Fix: image vulnerabilities

.github/actions/docker-push/action.yml

@@ -0,0 +1,28 @@
+name: Docker Push
+description: "Push locally-loaded images to their registry refs"
+
+inputs:
+  image-refs:
+    description: "JSON array of image references to push"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Push
+      shell: bash
+      env:
+        IMAGE_REFS: ${{ inputs.image-refs }}
+      run: |
+        set -euo pipefail
+        mapfile -t refs < <(echo "${IMAGE_REFS}" | jq -r '.[]')
+        if [ ${#refs[@]} -eq 0 ]; then
+          echo "No image refs to push"
+          exit 1
+        fi
+
+        for ref in "${refs[@]}"; do
+          echo "::group::docker push — ${ref}"
+          docker push "${ref}"
+          echo "::endgroup::"
+        done

.github/actions/grype/action.yml

@@ -3,8 +3,16 @@ description: "Scan Docker images with Grype. For now it's report-only and doesn'
 
 inputs:
   image-refs:
-    description: "JSON array of image references to scan"
+    description: "JSON array of image refs to scan"
     required: true
+  skip-files:
+    description: |
+      Optional newline-separated list of glob patterns to pass to Trivy as
+      --skip-files. Use this to silence known-benign findings (e.g. demo
+      cert/key fixtures shipped by vendored upstream libraries in NGC base
+      images) without affecting the rest of the scan.
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -22,6 +30,7 @@ runs:
       shell: bash
       env:
         IMAGE_REFS: ${{ inputs.image-refs }}
+        SKIP_FILES: ${{ inputs.skip-files }}
       run: |
         set -uo pipefail
         mapfile -t refs < <(echo "${IMAGE_REFS}" | jq -r '.[]')
@@ -30,8 +39,30 @@ runs:
           exit 1
         fi
 
+        trivy_cmd=(
+          trivy image
+          --timeout 30m
+          --severity CRITICAL,HIGH
+          --exit-code 1
+          --ignore-unfixed
+          --pkg-types os,library
+          --format table
+          --no-progress
+        )
+
+        skip_patterns=()
+        while IFS= read -r pattern; do
+          [ -z "$pattern" ] && continue
+          trivy_cmd+=(--skip-files "$pattern")
+          skip_patterns+=("$pattern")
+        done <<< "${SKIP_FILES}"
+
         echo "Scanning ${#refs[@]} image(s):"
         printf '  - %s\n' "${refs[@]}"
+        if [ ${#skip_patterns[@]} -gt 0 ]; then
+          echo "Skipping file patterns:"
+          printf '  - %s\n' "${skip_patterns[@]}"
+        fi
 
         failed=()
         for ref in "${refs[@]}"; do

.github/workflows/base.yml

@@ -21,7 +21,7 @@ permissions:
 
 jobs:
   build-base:
-    runs-on: blacksmith-8vcpu-ubuntu-2204
+    runs-on: blacksmith-16vcpu-ubuntu-2204
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -46,7 +46,8 @@ jobs:
           files: |
             official-templates/shared/versions.hcl
             official-templates/base/docker-bake.hcl
-          push: true
+          load: true
+          push: false
 
       - name: Extract image refs
         id: refs
@@ -59,10 +60,15 @@ jobs:
         with:
           image-refs: ${{ steps.refs.outputs.refs }}
 
+      - name: Push images
+        uses: ./.github/actions/docker-push
+        with:
+          image-refs: ${{ steps.refs.outputs.refs }}
+
   build-autoresearch:
     needs: build-base
     if: always() && (needs.build-base.result == 'success' || needs.build-base.result == 'skipped')
-    runs-on: blacksmith-8vcpu-ubuntu-2204
+    runs-on: blacksmith-16vcpu-ubuntu-2204
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -99,7 +105,8 @@ jobs:
           files: |
             official-templates/shared/versions.hcl
             official-templates/autoresearch/docker-bake.hcl
-          push: true
+          load: true
+          push: false
 
       - name: Extract image refs
         id: refs
@@ -114,11 +121,17 @@ jobs:
         with:
           image-refs: ${{ steps.refs.outputs.refs }}
 
+      - name: Push images
+        if: github.event_name == 'workflow_dispatch' || steps.changes.outputs.autoresearch_any_changed == 'true'
+        uses: ./.github/actions/docker-push
+        with:
+          image-refs: ${{ steps.refs.outputs.refs }}
+
   build-pytorch:
     needs: build-base
     # always() forces job run even if the dependant is skipped (but not if it failed)
     if: always() && (needs.build-base.result == 'success' || needs.build-base.result == 'skipped')
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-32vcpu-ubuntu-2404
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -156,7 +169,8 @@ jobs:
           files: |
             official-templates/shared/versions.hcl
             official-templates/pytorch/docker-bake.hcl
-          push: true
+          load: true
+          push: false
 
       - name: Extract image refs
         id: refs
@@ -168,5 +182,11 @@ jobs:
       - name: Grype scan
         if: github.event_name == 'workflow_dispatch' || steps.changes.outputs.pytorch_any_changed == 'true'
         uses: ./.github/actions/grype
+        with:
+          image-refs: ${{ steps.refs.outputs.refs }}
+
+      - name: Push images
+        if: github.event_name == 'workflow_dispatch' || steps.changes.outputs.pytorch_any_changed == 'true'
+        uses: ./.github/actions/docker-push
         with:
           image-refs: ${{ steps.refs.outputs.refs }}

