
Commit f0e491a

authored
(FIX): CI Security Fix - branchname injection (#479)
1 parent 13dddbd commit f0e491a


6 files changed

+77
-34
lines changed


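--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -31,8 +31,10 @@ jobs:
 uses: actions/checkout@v3
 
 - id: set-matrix
+env:
+GITHUB_REF: ${{ github.ref }}
 run: |
-branchName=$(echo '${{ github.ref }}' | sed 's,refs/heads/,,g')
+branchName=$(echo $GITHUB_REF | sed 's,refs/heads/,,g')
 matrix=$(jq --arg branchName "$branchName" 'map(. | select((.runOn==$branchName) or (.runOn=="always")) )' .github/workflows/matrix.json)
 echo "{\"include\":$(echo $matrix)}"
 echo ::set-output name=matrix::{\"include\":$(echo $matrix)}\"
@@ -89,6 +91,15 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
+- name: configure aws credentials
+id: aws-creds
+uses: aws-actions/configure-aws-credentials@4fc4975a852c8cd99761e2de1f4ba73402e44dd9
+with:
+role-to-assume: ${{ secrets.AWS_ROLE_GITHUB_BUILDX_CACHE }}
+role-duration-seconds: 7200
+aws-region: us-east-1
+output-credentials: true
+
 - name: Extract metadata (tags, labels) for Docker
 id: meta
 uses: docker/metadata-action@v5
@@ -107,23 +118,26 @@ jobs:
 - name: Build and push Docker image
 id: build-and-push
 uses: docker/build-push-action@v6
+env:
+DOCKER_BUILD_SUMMARY: false
 with:
 context: .
 file: ${{ matrix.dockerfile }}
 push: ${{ github.event_name != 'pull_request' }}
 platforms: 'linux/amd64'
 build-args: |
 SCCACHE_GHA_ENABLED=${{ matrix.sccache }}
-ACTIONS_CACHE_URL=${{ env.ACTIONS_CACHE_URL }}
-ACTIONS_RUNTIME_TOKEN=${{ env.ACTIONS_RUNTIME_TOKEN }}
 CUDA_COMPUTE_CAP=${{ matrix.cudaComputeCap }}
 GIT_SHA=${{ env.GITHUB_SHA }}
 DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
 ${{matrix.extraBuildArgs}}
+secrets: |
+actions_cache_url=${{ env.ACTIONS_CACHE_URL }}
+actions_runtime_token=${{ env.ACTIONS_RUNTIME_TOKEN }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
-cache-from: type=s3,region=us-east-1,bucket=ci-docker-buildx-cache,name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ secrets.S3_CI_DOCKER_BUILDX_CACHE_ACCESS_KEY_ID }},secret_access_key=${{ secrets.S3_CI_DOCKER_BUILDX_CACHE_SECRET_ACCESS_KEY }},mode=max
-cache-to: type=s3,region=us-east-1,bucket=ci-docker-buildx-cache,name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ secrets.S3_CI_DOCKER_BUILDX_CACHE_ACCESS_KEY_ID }},secret_access_key=${{ secrets.S3_CI_DOCKER_BUILDX_CACHE_SECRET_ACCESS_KEY }},mode=max
+cache-from: type=s3,region=us-east-1,bucket=${{ vars.AWS_S3BUCKET_GITHUB_BUILDX_CACHE }},name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ steps.aws-creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.aws-creds.outputs.aws-secret-access-key }},session_token=${{ steps.aws-creds.outputs.aws-session-token }},mode=max
+cache-to: type=s3,region=us-east-1,bucket=${{ vars.AWS_S3BUCKET_GITHUB_BUILDX_CACHE }},name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ steps.aws-creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.aws-creds.outputs.aws-secret-access-key }},session_token=${{ steps.aws-creds.outputs.aws-session-token }},mode=max
 
 - name: Extract metadata (tags, labels) for Docker
 id: meta-grpc
@@ -145,6 +159,8 @@ jobs:
 id: build-and-push-grpc
 if: ${{ matrix.grpc }}
 uses: docker/build-push-action@v6
+env:
+DOCKER_BUILD_SUMMARY: false
 with:
 context: .
 target: grpc
@@ -153,12 +169,13 @@ jobs:
 platforms: 'linux/amd64'
 build-args: |
 SCCACHE_GHA_ENABLED=${{ matrix.sccache }}
-ACTIONS_CACHE_URL=${{ env.ACTIONS_CACHE_URL }}
-ACTIONS_RUNTIME_TOKEN=${{ env.ACTIONS_RUNTIME_TOKEN }}
 CUDA_COMPUTE_CAP=${{ matrix.cudaComputeCap }}
 GIT_SHA=${{ env.GITHUB_SHA }}
 DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
 ${{matrix.extraBuildArgs}}
+secrets: |
+actions_cache_url=${{ env.ACTIONS_CACHE_URL }}
+actions_runtime_token=${{ env.ACTIONS_RUNTIME_TOKEN }}
 tags: ${{ steps.meta-grpc.outputs.tags }}
 labels: ${{ steps.meta-grpc.outputs.labels }}
-cache-from: type=s3,region=us-east-1,bucket=ci-docker-buildx-cache,name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ secrets.S3_CI_DOCKER_BUILDX_CACHE_ACCESS_KEY_ID }},secret_access_key=${{ secrets.S3_CI_DOCKER_BUILDX_CACHE_SECRET_ACCESS_KEY }},mode=max
+cache-from: type=s3,region=us-east-1,bucket=${{ vars.AWS_S3BUCKET_GITHUB_BUILDX_CACHE }},name=text-embeddings-inference-cache-${{matrix.name}},access_key_id=${{ steps.aws-creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.aws-creds.outputs.aws-secret-access-key }},session_token=${{ steps.aws-creds.outputs.aws-session-token }},mode=max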
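Review bot: `$GITHUB_REF` is expanded unquoted in the new `branchName=` line of the `set-matrix` step, so the shell still applies word splitting and pathname expansion to the ref before `sed` reads it. Taking the value from `env:` instead of pasting `${{ github.ref }}` into the script text is what closes the injection; quoting completes it, `branchName=$(echo "$GITHUB_REF" | sed 's,refs/heads/,,g')`, or without the subshell `branchName="${GITHUB_REF#refs/heads/}"` (this strips only the leading prefix, where the `sed` expression strips every occurrence). `GITHUB_REF` is also one of the runner's default variables, so the step-level `env:` entry is probably redundant; a distinct name such as `REF: ${{ github.ref }}` would make the data flow explicit to the next reader. A short comment above the `env:` key, `# pass the ref through env so it is never interpolated into the script`, would keep a later edit from reverting to the inline expression.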

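--- a/Dockerfile
+++ b/Dockerfile
@@ -24,8 +24,6 @@ ARG GIT_SHA
 ARG DOCKER_LABEL
 
 # sccache specific variables
-ARG ACTIONS_CACHE_URL
-ARG ACTIONS_RUNTIME_TOKEN
 ARG SCCACHE_GHA_ENABLED
 
 RUN wget -O- https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB \
@@ -43,7 +41,9 @@ RUN echo "int mkl_serv_intel_cpu_true() {return 1;}" > fakeintel.c && \
 
 COPY --from=planner /usr/src/recipe.json recipe.json
 
-RUN cargo chef cook --release --features ort --features candle --features mkl-dynamic --no-default-features --recipe-path recipe.json && sccache -s
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+cargo chef cook --release --features ort --features candle --features mkl-dynamic --no-default-features --recipe-path recipe.json && sccache -s
 
 COPY backends backends
 COPY core core
@@ -53,7 +53,9 @@ COPY Cargo.lock ./
 
 FROM builder AS http-builder
 
-RUN cargo build --release --bin text-embeddings-router -F ort -F candle -F mkl-dynamic -F http --no-default-features && sccache -s
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+cargo build --release --bin text-embeddings-router -F ort -F candle -F mkl-dynamic -F http --no-default-features && sccache -s
 
 FROM builder AS grpc-builder
 
@@ -65,7 +67,9 @@ RUN PROTOC_ZIP=protoc-21.12-linux-x86_64.zip && \
 
 COPY proto proto
 
-RUN cargo build --release --bin text-embeddings-router -F grpc -F ort -F candle -F mkl-dynamic --no-default-features && sccache -s
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+cargo build --release --bin text-embeddings-router -F grpc -F ort -F candle -F mkl-dynamic --no-default-features && sccache -s
 
 FROM debian:bookworm-slim AS base
 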
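Review bot: The `env=` option on `RUN --mount=type=secret` in the three rewritten `RUN` instructions is, to my knowledge, only accepted from Dockerfile frontend 1.10 onward, and none of the hunks shows a `# syntax=` directive. If the file does not already pin one, a builder with an older frontend will reject these instructions; `# syntax=docker/dockerfile:1.10` as the first line would make the requirement explicit. The mounts also leave `required` at its default, so a build started without the two `--secret` inputs runs cargo with `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` unset; a comment above the first mount such as `# ACTIONS_* secrets are optional and only supplied by the CI build` would record that this is intended. The same two points apply to the rewritten `RUN` instructions in Dockerfile-cuda, Dockerfile-cuda-all and Dockerfile-intel.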

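--- a/Dockerfile-cuda
+++ b/Dockerfile-cuda
@@ -41,13 +41,13 @@ ARG CARGO_BUILD_JOBS
 ARG CARGO_BUILD_INCREMENTAL
 
 # sccache specific variables
-ARG ACTIONS_CACHE_URL
-ARG ACTIONS_RUNTIME_TOKEN
 ARG SCCACHE_GHA_ENABLED
 
 WORKDIR /usr/src
 
-RUN if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
 then \
 nvprune --generate-code code=sm_${CUDA_COMPUTE_CAP} /usr/local/cuda/lib64/libcublas_static.a -o /usr/local/cuda/lib64/libcublas_static.a; \
 elif [ ${CUDA_COMPUTE_CAP} -ge 80 -a ${CUDA_COMPUTE_CAP} -lt 90 ]; \
@@ -62,7 +62,9 @@ RUN if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
 
 COPY --from=planner /usr/src/recipe.json recipe.json
 
-RUN if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
 then \
 cargo chef cook --release --features candle-cuda-turing --features static-linking --no-default-features --recipe-path recipe.json && sccache -s; \
 else \
@@ -77,7 +79,9 @@ COPY Cargo.lock ./
 
 FROM builder AS http-builder
 
-RUN if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
 then \
 cargo build --release --bin text-embeddings-router -F candle-cuda-turing -F static-linking -F http --no-default-features && sccache -s; \
 else \
@@ -98,7 +102,9 @@ RUN PROTOC_ZIP=protoc-21.12-linux-x86_64.zip && \
 
 COPY proto proto
 
-RUN if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ ${CUDA_COMPUTE_CAP} -ge 75 -a ${CUDA_COMPUTE_CAP} -lt 80 ]; \
 then \
 cargo build --release --bin text-embeddings-router -F candle-cuda-turing -F static-linking -F grpc --no-default-features && sccache -s; \
 else \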
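Review bot: The first rewritten `RUN` (new lines 48-50) mounts `actions_cache_url` and `actions_runtime_token` into a step whose visible branches only call `nvprune` on `libcublas_static.a`; nothing shown there invokes cargo or sccache. The instruction continues past the end of the hunk, so this needs checking against the full body, but if no branch uses sccache the two `--mount=type=secret` lines should be dropped from that step so the runtime token is exposed only to the commands that need it. The other three rewritten `RUN` instructions in this file do run `cargo ... && sccache -s` in their visible branches and the mounts belong there.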

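--- a/Dockerfile-cuda-all
+++ b/Dockerfile-cuda-all
@@ -36,8 +36,6 @@ ARG DOCKER_LABEL
 ARG VERTEX="false"
 
 # sccache specific variables
-ARG ACTIONS_CACHE_URL
-ARG ACTIONS_RUNTIME_TOKEN
 ARG SCCACHE_GHA_ENABLED
 
 # Limit parallelism
@@ -49,28 +47,36 @@ WORKDIR /usr/src
 
 COPY --from=planner /usr/src/recipe.json recipe.json
 
-RUN if [ $VERTEX = "true" ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ $VERTEX = "true" ]; \
 then \
 cargo chef cook --release --features google --recipe-path recipe.json && sccache -s; \
 else \
 cargo chef cook --release --recipe-path recipe.json && sccache -s; \
 fi;
 
-RUN if [ $VERTEX = "true" ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ $VERTEX = "true" ]; \
 then \
 CUDA_COMPUTE_CAP=75 cargo chef cook --release --features google --features candle-cuda-turing --recipe-path recipe.json && sccache -s; \
 else \
 CUDA_COMPUTE_CAP=75 cargo chef cook --release --features candle-cuda-turing --recipe-path recipe.json && sccache -s; \
 fi;
 
-RUN if [ $VERTEX = "true" ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ $VERTEX = "true" ]; \
 then \
 CUDA_COMPUTE_CAP=80 cargo chef cook --release --features google --features candle-cuda --recipe-path recipe.json && sccache -s; \
 else \
 CUDA_COMPUTE_CAP=80 cargo chef cook --release --features candle-cuda --recipe-path recipe.json && sccache -s; \
 fi;
 
-RUN if [ $VERTEX = "true" ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ $VERTEX = "true" ]; \
 then \
 CUDA_COMPUTE_CAP=90 cargo chef cook --release --features google --features candle-cuda --recipe-path recipe.json && sccache -s; \
 else \
@@ -83,7 +89,9 @@ COPY router router
 COPY Cargo.toml ./
 COPY Cargo.lock ./
 
-RUN if [ $VERTEX = "true" ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ $VERTEX = "true" ]; \
 then \
 CUDA_COMPUTE_CAP=75 cargo build --release --bin text-embeddings-router -F candle-cuda-turing -F google && sccache -s; \
 else \
@@ -92,7 +100,9 @@ RUN if [ $VERTEX = "true" ]; \
 
 RUN mv /usr/src/target/release/text-embeddings-router /usr/src/target/release/text-embeddings-router-75
 
-RUN if [ $VERTEX = "true" ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ $VERTEX = "true" ]; \
 then \
 CUDA_COMPUTE_CAP=80 cargo build --release --bin text-embeddings-router -F candle-cuda -F google && sccache -s; \
 else \
@@ -101,7 +111,9 @@ RUN if [ $VERTEX = "true" ]; \
 
 RUN mv /usr/src/target/release/text-embeddings-router /usr/src/target/release/text-embeddings-router-80
 
-RUN if [ $VERTEX = "true" ]; \
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+if [ $VERTEX = "true" ]; \
 then \
 CUDA_COMPUTE_CAP=90 cargo build --release --bin text-embeddings-router -F candle-cuda -F google && sccache -s; \
 else \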

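--- a/Dockerfile-intel
+++ b/Dockerfile-intel
@@ -24,13 +24,13 @@ ARG GIT_SHA
 ARG DOCKER_LABEL
 
 # sccache specific variables
-ARG ACTIONS_CACHE_URL
-ARG ACTIONS_RUNTIME_TOKEN
 ARG SCCACHE_GHA_ENABLED
 
 COPY --from=planner /usr/src/recipe.json recipe.json
 
-RUN cargo chef cook --release --features python --no-default-features --recipe-path recipe.json && sccache -s
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+cargo chef cook --release --features python --no-default-features --recipe-path recipe.json && sccache -s
 
 COPY backends backends
 COPY core core
@@ -46,13 +46,17 @@ RUN PROTOC_ZIP=protoc-21.12-linux-x86_64.zip && \
 
 FROM builder as http-builder
 
-RUN cargo build --release --bin text-embeddings-router -F python -F http --no-default-features && sccache -s
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+cargo build --release --bin text-embeddings-router -F python -F http --no-default-features && sccache -s
 
 FROM builder as grpc-builder
 
 COPY proto proto
 
-RUN cargo build --release --bin text-embeddings-router -F grpc -F python --no-default-features && sccache -s
+RUN --mount=type=secret,id=actions_cache_url,env=ACTIONS_CACHE_URL \
+--mount=type=secret,id=actions_runtime_token,env=ACTIONS_RUNTIME_TOKEN \
+cargo build --release --bin text-embeddings-router -F grpc -F python --no-default-features && sccache -s
 
 FROM intel/intel-optimized-pytorch:2.4.0-pip-base AS cpu
 ENV HUGGINGFACE_HUB_CACHE=/data \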

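--- a/backends/proto/embed.proto
+++ b/backends/proto/embed.proto
@@ -37,4 +37,4 @@ message Score {
 
 message PredictResponse {
 repeated Score scores = 1;
-}
+}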
