From 002df5f2eb3e56190fe6d96947c48a02f066aa47 Mon Sep 17 00:00:00 2001 From: Mihai Maruseac Date: Thu, 11 Jan 2024 11:37:07 -0800 Subject: [PATCH] Make all workflows run on Windows. Signed-off-by: Mihai Maruseac --- .github/workflows/slsa_for_ml.yml | 158 +++++++++++++++--------------- .github/workflows/unit_tests.yml | 88 ++++++++--------- 2 files changed, 125 insertions(+), 121 deletions(-) diff --git a/.github/workflows/slsa_for_ml.yml b/.github/workflows/slsa_for_ml.yml index 994d7ddc..a9bb95b0 100644 --- a/.github/workflows/slsa_for_ml.yml +++ b/.github/workflows/slsa_for_ml.yml @@ -1,77 +1,81 @@ -name: SLSA for ML models example -on: - workflow_dispatch: - inputs: - model_type: - description: Name of the model (implies framework) - required: true - type: choice - options: - - tensorflow_model.keras - - tensorflow_hdf5_model.h5 - - tensorflow_hdf5.weights.h5 - - pytorch_model.pth - - pytorch_full_model.pth - - pytorch_jitted_model.pt - pull_request: - branches: [main] - types: [opened, synchronize] - -permissions: read-all - -defaults: - run: - shell: bash - -jobs: - train: - name: Train model - runs-on: ubuntu-latest - outputs: - hash: ${{ steps.hash.outputs.hash }} - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.11 - cache: pip - cache-dependency-path: slsa_for_models/install/requirements_${{ runner.os }}.txt - - name: Install dependencies - run: | - set -exuo pipefail - python -m venv venv - .github/workflows/scripts/venv_activate.sh - python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ runner.os }}.txt - - name: Build model - env: - MODEL_TYPE: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} - run: | - set -exuo pipefail - python -m venv venv - .github/workflows/scripts/venv_activate.sh - python slsa_for_models/main.py "$MODEL_TYPE" - - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 - with: - path: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} - name: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} - if-no-files-found: error - - id: hash - env: - MODEL: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} - run: | - set -euo pipefail - sha256sum "$MODEL" > checksum - echo "hash=$(cat checksum | base64 -w0)" >> "${GITHUB_OUTPUT}" - - provenance: - # TODO(mihaimaruseac): Don't run on pull requests for now - if: ${{ github.event_name != 'pull_request' }} - needs: [train] - permissions: - actions: read - id-token: write - contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 - with: - base64-subjects: "${{ needs.train.outputs.hash }}" - upload-assets: true # NOTE: This does nothing unless 'upload-tag-name' parameter is also set to an existing tag +name: SLSA for ML models example +on: + workflow_dispatch: + inputs: + model_type: + description: Name of the model (implies framework) + required: true + type: choice + options: + - tensorflow_model.keras + - tensorflow_hdf5_model.h5 + - tensorflow_hdf5.weights.h5 + - pytorch_model.pth + - pytorch_full_model.pth + - pytorch_jitted_model.pt + pull_request: + branches: [main] + types: [opened, synchronize] + +permissions: read-all + +defaults: + run: + shell: bash + +jobs: + train: + name: Train model + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false # Don't cancel other jobs if one fails + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + outputs: + hash: ${{ steps.hash.outputs.hash }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + with: + python-version: 3.11 + cache: pip + cache-dependency-path: slsa_for_models/install/requirements_${{ runner.os }}.txt + - name: Install dependencies + run: | + set -exuo pipefail + python -m venv venv + .github/workflows/scripts/venv_activate.sh + python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ runner.os }}.txt + - name: Build model + env: + MODEL_TYPE: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} + run: | + set -exuo pipefail + python -m venv venv + .github/workflows/scripts/venv_activate.sh + python slsa_for_models/main.py "$MODEL_TYPE" + - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + path: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} + name: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} + if-no-files-found: error + - id: hash + env: + MODEL: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} + run: | + set -euo pipefail + sha256sum "$MODEL" > checksum + echo "hash=$(cat checksum | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + # TODO(mihaimaruseac): Don't run on pull requests for now + if: ${{ github.event_name != 'pull_request' }} + needs: [train] + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + with: + base64-subjects: "${{ needs.train.outputs.hash }}" + upload-assets: true # NOTE: This does nothing unless 'upload-tag-name' parameter is also set to an existing tag diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index 2fad8f8f..c9ff2f0d 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -1,44 +1,44 @@ -name: Run unit tests -on: - pull_request: - branches: [main] - types: [opened, synchronize] - -permissions: {} - -defaults: - run: - shell: bash - -jobs: - model-signing-unit-tests: - name: Run unit tests for signing - runs-on: ${{ matrix.os }} - strategy: - fail-fast: false # Don't cancel other jobs if one fails - matrix: - os: [ubuntu-latest, macos-latest] - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.11 - cache: pip - cache-dependency-path: | - model_signing/install/requirements_${{ runner.os }}.txt - model_signing/install/requirements_test_${{ runner.os }}.txt - - name: Install dependencies - run: | - set -exuo pipefail - python -m venv venv - .github/workflows/scripts/venv_activate.sh - python -m pip install --require-hashes -r model_signing/install/requirements_${{ runner.os }}.txt - python -m pip install --require-hashes -r model_signing/install/requirements_test_${{ runner.os }}.txt - - name: Run unit tests - run: | - set -euo pipefail - .github/workflows/scripts/venv_activate.sh - # NOTE: option --full-trace may be useful for troubleshooting. - # TODO(#68): Remove the need to create this folder. - mkdir testdata - pytest -v . +name: Run unit tests +on: + pull_request: + branches: [main] + types: [opened, synchronize] + +permissions: {} + +defaults: + run: + shell: bash + +jobs: + model-signing-unit-tests: + name: Run unit tests for signing + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false # Don't cancel other jobs if one fails + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + with: + python-version: 3.11 + cache: pip + cache-dependency-path: | + model_signing/install/requirements_${{ runner.os }}.txt + model_signing/install/requirements_test_${{ runner.os }}.txt + - name: Install dependencies + run: | + set -exuo pipefail + python -m venv venv + .github/workflows/scripts/venv_activate.sh + python -m pip install --require-hashes -r model_signing/install/requirements_${{ runner.os }}.txt + python -m pip install --require-hashes -r model_signing/install/requirements_test_${{ runner.os }}.txt + - name: Run unit tests + run: | + set -euo pipefail + .github/workflows/scripts/venv_activate.sh + # NOTE: option --full-trace may be useful for troubleshooting. + # TODO(#68): Remove the need to create this folder. + mkdir testdata + pytest -v .