.github/workflows/hadolint-pr.yml

@@ -13,12 +13,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # Add rows when new top-level Dockerfiles appear (e.g. nvidia-pytorch).
-        dockerfile:
-          - official-templates/base/Dockerfile
-          - official-templates/pytorch/Dockerfile
-          - official-templates/autoresearch/Dockerfile
-          - helper-templates/verify-nccl/Dockerfile
+        include:
+          - dockerfile: official-templates/base/Dockerfile
+            ignore: DL3006,DL3008,DL3013,DL3022
+          - dockerfile: official-templates/pytorch/Dockerfile
+            ignore: "DL3013,DL3006"
+          - dockerfile: official-templates/autoresearch/Dockerfile
+            ignore: "DL3006"
+          - dockerfile: helper-templates/verify-nccl/Dockerfile
+            ignore: "DL3008"
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -31,4 +34,5 @@ jobs:
           dockerfile: ${{ matrix.dockerfile }}
           failure-threshold: warning
           format: tty
-          output-file: /dev/stdout
+          output-file: /dev/stdout
+          ignore: ${{ matrix.ignore }}

.github/workflows/hadolint-push.yml

@@ -15,12 +15,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # Add rows when new top-level Dockerfiles appear
-        dockerfile:
-          - official-templates/base/Dockerfile
-          - official-templates/pytorch/Dockerfile
-          - official-templates/autoresearch/Dockerfile
-          - helper-templates/verify-nccl/Dockerfile
+        include:
+          - dockerfile: official-templates/base/Dockerfile
+            ignore: DL3006,DL3008,DL3013,DL3022
+          - dockerfile: official-templates/pytorch/Dockerfile
+            ignore: "DL3013,DL3006"
+          - dockerfile: official-templates/autoresearch/Dockerfile
+            ignore: "DL3006"
+          - dockerfile: helper-templates/verify-nccl/Dockerfile
+            ignore: "DL3008"
     steps:
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/nvidia.yml

@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   build-nvidia:
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-32vcpu-ubuntu-2404
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -40,7 +40,8 @@ jobs:
           files: |
             official-templates/shared/versions.hcl
             official-templates/nvidia-pytorch/docker-bake.hcl
-          push: true
+          load: true
+          push: false
 
       - name: Extract image refs
         id: refs
@@ -52,3 +53,13 @@ jobs:
         uses: ./.github/actions/grype
         with:
           image-refs: ${{ steps.refs.outputs.refs }}
+          skip-files: |
+            **/civetweb/resources/cert/*
+            **/civetweb/resources/ssl_cert.pem
+            **/civetweb/resources/server.pem
+            **/civetweb/resources/server_bkup.pem
+
+      - name: Push images
+        uses: ./.github/actions/docker-push
+        with:
+          image-refs: ${{ steps.refs.outputs.refs }}

.github/workflows/rocm.yml

@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   build-rocm:
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    runs-on: blacksmith-32vcpu-ubuntu-2404
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -40,7 +40,8 @@ jobs:
           files: |
             official-templates/shared/versions.hcl
             official-templates/rocm/docker-bake.hcl
-          push: true
+          load: true
+          push: false
 
       - name: Extract image refs
         id: refs
@@ -50,5 +51,15 @@ jobs:
 
       - name: Grype scan
         uses: ./.github/actions/grype
+        with:
+          image-refs: ${{ steps.refs.outputs.refs }}
+          skip-files: |
+            **/civetweb/resources/cert/*
+            **/civetweb/resources/ssl_cert.pem
+            **/civetweb/resources/server.pem
+            **/civetweb/resources/server_bkup.pem
+
+      - name: Push images
+        uses: ./.github/actions/docker-push
         with:
           image-refs: ${{ steps.refs.outputs.refs }}

helper-templates/verify-nccl/Dockerfile

@@ -10,11 +10,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     pciutils \
     && rm -rf /var/lib/apt/lists/*
 
-RUN git clone https://github.com/NVIDIA/cuda-samples.git && \
-    cd cuda-samples/Samples/0_Introduction/simpleP2P && \
-    make
+RUN git clone https://github.com/NVIDIA/cuda-samples.git 
+
+WORKDIR /verify-nccl/cuda-samples/Samples/0_Introduction/simpleP2P
+
+RUN make
 
 COPY --chmod=755 check_nccl.sh .
 
 # Start Container
-CMD tail -f /dev/null
+CMD ["tail", "-f", "/dev/null"]

official-templates/autoresearch/Dockerfile

@@ -1,8 +1,10 @@
 ARG BASE_IMAGE=non-existing
 FROM ${BASE_IMAGE}
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 # Install runpodctl for pod management (scaling up GPUs)
-ARG RUNPODCTL_VERSION=v2.1.6
+ARG RUNPODCTL_VERSION=v2.3.0
 RUN wget -qO- https://github.com/runpod/runpodctl/releases/download/${RUNPODCTL_VERSION}/runpodctl-linux-amd64.tar.gz | \
     tar -xz -C /usr/local/bin runpodctl
 
@@ -14,10 +16,8 @@ RUN git clone --branch ${AUTORESEARCH_REF} --depth 1 \
 WORKDIR /opt/autoresearch
 
 # Install Python dependencies
-RUN uv sync
-
-# Download data and train tokenizer (~2 min)
-RUN uv run prepare.py
+RUN uv sync && \
+    uv run prepare.py # Download data and train tokenizer (~2 min)
 
 # On first boot: copy source files to /workspace (lightweight, persists edits)
 # and symlink .venv back to /opt (12GB, stays on fast container layer)