diff --git a/.github/workflows/nubis-build.yaml b/.github/workflows/nubis-build.yaml index 6669f88..4905722 100644 --- a/.github/workflows/nubis-build.yaml +++ b/.github/workflows/nubis-build.yaml @@ -15,6 +15,30 @@ on: type: string jobs: + setup: + runs-on: [ self-hosted, gcc, lite ] + outputs: + enable: ${{ steps.set-variable.outputs.enable }} + steps: + - uses: actions/checkout@v2 + - name: Set test variable + id: set-variable + run: | + if [ ${{ github.ref }} != 'refs/heads/main' ]; then + echo "will NOT build dockerfiles" + #echo "::set-output name=enable::false" + else + echo "WILL build dockerfiles" + #echo "::set-output name=enable::true" + fi + # Enable build + echo "::set-output name=enable::true" + shell: bash + - name: Read exported variable + run: | + echo "OUTPUT: ${{ steps.set-variable.outputs.enable }}" + + build: runs-on: [ self-hosted, "${{ matrix.architecture }}", gcc, lite ] 
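Review bot: The branch gate in the new `Set test variable` step is dead code — both `::set-output` writes inside the if/else are commented out and `enable::true` is echoed unconditionally right after it, so every downstream step that checks `needs.setup.outputs.enable == 'true'` will log in, push and sign from any branch, not just `main`, while the step's own output text claims otherwise. Either drop the if/else and the misleading "will NOT build" message, or restore the two branch-specific writes and delete the unconditional one. `${{ github.ref }}` is also spliced unquoted into the shell script; pass it through `env: { REF: "${{ github.ref }}" }` and compare with `if [ "$REF" != 'refs/heads/main' ]; then`. `::set-output` is deprecated in favour of `echo "enable=true" >> "$GITHUB_OUTPUT"`, which the `build` job in this same diff already uses, and the `actions/checkout@v2` here is older than the `@v3` used elsewhere in the file and is not needed by a job that only sets a variable.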
@@ -34,22 +58,37 @@ jobs: outputs: image_name: ${{ steps.build.outputs.image_name }} + needs: [setup] steps: - name: Build id: build run: | echo ${{ matrix.architecture }} GEN=$( echo "${{ inputs.dockerfile }}" | sed s/Dockerfile\.// ) - echo "image_name=harbor.nbfc.io/nubificus/gh-actions-runner-$GEN" >> "$GITHUB_OUTPUT" + echo "image_name=gh-actions-runner-$GEN" >> "$GITHUB_OUTPUT" + + - name: Fix filename + id: fix-filename + run: | + ARCH=$( echo "${{ matrix.architecture }}" ) + FILENAME=$( echo "${{ inputs.dockerfile }}" ) + if [ $ARCH == "aarch64" ] && [ $FILENAME == "Dockerfile.jetson" ]; + then + FILENAME=$( echo "jetson-aarch64-dockerfile" ) + echo "dockerfilename=$FILENAME" >> "$GITHUB_OUTPUT" + else + echo "dockerfilename=$FILENAME" >> "$GITHUB_OUTPUT" + fi - name: Checkout uses: actions/checkout@v3 - name: Install cosign - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} uses: sigstore/cosign-installer@ca922a571676e06d3299cce5d520e178ba89a276 with: cosign-release: 'v1.13.1' - name: Check install! + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} run: cosign version - name: Set up Docker Context for Buildx id: buildx-context @@ -57,6 +96,7 @@ jobs: docker context create builders || true # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf with: version: latest 
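Review bot: The new `Fix filename` step interpolates `${{ inputs.dockerfile }}` and `${{ matrix.architecture }}` straight into the shell script and then tests them unquoted (`[ $ARCH == "aarch64" ] && [ $FILENAME == "Dockerfile.jetson" ]`), so a value containing whitespace or shell metacharacters rewrites the script rather than failing the comparison; `inputs.dockerfile` is a free-form string supplied by whichever workflow calls or dispatches this one. Route both through `env:` and quote them: `env: { ARCH: "${{ matrix.architecture }}", FILENAME: "${{ inputs.dockerfile }}" }` and `if [ "$ARCH" = "aarch64" ] && [ "$FILENAME" = "Dockerfile.jetson" ]; then`. The `sed` line in the `Build` step above it does the same interpolation of `inputs.dockerfile` (pre-existing, but the same fix applies). The `steps:` list of this job continues outside the hunk.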
@@ -64,7 +104,7 @@ jobs: # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ inputs.REGISTRY }} - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c with: registry: ${{ inputs.REGISTRY }} @@ -78,12 +118,15 @@ jobs: uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 with: images: ${{ inputs.registry }}/${{ steps.build.outputs.image_name }} + tags: | + type=sha,prefix=${{ matrix.architecture }}- # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - - name: Build and push Docker image + - name: Build and push ${{ steps.fix-filename.outputs.dockerfilename }}-${{ matrix.architecture }} + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + uses: docker/build-push-action@master with: context: . push: ${{ github.event_name != 'pull_request' }} @@ -91,8 +134,8 @@ jobs: labels: ${{ steps.meta.outputs.labels }} #cache-from: type=local,src=/tmp #cache-to: type=local,mode=max,dest=/tmp - file: ${{ inputs.dockerfile }} - + file: ${{ steps.fix-filename.outputs.dockerfilename }} + provenance: false # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker @@ -100,7 +143,7 @@ jobs: # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} env: COSIGN_EXPERIMENTAL: "true" # This step uses the identity token to provision an ephemeral certificate 
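Review bot: `uses: docker/build-push-action@master` replaces a commit-pinned reference with a mutable branch, so every run executes whatever `master` happens to be at that moment; this step runs on self-hosted runners immediately after `docker/login-action` has stored the Harbor credentials, and its `digest` output is what the cosign step signs, so a changed or compromised upstream can both push to the registry and get its output signed under this repository's identity. The other docker/* and sigstore actions in this workflow are pinned to full commit SHAs — pin this one the same way, `uses: docker/build-push-action@<full-commit-sha> # vX.Y.Z`, with the version tag in a trailing comment so dependency tooling can track it. The `type=sha,prefix=${{ matrix.architecture }}-` tag added here is silently coupled to the manifest job's `<arch>-$SHA` reconstruction (7-character short SHA); a comment next to `tags:` such as `# must match the <arch>-<short sha> tags the manifest job amends` would keep the two sides in step. The `with:` mapping of this step continues outside the hunk.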
@@ -108,12 +151,13 @@ jobs: run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} - name: Clean up Docker Context for Buildx id: buildx-context-cleanup + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} run: | docker context remove builders || true manifest: runs-on: [ self-hosted, gcc, lite ] - needs: [build] + needs: [setup, build] permissions: contents: read 
@@ -123,12 +167,55 @@ jobs: id-token: write steps: + - uses: actions/checkout@v3 + - uses: benjlevesque/short-sha@v2.2 + id: short-sha + with: + length: 7 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ inputs.REGISTRY }} + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ inputs.REGISTRY }} + username: ${{ secrets.HARBOR_USER }} + password: ${{ secrets.HARBOR_SECRET }} + + - name: Set image name + id: set-image-name + run: | + NAME=$( echo "${{ needs.build.outputs.image_name }}" ) + REGISTRY=$( echo "${{ inputs.REGISTRY }}" ) + #NAMESPACE="runners" + #echo "image_name=$REGISTRY/$NAMESPACE/$NAME" >> "$GITHUB_OUTPUT" + echo "image_name=$REGISTRY/$NAME" >> "$GITHUB_OUTPUT" + + - name: Create manifest for ${{ needs.build.outputs.image_name }} + id: debug-echo + run: | + VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }}-$SHA ) + VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }}-$SHA ) + echo docker manifest rm ${{ steps.set-image-name.outputs.image_name }}:generic || true + echo docker manifest create ${{ steps.set-image-name.outputs.image_name }}:generic \ + --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR1) \ + --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR2) + echo docker manifest push ${{ steps.set-image-name.outputs.image_name }}:generic + env: + SHA: ${{ steps.short-sha.outputs.sha }} + - name: Create manifest for ${{ needs.build.outputs.image_name }} + id: create-manifest + if: ${{ github.event_name != 'pull_request' && needs.setup.outputs.enable == 'true' }} run: | - VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }}) - VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }}) - echo docker manifest rm ${{ needs.build.outputs.image_name }}:generic || true - 
echo docker manifest create ${{ needs.build.outputs.image_name }}:generic \ - --amend ${{ needs.build.outputs.image_name }}:$(echo $VAR1) \ - --amend ${{ needs.build.outputs.image_name }}:$(echo $VAR2) + VAR1=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[0]) }}-$SHA ) + VAR2=$(echo ${{ toJSON(fromJson(inputs.matrix).architecture[1]) }}-$SHA ) + docker manifest rm ${{ steps.set-image-name.outputs.image_name }}:generic || true + docker manifest create ${{ steps.set-image-name.outputs.image_name }}:generic \ + --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR1) \ + --amend ${{ steps.set-image-name.outputs.image_name }}:$(echo $VAR2) + docker manifest push ${{ steps.set-image-name.outputs.image_name }}:generic + env: + SHA: ${{ steps.short-sha.outputs.sha }} diff --git a/.github/workflows/nubis-manifest.yaml b/.github/workflows/nubis-manifest.yaml deleted file mode 100644 index 1bc527a..0000000 --- a/.github/workflows/nubis-manifest.yaml +++ /dev/null 
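Review bot: The `create-manifest` step pushes the multi-arch `:generic` manifest list but nothing signs it — the `build` job cosign-signs only the per-architecture `<arch>-<sha>` tags, so consumers pulling `:generic` get an unsigned, mutable index, and as far as this hunk shows the job's `id-token: write` permission is never used. After the push, capture the digest `docker manifest push` prints and sign it, e.g. `DIGEST=$(docker manifest push "$IMAGE:generic")` followed by `cosign sign "$IMAGE@$DIGEST"`, with the same cosign-installer step and `COSIGN_EXPERIMENTAL` env the build job already has. The short SHA is taken from the third-party `benjlevesque/short-sha@v2.2` tag reference; computing it in the script as `SHA="${GITHUB_SHA::7}"` removes that dependency and matches the 7-character default of metadata-action's `type=sha`. The `debug-echo` step is a copy of the real step with `echo` prefixed and is not gated, so it also runs on pull requests; drop it or name it as a dry run.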
@@ -1,54 +0,0 @@ -name: build-arch -on: - workflow_dispatch: - inputs: - matrix: - required: true - type: string - - workflow_call: - inputs: - matrix: - required: true - type: string - - - -jobs: - manifest: - runs-on: [ self-hosted, lite ] - #needs: [ build, prepare ] - strategy: - matrix: - ${{ fromJson(inputs.matrix) }} - fail-fast: false - - steps: - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c - with: - registry: ${{ env.REGISTRY }} - #username: ${{ github.actor }} - username: ${{ secrets.HARBOR_USER }} - #password: ${{ secrets.GITHUB_TOKEN }} - password: ${{ secrets.HARBOR_SECRET }} - - - - name: Manifest images under one label - shell: bash {0} - run: | - echo "${{ matrix.dockerfile }}" - #ARM=$( echo "${{ matrix.dockerfile }}" | sed s/Dockerfile\.// )-"aarch64" - #X86=$( echo "${{ matrix.dockerfile }}" | sed s/Dockerfile\.// )-"x86_64" - GEN=$( echo "${{ matrix.dockerfile }}" | sed s/Dockerfile\.// ) - #echo $ARM - #echo $X86 - echo $GEN - docker manifest rm ${{ env.REGISTRY }}/gh-actions-runner-$GEN:generic || true - docker manifest create ${{ env.REGISTRY }}/gh-actions-runner-$GEN:generic \ - --amend ${{ env.REGISTRY }}/gh-actions-runner-$GEN:aarch64 \ - --amend ${{ env.REGISTRY }}/gh-actions-runner-$GEN:x86_64 - #docker manifest push ${{ env.REGISTRY }}/gh-actions-runner-$GEN:generic diff --git a/.github/workflows/nubis-meta.yaml b/.github/workflows/nubis-meta.yaml index e97a68c..ff34ce8 100644 --- a/.github/workflows/nubis-meta.yaml +++ b/.github/workflows/nubis-meta.yaml @@ -2,7 +2,7 @@ name: build on: push: branches: - - nubis-runners-meta + - nubis-runners workflow_dispatch: env: 
@@ -56,7 +56,7 @@ jobs: if [[ $JSON == *, ]]; then JSON="${JSON%?}" fi - JSON="$JSON], \"architecture\":[\"x86_64\", \"arm64\"]}" + JSON="$JSON], \"architecture\":[\"x86_64\", \"aarch64\"]}" echo $JSON # Set output echo "::set-output name=matrix::$( echo "$JSON" )" diff --git a/.github/workflows/nubis.yaml b/.github/workflows/nubis.yaml deleted file mode 100644 index 9cfa2b3..0000000 --- a/.github/workflows/nubis.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ -name: build -on: - push: - branches: - - nubis-runners - workflow_dispatch: - -env: - # Use docker.io for Docker Hub if empty - #REGISTRY: docker.io - REGISTRY: harbor.nbfc.io/nubificus - # github.repository as / - IMAGE_NAME: gh-actions-runner-gcc-lite - # IMAGE_NAME: ${{ github.repository }} - #IMAGE_NAME: ananos/${{ github.repository }} - -jobs: - build: - #runs-on: ubuntu-latest - runs-on: [ self-hosted, "${{ matrix.archconfig }}", gcc, lite ] - - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - - strategy: - matrix: - archconfig: [ x86_64, aarch64 ] - build_type: [ release ] - tf_version: [ v2.11.0 ] - - fail-fast: false - - steps: - - name: Checkout - uses: actions/checkout@v3 - #- uses: ludeeus/action-shellcheck@1.1.0 - #- uses: hadolint/hadolint-action@v2.1.0 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - # uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 - # with: - # cosign-release: 'v1.11.0' - uses: ananos/cosign-installer@v3.0.1-arm - with: - cosign-release: 'v1.13.1' - - name: Check install! 
- run: cosign version - - - - name: Find SHA - run: | - if [[ "${{github.event.pull_request.head.sha}}" != "" ]] - then - echo "ARTIFACT_SHA=$(echo ${{github.event.pull_request.head.ref}})" >> $GITHUB_ENV - else - echo "ARTIFACT_SHA=$(echo ${GITHUB_REF##*/})" >> $GITHUB_ENV - fi - - - name: Set up Docker Context for Buildx - id: buildx-context - run: | - docker context create builders || true - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - with: - version: latest - endpoint: builders - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c - with: - registry: ${{ env.REGISTRY }} - #username: ${{ github.actor }} - username: ${{ secrets.HARBOR_USER }} - #password: ${{ secrets.GITHUB_TOKEN }} - password: ${{ secrets.HARBOR_SECRET }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - #cache-from: type=local,src=/tmp - #cache-to: type=local,mode=max,dest=/tmp - file: Dockerfile.gcc-lite - - - # Sign the resulting Docker image digest except on PRs. 
- # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} - - name: Clean up Docker Context for Buildx - id: buildx-context-cleanup - run: | - docker context remove builders || true diff --git a/jetson-aarch64-dockerfile b/jetson-aarch64-dockerfile new file mode 100644 index 0000000..2d7b36f --- /dev/null +++ b/jetson-aarch64-dockerfile 
@@ -0,0 +1,126 @@
+FROM dustynv/jetson-inference:r35.1.0
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ cmake \
+ git \
+ libpython3-dev \
+ pkg-config \
+ python3-numpy \
+ sudo \
+ wget \
+ && rm -rf /var/lib/apt/lists/*
+
+# we need this for installing download-models.sh and base network models.
+RUN cd /jetson-inference && \
+ git clone https://github.com/dusty-nv/jetson-inference --depth 1
+
+RUN cd /jetson-inference && \
+ cp -a utils/image/stb /usr/local/include && \
+ mkdir /usr/local/share/jetson-inference/tools && \
+ cp tools/download-models.sh /usr/local/share/jetson-inference/tools/ && \
+ mkdir /usr/local/share/jetson-inference/data && \
+ cp -r jetson-inference/data/networks /usr/local/share/jetson-inference/data/ && \
+ sed 's/BUILD_INTERACTIVE=.*/BUILD_INTERACTIVE=0/g' \
+ -i /usr/local/share/jetson-inference/tools/download-models.sh && \
+ unlink /usr/local/bin/images && unlink /usr/local/bin/networks && \
+ ln -s /usr/local/share/jetson-inference/data/networks /usr/local/bin/
+
+RUN rm -rf /jetson-inference
+
+WORKDIR /
+
+# This the release tag of virtual-environments: https://github.com/actions/virtual-environments/releases
+ARG UBUNTU_VERSION=2004
+ARG VIRTUAL_ENVIRONMENT_VERSION=ubuntu20/20230109.1
+
+ENV UBUNTU_VERSION=${UBUNTU_VERSION} VIRTUAL_ENVIRONMENT_VERSION=${VIRTUAL_ENVIRONMENT_VERSION}
+
+# Set environment variable to prevent interactive installation
+ENV DEBIAN_FRONTEND=noninteractive
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Install base packages.
+RUN apt update && TZ=Etc/UTC \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ sudo=1.8.* \
+ lsb-release=11.1.* \
+ software-properties-common=0.99.* \
+ gnupg-agent=2.2.* \
+ openssh-client=1:8.* \
+ make=4.*\
+ rsync \
+ wget \
+ jq=1.* \
+ gcc \
+ g++ \
+ curl && \
+ apt-get -y clean && \
+ rm -rf /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Add sudo rule for runner user
+RUN echo "runner ALL= EXEC: NOPASSWD:ALL" >> /etc/sudoers.d/runner
+
+# Update git.
+RUN add-apt-repository -y ppa:git-core/ppa && \
+ apt-get update && \
+ apt-get -y install --no-install-recommends git && \
+ apt-get -y clean && \
+ rm -rf /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Install docker cli.
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg > /etc/apt/trusted.gpg.d/docker.asc && \
+ echo "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends docker-ce-cli=5:20.10.* && \
+ apt-get -y clean && \
+ rm -rf /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Add Kitware APT repository for updated CMake version
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ apt-transport-https ca-certificates gnupg && \
+ apt-key adv --fetch-keys 'https://apt.kitware.com/keys/kitware-archive-latest.asc' && \
+ echo 'deb https://apt.kitware.com/ubuntu/ focal main' > /etc/apt/sources.list.d/kitware.list && \
+ apt-get update
+
+
+# Install build-essential and update cmake
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends software-properties-common && \
+ add-apt-repository -y ppa:ubuntu-toolchain-r/test && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends gcc-10 g++-10 && \
+ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 100 --slave /usr/bin/g++ g++ /usr/bin/g++-10 && \
+ apt-get install -y --no-install-recommends build-essential cmake && \
+ apt-get -y clean && \
+ rm -rf /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Copy scripts.
+COPY scripts/ /usr/local/bin/
+
+# Try to fix opencv issues if plugin does not build
+RUN apt remove -y opencv-libs opencv-main opencv-scripts opencv-python opencv-dev
+
+# Install additional distro packages and runner virtual envs
+ARG VIRTUAL_ENV_PACKAGES=""
+ARG VIRTUAL_ENV_INSTALLS="basic python nodejs"
+RUN apt-get -y update && \
+ ( [ -z "$VIRTUAL_ENV_PACKAGES" ] || apt-get -y --no-install-recommends install $VIRTUAL_ENV_PACKAGES ) && \
+ . /usr/local/bin/install-from-virtual-env-helpers && \
+ for package in ${VIRTUAL_ENV_INSTALLS}; do \
+ install-from-virtual-env $package; \
+ done && \
+ apt-get -y install --no-install-recommends gosu=1.* && \
+ apt-get -y clean && \
+ rm -rf /virtual-environments /var/cache/apt /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Install runner and its dependencies.
+RUN groupadd -g 121 runner && useradd -mr -d /home/runner -u 1001 -g 121 runner && \
+ install-runner
+
+COPY entrypoint.sh /
+WORKDIR /home/runner
+USER runner
+ENTRYPOINT ["/entrypoint.sh"]
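Review bot: The Docker and Kitware repository setup installs both vendors' signing keys into apt's global trust store (`/etc/apt/trusted.gpg.d/docker.asc` and the deprecated `apt-key adv --fetch-keys`), so either key is then accepted for packages from every configured source, including the Ubuntu archive and the two PPAs added around it; a `signed-by=` keyring per source confines each key to its own repository. Separately, `git clone https://github.com/dusty-nv/jetson-inference --depth 1` takes the upstream default branch at whatever commit exists at build time, so the `download-models.sh` and network definitions baked into the image are not reproducible — pin it with `--branch <tag>` (the `r35.1.0` base tag may have a matching upstream release; verify). The `runner ALL= EXEC: NOPASSWD:ALL` sudoers rule hands every job unconditional root inside the container; if the Jetson runtime genuinely needs it, a comment stating that is worth adding, otherwise restrict it. The scoped repository setup is shown below; the remaining RUN steps are unchanged.
```dockerfile
# Install docker cli (key scoped to the Docker repo only).
RUN install -d -m 0755 /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list && \
    apt-get update && \
    # … unchanged: docker-ce-cli install and cleanup …

# Add Kitware APT repository for updated CMake version (key scoped to Kitware only).
RUN apt-get update && \
    apt-get install -y --no-install-recommends apt-transport-https ca-certificates gnupg && \
    curl -fsSL https://apt.kitware.com/keys/kitware-archive-latest.asc | gpg --dearmor -o /etc/apt/keyrings/kitware-archive-keyring.gpg && \
    echo 'deb [signed-by=/etc/apt/keyrings/kitware-archive-keyring.gpg] https://apt.kitware.com/ubuntu/ focal main' > /etc/apt/sources.list.d/kitware.list && \
    apt-get update
```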