diff --git a/.github/workflows/daily-build-gitea.yml b/.github/workflows/daily-build-gitea.yml deleted file mode 100644 index b172af6..0000000 --- a/.github/workflows/daily-build-gitea.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -name: Daily ROCm Container Build - -on: - schedule: - # Run daily at 02:00 UTC - - cron: '0 2 * * *' - workflow_dispatch: # Allow manual triggering - inputs: - push_images: - description: 'Push images to registry' - required: true - default: 'true' - type: boolean - build_all: - description: 'Build all variants' - required: true - default: 'true' - type: boolean - -env: - REGISTRY: docker.io - REGISTRY_USER: getterup - -jobs: - prepare: - runs-on: ubuntu-latest - outputs: - date: ${{ steps.date.outputs.date }} - sha_short: ${{ steps.vars.outputs.sha_short }} - - steps: - - name: Checkout repository - uses: https://gitea.com/actions/checkout@v4 - - - name: Get current date - id: date - run: | - echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT - shell: bash - - - name: Set variables - id: vars - run: | - echo "sha_short=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT - shell: bash - - build-base-images: - runs-on: ubuntu-latest - needs: prepare - strategy: - matrix: - image: - - name: comfyui-rocm7.1 - dockerfile: Dockerfile.comfyui-rocm7.1 - context: . - - name: stable-diffusion.cpp-rocm7.1 - dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1 - context: . 
- - steps: - - name: Checkout repository - uses: https://gitea.com/actions/checkout@v4 - - - name: Set up Docker Buildx - uses: https://gitea.com/actions/setup-docker@v1 - with: - buildx: true - - - name: Log in to Docker Hub - if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true') - run: | - echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin - shell: bash - - - name: Build and push Docker image - run: | - IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image.name }}" - TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}" - - # Build the image - docker buildx build \ - --context ${{ matrix.image.context }} \ - --file Dockerfiles/${{ matrix.image.dockerfile }} \ - --platform linux/amd64 \ - --build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \ - --build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \ - $(for tag in $TAGS; do echo "--tag $tag"; done) \ - ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \ - . 
- shell: bash - - build-stable-diffusion-variants: - runs-on: ubuntu-latest - needs: prepare - if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.build_all == 'true') - strategy: - matrix: - gfx_arch: - - gfx1150 # RDNA 3.5 (Ryzen AI 9 HX 370) - - gfx1151 # RDNA 3.5 (Strix Point/Ryzen AI Max+ 365) - - gfx1200 # RDNA 4 (RX 9070 XT) - - gfx1100 # RDNA 3 (RX 7900 XTX/XT) - - gfx1101 # RDNA 3 (RX 7800 XT/7700 XT) - - gfx1030 # RDNA 2 (RX 6000 series) - - gfx1201 # RDNA 4 (RX 9060 XT/ RX 9070/XT) - - steps: - - name: Checkout repository - uses: https://gitea.com/actions/checkout@v4 - - - name: Set up Docker Buildx - uses: https://gitea.com/actions/setup-docker@v1 - with: - buildx: true - - - name: Log in to Docker Hub - if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true') - run: | - echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ env.REGISTRY_USER }} --password-stdin - shell: bash - - - name: Build and push GPU variant image - run: | - IMAGE_NAME="${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }}" - TAGS="${IMAGE_NAME}:latest ${IMAGE_NAME}:${{ needs.prepare.outputs.date }} ${IMAGE_NAME}:${{ needs.prepare.outputs.sha_short }}" - - # Build the GPU-specific image - docker buildx build \ - --context . \ - --file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \ - --platform linux/amd64 \ - --build-arg GFX_ARCH=${{ matrix.gfx_arch }} \ - --build-arg BUILD_DATE=${{ needs.prepare.outputs.date }} \ - --build-arg VCS_REF=${{ needs.prepare.outputs.sha_short }} \ - $(for tag in $TAGS; do echo "--tag $tag"; done) \ - ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_images == 'true')) && '--push' || '--load' }} \ - . 
- shell: bash - - test-compose: - runs-on: ubuntu-latest - needs: [prepare, build-base-images] - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' - - steps: - - name: Checkout repository - uses: https://gitea.com/actions/checkout@v4 - - - name: Create test directories - run: | - mkdir -p User-Directories/open-webui - mkdir -p User-Directories/ollama - mkdir -p User-Directories/comfyui - shell: bash - - - name: Test docker-compose configuration - run: | - # Install docker-compose if not available - if ! command -v docker-compose &> /dev/null; then - sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - sudo chmod +x /usr/local/bin/docker-compose - fi - - # Validate compose file - docker-compose config --quiet - echo "โœ… Docker Compose configuration is valid" - shell: bash - - - name: Test image availability - run: | - echo "๐Ÿ“‹ Testing image availability..." - # Check if images exist (without pulling) - docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/comfyui-rocm7.1:latest >/dev/null 2>&1 || echo "โš ๏ธ ComfyUI image may not be available yet" - docker manifest inspect ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion.cpp-rocm7.1:latest >/dev/null 2>&1 || echo "โš ๏ธ Stable Diffusion image may not be available yet" - echo "โœ… Image availability check completed" - shell: bash - - notify: - runs-on: ubuntu-latest - needs: [prepare, build-base-images, build-stable-diffusion-variants, test-compose] - if: always() && (github.event_name == 'schedule') - - steps: - - name: Build summary - run: | - echo "๐Ÿ“Š Daily Build Summary - ${{ needs.prepare.outputs.date }}" - echo "==================================" - echo "" - echo "๐Ÿ”ง Job Results:" - echo "- Prepare: ${{ needs.prepare.result }}" - echo "- Base Images: ${{ needs.build-base-images.result }}" - echo "- GPU Variants: ${{ 
needs.build-stable-diffusion-variants.result }}" - echo "- Compose Test: ${{ needs.test-compose.result }}" - echo "" - - if [[ "${{ needs.build-base-images.result }}" == "success" && "${{ needs.build-stable-diffusion-variants.result }}" == "success" ]]; then - echo "โœ… All builds completed successfully!" - echo "๐Ÿณ Images pushed to ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/" - echo "๐Ÿ“‹ Docker Compose configuration validated" - else - echo "โŒ Some builds failed - please check the logs" - exit 1 - fi - shell: bash - - cleanup: - runs-on: ubuntu-latest - needs: [build-base-images, build-stable-diffusion-variants] - if: always() - - steps: - - name: Clean up Docker resources - run: | - echo "๐Ÿงน Cleaning up Docker resources..." - docker system prune -f --volumes || true - docker builder prune -f || true - echo "โœ… Cleanup completed" - shell: bash \ No newline at end of file diff --git a/.github/workflows/daily-build-pure-shell.yml b/.github/workflows/daily-build-pure-shell.yml index 50f28ac..3a1ee72 100644 --- a/.github/workflows/daily-build-pure-shell.yml +++ b/.github/workflows/daily-build-pure-shell.yml @@ -31,9 +31,10 @@ jobs: steps: - name: Manual checkout run: | - echo "๐Ÿ”„ Manually cloning repository..." - git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo - cd /tmp/repo + echo "๐Ÿ”„ Manually cloning repository for prepare job..." + rm -rf /tmp/repo-prepare + git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-prepare + cd /tmp/repo-prepare if [ "${{ github.event_name }}" != "schedule" ]; then git fetch origin ${{ github.sha }} git checkout ${{ github.sha }} 
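Review bot: The new per-job clone directory is still a fixed, predictable path under the world-writable /tmp, so two concurrent runs of this workflow on the same persistent runner share `/tmp/repo-prepare`, and the `rm -rf` added here in one run can delete the tree the other run is building from; a pre-existing entry left at that path by another local user on the host would likewise be removed, or make the clone fail, before the job has done anything. A per-run directory avoids both: `WORKDIR="$(mktemp -d /tmp/repo-prepare.XXXXXX)"`, `git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} "$WORKDIR"`, `cd "$WORKDIR"`, with the path exported via `$GITHUB_ENV` if later steps of the job re-enter it (those steps are outside this hunk, so I cannot confirm). The same fixed-path pattern is repeated in the hunks at -69, -156 and -234 of this file and at -21 of security-scan-pure-shell.yml. The `if` block that follows the `cd` continues past the end of the hunk.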
@@ -69,9 +70,10 @@ jobs: steps: - name: Manual checkout run: | - echo "๐Ÿ”„ Manually cloning repository..." - git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo - cd /tmp/repo + echo "๐Ÿ”„ Manually cloning repository for build-base-images job..." + rm -rf /tmp/repo-build-base + git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-build-base + cd /tmp/repo-build-base if [ "${{ github.event_name }}" != "schedule" ]; then git fetch origin ${{ github.sha }} git checkout ${{ github.sha }} @@ -127,13 +129,12 @@ jobs: fi docker buildx build \ - --context ${{ matrix.image.context }} \ --file Dockerfiles/${{ matrix.image.dockerfile }} \ --platform linux/amd64 \ $BUILD_ARGS \ $(for tag in $TAGS; do echo "--tag $tag"; done) \ $PUSH_FLAG \ - . + ${{ matrix.image.context }} echo "โœ… Build completed for ${{ matrix.image.name }}" shell: bash @@ -156,9 +157,10 @@ jobs: steps: - name: Manual checkout run: | - echo "๐Ÿ”„ Manually cloning repository..." - git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo - cd /tmp/repo + echo "๐Ÿ”„ Manually cloning repository for GPU variants job..." + rm -rf /tmp/repo-gpu-variants + git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-gpu-variants + cd /tmp/repo-gpu-variants if [ "${{ github.event_name }}" != "schedule" ]; then git fetch origin ${{ github.sha }} git checkout ${{ github.sha }} @@ -215,7 +217,6 @@ jobs: fi docker buildx build \ - --context . \ --file Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 \ --platform linux/amd64 \ $BUILD_ARGS \ 
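Review bot: In the -127 hunk, `--file Dockerfiles/${{ matrix.image.dockerfile }}` and the new positional `${{ matrix.image.context }}` are resolved independently: `--file` is relative to the job's working directory, not to the build context, so a matrix entry whose `context` is anything other than `.` would still look for the Dockerfile under the working directory's `Dockerfiles/`. If that is intended, a one-line comment above the command, `# --file is resolved against $PWD, not against the context directory`, spares the next reader the surprise; otherwise derive it from the context, `--file "${{ matrix.image.context }}/Dockerfiles/${{ matrix.image.dockerfile }}"`. The positional argument is also unquoted, so an empty matrix value would silently drop the context and buildx would fail far from the cause; `"${{ matrix.image.context }}"` makes that failure point at the right place. The -215 hunk below and the -114 hunk of security-scan-pure-shell.yml drop `--context .` the same way, but their positional context argument lies outside the hunk and cannot be checked here.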
@@ -234,9 +235,10 @@ jobs: steps: - name: Manual checkout run: | - echo "๐Ÿ”„ Manually cloning repository..." - git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo - cd /tmp/repo + echo "๐Ÿ”„ Manually cloning repository for test-compose job..." + rm -rf /tmp/repo-test-compose + git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-test-compose + cd /tmp/repo-test-compose if [ "${{ github.event_name }}" != "schedule" ]; then git fetch origin ${{ github.sha }} git checkout ${{ github.sha }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index e4f1fef..0000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,237 +0,0 @@ -name: Release Build - -on: - push: - tags: - - 'v*.*.*' - workflow_dispatch: - inputs: - version: - description: 'Release version (e.g., v1.0.0)' - required: true - type: string - create_release: - description: 'Create GitHub release' - required: true - default: true - type: boolean - -env: - REGISTRY: docker.io - REGISTRY_USER: getterup - -jobs: - validate-release: - runs-on: ubuntu-latest - outputs: - version: ${{ steps.version.outputs.version }} - is_prerelease: ${{ steps.version.outputs.is_prerelease }} - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Validate and extract version - id: version - run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then - VERSION="${{ github.event.inputs.version }}" - else - VERSION="${{ github.ref_name }}" - fi - - echo "version=${VERSION}" >> $GITHUB_OUTPUT - - # Check if this is a pre-release (contains alpha, beta, rc) - if [[ "$VERSION" =~ (alpha|beta|rc) ]]; then - echo "is_prerelease=true" >> $GITHUB_OUTPUT - else - echo "is_prerelease=false" >> $GITHUB_OUTPUT - fi - - echo "๐Ÿ“‹ Release version: $VERSION" - echo "๐Ÿš€ Pre-release: $([ "${{ steps.version.outputs.is_prerelease }}" == "true" ] && echo "Yes" || echo "No")" - - build-release-images: - runs-on: ubuntu-latest - needs: validate-release - strategy: - matrix: - image: - - name: comfyui-rocm7.1 - dockerfile: Dockerfile.comfyui-rocm7.1 - - name: stable-diffusion.cpp-rocm7.1 - dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1 - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: network=host - - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ env.REGISTRY_USER }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ 
env.REGISTRY_USER }}/${{ matrix.image.name }} - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=raw,value=${{ needs.validate-release.outputs.version }} - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}},enable=${{ !needs.validate-release.outputs.is_prerelease }} - - - name: Build and push release image - uses: docker/build-push-action@v5 - with: - context: . - file: Dockerfiles/${{ matrix.image.dockerfile }} - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64 - cache-from: type=gha - cache-to: type=gha,mode=max - build-args: | - VERSION=${{ needs.validate-release.outputs.version }} - BUILD_DATE=${{ github.run_id }} - VCS_REF=${{ github.sha }} - - build-gpu-variants: - runs-on: ubuntu-latest - needs: validate-release - strategy: - matrix: - gfx_arch: [gfx1150, gfx1151, gfx1200, gfx1100, gfx1101, gfx1030, gfx1201] - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ env.REGISTRY_USER }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/stable-diffusion-cpp-${{ matrix.gfx_arch }} - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=raw,value=${{ needs.validate-release.outputs.version }} - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - - - name: Build and push GPU variant - uses: docker/build-push-action@v5 - with: - context: . 
- file: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64 - build-args: | - GFX_ARCH=${{ matrix.gfx_arch }} - VERSION=${{ needs.validate-release.outputs.version }} - BUILD_DATE=${{ github.run_id }} - VCS_REF=${{ github.sha }} - - create-release: - runs-on: ubuntu-latest - needs: [validate-release, build-release-images, build-gpu-variants] - if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.create_release == 'true') - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Generate release notes - id: release_notes - run: | - cat > release_notes.md << 'EOF' - ## ๐Ÿš€ ROCm 7.1 Container Release ${{ needs.validate-release.outputs.version }} - - ### ๐Ÿ“ฆ Container Images Built - - **Base Images:** - - `getterup/comfyui-rocm7.1:${{ needs.validate-release.outputs.version }}` - - `getterup/stable-diffusion.cpp-rocm7.1:${{ needs.validate-release.outputs.version }}` - - **GPU-Specific Variants:** - - `getterup/stable-diffusion-cpp-gfx1150:${{ needs.validate-release.outputs.version }}` (RDNA 3.5 - Ryzen AI 9 HX 370) - - `getterup/stable-diffusion-cpp-gfx1151:${{ needs.validate-release.outputs.version }}` (RDNA 3.5 - Strix Point) - - `getterup/stable-diffusion-cpp-gfx1200:${{ needs.validate-release.outputs.version }}` (RDNA 4 - RX 9070 XT) - - `getterup/stable-diffusion-cpp-gfx1100:${{ needs.validate-release.outputs.version }}` (RDNA 3 - RX 7900 XTX/XT) - - `getterup/stable-diffusion-cpp-gfx1101:${{ needs.validate-release.outputs.version }}` (RDNA 3 - RX 7800/7700 XT) - - `getterup/stable-diffusion-cpp-gfx1030:${{ needs.validate-release.outputs.version }}` (RDNA 2 - RX 6000 series) - - `getterup/stable-diffusion-cpp-gfx1201:${{ needs.validate-release.outputs.version }}` (RDNA 4 - RX 9060/9070 XT) - - ### ๐Ÿ”ง Usage - - ```bash - # Quick start with docker-compose - git clone 
https://github.com/yourusername/rocm-automated.git - cd rocm-automated - docker-compose up -d - ``` - - ### ๐Ÿ› ๏ธ What's Included - - - ROCm 7.1 support for AMD GPUs - - Optimized ComfyUI for AI image generation - - Stable Diffusion.cpp with GPU acceleration - - Multi-GPU architecture support - - Docker Compose configuration for easy deployment - - ### ๐Ÿ“‹ System Requirements - - - AMD GPU with ROCm support (RDNA 2/3/4) - - 16GB+ system RAM - - 8GB+ GPU VRAM for large models - - Linux with Docker 24.0+ - - ### ๐Ÿ”— Links - - - [Docker Hub Repository](https://hub.docker.com/u/getterup) - - [Documentation](README.md) - - [Issues & Support](https://github.com/yourusername/rocm-automated/issues) - EOF - - echo "๐Ÿ“ Release notes generated" - - - name: Create GitHub Release - uses: softprops/action-gh-release@v1 - with: - tag_name: ${{ needs.validate-release.outputs.version }} - name: ROCm 7.1 Container Release ${{ needs.validate-release.outputs.version }} - body_path: release_notes.md - draft: false - prerelease: ${{ needs.validate-release.outputs.is_prerelease }} - generate_release_notes: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Update Docker Hub descriptions - run: | - echo "๐Ÿณ Consider updating Docker Hub repository descriptions with:" - echo "- Release version: ${{ needs.validate-release.outputs.version }}" - echo "- Build date: $(date -u +'%Y-%m-%d')" - echo "- Commit SHA: $(echo ${{ github.sha }} | cut -c1-7)" \ No newline at end of file diff --git a/.github/workflows/security-scan-gitea.yml b/.github/workflows/security-scan-gitea.yml deleted file mode 100644 index e66fdaa..0000000 --- a/.github/workflows/security-scan-gitea.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -name: Security Scan (Gitea) - -on: - schedule: - # Run security scans weekly on Sundays at 03:00 UTC - - cron: '0 3 * * 0' - workflow_dispatch: - pull_request: - paths: - - 'Dockerfiles/**' - - '.github/workflows/**' - -env: - REGISTRY: docker.io - REGISTRY_USER: getterup - -jobs: - dockerfile-security-scan: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: https://gitea.com/actions/checkout@v4 - - - name: Install Hadolint - run: | - wget -O /tmp/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 - chmod +x /tmp/hadolint - sudo mv /tmp/hadolint /usr/local/bin/hadolint - shell: bash - - - name: Run Hadolint on ComfyUI Dockerfile - run: | - echo "๐Ÿ” Scanning Dockerfile.comfyui-rocm7.1..." - hadolint Dockerfiles/Dockerfile.comfyui-rocm7.1 || echo "โš ๏ธ Warnings found in ComfyUI Dockerfile" - shell: bash - - - name: Run Hadolint on Stable Diffusion Dockerfile - run: | - echo "๐Ÿ” Scanning Dockerfile.stable-diffusion.cpp-rocm7.1..." - hadolint Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 || echo "โš ๏ธ Warnings found in Stable Diffusion Dockerfile" - shell: bash - - vulnerability-scan: - runs-on: ubuntu-latest - strategy: - matrix: - image: - - name: comfyui-rocm7.1 - dockerfile: Dockerfile.comfyui-rocm7.1 - - name: stable-diffusion.cpp-rocm7.1 - dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1 - - steps: - - name: Checkout repository - uses: https://gitea.com/actions/checkout@v4 - - - name: Set up Docker Buildx - uses: https://gitea.com/actions/setup-docker@v1 - with: - buildx: true - - - name: Build test image - run: | - docker buildx build \ - --context . \ - --file Dockerfiles/${{ matrix.image.dockerfile }} \ - --tag test-${{ matrix.image.name }}:latest \ - --load \ - . 
- shell: bash - - - name: Install Trivy - run: | - sudo apt-get update - sudo apt-get install wget apt-transport-https gnupg lsb-release - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - - echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list - sudo apt-get update - sudo apt-get install trivy - shell: bash - - - name: Run Trivy vulnerability scanner - run: | - echo "๐Ÿ›ก๏ธ Scanning test-${{ matrix.image.name }}:latest for vulnerabilities..." - trivy image --exit-code 1 --severity HIGH,CRITICAL --format table test-${{ matrix.image.name }}:latest || echo "โš ๏ธ Vulnerabilities found in ${{ matrix.image.name }}" - - # Generate JSON report for further analysis - trivy image --format json --output trivy-report-${{ matrix.image.name }}.json test-${{ matrix.image.name }}:latest || true - shell: bash - - - name: Upload scan results - run: | - if [ -f "trivy-report-${{ matrix.image.name }}.json" ]; then - echo "๐Ÿ“„ Trivy scan report generated: trivy-report-${{ matrix.image.name }}.json" - # In a real environment, you might upload this to an artifact store or security system - fi - shell: bash - - dependency-check: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: https://gitea.com/actions/checkout@v4 - - - name: Check for base image updates - run: | - echo "๐Ÿ” Checking base images for updates..." - - # Check common base images used in our Dockerfiles - echo "Checking Ubuntu base images..." - docker pull ubuntu:22.04 2>/dev/null || echo "โš ๏ธ Could not pull ubuntu:22.04" - - echo "Checking Python images..." 
- docker pull python:3.11-slim 2>/dev/null || echo "โš ๏ธ Could not pull python:3.11-slim" - docker pull python:3.12-slim 2>/dev/null || echo "โš ๏ธ Could not pull python:3.12-slim" - - echo "โœ… Base image check completed" - shell: bash - - - name: Security advisory check - run: | - echo "๐Ÿ›ก๏ธ Security Advisory Information" - echo "==================================" - echo "" - echo "๐Ÿ“‹ Please manually review the following for security updates:" - echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security" - echo "- Docker security best practices: https://docs.docker.com/engine/security/" - echo "- Ubuntu security notices: https://ubuntu.com/security/notices" - echo "- Python security advisories: https://python.org/news/security/" - echo "" - echo "๐Ÿ’ก Regular monitoring of these sources is recommended for production deployments." - shell: bash - - notify-security: - runs-on: ubuntu-latest - needs: [dockerfile-security-scan, vulnerability-scan, dependency-check] - if: always() && github.event_name == 'schedule' - - steps: - - name: Security scan summary - run: | - echo "๐Ÿ”’ Weekly Security Scan Summary" - echo "===============================" - echo "" - echo "๐Ÿ“Š Scan Results:" - echo "- Dockerfile Lint: ${{ needs.dockerfile-security-scan.result }}" - echo "- Vulnerability Scan: ${{ needs.vulnerability-scan.result }}" - echo "- Dependency Check: ${{ needs.dependency-check.result }}" - echo "" - - FAILED_JOBS="" - if [ "${{ needs.dockerfile-security-scan.result }}" == "failure" ]; then - FAILED_JOBS="$FAILED_JOBS dockerfile-lint" - fi - if [ "${{ needs.vulnerability-scan.result }}" == "failure" ]; then - FAILED_JOBS="$FAILED_JOBS vulnerability-scan" - fi - if [ "${{ needs.dependency-check.result }}" == "failure" ]; then - FAILED_JOBS="$FAILED_JOBS dependency-check" - fi - - if [ -n "$FAILED_JOBS" ]; then - echo "โŒ Failed jobs:$FAILED_JOBS" - echo "โš ๏ธ Please review the detailed logs above" - echo "" - echo "๐Ÿ”ง 
Recommended actions:" - echo "- Review Dockerfile best practices" - echo "- Update base images to latest versions" - echo "- Address high/critical vulnerabilities" - exit 1 - else - echo "โœ… All security scans passed successfully!" - echo "๐Ÿ›ก๏ธ No critical security issues detected" - fi - shell: bash \ No newline at end of file diff --git a/.github/workflows/security-scan-pure-shell.yml b/.github/workflows/security-scan-pure-shell.yml index 4dbf064..57d1b49 100644 --- a/.github/workflows/security-scan-pure-shell.yml +++ b/.github/workflows/security-scan-pure-shell.yml @@ -21,9 +21,10 @@ jobs: steps: - name: Manual checkout run: | - echo "๐Ÿ”„ Manually cloning repository..." - git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo - cd /tmp/repo + echo "๐Ÿ”„ Manually cloning repository for dockerfile-security-scan..." + rm -rf /tmp/repo-dockerfile-scan + git clone --depth=1 ${{ github.server_url }}/${{ github.repository }} /tmp/repo-dockerfile-scan + cd /tmp/repo-dockerfile-scan if [ "${{ github.event_name }}" != "schedule" ]; then git fetch origin ${{ github.sha }} git checkout ${{ github.sha }} @@ -114,7 +115,6 @@ jobs: fi docker buildx build \ - --context . \ --file Dockerfiles/${{ matrix.image.dockerfile }} \ --tag test-${{ matrix.image.name }}:latest \ --load \ diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml deleted file mode 100644 index 91bc375..0000000 --- a/.github/workflows/security-scan.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -name: Security Scan - -on: - schedule: - # Run security scans weekly on Sundays at 03:00 UTC - - cron: '0 3 * * 0' - workflow_dispatch: - pull_request: - paths: - - 'Dockerfiles/**' - - '.github/workflows/**' - -env: - REGISTRY: docker.io - REGISTRY_USER: getterup - -jobs: - dockerfile-security-scan: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Hadolint (Dockerfile linter) - uses: hadolint/hadolint-action@v3.1.0 - with: - dockerfile: Dockerfiles/Dockerfile.comfyui-rocm7.1 - failure-threshold: warning - - - name: Run Hadolint on Stable Diffusion Dockerfile - uses: hadolint/hadolint-action@v3.1.0 - with: - dockerfile: Dockerfiles/Dockerfile.stable-diffusion.cpp-rocm7.1 - failure-threshold: warning - - vulnerability-scan: - runs-on: ubuntu-latest - strategy: - matrix: - image: - - name: comfyui-rocm7.1 - dockerfile: Dockerfile.comfyui-rocm7.1 - - name: stable-diffusion.cpp-rocm7.1 - dockerfile: Dockerfile.stable-diffusion.cpp-rocm7.1 - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build test image - uses: docker/build-push-action@v5 - with: - context: . 
- file: Dockerfiles/${{ matrix.image.dockerfile }} - push: false - tags: test-${{ matrix.image.name }}:latest - load: true - cache-from: type=gha - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: test-${{ matrix.image.name }}:latest - format: 'sarif' - output: 'trivy-results-${{ matrix.image.name }}.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results-${{ matrix.image.name }}.sarif' - - dependency-check: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Check for outdated base images - run: | - echo "๐Ÿ” Checking base images for updates..." - - # Check ROCm base images - echo "Checking ROCm images..." - docker pull rocm/rocm-terminal:latest - - # Check Python images (commonly used in AI containers) - echo "Checking Python base images..." - docker pull python:3.11-slim - docker pull python:3.12-slim - - echo "โœ… Base image check completed" - - - name: Check for security advisories - run: | - echo "๐Ÿ›ก๏ธ Checking for relevant security advisories..." 
- echo "Please review:" - echo "- ROCm security advisories: https://github.com/RadeonOpenCompute/ROCm/security" - echo "- Docker security best practices: https://docs.docker.com/engine/security/" - echo "- NVIDIA CVE database (for GPU-related issues): https://nvidia.com/security" - - notify-security: - runs-on: ubuntu-latest - needs: [dockerfile-security-scan, vulnerability-scan, dependency-check] - if: always() && github.event_name == 'schedule' - - steps: - - name: Security scan summary - run: | - echo "๐Ÿ”’ Weekly security scan completed" - echo "๐Ÿ“Š Results:" - echo "- Dockerfile lint: ${{ needs.dockerfile-security-scan.result }}" - echo "- Vulnerability scan: ${{ needs.vulnerability-scan.result }}" - echo "- Dependency check: ${{ needs.dependency-check.result }}" - - if [ "${{ needs.dockerfile-security-scan.result }}" == "failure" ] || \ - [ "${{ needs.vulnerability-scan.result }}" == "failure" ] || \ - [ "${{ needs.dependency-check.result }}" == "failure" ]; then - echo "โš ๏ธ Security issues detected - please review the logs" - exit 1 - else - echo "โœ… No critical security issues found" - fi \ No newline at end of file