yindo/rocm-automated
1
0
Fork 0
mirror of https://github.com/BillyOutlast/rocm-automated.git synced 2026-02-04 03:51:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

build fix

Browse Source
This commit is contained in:
John Doe
2026-01-30 19:52:01 -05:00
parent c7f1a05e02
commit ca41b49b87
6 changed files with 21 additions and 780 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
.github/workflows/daily-build-gitea.yml vendored
View File

@@ -1,218 +0,0 @@
name: Daily ROCm Container Build
on:
schedule:
# Run daily at 02:00 UTC
- cron: '0 2 * * *'
workflow_dispatch: # Allow manual triggering
inputs:
push_images:
description: 'Push images to registry'
required: true
default: 'true'
type: boolean
build_all:
description: 'Build all variants'
required: true
default: 'true'
type: boolean
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
date: ${{ steps.date.outputs.date }}
sha_short: ${{ steps.vars.outputs.sha_short }}
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Get current date
id: date
run: |
echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
shell: bash
- name: Set variables
id: vars
run: |
echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
shell: bash
build-base-images:
runs-on: ubuntu-latest
needs: prepare
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
context: .
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
context: .
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Log in to Docker Hub
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push Docker image
run: |
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}"
TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
# Build the image
docker buildx build \
--context ${{ matrix.image.context }} \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--platform linux/amd64 \
--build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \
--build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \
.
shell: bash
build-stable-diffusion-variants:
runs-on: ubuntu-latest
needs: prepare
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_all == 'true')
strategy:
matrix:
gfx_arch:
- gfx1150 # RDNA 3.5 (Ryzen AI 9 HX 370)
- gfx1151 # RDNA 3.5 (Strix Point/Ryzen AI Max+ 365)
- gfx1200 # RDNA 4 (RX 9070 XT)
- gfx1100 # RDNA 3 (RX 7900 XTX/XT)
- gfx1101 # RDNA 3 (RX 7800 XT/7700 XT)
- gfx1030 # RDNA 2 (RX 6000 series)
- gfx1201 # RDNA 4 (RX 9060 XT/ RX 9070/XT)
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Log in to Docker Hub
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin
shell: bash
- name: Build and push GPU variant image
run: |
IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}"
TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}"
# Build the GPU-specific image
docker buildx build \
--context . \
--file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \
--platform linux/amd64 \
--build-arg GFX_ARCH=${{ matrix.gfx_arch }} \
--build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \
--build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \
.
shell: bash
test-compose:
runs-on: ubuntu-latest
needs: [prepare, build-base-images]
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Create test directories
run: |
mkdir -p User-Directories/open-webui
mkdir -p User-Directories/ollama
mkdir -p User-Directories/comfyui
shell: bash
- name: Test docker-compose configuration
run: |
# Install docker-compose if not available
if ! command -v docker-compose &> /dev/null; then
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
fi
# Validate compose file
docker-compose config --quiet
echo "✅ Docker Compose configuration is valid"
shell: bash
- name: Test image availability
run: |
echo "📋 Testing image availability..."
# Check if images exist (without pulling)
docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/comfyui-rocm7.1:latest >/dev/null 2>&1 || echo "⚠️ ComfyUI image may not be available yet"
docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion.cpp-rocm7.1:latest >/dev/null 2>&1 || echo "⚠️ Stable Diffusion image may not be available yet"
echo "✅ Image availability check completed"
shell: bash
notify:
runs-on: ubuntu-latest
needs: [prepare, build-base-images, build-stable-diffusion-variants, test-compose]
if: always() && (github.event_name == 'schedule')
steps:
- name: Build summary
run: |
echo "📊 Daily Build Summary - ${{ needs.prepare.outputs.date }}"
echo "=================================="
echo ""
echo "🔧 Job Results:"
echo "- Prepare: ${{ needs.prepare.result }}"
echo "- Base Images: ${{ needs.build-base-images.result }}"
echo "- GPU Variants: ${{ needs.build-stable-diffusion-variants.result }}"
echo "- Compose Test: ${{ needs.test-compose.result }}"
echo ""
if [[ "${{ needs.build-base-images.result }}" == "success" && "${{ needs.build-stable-diffusion-variants.result }}" == "success" ]]; then
echo "✅ All builds completed successfully!"
echo "🐳 Images pushed to ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/"
echo "📋 Docker Compose configuration validated"
else
echo "❌ Some builds failed - please check the logs"
exit 1
fi
shell: bash
cleanup:
runs-on: ubuntu-latest
needs: [build-base-images, build-stable-diffusion-variants]
if: always()
steps:
- name: Clean up Docker resources
run: |
echo "🧹 Cleaning up Docker resources..."
docker system prune -f --volumes || true
docker builder prune -f || true
echo "✅ Cleanup completed"
shell: bash

