Skip to content

Enable signing of all GGUF models #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
stefanberger wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Enable signing of all GGUF models #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a6e3b27
Add workflow that downloads a .gguf, signs it, and uploads the signature
stefanberger Jul 17, 2025
9d760ba
Delete existing signature before upload of quanitized model
stefanberger Jul 21, 2025
1673c6b
Introduce switch to signing of models
stefanberger Jul 21, 2025
0d233db
Introduce switch to enable doing a token exchange for signing
stefanberger Jul 19, 2025
ce386a1
Enable signing of embedding models
stefanberger Jul 19, 2025
ead255c
Enable signing of language models
stefanberger Jul 18, 2025
11363e6
Enable signing of Guardian models
stefanberger Jul 18, 2025
c0187cb
Enable signing of vision models
stefanberger Jul 18, 2025
17b0568
WIP: README.md: Add documentation for model signing to the README.md
stefanberger Jul 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
105 changes: 105 additions & 0 deletions .github/workflows/granite-3.2-release-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,8 @@ env:
TARGET_HF_REPO_NAME_EXT: -GGUF
TARGET_HF_REPO_OWNER: mrutkows
TARGET_HF_REPO_PRIVATE: false
TARGET_HF_REPO_SIGN_MODELS: true
TARGET_HF_REPO_DO_TOKEN_EXCHANGE: false
COLLECTION_CONFIG: "resources/json/latest/hf_collection_mapping_gguf.json"

jobs:
Expand All @@ -104,6 +106,8 @@ jobs:
target_repo_private: ${{ steps.set-vars.outputs.target_repo_private }}
target_repo_owner: ${{ steps.set-vars.outputs.target_repo_owner }}
target_repo_name_ext: ${{ steps.set-vars.outputs.target_repo_name_ext }}
target_repo_sign_models: ${{ steps.set-vars.outputs.target_repo_sign_models }}
target_repo_do_token_exchange: ${{ steps.set-vars.outputs.target_repo_do_token_exchange }}
source_language_repos: "${{ steps.set-vars.outputs.source_language_repos }}"
target_language_quantizations: "${{ steps.set-vars.outputs.target_language_quantizations }}"
source_vision_repos: "${{ steps.set-vars.outputs.source_vision_repos }}"
Expand All @@ -130,6 +134,8 @@ jobs:
echo "hf_collection_config=$COLLECTION_CONFIG" >> "$GITHUB_OUTPUT"
echo "target_repo_owner=$TARGET_HF_REPO_OWNER" >> "$GITHUB_OUTPUT"
echo "target_repo_name_ext=$TARGET_HF_REPO_NAME_EXT" >> "$GITHUB_OUTPUT"
echo "target_repo_sign_models=$TARGET_HF_REPO_SIGN_MODELS" >> "$GITHUB_OUTPUT"
echo "target_repo_do_token_exchange=$TARGET_HF_REPO_DO_TOKEN_EXCHANGE" >> "$GITHUB_OUTPUT"
echo "source_language_repos=$SOURCE_LANGUAGE_REPOS" >> "$GITHUB_OUTPUT"
echo "target_language_quantizations=$TARGET_LANGUAGE_QUANTIZATIONS" >> "$GITHUB_OUTPUT"
echo "target_repo_private=$TARGET_HF_REPO_PRIVATE" >> "$GITHUB_OUTPUT"
Expand All @@ -151,6 +157,8 @@ jobs:
echo "hf_collection_config: '${{ steps.set-vars.outputs.hf_collection_config }}'"
echo "target_repo_owner: '${{ steps.set-vars.outputs.target_repo_owner }}'"
echo "target_repo_name_ext: '${{ steps.set-vars.outputs.target_repo_name_ext }}'"
echo "target_repo_sign_models: '${{ steps.set-vars.outputs.target_repo_sign_models }}'"
echo "target_repo_do_token_exchange: '${{ steps.set-vars.outputs.target_repo_do_token_exchange }}'"
echo "target_repo_private: '${{ steps.set-vars.outputs.target_repo_private }}'"
echo "source_language_repos: '${{ steps.set-vars.outputs.source_language_repos }}'"
echo "target_language_quantizations: '${{ steps.set-vars.outputs.target_language_quantizations }}'"
Expand Down Expand Up @@ -266,6 +274,30 @@ jobs:
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}

language-sign-models-in-repos:
if: ${{ needs.environment-setup.outputs.target_repo_sign_models == 'true' }}
needs: [ environment-setup, bvt-language-quantized-gguf-models ]
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
repo_id: ${{ fromJson(needs.environment-setup.outputs.source_language_repos) }}
quantization:
- f16
- ${{ fromJson(needs.environment-setup.outputs.target_language_quantizations) }}
uses: IBM/gguf/.github/workflows/reusable-sign-model-in-hf-repo.yml@main
with:
debug: ${{ needs.environment-setup.outputs.debug == 'true' }}
do_token_exchange: ${{ needs.environment-setup.outputs.target_repo_do_token_exchange == 'true' }}
target_repo_owner: ${{ needs.environment-setup.outputs.target_repo_owner }}
target_repo_name_ext: ${{ needs.environment-setup.outputs.target_repo_name_ext }}
repo_id: "${{ matrix.repo_id }}"
quantization: "${{ matrix.quantization }}"
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}
sigstore_sts_client_secret: ${{ secrets.SIGSTORE_STS_CLIENT_SECRET }}

