workflows for automated building, testing, and releasing of the ROCm 7.1 container environment.
+
+## ๐Ÿ”ง Workflows
+
+### 1. Daily Build (`daily-build.yml`)
+- **Schedule**: Runs daily at 02:00 UTC
+- **Purpose**: Automated builds of all container images
+- **Triggers**:
+ - Daily schedule
+ - Manual dispatch with options
+- **What it builds**:
+ - Base images (ComfyUI, Stable Diffusion.cpp)
+ - GPU-specific variants for different AMD architectures
+ - Tests Docker Compose configuration
+
+### 2. Release Build (`release.yml`)
+- **Triggers**:
+ - Git tags matching `v*.*.*`
+ - Manual dispatch with version input
+- **Purpose**: Production releases with proper versioning
+- **Features**:
+ - Semantic versioning
+ - GitHub releases with changelogs
+ - Multi-architecture GPU support
+ - Docker Hub image publishing
+
+### 3. Security Scan (`security-scan.yml`)
+- **Schedule**: Weekly on Sundays at 03:00 UTC
+- **Purpose**: Security and vulnerability scanning
+- **Includes**:
+ - Dockerfile linting with Hadolint
+ - Vulnerability scanning with Trivy
+ - Base image update checking
+ - Security advisory monitoring
+
+## ๐Ÿ”‘ Required Secrets
+
+Add these secrets in your GitHub repository settings:
+
+| Secret | Description | Required For |
+|--------|-------------|--------------|
+| `DOCKER_PASSWORD` | Docker Hub password/token | All workflows that push images |
+
+## ๐Ÿš€ Setup Instructions
+
+1. **Configure Docker Hub Access**:
+ ```bash
+ # Create a Docker Hub access token
+ # Go to: https://hub.docker.com/settings/security
+ # Add it as DOCKER_PASSWORD secret in GitHub
+ ```
+
+2. **Update Registry Settings**:
+ - Edit the `REGISTRY_USER` environment variable in workflow files
+ - Change from `getterup` to your Docker Hub username
+
+3. **Enable Workflows**:
+ - Workflows are automatically enabled when you push them to your repository
+ - Manual workflows can be triggered from the Actions tab
+
+## ๐Ÿ“Š Build Matrix
+
+### Base Images
+- `comfyui-rocm7.1` - ComfyUI with ROCm 7.1 support
+- `stable-diffusion.cpp-rocm7.1` - Stable Diffusion with ROCm 7.1
+
+### GPU Architecture Variants
+| GFX Architecture | GPU Series | Build Target |
+|-----------------|-------------|--------------|
+| `gfx1150` | RDNA 3.5 (Ryzen AI 9 HX 370) | `stable-diffusion-cpp-gfx1150` |
+| `gfx1151` | RDNA 3.5 (Strix Point) | `stable-diffusion-cpp-gfx1151` |
+| `gfx1200` | RDNA 4 (RX 9070 XT) | `stable-diffusion-cpp-gfx1200` |
+| `gfx1100` | RDNA 3 (RX 7900 XTX/XT) | `stable-diffusion-cpp-gfx1100` |
+| `gfx1101` | RDNA 3 (RX 7800/7700 XT) | `stable-diffusion-cpp-gfx1101` |
+| `gfx1030` | RDNA 2 (RX 6000 series) | `stable-diffusion-cpp-gfx1030` |
+| `gfx1201` | RDNA 4 (RX 9060/9070 XT) | `stable-diffusion-cpp-gfx1201` |
+
+## ๐Ÿท๏ธ Image Tags
+
+### Daily Builds
+- `latest` - Latest daily build
+- `YYYY-MM-DD` - Date-specific builds
+- `` - Commit-specific builds
+
+### Releases
+- `latest` - Latest stable release
+- `v1.2.3` - Specific version
+- `v1.2` - Minor version
+- `v1` - Major version (for stable releases only)
+
+## ๐Ÿ› ๏ธ Manual Triggers
+
+### Daily Build Manual Run
+```bash
+# Via GitHub CLI
+gh workflow run daily-build.yml \
+ -f push_images=true \
+ -f build_all=true
+
+# Via GitHub UI
+# Go to Actions > Daily ROCm Container Build > Run workflow
+```
+
+### Release Manual Run
+```bash
+# Create a release
+gh workflow run release.yml \
+ -f version=v1.0.0 \
+ -f create_release=true
+```
+
+### Security Scan Manual Run
+```bash
+# Run security scan
+gh workflow run security-scan.yml
+```
+
+## ๐Ÿ“ˆ Monitoring
+
+### Build Status
+- Check the Actions tab for workflow status
+- Failed builds will show detailed logs
+- Security scan results appear in the Security tab
+
+### Docker Hub
+- Images are automatically pushed to Docker Hub
+- Check pull counts and popularity metrics
+- Monitor for automated security scans
+
+## ๐Ÿ” Troubleshooting
+
+### Common Issues
+
+1. **Docker Hub Authentication Failed**
+ - Verify `DOCKER_PASSWORD` secret is set
+ - Check that the token has push permissions
+ - Ensure `REGISTRY_USER` matches your Docker Hub username
+
+2. **Build Failures**
+ - Check Dockerfile syntax
+ - Verify base image availability
+ - Review build logs for specific errors
+
+3. **Security Scan Failures**
+ - Review Trivy scan results
+ - Update base images if vulnerabilities found
+ - Fix Hadolint warnings in Dockerfiles
+
+### Debug Commands
+```bash
+# Test workflows locally with act
+act schedule -j build-base-images
+
+# Validate Docker Compose
+docker-compose config
+
+# Test Dockerfile syntax
+hadolint Dockerfiles/Dockerfile.comfyui-rocm7.1
+```
+
+## ๐Ÿ“‹ Maintenance
+
+### Regular Tasks
+- Monitor workflow success rates
+- Update base images when security patches are available
+- Review and update GPU architecture matrix as new GPUs are released
+- Update dependencies in Dockerfiles
+
+### Quarterly Reviews
+- Assess build times and optimize if needed
+- Review security scan results and trends
+- Update workflow actions to latest versions
+- Check for new GitHub Actions features that could improve the pipeline
\ No newline at end of file
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
new file mode 100644
index 0000000..1a3cc94
--- /dev/null
+++ b/.github/workflows/daily-build.yml
@@ -0,0 +1,216 @@
+name: Daily ROCm Container Build
+
+on:
+ schedule:
+ # Run daily at 02:00 UTC
+ - cron: '0 2 * * *'
+ workflow_dispatch: # Allow manual triggering
+ inputs:
+ push_images:
+ description: 'Push images to registry'
+ required: true
+ default: 'true'
+ type: boolean
+ build_all:
+ description: 'Build all variants'
+ required: true
+ default: 'true'
+ type: boolean
+
+env:
+ REGISTRY: docker.io
+ REGISTRY_USER: getterup
+
+jobs:
+ prepare:
+ runs-on: ubuntu-latest
+ outputs:
+ date: ${{ steps.date.outputs.date }}
+ sha_short: ${{ steps.vars.outputs.sha_short }}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Set variables
+ id: vars
+ run: echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
+
+ build-base-images:
+ runs-on: ubuntu-latest
+ needs: prepare
+ strategy:
+ matrix:
+ image:
+ - name: comfyui-rocm7.1
+ dockerfile: Dockerfile.comfyui-rocm7.1
+ context: .
+ - name: stable-diffusion.cpp-rocm7.1
+ dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
+ context: .
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver-opts: network=host
+
+ - name: Log in to Docker Hub
+ if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}
+ tags: |
+ type=raw,value=latest
+ type=raw,value=${{ needs.prepare.outputs.date }}
+ type=raw,value=${{ needs.prepare.outputs.sha_short }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: ${{ matrix.image.context }}
+ file: Dockerfiles/${{ matrix.image.dockerfile }}
+ push: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true') }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: linux/amd64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ build-args: |
+ BUILD_DATE=${{ needs.prepare.outputs.date }}
+ VCS_REF=${{ needs.prepare.outputs.sha_short }}
+
+ build-stable-diffusion-variants:
+ runs-on: ubuntu-latest
+ needs: prepare
+ if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_all == 'true')
+ strategy:
+ matrix:
+ gfx_arch:
+ - gfx1150 # RDNA 3.5 (Ryzen AI 9 HX 370)
+ - gfx1151 # RDNA 3.5 (Strix Point/Ryzen AI Max+ 365)
+ - gfx1200 # RDNA 4 (RX 9070 XT)
+ - gfx1100 # RDNA 3 (RX 7900 XTX/XT)
+ - gfx1101 # RDNA 3 (RX 7800 XT/7700 XT)
+ - gfx1030 # RDNA 2 (RX 6000 series)
+ - gfx1201 # RDNA 4 (RX 9060 XT/ RX 9070/XT)
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver-opts: network=host
+
+ - name: Log in to Docker Hub
+ if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}
+ tags: |
+ type=raw,value=latest
+ type=raw,value=${{ needs.prepare.outputs.date }}
+ type=raw,value=${{ needs.prepare.outputs.sha_short }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1
+ push: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true') }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: linux/amd64
+ cache-from: type=gha,scope=${{ matrix.gfx_arch }}
+ cache-to: type=gha,mode=max,scope=${{ matrix.gfx_arch }}
+ build-args: |
+ GFX_ARCH=${{ matrix.gfx_arch }}
+ BUILD_DATE=${{ needs.prepare.outputs.date }}
+ VCS_REF=${{ needs.prepare.outputs.sha_short }}
+
+ test-compose:
+ runs-on: ubuntu-latest
+ needs: [prepare, build-base-images]
+ if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Compose
+ run: |
+ sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+ sudo chmod +x /usr/local/bin/docker-compose
+
+ - name: Create test directories
+ run: |
+ mkdir -p User-Directories/open-webui
+ mkdir -p User-Directories/ollama
+ mkdir -p User-Directories/comfyui
+
+ - name: Test docker-compose configuration
+ run: |
+ docker-compose config --quiet
+ echo "โœ… Docker Compose configuration is valid"
+
+ - name: Test image pulls (dry-run)
+ run: |
+ # Test if images can be pulled (without actually starting services)
+ docker-compose pull --quiet || echo "โš ๏ธ Some images may not be available yet"
+
+ notify:
+ runs-on: ubuntu-latest
+ needs: [prepare, build-base-images, build-stable-diffusion-variants, test-compose]
+ if: always() && (github.event_name == 'schedule')
+
+ steps:
+ - name: Notify on success
+ if: needs.build-base-images.result == 'success' && needs.build-stable-diffusion-variants.result == 'success'
+ run: |
+ echo "โœ… Daily build completed successfully on ${{ needs.prepare.outputs.date }}"
+ echo "๐Ÿณ Base images built and pushed"
+ echo "๐ŸŽฏ GPU-specific variants built and pushed"
+ echo "๐Ÿ“‹ Docker Compose configuration validated"
+
+ - name: Notify on failure
+ if: needs.build-base-images.result == 'failure' || needs.build-stable-diffusion-variants.result == 'failure'
+ run: |
+ echo "โŒ Daily build failed on ${{ needs.prepare.outputs.date }}"
+ echo "Please check the workflow logs for details"
+ exit 1
+
+ cleanup:
+ runs-on: ubuntu-latest
+ needs: [build-base-images, build-stable-diffusion-variants]
+ if: always()
+
+ steps:
+ - name: Clean up Docker cache
+ run: |
+ docker system prune -f --volumes
+ echo "๐Ÿงน Docker cache cleaned up"
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e4f1fef
--- /dev/null
+++ b/.github/workflows/release.yml
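Review bot: The `Set up Docker Compose` step in `test-compose` fetches whatever `releases/latest` serves that day with `curl -L` and installs it as root with no version pin and no checksum check, so the job's test tooling is an unverified download; either pin a release version and verify the per-asset checksum file the compose project publishes before `chmod +x`, or drop the step and call `docker compose` (the v2 plugin already present on `ubuntu-latest`) in the two `docker-compose ...` lines that follow. None of the three workflows in this patch declares a top-level `permissions:` block, so every job runs with the repository's default `GITHUB_TOKEN` scope: this file only needs `permissions:` / `  contents: read`, `release.yml` needs `contents: write` for `softprops/action-gh-release`, and `security-scan.yml` needs `security-events: write` for `upload-sarif` (on its `pull_request` trigger a fork's token is read-only regardless, so that upload will fail there). Every `uses:` in all three files references a mutable tag (`actions/checkout@v4`, `docker/build-push-action@v5`, …) and `security-scan.yml` even tracks `aquasecurity/trivy-action@master`; pinning to full commit SHAs with the tag in a trailing comment is the usual fix and matters most for the actions that receive `secrets.DOCKER_PASSWORD`. The `cleanup` job runs `docker system prune` on a fresh runner of its own after the build jobs have already finished, so it frees nothing the builds used and can be removed.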
@@ -0,0 +1,237 @@
+name: Release Build
+
+on:
+ push:
+ tags:
+ - 'v*.*.*'
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Release version (e.g., v1.0.0)'
+ required: true
+ type: string
+ create_release:
+ description: 'Create GitHub release'
+ required: true
+ default: true
+ type: boolean
+
+env:
+ REGISTRY: docker.io
+ REGISTRY_USER: getterup
+
+jobs:
+ validate-release:
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.version.outputs.version }}
+ is_prerelease: ${{ steps.version.outputs.is_prerelease }}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Validate and extract version
+ id: version
+ run: |
+ if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+ VERSION="${{ github.event.inputs.version }}"
+ else
+ VERSION="${{ github.ref_name }}"
+ fi
+
+ echo "version=${VERSION}" >> $GITHUB_OUTPUT
+
+ # Check if this is a pre-release (contains alpha, beta, rc)
+ if [[ "$VERSION" =~ (alpha|beta|rc) ]]; then
+ echo "is_prerelease=true" >> $GITHUB_OUTPUT
+ else
+ echo "is_prerelease=false" >> $GITHUB_OUTPUT
+ fi
+
+ echo "๐Ÿ“‹ Release version: $VERSION"
+ echo "๐Ÿš€ Pre-release: $([ "${{ steps.version.outputs.is_prerelease }}" == "true" ] && echo "Yes" || echo "No")"
+
+ build-release-images:
+ runs-on: ubuntu-latest
+ needs: validate-release
+ strategy:
+ matrix:
+ image:
+ - name: comfyui-rocm7.1
+ dockerfile: Dockerfile.comfyui-rocm7.1
+ - name: stable-diffusion.cpp-rocm7.1
+ dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver-opts: network=host
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=raw,value=${{ needs.validate-release.outputs.version }}
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}},enable=${{ !needs.validate-release.outputs.is_prerelease }}
+
+ - name: Build and push release image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: Dockerfiles/${{ matrix.image.dockerfile }}
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: linux/amd64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ build-args: |
+ VERSION=${{ needs.validate-release.outputs.version }}
+ BUILD_DATE=${{ github.run_id }}
+ VCS_REF=${{ github.sha }}
+
+ build-gpu-variants:
+ runs-on: ubuntu-latest
+ needs: validate-release
+ strategy:
+ matrix:
+ gfx_arch: [gfx1150, gfx1151, gfx1200, gfx1100, gfx1101, gfx1030, gfx1201]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=raw,value=${{ needs.validate-release.outputs.version }}
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+
+ - name: Build and push GPU variant
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: linux/amd64
+ build-args: |
+ GFX_ARCH=${{ matrix.gfx_arch }}
+ VERSION=${{ needs.validate-release.outputs.version }}
+ BUILD_DATE=${{ github.run_id }}
+ VCS_REF=${{ github.sha }}
+
+ create-release:
+ runs-on: ubuntu-latest
+ needs: [validate-release, build-release-images, build-gpu-variants]
+ if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.create_release == 'true')
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Generate release notes
+ id: release_notes
+ run: |
+ cat > release_notes.md << 'EOF'
+ ## ๐Ÿš€ ROCm 7.1 Container Release ${{ needs.validate-release.outputs.version }}
+
+ ### ๐Ÿ“ฆ Container Images Built
+
+ **Base Images:**
+ - `getterup/comfyui-rocm7.1:${{ needs.validate-release.outputs.version }}`
+ - `getterup/stable-diffusion.cpp-rocm7.1:${{ needs.validate-release.outputs.version }}`
+
+ **GPU-Specific Variants:**
+ - `getterup/stable-diffusion-cpp-gfx1150:${{ needs.validate-release.outputs.version }}` (RDNA 3.5 - Ryzen AI 9 HX 370)
+ - `getterup/stable-diffusion-cpp-gfx1151:${{ needs.validate-release.outputs.version }}` (RDNA 3.5 - Strix Point)
+ - `getterup/stable-diffusion-cpp-gfx1200:${{ needs.validate-release.outputs.version }}` (RDNA 4 - RX 9070 XT)
+ - `getterup/stable-diffusion-cpp-gfx1100:${{ needs.validate-release.outputs.version }}` (RDNA 3 - RX 7900 XTX/XT)
+ - `getterup/stable-diffusion-cpp-gfx1101:${{ needs.validate-release.outputs.version }}` (RDNA 3 - RX 7800/7700 XT)
+ - `getterup/stable-diffusion-cpp-gfx1030:${{ needs.validate-release.outputs.version }}` (RDNA 2 - RX 6000 series)
+ - `getterup/stable-diffusion-cpp-gfx1201:${{ needs.validate-release.outputs.version }}` (RDNA 4 - RX 9060/9070 XT)
+
+ ### ๐Ÿ”ง Usage
+
+ ```bash
+ # Quick start with docker-compose
+ git clone https://github.com/yourusername/rocm-automated.git
+ cd rocm-automated
+ docker-compose up -d
+ ```
+
+ ### ๐Ÿ› ๏ธ What's Included
+
+ - ROCm 7.1 support for AMD GPUs
+ - Optimized ComfyUI for AI image generation
+ - Stable Diffusion.cpp with GPU acceleration
+ - Multi-GPU architecture support
+ - Docker Compose configuration for easy deployment
+
+ ### ๐Ÿ“‹ System Requirements
+
+ - AMD GPU with ROCm support (RDNA 2/3/4)
+ - 16GB+ system RAM
+ - 8GB+ GPU VRAM for large models
+ - Linux with Docker 24.0+
+
+ ### ๐Ÿ”— Links
+
+ - [Docker Hub Repository](https://hub.docker.com/u/getterup)
+ - [Documentation](README.md)
+ - [Issues & Support](https://github.com/yourusername/rocm-automated/issues)
+ EOF
+
+ echo "๐Ÿ“ Release notes generated"
+
+ - name: Create GitHub Release
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ needs.validate-release.outputs.version }}
+ name: ROCm 7.1 Container Release ${{ needs.validate-release.outputs.version }}
+ body_path: release_notes.md
+ draft: false
+ prerelease: ${{ needs.validate-release.outputs.is_prerelease }}
+ generate_release_notes: true
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Update Docker Hub descriptions
+ run: |
+ echo "๐Ÿณ Consider updating Docker Hub repository descriptions with:"
+ echo "- Release version: ${{ needs.validate-release.outputs.version }}"
+ echo "- Build date: $(date -u +'%Y-%m-%d')"
+ echo "- Commit SHA: $(echo ${{ github.sha }} | cut -c1-7)"
\ No newline at end of file
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..91bc375
--- /dev/null
+++ b/.github/workflows/security-scan.yml
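Review bot: The `Validate and extract version` step reads `steps.version.outputs.is_prerelease` from inside the very step that writes it, so that expression is empty at evaluation time and the closing echo always reports `No`; more importantly the step validates nothing, so a manual `version` input of any shape becomes a Docker tag, the `tag_name` of a GitHub release and a shell string spliced in via `${{ github.event.inputs.version }}` instead of an `env:` variable. The rewrite below passes both candidate values through `env`, rejects anything that is not `vX.Y.Z[-suffix]`, and keeps the pre-release flag in a shell variable so the log line is correct. Two one-line problems elsewhere in this file: `enable=${{ !needs.validate-release.outputs.is_prerelease }}` negates a job output, and job outputs are strings, so both `'true'` and `'false'` are truthy and the `{{major}}` tag is never emitted — use `enable=${{ needs.validate-release.outputs.is_prerelease == 'false' }}`; and `BUILD_DATE=${{ github.run_id }}` stores a run id under a date label, so callers of that build-arg get a number, not a date.
```yaml
      - name: Validate and extract version
        id: version
        env:
          # Inputs and ref names reach the shell as environment variables,
          # never as `${{ }}` text inside `run:`.
          INPUT_VERSION: ${{ github.event.inputs.version }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            VERSION="$INPUT_VERSION"
          else
            VERSION="$REF_NAME"
          fi

          # The step is called "Validate": reject anything that is not vMAJOR.MINOR.PATCH[-suffix].
          if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$ ]]; then
            echo "::error::version '$VERSION' is not of the form vX.Y.Z[-suffix]"
            exit 1
          fi

          # Pre-release if the suffix mentions alpha, beta or rc.
          PRERELEASE=false
          if [[ "$VERSION" =~ (alpha|beta|rc) ]]; then
            PRERELEASE=true
          fi

          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "is_prerelease=${PRERELEASE}" >> "$GITHUB_OUTPUT"

          echo "Release version: $VERSION"
          # A step's own outputs are not readable until it has finished; use the shell variable.
          echo "Pre-release: $PRERELEASE"
# … unchanged: build-release-images, build-gpu-variants, create-release …
```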
@@ -0,0 +1,129 @@
+name: Security Scan
+
+on:
+ schedule:
+ # Run security scans weekly on Sundays at 03:00 UTC
+ - cron: '0 3 * * 0'
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - 'Dockerfiles/**'
+ - '.github/workflows/**'
+
+env:
+ REGISTRY: docker.io
+ REGISTRY_USER: getterup
+
+jobs:
+ dockerfile-security-scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run Hadolint (Dockerfile linter)
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: Dockerfiles/Dockerfile.comfyui-rocm7.1
+ failure-threshold: warning
+
+ - name: Run Hadolint on Stable Diffusion Dockerfile
+ uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1
+ failure-threshold: warning
+
+ vulnerability-scan:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ image:
+ - name: comfyui-rocm7.1
+ dockerfile: Dockerfile.comfyui-rocm7.1
+ - name: stable-diffusion.cpp-rocm7.1
+ dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build test image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: Dockerfiles/${{ matrix.image.dockerfile }}
+ push: false
+ tags: test-${{ matrix.image.name }}:latest
+ load: true
+ cache-from: type=gha
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: test-${{ matrix.image.name }}:latest
+ format: 'sarif'
+ output: 'trivy-results-${{ matrix.image.name }}.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results-${{ matrix.image.name }}.sarif'
+
+ dependency-check:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check for outdated base images
+ run: |
+ echo "๐Ÿ” Checking base images for updates..."
+
+ # Check ROCm base images
+ echo "Checking ROCm images..."
+ docker pull rocm/rocm-terminal:latest
+
+ # Check Python images (commonly used in AI containers)
+ echo "Checking Python base images..."
+ docker pull python:3.11-slim
+ docker pull python:3.12-slim
+
+ echo "โœ… Base image check completed"
+
+ - name: Check for security advisories
+ run: |
+ echo "๐Ÿ›ก๏ธ Checking for relevant security advisories..."
+ echo "Please review:"
+ echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security"
+ echo "- Docker security best practices: https://docs.docker.com/engine/security/"
+ echo "- NVIDIA CVE database (for GPU-related issues): https://nvidia.com/security"
+
+ notify-security:
+ runs-on: ubuntu-latest
+ needs: [dockerfile-security-scan, vulnerability-scan, dependency-check]
+ if: always() && github.event_name == 'schedule'
+
+ steps:
+ - name: Security scan summary
+ run: |
+ echo "๐Ÿ”’ Weekly security scan completed"
+ echo "๐Ÿ“Š Results:"
+ echo "- Dockerfile lint: ${{ needs.dockerfile-security-scan.result }}"
+ echo "- Vulnerability scan: ${{ needs.vulnerability-scan.result }}"
+ echo "- Dependency check: ${{ needs.dependency-check.result }}"
+
+ if [ "${{ needs.dockerfile-security-scan.result }}" == "failure" ] || \
+ [ "${{ needs.vulnerability-scan.result }}" == "failure" ] || \
+ [ "${{ needs.dependency-check.result }}" == "failure" ]; then
+ echo "โš ๏ธ Security issues detected - please review the logs"
+ exit 1
+ else
+ echo "โœ… No critical security issues found"
+ fi
\ No newline at end of file
diff --git a/README.md b/README.md
index fa14b36..f62fa9a 100644
--- a/README.md
+++ b/README.md
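Review bot: The `Run Trivy vulnerability scanner` step sets no `exit-code`, and the action's default is `0`, so CRITICAL/HIGH findings never fail `vulnerability-scan`; the `needs.vulnerability-scan.result == "failure"` branch in `notify-security` can therefore only fire on a build or scanner crash, and the weekly "No critical security issues found" line is printed regardless of what Trivy reported. Add `exit-code: '1'` (optionally with `ignore-unfixed: true` so findings without a fix do not block every run); the SARIF upload already carries `if: always()`, so results still reach the Security tab when the step fails. The `dependency-check` job pulls three hard-coded images and echoes links but compares nothing against the `FROM` lines of the Dockerfiles it claims to check, so its `result` in the summary is pure noise; either extract the `FROM` references from `Dockerfiles/` and compare their digests with a fresh pull, or remove the job so the summary only reports checks that can fail. The advisory links also look stale for this project: `RadeonOpenCompute/ROCm` appears to be the older name of the ROCm GitHub org, and the NVIDIA entry has no bearing on an AMD-only image set.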
@@ -4,6 +4,10 @@ [![Docker](https://img.shields.io/badge/Docker-supported-blue.svg)](https://www.docker.com/) [![AMD GPU](https://img.shields.io/badge/AMD-GPU-green.svg)](https://www.amd.com/en/graphics) +[![Daily Build](https://github.com/yourusername/rocm-automated/actions/workflows/daily-build.yml/badge.svg)](https://github.com/yourusername/rocm-automated/actions/workflows/daily-build.yml) +[![Security Scan](https://github.com/yourusername/rocm-automated/actions/workflows/security-scan.yml/badge.svg)](https://github.com/yourusername/rocm-automated/actions/workflows/security-scan.yml) +[![Release](https://github.com/yourusername/rocm-automated/actions/workflows/release.yml/badge.svg)](https://github.com/yourusername/rocm-automated/actions/workflows/release.yml) + A comprehensive Docker-based environment for running AI workloads on AMD GPUs with ROCm 7.1 support. This project provides optimized containers for Ollama LLM inference and Stable Diffusion image generation. Sponsored by https://shad-base.com