Bandit Scan as part of PR and precommit workflow #929
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Tests an FL experiment in a Dockerized environment. | |
name: TaskRunner (docker/gramine-direct) | |
on: | |
pull_request: | |
types: [opened, synchronize, reopened, ready_for_review] | |
permissions: | |
contents: read | |
jobs: | |
build: | |
if: github.event.pull_request.draft == false | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Python 3 | |
uses: actions/setup-python@v3 | |
with: | |
python-version: "3.10" | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install . | |
- name: Create workspace image | |
run: | | |
fx workspace create --prefix example_workspace --template keras_cnn_mnist | |
cd example_workspace | |
fx plan initialize -a localhost | |
# Disable tensorboard logging as multiprocessing is not supported in Gramine | |
# https://github.com/gramineproject/examples/issues/33 | |
sed -i 's/write_logs: true/write_logs: false/g' plan/plan.yaml | |
fx workspace dockerize --save --revision https://github.com/${GITHUB_REPOSITORY}.git@${{ github.event.pull_request.head.sha }} | |
- name: Create certificate authority for workspace | |
run: | | |
cd example_workspace | |
fx workspace certify | |
- name: Create signed cert for collaborator | |
run: | | |
cd example_workspace | |
fx collaborator create -d 1 -n charlie --silent | |
fx collaborator generate-cert-request -n charlie --silent | |
fx collaborator certify --request-pkg col_charlie_to_agg_cert_request.zip --silent | |
# Pack the collaborator's private key, signed cert, and data.yaml into a tarball | |
tarfiles="plan/data.yaml agg_to_col_charlie_signed_cert.zip" | |
for entry in cert/client/*; do | |
if [[ "$entry" == *.key ]]; then | |
tarfiles="$tarfiles $entry" | |
fi | |
done | |
tar -cf cert_col_charlie.tar $tarfiles | |
# Clean up | |
rm -f $tarfiles | |
rm -f col_charlie_to_agg_cert_request.zip | |
- name: Create signed cert for aggregator | |
run: | | |
cd example_workspace | |
fx aggregator generate-cert-request --fqdn localhost | |
fx aggregator certify --fqdn localhost --silent | |
# Pack all files that aggregator needs to start training | |
tar -cf cert_agg.tar plan cert save | |
# Remove the directories after archiving | |
rm -rf plan cert save | |
- name: Load workspace image | |
run: | | |
cd example_workspace | |
docker load -i example_workspace.tar | |
- name: Run aggregator and collaborator | |
run: | | |
cd example_workspace | |
set -x | |
docker run --rm \ | |
--network host \ | |
--security-opt seccomp=unconfined \ | |
--mount type=bind,source=./cert_agg.tar,target=/certs.tar \ | |
--env KERAS_HOME=/tmp \ | |
example_workspace bash -c "tar -xf /certs.tar && gramine-direct fx aggregator start" & | |
# TODO: Run with two collaborators instead. | |
docker run --rm \ | |
--network host \ | |
--security-opt seccomp=unconfined \ | |
--mount type=bind,source=./cert_col_charlie.tar,target=/certs.tar \ | |
--env KERAS_HOME=/tmp \ | |
example_workspace bash -c "tar -xf /certs.tar && fx collaborator certify --import agg_to_col_charlie_signed_cert.zip && gramine-direct fx collaborator start -n charlie" |