32
.github/workflows/daily-build-pure-shell.yml vendored
View File

@@ -31,9 +31,10 @@ jobs:
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
echo "🔄 Manually cloning repository for prepare job..."
rm -rf /tmp/repo-prepare
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-prepare
cd /tmp/repo-prepare
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
@@ -69,9 +70,10 @@ jobs:
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
echo "🔄 Manually cloning repository for build-base-images job..."
rm -rf /tmp/repo-build-base
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-build-base
cd /tmp/repo-build-base
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
@@ -127,13 +129,12 @@ jobs:
fi
docker buildx build \
--context ${{ matrix.image.context }} \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--platform linux/amd64 \
$BUILD_ARGS \
$(for tag in $TAGS; do echo "--tag $tag"; done) \
$PUSH_FLAG \
.
${{ matrix.image.context }}
echo "✅ Build completed for ${{ matrix.image.name }}"
shell: bash
@@ -156,9 +157,10 @@ jobs:
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
echo "🔄 Manually cloning repository for GPU variants job..."
rm -rf /tmp/repo-gpu-variants
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-gpu-variants
cd /tmp/repo-gpu-variants
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
@@ -215,7 +217,6 @@ jobs:
fi
docker buildx build \
--context . \
--file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \
--platform linux/amd64 \
$BUILD_ARGS \
@@ -234,9 +235,10 @@ jobs:
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
echo "🔄 Manually cloning repository for test-compose job..."
rm -rf /tmp/repo-test-compose
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-test-compose
cd /tmp/repo-test-compose
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}

