Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions .github/workflows/build-coder.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,17 +32,17 @@ jobs:
IMAGE: ghcr.io/defilantech/llmkube-foreman-agent-coder
LOCAL: ghcr.io/defilantech/llmkube-foreman-agent-coder:ci-${{ github.sha }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

# arm64 leg builds under emulation. The Dockerfile cross-compiles every Go
# binary in the $BUILDPLATFORM stage and downloads prebuilt helm /
# golangci-lint, so QEMU only assembles the arm64 image layers (fast) --
# it never runs the Go compiler interpreted.
- name: Set up QEMU (arm64 emulation)
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

# On a coder-v<version> tag push, build against that LLMKube release
# (LLMKUBE_REF=v<version>) so the ref is taken from the tag and can never
Expand All @@ -59,7 +59,7 @@ jobs:

# Native amd64 build, loaded locally so the smoke runs the real image.
- name: Build (amd64, load for smoke)
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: coder
platforms: linux/amd64
Expand All @@ -73,14 +73,14 @@ jobs:
run: ./scripts/coder-smoke.sh "${{ env.LOCAL }}"

- name: Generate SBOM
uses: anchore/sbom-action@v0
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
image: ${{ env.LOCAL }}
format: spdx-json
output-file: sbom.spdx.json

- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: sbom-coder-${{ github.sha }}
path: sbom.spdx.json
Expand All @@ -90,7 +90,7 @@ jobs:
# pull_request. ---
- name: Log in to GHCR
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand All @@ -102,7 +102,7 @@ jobs:
# candidate SHAs. type=match only emits on tag refs; harmless on branch/PR.
- name: Derive image tags
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.IMAGE }}
tags: |
Expand All @@ -117,7 +117,7 @@ jobs:
# refs; the digest below is the multi-arch index digest.
- name: Build multi-arch (build-only validates arm64 on PRs; push on trusted refs)
id: push
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: coder
platforms: linux/amd64,linux/arm64
Expand All @@ -136,7 +136,7 @@ jobs:

- name: Attest build provenance
if: github.event_name != 'pull_request'
uses: actions/attest-build-provenance@v2
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
with:
subject-name: ${{ env.IMAGE }}
subject-digest: ${{ steps.push.outputs.digest }}
Expand Down
14 changes: 7 additions & 7 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ jobs:
IMAGE: ${{ matrix.image }}
LOCAL: ${{ matrix.image }}:ci-${{ github.sha }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

# vulkan-shaders-gen forks a compiler per shader and is memory-heavy;
# the default hosted-runner memory left it failing to fork on a fresh
Expand All @@ -67,10 +67,10 @@ jobs:
free -h

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Build image (load locally for the gate)
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: vulkan
target: ${{ matrix.target }}
Expand All @@ -83,14 +83,14 @@ jobs:
run: ./scripts/tier1-gate.sh "${{ env.LOCAL }}"

- name: Generate SBOM
uses: anchore/sbom-action@v0
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
image: ${{ env.LOCAL }}
format: spdx-json
output-file: sbom.spdx.json

- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: sbom-${{ matrix.target }}-${{ github.sha }}
path: sbom.spdx.json
Expand All @@ -102,7 +102,7 @@ jobs:
# signature before anything consumes it (proposal 697, Tier-2 gate). ---
- name: Log in to GHCR
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand All @@ -120,7 +120,7 @@ jobs:

- name: Attest build provenance
if: github.event_name != 'pull_request'
uses: actions/attest-build-provenance@v2
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
with:
subject-name: ${{ env.IMAGE }}
subject-digest: ${{ env.DIGEST }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dco.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
Expand Down