diff --git a/.github/workflows/docker-build-push-backend-container-on-tag.yml b/.github/workflows/docker-build-push-backend-container-on-tag.yml index 92f3846b2a5..cf2652b8ae5 100644 --- a/.github/workflows/docker-build-push-backend-container-on-tag.yml +++ b/.github/workflows/docker-build-push-backend-container-on-tag.yml @@ -7,8 +7,10 @@ on: env: REGISTRY_IMAGE: ${{ contains(github.ref_name, 'cloud') && 'onyxdotapp/onyx-backend-cloud' || 'onyxdotapp/onyx-backend' }} - LATEST_TAG: ${{ contains(github.ref_name, 'latest') }} DEPLOYMENT: ${{ contains(github.ref_name, 'cloud') && 'cloud' || 'standalone' }} + + # don't tag cloud images with "latest" + LATEST_TAG: ${{ contains(github.ref_name, 'latest') && !contains(github.ref_name, 'cloud') }} jobs: build-and-push: @@ -40,9 +42,11 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} + flavor: | + latest=false tags: | - type=raw,value=${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }} - type=raw,value=${{ env.LATEST_TAG == 'true' && format('{0}:latest', env.REGISTRY_IMAGE) || '' }} + type=raw,value=${{ github.ref_name }} + type=raw,value=${{ env.LATEST_TAG == 'true' && 'latest' || '' }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -111,6 +115,11 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} + flavor: | + latest=false + tags: | + type=raw,value=${{ github.ref_name }} + type=raw,value=${{ env.LATEST_TAG == 'true' && 'latest' || '' }} - name: Login to Docker Hub uses: docker/login-action@v3 @@ -138,6 +147,8 @@ jobs: env: TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2" TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1" + TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }} + TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }} with: # To run locally: trivy image --severity HIGH,CRITICAL onyxdotapp/onyx-backend image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }} 
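Review bot: The second `tags` entry in the build job's metadata step renders as `type=raw,value=` with an empty value whenever LATEST_TAG is not 'true', so the result depends on how docker/metadata-action treats an empty raw value. The action's `enable` attribute states the intent directly: `type=raw,value=latest,enable=${{ env.LATEST_TAG == 'true' }}`. Because `latest` is a mutable tag that consumers pull without naming a version, an explicit condition is easier to audit than the `&& 'latest' || ''` form. The same entry is added in the merge-job hunk of this file and in both metadata hunks of docker-build-push-web-container-on-tag.yml.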
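Review bot: The Trivy step now receives `secrets.DOCKER_TOKEN` through `TRIVY_PASSWORD`, and if that is the same token the Docker Hub login step uses for pushing, the scanner is handed write access it does not need. A separate read-only Docker Hub access token for scanning would keep this step at least privilege. It is also worth confirming that Trivy presents these credentials only to docker.io and not to the public.ecr.aws database repositories set two lines above. The step's `uses:` line is outside the hunk, so how the scanner action is pinned cannot be checked from here. The same two lines are added in the other three workflow files of this commit.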
diff --git a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml index 05bece322fb..ed7198e3198 100644 --- a/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml +++ b/.github/workflows/docker-build-push-cloud-web-container-on-tag.yml @@ -4,11 +4,10 @@ name: Build and Push Cloud Web Image on Tag on: push: tags: - - "*" + - "*cloud*" env: REGISTRY_IMAGE: onyxdotapp/onyx-web-server-cloud - LATEST_TAG: ${{ contains(github.ref_name, 'latest') }} DEPLOYMENT: cloud jobs: @@ -39,9 +38,10 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} + flavor: | + latest=false tags: | - type=raw,value=${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }} - type=raw,value=${{ env.LATEST_TAG == 'true' && format('{0}:latest', env.REGISTRY_IMAGE) || '' }} + type=raw,value=${{ github.ref_name }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -112,6 +112,10 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} + flavor: | + latest=false + tags: | + type=raw,value=${{ github.ref_name }} - name: Login to Docker Hub uses: docker/login-action@v3 @@ -139,6 +143,8 @@ jobs: env: TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2" TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1" + TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }} + TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }} with: image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }} severity: "CRITICAL,HIGH" diff --git a/.github/workflows/docker-build-push-model-server-container-on-tag.yml b/.github/workflows/docker-build-push-model-server-container-on-tag.yml index 8a930851eda..e256e5e20ef 100644 --- a/.github/workflows/docker-build-push-model-server-container-on-tag.yml +++ b/.github/workflows/docker-build-push-model-server-container-on-tag.yml 
@@ -7,10 +7,12 @@ on: env: REGISTRY_IMAGE: ${{ contains(github.ref_name, 'cloud') && 'onyxdotapp/onyx-model-server-cloud' || 'onyxdotapp/onyx-model-server' }} - LATEST_TAG: ${{ contains(github.ref_name, 'latest') }} DOCKER_BUILDKIT: 1 BUILDKIT_PROGRESS: plain DEPLOYMENT: ${{ contains(github.ref_name, 'cloud') && 'cloud' || 'standalone' }} + + # don't tag cloud images with "latest" + LATEST_TAG: ${{ contains(github.ref_name, 'latest') && !contains(github.ref_name, 'cloud') }} jobs: @@ -166,6 +168,8 @@ jobs: env: TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2" TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1" + TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }} + TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }} with: image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }} severity: "CRITICAL,HIGH" diff --git a/.github/workflows/docker-build-push-web-container-on-tag.yml b/.github/workflows/docker-build-push-web-container-on-tag.yml index 3700f91d014..5df0ab53472 100644 --- a/.github/workflows/docker-build-push-web-container-on-tag.yml +++ b/.github/workflows/docker-build-push-web-container-on-tag.yml @@ -9,9 +9,24 @@ env: REGISTRY_IMAGE: onyxdotapp/onyx-web-server LATEST_TAG: ${{ contains(github.ref_name, 'latest') }} DEPLOYMENT: standalone - + jobs: + precheck: + runs-on: [runs-on, runner=2cpu-linux-x64, "run-id=${{ github.run_id }}"] + outputs: + should-run: ${{ steps.set-output.outputs.should-run }} + steps: + - name: Check if tag contains "cloud" + id: set-output + run: | + if [[ "${{ github.ref_name }}" == *cloud* ]]; then + echo "should-run=false" >> "$GITHUB_OUTPUT" + else + echo "should-run=true" >> "$GITHUB_OUTPUT" + fi build: + needs: precheck + if: needs.precheck.outputs.should-run == 'true' runs-on: - runs-on - runner=${{ matrix.platform == 'linux/amd64' && '8cpu-linux-x64' || '8cpu-linux-arm64' }} 
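Review bot: The precheck step expands `${{ github.ref_name }}` directly into the `run` script, so the tag name becomes part of the shell source before bash parses it, and git permits quote and `$` characters in tag names. Pushing a tag needs write access, which bounds the exposure, but this workflow later handles Docker Hub secrets, so the value should reach the script as data: add `env: REF_NAME: ${{ github.ref_name }}` to the step and test `[[ "$REF_NAME" == *cloud* ]]`. Alternatively, a job-level `if: ${{ !contains(github.ref_name, 'cloud') }}` on `build` removes the shell step and the extra runner. That form also matches the other workflows, whose `contains()` check is case-insensitive while this bash glob is not. The `build` job body continues outside the hunk.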
@@ -38,9 +53,11 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} + flavor: | + latest=false tags: | - type=raw,value=${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }} - type=raw,value=${{ env.LATEST_TAG == 'true' && format('{0}:latest', env.REGISTRY_IMAGE) || '' }} + type=raw,value=${{ github.ref_name }} + type=raw,value=${{ env.LATEST_TAG == 'true' && 'latest' || '' }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -85,9 +102,10 @@ jobs: retention-days: 1 merge: - runs-on: ubuntu-latest needs: - build + if: needs.precheck.outputs.should-run == 'true' + runs-on: ubuntu-latest steps: - name: Download digests uses: actions/download-artifact@v4 @@ -104,6 +122,11 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY_IMAGE }} + flavor: | + latest=false + tags: | + type=raw,value=${{ github.ref_name }} + type=raw,value=${{ env.LATEST_TAG == 'true' && 'latest' || '' }} - name: Login to Docker Hub uses: docker/login-action@v3 @@ -131,6 +154,8 @@ jobs: env: TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2" TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1" + TRIVY_USERNAME: ${{ secrets.DOCKER_USERNAME }} + TRIVY_PASSWORD: ${{ secrets.DOCKER_TOKEN }} with: image-ref: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }} severity: "CRITICAL,HIGH"
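Review bot: The `if:` added to `merge` reads `needs.precheck.outputs.should-run`, but `merge` lists only `build` under `needs`, and the `needs` context is populated only for a job's direct dependencies. As written the lookup should evaluate to an empty string and the comparison to false, so `merge` would be skipped for every tag. The steps that appear to belong to that job in the later hunks (metadata, Docker Hub login, Trivy scan) would then never run. Either declare `needs: [precheck, build]` or drop the condition, since a skipped `build` already causes `merge` to be skipped. The rest of the `merge` job is outside the hunk.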