237
.github/workflows/release.yml vendored
View File

@@ -1,237 +0,0 @@
name: Release Build
on:
push:
tags:
- 'v*.*.*'
workflow_dispatch:
inputs:
version:
description: 'Release version (e.g., v1.0.0)'
required: true
type: string
create_release:
description: 'Create GitHub release'
required: true
default: true
type: boolean
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
validate-release:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.version.outputs.version }}
is_prerelease: ${{ steps.version.outputs.is_prerelease }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Validate and extract version
id: version
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
VERSION="${{ github.event.inputs.version }}"
else
VERSION="${{ github.ref_name }}"
fi
echo "version=${VERSION}" >> $GITHUB_OUTPUT
# Check if this is a pre-release (contains alpha, beta, rc)
if [[ "$VERSION" =~ (alpha|beta|rc) ]]; then
echo "is_prerelease=true" >> $GITHUB_OUTPUT
else
echo "is_prerelease=false" >> $GITHUB_OUTPUT
fi
echo "📋 Release version: $VERSION"
echo "🚀 Pre-release: $([ "${{ steps.version.outputs.is_prerelease }}" == "true" ] && echo "Yes" || echo "No")"
build-release-images:
runs-on: ubuntu-latest
needs: validate-release
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.REGISTRY_USER }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ needs.validate-release.outputs.version }}
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}},enable=${{ !needs.validate-release.outputs.is_prerelease }}
- name: Build and push release image
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfiles/${{ matrix.image.dockerfile }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
VERSION=${{ needs.validate-release.outputs.version }}
BUILD_DATE=${{ github.run_id }}
VCS_REF=${{ github.sha }}
build-gpu-variants:
runs-on: ubuntu-latest
needs: validate-release
strategy:
matrix:
gfx_arch: [gfx1150, gfx1151, gfx1200, gfx1100, gfx1101, gfx1030, gfx1201]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.REGISTRY_USER }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ needs.validate-release.outputs.version }}
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- name: Build and push GPU variant
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64
build-args: |
GFX_ARCH=${{ matrix.gfx_arch }}
VERSION=${{ needs.validate-release.outputs.version }}
BUILD_DATE=${{ github.run_id }}
VCS_REF=${{ github.sha }}
create-release:
runs-on: ubuntu-latest
needs: [validate-release, build-release-images, build-gpu-variants]
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.create_release == 'true')
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Generate release notes
id: release_notes
run: |
cat > release_notes.md << 'EOF'
## 🚀 ROCm 7.1 Container Release ${{ needs.validate-release.outputs.version }}
### 📦 Container Images Built
**Base Images:**
- `getterup/comfyui-rocm7.1:${{ needs.validate-release.outputs.version }}`
- `getterup/stable-diffusion.cpp-rocm7.1:${{ needs.validate-release.outputs.version }}`
**GPU-Specific Variants:**
- `getterup/stable-diffusion-cpp-gfx1150:${{ needs.validate-release.outputs.version }}` (RDNA 3.5 - Ryzen AI 9 HX 370)
- `getterup/stable-diffusion-cpp-gfx1151:${{ needs.validate-release.outputs.version }}` (RDNA 3.5 - Strix Point)
- `getterup/stable-diffusion-cpp-gfx1200:${{ needs.validate-release.outputs.version }}` (RDNA 4 - RX 9070 XT)
- `getterup/stable-diffusion-cpp-gfx1100:${{ needs.validate-release.outputs.version }}` (RDNA 3 - RX 7900 XTX/XT)
- `getterup/stable-diffusion-cpp-gfx1101:${{ needs.validate-release.outputs.version }}` (RDNA 3 - RX 7800/7700 XT)
- `getterup/stable-diffusion-cpp-gfx1030:${{ needs.validate-release.outputs.version }}` (RDNA 2 - RX 6000 series)
- `getterup/stable-diffusion-cpp-gfx1201:${{ needs.validate-release.outputs.version }}` (RDNA 4 - RX 9060/9070 XT)
### 🔧 Usage
```bash
# Quick start with docker-compose
git clone https://github.com/yourusername/rocm-automated.git
cd rocm-automated
docker-compose up -d
```
### 🛠️ What's Included
- ROCm 7.1 support for AMD GPUs
- Optimized ComfyUI for AI image generation
- Stable Diffusion.cpp with GPU acceleration
- Multi-GPU architecture support
- Docker Compose configuration for easy deployment
### 📋 System Requirements
- AMD GPU with ROCm support (RDNA 2/3/4)
- 16GB+ system RAM
- 8GB+ GPU VRAM for large models
- Linux with Docker 24.0+
### 🔗 Links
- [Docker Hub Repository](https://hub.docker.com/u/getterup)
- [Documentation](README.md)
- [Issues & Support](https://github.com/yourusername/rocm-automated/issues)
EOF
echo "📝 Release notes generated"
- name: Create GitHub Release
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ needs.validate-release.outputs.version }}
name: ROCm 7.1 Container Release ${{ needs.validate-release.outputs.version }}
body_path: release_notes.md
draft: false
prerelease: ${{ needs.validate-release.outputs.is_prerelease }}
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update Docker Hub descriptions
run: |
echo "🐳 Consider updating Docker Hub repository descriptions with:"
echo "- Release version: ${{ needs.validate-release.outputs.version }}"
echo "- Build date: $(date -u +'%Y-%m-%d')"
echo "- Commit SHA: $(echo ${{ github.sha }} | cut -c1-7)"

