Skip to content

Commit

Permalink
Merge pull request #7 from StacklokLabs/3rd-try
Browse files Browse the repository at this point in the history 
Refactor approach
  • Loading branch information
@lukehinds
lukehinds authored Feb 22, 2024
2 parents b45c13b + 66739e0 commit 97263dd
Showing 1 changed file with 40 additions and 60 deletions.
100 changes: 40 additions & 60 deletions .github/workflows/train_and_inference.yml
View file
Original file line number Diff line number Diff line change
@@ -1,81 +1,61 @@
name: SLSA for ML models example
on:
workflow_dispatch:
inputs:
model_type:
description: Name of the model (implies framework)
required: true
type: choice
options:
- model.pth
pull_request:
branches: [main]
types: [opened, synchronize]
paths-ignore:
- '**/*.md'
- '*.md'

permissions: read-all
name: Train and Inference with SLSA

defaults:
run:
shell: bash
on:
push:
branches:
- main

jobs:
train:
name: Train model
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
outputs:
hash-ubuntu-latest: ${{ steps.hash.outputs.hash-ubuntu-latest }}
hash-macos-latest: ${{ steps.hash.outputs.hash-macos-latest }}
hash-windows-latest: ${{ steps.hash.outputs.hash-windows-latest }}
runs-on: ubuntu-latest

steps:
- run: git config --global core.autocrlf input
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
- name: Checkout repository
uses: actions/checkout@v2

- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12.2

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Build model
env:
MODEL_TYPE: ${{ github.event.inputs.model_type || 'model.pth' }}
- name: Generate Dataset
run: |
set -exuo pipefail
python -m venv venv
.github/workflows/scripts/venv_activate.sh
python slsa_for_models/main.py "$MODEL_TYPE"
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
path: ${{ github.event.inputs.model_type || 'model.pth' }}
name: ${{ github.event.inputs.model_type || 'model.pth' }}_${{ runner.os }}
if-no-files-found: error
- id: hash
env:
MODEL: ${{ github.event.inputs.model_type || 'model.pth' }}
python generate_dataset.py
tar -czvf dataset.tgz dataset.npz
- name: Train Model
run: python train_model.py

- name: Generate SLSA Attestation for Dataset
run: |
set -euo pipefail
(sha256sum -t "$MODEL" || shasum -a 256 "$MODEL") > checksum
echo "hash-${{ matrix.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
checksum=$(sha256sum dataset.tgz | cut -d ' ' -f 1)
echo "Dataset checksum: $checksum"
# Use the checksum to generate SLSA attestation
- name: Generate SLSA Attestation for Model
run: |
checksum=$(sha256sum model.pth | cut -d ' ' -f 1)
echo "Model checksum: $checksum"
# Use the checksum to generate SLSA attestation
provenance:
if: ${{ github.event_name != 'pull_request' }}
needs: [train]
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ubuntu-latest
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.train.outputs[format('hash-{0}', matrix.os)] }}"
upload-assets: true # NOTE: This does nothing unless 'upload-tag-name' parameter is also set to an existing tag
steps:
- name: Get outputs
id: hash
run: echo "::set-output name=hash::$(echo 'hash-'$(sha256sum dataset.tgz | cut -d ' ' -f 1) 'hash-'$(sha256sum model.pth | cut -d ' ' -f 1))"
- name: Run SLSA Generator
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: ${{ steps.hash.outputs.hash }}

0 comments on commit 97263dd

Please sign in to comment.