# TODO: change collection from private to public (on success)
create-hf-collections:
needs: [
Expand Down Expand Up @@ -369,6 +401,31 @@ jobs:
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}

vision-sign-models-in-repos:
if: ${{ needs.environment-setup.outputs.target_repo_sign_models == 'true' }}
needs: [ environment-setup, bvt-vision-quantized-gguf-models ]
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
repo_id: ${{ fromJson(needs.environment-setup.outputs.source_vision_repos) }}
quantization:
- f16
- ${{ fromJson(needs.environment-setup.outputs.target_vision_quantizations) }}
- "fullname:mmproj-model-f16.gguf"
uses: IBM/gguf/.github/workflows/reusable-sign-model-in-hf-repo.yml@main
with:
debug: ${{ needs.environment-setup.outputs.debug == 'true' }}
do_token_exchange: ${{ needs.environment-setup.outputs.target_repo_do_token_exchange == 'true' }}
target_repo_owner: "${{ needs.environment-setup.outputs.target_repo_owner }}"
target_repo_name_ext: "${{ needs.environment-setup.outputs.target_repo_name_ext }}"
repo_id: "${{ matrix.repo_id }}"
quantization: "${{ matrix.quantization }}"
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}
sigstore_sts_client_secret: ${{ secrets.SIGSTORE_STS_CLIENT_SECRET }}

# TODO: change collection from private to public (on success)
vision-create-hf-collections:
needs: [
Expand Down Expand Up @@ -472,6 +529,30 @@ jobs:
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}

guardian-sign-models-in-repos:
if: ${{ needs.environment-setup.outputs.target_repo_sign_models == 'true' }}
needs: [ environment-setup, guardian-bvt-quantized-gguf-models ]
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
repo_id: ${{ fromJson(needs.environment-setup.outputs.source_guardian_repos) }}
quantization:
- f16
- ${{ fromJson(needs.environment-setup.outputs.target_guardian_quantizations) }}
uses: IBM/gguf/.github/workflows/reusable-sign-model-in-hf-repo.yml@main
with:
debug: ${{ needs.environment-setup.outputs.debug == 'true' }}
do_token_exchange: ${{ needs.environment-setup.outputs.target_repo_do_token_exchange == 'true' }}
target_repo_owner: ${{ needs.environment-setup.outputs.target_repo_owner }}
target_repo_name_ext: "${{ needs.environment-setup.outputs.target_repo_name_ext }}"
repo_id: ${{ matrix.repo_id }}
quantization: "${{ matrix.quantization }}"
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}
sigstore_sts_client_secret: ${{ secrets.SIGSTORE_STS_CLIENT_SECRET }}

# TODO: change collection from private to public (on success)
guardian-create-hf-collections:
needs: [
Expand Down Expand Up @@ -593,3 +674,27 @@ jobs:
target_collection_private: ${{ needs.environment-setup.outputs.target_repo_private == 'true' }}
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}

embedding-sign-models-in-repos:
if: ${{ needs.environment-setup.outputs.target_repo_sign_models == 'true' }}
needs: [ environment-setup, embedding-quantize-upload-gguf ]
permissions:
id-token: write
strategy:
fail-fast: false
matrix:
repo_id: ${{ fromJson(needs.environment-setup.outputs.source_embedding_repos) }}
quantization:
- f16
- ${{ fromJson(needs.environment-setup.outputs.target_embedding_quantizations) }}
uses: IBM/gguf/.github/workflows/reusable-sign-model-in-hf-repo.yml@main
with:
debug: ${{ needs.environment-setup.outputs.debug == 'true' }}
do_token_exchange: ${{ needs.environment-setup.outputs.target_repo_do_token_exchange == 'true' }}
repo_id: "${{ matrix.repo_id }}"
quantization: "${{ matrix.quantization }}"
target_repo_owner: ${{ needs.environment-setup.outputs.target_repo_owner }}
target_repo_name_ext: ${{ needs.environment-setup.outputs.target_repo_name_ext }}
secrets:
hf_token: ${{ secrets.HF_TOKEN_TEST }}
sigstore_sts_client_secret: ${{ secrets.SIGSTORE_STS_CLIENT_SECRET }}
9 changes: 9 additions & 0 deletions .github/workflows/reusable-quantize-llava-upload-gguf.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,15 @@ jobs:
ls -al .
echo "--------------------"

- name: delete-previous-signature
run: |
signature=${{ env.LOCAL_FNAME_QUANTIZED_GGUF }}.sig
exists=$(python ./scripts/hf_model_file_exists.py ${{ env.TARGET_REPO_ID }} ${signature} ${{secrets.hf_token}})
echo "exists: '$exists'"
if [[ "$exists" == "True" ]]; then
python ./scripts/hf_file_delete.py ${{ env.TARGET_REPO_ID }} ${signature} ${{secrets.hf_token}}
fi

- name: upload-quantized-gguf-model
run: |
echo "TARGET_REPO_ID=${{env.TARGET_REPO_ID}}"
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/reusable-quantize-upload-gguf.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -291,6 +291,16 @@ jobs:
ls -al .
echo "--------------------"

- name: delete-previous-signature
if: env.F16_OPT_ENABLED == 'true'
run: |
signature=${{ env.LOCAL_FNAME_QUANTIZED_GGUF }}.sig
exists=$(python ./scripts/hf_model_file_exists.py ${{ env.TARGET_REPO_ID }} ${signature} ${{secrets.hf_token}})
echo "exists: '$exists'"
if [[ "$exists" == "True" ]]; then
python ./scripts/hf_file_delete.py ${{ env.TARGET_REPO_ID }} ${signature} ${{secrets.hf_token}}
fi

- name: delete-previous-upload
if: env.F16_OPT_ENABLED == 'true'
run: |
Expand Down
Loading