177
.github/workflows/security-scan-gitea.yml vendored
View File

@@ -1,177 +0,0 @@
name: Security Scan (Gitea)
on:
schedule:
# Run security scans weekly on Sundays at 03:00 UTC
- cron: '0 3 * * 0'
workflow_dispatch:
pull_request:
paths:
- 'Dockerfiles/**'
- '.github/workflows/**'
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
dockerfile-security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Install Hadolint
run: |
wget -O /tmp/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
chmod +x /tmp/hadolint
sudo mv /tmp/hadolint /usr/local/bin/hadolint
shell: bash
- name: Run Hadolint on ComfyUI Dockerfile
run: |
echo "🔍 Scanning Dockerfile.comfyui-rocm7.1..."
hadolint Dockerfiles/Dockerfile.comfyui-rocm7.1 || echo "⚠️ Warnings found in ComfyUI Dockerfile"
shell: bash
- name: Run Hadolint on Stable Diffusion Dockerfile
run: |
echo "🔍 Scanning Dockerfile.stable-diffusion.cpp-rocm7.1..."
hadolint Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 || echo "⚠️ Warnings found in Stable Diffusion Dockerfile"
shell: bash
vulnerability-scan:
runs-on: ubuntu-latest
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Set up Docker Buildx
uses: https://gitea.com/actions/setup-docker@v1
with:
buildx: true
- name: Build test image
run: |
docker buildx build \
--context . \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--tag test-${{ matrix.image.name }}:latest \
--load \
.
shell: bash
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
shell: bash
- name: Run Trivy vulnerability scanner
run: |
echo "🛡️ Scanning test-${{ matrix.image.name }}:latest for vulnerabilities..."
trivy image --exit-code 1 --severity HIGH,CRITICAL --format table test-${{ matrix.image.name }}:latest || echo "⚠️ Vulnerabilities found in ${{ matrix.image.name }}"
# Generate JSON report for further analysis
trivy image --format json --output trivy-report-${{ matrix.image.name }}.json test-${{ matrix.image.name }}:latest || true
shell: bash
- name: Upload scan results
run: |
if [ -f "trivy-report-${{ matrix.image.name }}.json" ]; then
echo "📄 Trivy scan report generated: trivy-report-${{ matrix.image.name }}.json"
# In a real environment, you might upload this to an artifact store or security system
fi
shell: bash
dependency-check:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: https://gitea.com/actions/checkout@v4
- name: Check for base image updates
run: |
echo "🔍 Checking base images for updates..."
# Check common base images used in our Dockerfiles
echo "Checking Ubuntu base images..."
docker pull ubuntu:22.04 2>/dev/null || echo "⚠️ Could not pull ubuntu:22.04"
echo "Checking Python images..."
docker pull python:3.11-slim 2>/dev/null || echo "⚠️ Could not pull python:3.11-slim"
docker pull python:3.12-slim 2>/dev/null || echo "⚠️ Could not pull python:3.12-slim"
echo "✅ Base image check completed"
shell: bash
- name: Security advisory check
run: |
echo "🛡️ Security Advisory Information"
echo "=================================="
echo ""
echo "📋 Please manually review the following for security updates:"
echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security"
echo "- Docker security best practices: https://docs.docker.com/engine/security/"
echo "- Ubuntu security notices: https://ubuntu.com/security/notices"
echo "- Python security advisories: https://python.org/news/security/"
echo ""
echo "💡 Regular monitoring of these sources is recommended for production deployments."
shell: bash
notify-security:
runs-on: ubuntu-latest
needs: [dockerfile-security-scan, vulnerability-scan, dependency-check]
if: always() && github.event_name == 'schedule'
steps:
- name: Security scan summary
run: |
echo "🔒 Weekly Security Scan Summary"
echo "==============================="
echo ""
echo "📊 Scan Results:"
echo "- Dockerfile Lint: ${{ needs.dockerfile-security-scan.result }}"
echo "- Vulnerability Scan: ${{ needs.vulnerability-scan.result }}"
echo "- Dependency Check: ${{ needs.dependency-check.result }}"
echo ""
FAILED_JOBS=""
if [ "${{ needs.dockerfile-security-scan.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS dockerfile-lint"
fi
if [ "${{ needs.vulnerability-scan.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS vulnerability-scan"
fi
if [ "${{ needs.dependency-check.result }}" == "failure" ]; then
FAILED_JOBS="$FAILED_JOBS dependency-check"
fi
if [ -n "$FAILED_JOBS" ]; then
echo "❌ Failed jobs:$FAILED_JOBS"
echo "⚠️ Please review the detailed logs above"
echo ""
echo "🔧 Recommended actions:"
echo "- Review Dockerfile best practices"
echo "- Update base images to latest versions"
echo "- Address high/critical vulnerabilities"
exit 1
else
echo "✅ All security scans passed successfully!"
echo "🛡️ No critical security issues detected"
fi
shell: bash

