Generic KServe detector integration

.dockerignore

@@ -19,7 +19,7 @@ firebase.json
 build
 dist
 # Ignoring this for now
-/scripts
+# /scripts
 # Ignoring log files generated by tests
 *.log
 # Ignore some of the files that should be downloaded/generated for evaluation

.github/workflows/push-server-image.yml

@@ -0,0 +1,128 @@
+name: Publish - NeMo Guardrails Server Image
+on:
+  push:
+    branches:
+      - develop
+    tags:
+      - v*
+    paths:
+      - 'nemoguardrails/*'
+      - '.github/workflows/*'
+  pull_request_target:
+    paths:
+      - 'nemoguardrails/*'
+      - '.github/workflows/*'
+    types: [labeled, opened, synchronize, reopened]
+jobs:
+  build-and-push-ci:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+    steps: # Assign context variable for various action contexts (tag, develop, CI)
+      - name: Assigning CI context
+        if: github.head_ref != '' && github.head_ref != 'develop' && !startsWith(github.ref, 'refs/tags/v')
+        run: echo "BUILD_CONTEXT=ci" >> $GITHUB_ENV
+      - name: Assigning new-tag context
+        if: github.head_ref == '' && startsWith(github.ref, 'refs/tags/v')
+        run: echo "BUILD_CONTEXT=tag" >> $GITHUB_ENV
+      - name: Assigning develop-branch context
+        if: github.head_ref == '' && github.ref == 'refs/heads/develop'
+        run: echo "BUILD_CONTEXT=main" >> $GITHUB_ENV
+
+      # Run checkouts
+      - uses: mheap/github-action-required-labels@v4
+        if: env.BUILD_CONTEXT == 'ci'
+        with:
+          mode: minimum
+          count: 1
+          labels: "ok-to-test, lgtm, approved"
+      - uses: actions/checkout@v3
+        if: env.BUILD_CONTEXT == 'ci'
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/checkout@v3
+        if: env.BUILD_CONTEXT == 'main' ||  env.BUILD_CONTEXT == 'tag'
+      #
+      # Print variables for debugging
+      - name: Log reference variables
+        run: |
+          echo "CONTEXT: ${{ env.BUILD_CONTEXT }}"
+          echo "GITHUB.REF: ${{ github.ref }}"
+          echo "GITHUB.HEAD_REF: ${{ github.head_ref }}"
+          echo "SHA: ${{ github.event.pull_request.head.sha }}"
+          echo "MAIN IMAGE AT: ${{ vars.RELEASE_REPO }}:latest"
+          echo "CI IMAGE AT: ${{ vars.CI_REPO }}:${{ github.event.pull_request.head.sha }}"
+
+      # Set environments depending on context
+      - name: Set CI environment
+        if:  env.BUILD_CONTEXT == 'ci'
+        run: |
+          echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+          echo "IMAGE_NAME=${{ vars.CI_REPO }}" >> $GITHUB_ENV
+      - name: Set main-branch environment
+        if:  env.BUILD_CONTEXT == 'main'
+        run: |
+          echo "TAG=latest" >> $GITHUB_ENV
+          echo "IMAGE_NAME=${{ vars.RELEASE_REPO }}" >> $GITHUB_ENV
+      - name: Set tag environment
+        if: env.BUILD_CONTEXT == 'tag'
+        run: |
+          echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+          echo "IMAGE_NAME=${{ vars.RELEASE_REPO }}" >> $GITHUB_ENV
+      - name: Extract Quay repo URL from image name
+        run: |
+            repo_path=$(echo "$IMAGE_NAME" | sed -E 's|^quay\.io/([^/:]+/[^/:]+).*|\1|')
+            echo "QUAY_REPO_URL=https://quay.io/repository/$repo_path" >> $GITHUB_ENV
+        env:
+          IMAGE_NAME: ${{ env.IMAGE_NAME }}
+      #
+      # Run docker commands
+      - name: Put expiry date on CI-tagged image
+        if:  env.BUILD_CONTEXT == 'ci'
+        run: |
+          echo 'LABEL quay.expires-after=7d#' >> Dockerfile
+      - name: Build image
+        run: docker build -t ${{ env.IMAGE_NAME }}:$TAG -f Dockerfile.server .
+      - name: Log in to Quay
+        run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
+      - name: Push to Quay CI repo
+        run: docker push ${{ env.IMAGE_NAME }}:$TAG
+
+      # Leave comment
+      - uses: peter-evans/find-comment@v3
+        name: Find Comment
+        if:  env.BUILD_CONTEXT == 'ci'
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes:  PR image build completed successfully
+      - uses: peter-evans/create-or-update-comment@v4
+        if:  env.BUILD_CONTEXT == 'ci'
+        name: Generate/update success message comment
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            PR image build completed successfully!
+
+            📦 [PR image](${{env.QUAY_REPO_URL}}?tab=tags): `${{ env.IMAGE_NAME}}:${{ env.TAG }}`
+      - name: Trivy scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+      - name: Update Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: huggingface

.gitignore

@@ -58,7 +58,7 @@ docs/user_guides/llm/vertexai/config
 docs/**/config
 
 # Ignoring this for now
-/scripts
+# /scripts
 
 # Ignoring log files generated by tests
 firebase.json

Dockerfile.server

@@ -0,0 +1,44 @@
+FROM registry.access.redhat.com/ubi9/python-312 as build
+
+USER 0
+WORKDIR /app
+
+RUN dnf install -y gcc gcc-c++ git && \
+    pip install --no-cache-dir poetry==1.8.2 pyyaml==6.0.2 && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf
+
+COPY pyproject.toml poetry.lock* README.md ./
+COPY nemoguardrails/ ./nemoguardrails/
+COPY examples/ ./examples/
+COPY chat-ui/ ./chat-ui/
+COPY scripts/provider-list.yaml ./scripts/
+COPY scripts/filter_guardrails.py ./scripts/
+COPY scripts/entrypoint.sh ./scripts/
+RUN chmod +x ./scripts/entrypoint.sh
+
+ARG GUARDRAILS_PROFILE=opensource
+RUN python3 ./scripts/filter_guardrails.py ./scripts/provider-list.yaml $GUARDRAILS_PROFILE
+
+ENV POETRY_VIRTUALENVS_IN_PROJECT=1 \
+    POETRY_NO_INTERACTION=1
+
+RUN poetry install --no-ansi --extras="sdd jailbreak openai nvidia tracing" && \
+    poetry run pip install "spacy>=3.4.4,<4.0.0" && \
+    poetry run python -m spacy download en_core_web_lg
+
+FROM registry.access.redhat.com/ubi9/python-312
+
+USER 0
+WORKDIR /app
+
+COPY --from=build /app /app
+RUN rm -f /etc/security/namespace.conf /usr/lib64/security/pam_namespace.so || true && \
+    chgrp -R 0 /app && \
+    chmod -R g+rwX /app
+
+USER 1001
+
+ENV PATH="/app/.venv/bin:$PATH"
+EXPOSE 8000
+ENTRYPOINT ["./scripts/entrypoint.sh"]