(FIX): CI Security Fix - branchname injection #167

Workflow file for this run

	name: Build and push docker image to registry

	on:
	workflow_dispatch:
	push:
	branches:
	- 'main'
	tags:
	- 'v*'
	pull_request:
	paths:
	- ".github/workflows/build.yaml"
	- ".github/workflows/matrix.json"
	- "integration-tests/**"
	- "backends/**"
	- "core/**"
	- "router/**"
	- "Cargo.lock"
	- "rust-toolchain.toml"
	- "Dockerfile"
	branches:
	- 'main'

	jobs:
	matrix:
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@v3

	- id: set-matrix
	env:
	GITHUB_REF: ${{ github.ref }}
	run: \|
	branchName=$(echo $GITHUB_REF \| sed 's,refs/heads/,,g')
	matrix=$(jq --arg branchName "$branchName" 'map(. \| select((.runOn==$branchName) or (.runOn=="always")) )' .github/workflows/matrix.json)
	echo "{\"include\":$(echo $matrix)}"
	echo ::set-output name=matrix::{\"include\":$(echo $matrix)}\"

	build-and-push-image:
	needs: matrix
	strategy:
	matrix: ${{fromJson(needs.matrix.outputs.matrix)}}
	concurrency:
	group: ${{ github.workflow }}-${{ github.job }}-${{matrix.name}}-${{ github.head_ref \|\| github.run_id }}
	cancel-in-progress: true
	runs-on:
	group: aws-highmemory-32-plus-priv
	permissions:
	contents: write
	packages: write
	# This is used to complete the identity challenge
	# with sigstore/fulcio when running outside of PRs.
	id-token: write
	security-events: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialize Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	install: true
	buildkitd-config: /tmp/buildkitd.toml

	- name: Configure sccache
	uses: actions/github-script@v6
	with:
	script: \|
	core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL \|\| '');
	core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN \|\| '');

	- name: Inject slug/short variables
	uses: rlespinasse/github-slug-action@v4

	- name: Login to internal Container Registry
	if: github.event_name != 'pull_request'
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.REGISTRY_USERNAME }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.internal.huggingface.tech

	- name: Login to GitHub Container Registry
	if: github.event_name != 'pull_request'
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: configure aws credentials
	id: aws-creds
	uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9
	with:
	role-to-assume: ${{ secrets.AWS_ROLE_GITHUB_BUILDX_CACHE }}
	role-duration-seconds: 7200
	aws-region: us-east-1
	output-credentials: true

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	registry.internal.huggingface.tech/api-inference/text-embeddings-inference
	ghcr.io/huggingface/text-embeddings-inference
	flavor: \|
	latest=false
	tags: \|
	type=semver,pattern=${{ matrix.imageNamePrefix }}{{version}}
	type=semver,pattern=${{ matrix.imageNamePrefix }}{{major}}.{{minor}}
	type=raw,value=${{ matrix.imageNamePrefix }}latest
	type=raw,value=${{ matrix.imageNamePrefix }}sha-${{ env.GITHUB_SHA_SHORT }}

	- name: Build and push Docker image
	id: build-and-push
	uses: docker/build-push-action@v6
	env:
	DOCKER_BUILD_SUMMARY: false
	with:
	context: .
	file: ${{ matrix.dockerfile }}
	push: ${{ github.event_name != 'pull_request' }}
	platforms: 'linux/amd64'
	build-args: \|
	SCCACHE_GHA_ENABLED=${{ matrix.sccache }}
	CUDA_COMPUTE_CAP=${{ matrix.cudaComputeCap }}
	GIT_SHA=${{ env.GITHUB_SHA }}
	DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
	${{matrix.extraBuildArgs}}
	secrets: \|
	actions_cache_url=${{ env.ACTIONS_CACHE_URL }}
	actions_runtime_token=${{ env.ACTIONS_RUNTIME_TOKEN }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=s3,region=us-east-1,bucket=${{ vars.AWS_S3BUCKET_GITHUB_BUILDX_CACHE }},name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ steps.aws-creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.aws-creds.outputs.aws-secret-access-key }},session_token=${{ steps.aws-creds.outputs.aws-session-token }},mode=max
	cache-to: type=s3,region=us-east-1,bucket=${{ vars.AWS_S3BUCKET_GITHUB_BUILDX_CACHE }},name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ steps.aws-creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.aws-creds.outputs.aws-secret-access-key }},session_token=${{ steps.aws-creds.outputs.aws-session-token }},mode=max

	- name: Extract metadata (tags, labels) for Docker
	id: meta-grpc
	if: ${{ matrix.grpc }}
	uses: docker/metadata-action@v5
	with:
	images: \|
	registry.internal.huggingface.tech/api-inference/text-embeddings-inference
	ghcr.io/huggingface/text-embeddings-inference
	flavor: \|
	latest=false
	tags: \|
	type=semver,pattern=${{ matrix.imageNamePrefix }}{{version}}-grpc
	type=semver,pattern=${{ matrix.imageNamePrefix }}{{major}}.{{minor}}-grpc
	type=raw,value=${{ matrix.imageNamePrefix }}latest-grpc
	type=raw,value=${{ matrix.imageNamePrefix }}sha-${{ env.GITHUB_SHA_SHORT }}-grpc

	- name: Build and push Docker image
	id: build-and-push-grpc
	if: ${{ matrix.grpc }}
	uses: docker/build-push-action@v6
	env:
	DOCKER_BUILD_SUMMARY: false
	with:
	context: .
	target: grpc
	file: ${{ matrix.dockerfile }}
	push: ${{ github.event_name != 'pull_request' }}
	platforms: 'linux/amd64'
	build-args: \|
	SCCACHE_GHA_ENABLED=${{ matrix.sccache }}
	CUDA_COMPUTE_CAP=${{ matrix.cudaComputeCap }}
	GIT_SHA=${{ env.GITHUB_SHA }}
	DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
	${{matrix.extraBuildArgs}}
	secrets: \|
	actions_cache_url=${{ env.ACTIONS_CACHE_URL }}
	actions_runtime_token=${{ env.ACTIONS_RUNTIME_TOKEN }}
	tags: ${{ steps.meta-grpc.outputs.tags }}
	labels: ${{ steps.meta-grpc.outputs.labels }}
	cache-from: type=s3,region=us-east-1,bucket=${{ vars.AWS_S3BUCKET_GITHUB_BUILDX_CACHE }},name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ steps.aws-creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.aws-creds.outputs.aws-secret-access-key }},session_token=${{ steps.aws-creds.outputs.aws-session-token }},mode=max

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(FIX): CI Security Fix - branchname injection #167

Workflow file

(FIX): CI Security Fix - branchname injection #167

Jobs

Run details

Workflow file for this run