8
.github/workflows/security-scan-pure-shell.yml vendored
View File

@@ -21,9 +21,10 @@ jobs:
steps:
- name: Manual checkout
run: |
echo "🔄 Manually cloning repository..."
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo
cd /tmp/repo
echo "🔄 Manually cloning repository for dockerfile-security-scan..."
rm -rf /tmp/repo-dockerfile-scan
git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-dockerfile-scan
cd /tmp/repo-dockerfile-scan
if [ "${{ github.event_name }}" != "schedule" ]; then
git fetch origin ${{ github.sha }}
git checkout ${{ github.sha }}
@@ -114,7 +115,6 @@ jobs:
fi
docker buildx build \
--context . \
--file Dockerfiles/${{ matrix.image.dockerfile }} \
--tag test-${{ matrix.image.name }}:latest \
--load \

129
.github/workflows/security-scan.yml vendored
View File

@@ -1,129 +0,0 @@
name: Security Scan
on:
schedule:
# Run security scans weekly on Sundays at 03:00 UTC
- cron: '0 3 * * 0'
workflow_dispatch:
pull_request:
paths:
- 'Dockerfiles/**'
- '.github/workflows/**'
env:
REGISTRY: docker.io
REGISTRY_USER: getterup
jobs:
dockerfile-security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Hadolint (Dockerfile linter)
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfiles/Dockerfile.comfyui-rocm7.1
failure-threshold: warning
- name: Run Hadolint on Stable Diffusion Dockerfile
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1
failure-threshold: warning
vulnerability-scan:
runs-on: ubuntu-latest
strategy:
matrix:
image:
- name: comfyui-rocm7.1
dockerfile: Dockerfile.comfyui-rocm7.1
- name: stable-diffusion.cpp-rocm7.1
dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build test image
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfiles/${{ matrix.image.dockerfile }}
push: false
tags: test-${{ matrix.image.name }}:latest
load: true
cache-from: type=gha
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: test-${{ matrix.image.name }}:latest
format: 'sarif'
output: 'trivy-results-${{ matrix.image.name }}.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results-${{ matrix.image.name }}.sarif'
dependency-check:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Check for outdated base images
run: |
echo "🔍 Checking base images for updates..."
# Check ROCm base images
echo "Checking ROCm images..."
docker pull rocm/rocm-terminal:latest
# Check Python images (commonly used in AI containers)
echo "Checking Python base images..."
docker pull python:3.11-slim
docker pull python:3.12-slim
echo "✅ Base image check completed"
- name: Check for security advisories
run: |
echo "🛡️ Checking for relevant security advisories..."
echo "Please review:"
echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security"
echo "- Docker security best practices: https://docs.docker.com/engine/security/"
echo "- NVIDIA CVE database (for GPU-related issues): https://nvidia.com/security"
notify-security:
runs-on: ubuntu-latest
needs: [dockerfile-security-scan, vulnerability-scan, dependency-check]
if: always() && github.event_name == 'schedule'
steps:
- name: Security scan summary
run: |
echo "🔒 Weekly security scan completed"
echo "📊 Results:"
echo "- Dockerfile lint: ${{ needs.dockerfile-security-scan.result }}"
echo "- Vulnerability scan: ${{ needs.vulnerability-scan.result }}"
echo "- Dependency check: ${{ needs.dependency-check.result }}"
if [ "${{ needs.dockerfile-security-scan.result }}" == "failure" ] || \
[ "${{ needs.vulnerability-scan.result }}" == "failure" ] || \
[ "${{ needs.dependency-check.result }}" == "failure" ]; then
echo "⚠️ Security issues detected - please review the logs"
exit 1
else
echo "✅ No critical security issues found"
fi