diff --git a/.github/workflows/train_and_inference.yml b/.github/workflows/train_and_inference.yml index 56d4f4e..4f732c4 100644 --- a/.github/workflows/train_and_inference.yml +++ b/.github/workflows/train_and_inference.yml @@ -1,13 +1,36 @@ name: Train and Inference with SLSA on: + workflow_dispatch: + inputs: + model_type: + description: Name of the model (implies framework) + required: true + type: choice + options: + - model.pth push: branches: - main + paths-ignore: + - '**/*.md' + - '*.md' + + +permissions: read-all + +defaults: + run: + shell: bash jobs: train: - runs-on: ubuntu-latest + name: Train model + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false # Don't cancel other jobs if one fails + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] steps: - name: Checkout repository @@ -42,20 +65,28 @@ jobs: checksum=$(sha256sum model.pth | cut -d ' ' -f 1) echo "Model checksum: $checksum" # Use the checksum to generate SLSA attestation + - id: hash + env: + MODEL: ${{ github.event.inputs.model_type }} + run: | + set -euo pipefail + (sha256sum -t "$MODEL" || shasum -a 256 "$MODEL") > checksum + echo "hash-${{ matrix.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}" provenance: if: ${{ github.event_name != 'pull_request' }} needs: [train] + strategy: + fail-fast: false # Don't cancel other jobs if one fails + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ubuntu-latest permissions: actions: read id-token: write contents: write steps: - - name: Get outputs - id: hash - run: echo "::set-output name=hash::$(echo 'hash-'$(sha256sum dataset.tgz | cut -d ' ' -f 1) 'hash-'$(sha256sum model.pth | cut -d ' ' -f 1))" - name: Run SLSA Generator uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 with: - base64-subjects: ${{ steps.hash.outputs.hash }} \ No newline at end of file + base64-subjects: ${{ needs.train.outputs.hash }} \ No newline at end of file
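Review bot: The new workflow-level `permissions: read-all` still gives every job a token with read access to all scopes, which is more than the `train` job appears to need. If `train` only checks out the repository and runs the training script, a `permissions:` mapping containing just `contents: read` is the narrower default, and `provenance` already declares its own job-level block. The steps between the two hunks are not visible here, so confirm none of them needs another read scope before narrowing.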
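Review bot: The provenance job reads `needs.train.outputs.hash`, but the new `hash` step writes its output as `hash-${{ matrix.os }}` and no job-level `outputs:` mapping for `train` is visible in this diff, so `base64-subjects` would be empty and the attestation would not cover the trained model. Declaring one output per matrix leg on `train` (its header is in the first hunk, outside this one) and selecting it with `matrix.os` in `provenance` gives each leg its own subject, as sketched below. Separately, `github.event.inputs.model_type` is empty on `push` runs, so `MODEL` is empty and the step exits under `set -e`; `MODEL: ${{ github.event.inputs.model_type || 'model.pth' }}` keeps the push trigger working. The removed step also hashed `dataset.tgz`, which the new subjects no longer include, so confirm that dropping it from the provenance is intended.

```yaml
  train:
    # … unchanged: name, runs-on, strategy …
    outputs:
      hash-ubuntu-latest: ${{ steps.hash.outputs.hash-ubuntu-latest }}
      hash-macos-latest: ${{ steps.hash.outputs.hash-macos-latest }}
      hash-windows-latest: ${{ steps.hash.outputs.hash-windows-latest }}
    # … unchanged: steps, including the new `hash` step …

  provenance:
    # … unchanged: everything up to the generator's `with:` …
          base64-subjects: ${{ needs.train.outputs[format('hash-{0}', matrix.os)] }}
```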