Add Riva Speech Server as an ARM64 Docker image #91
…age and update docker-compose for environment variable handling
| runs-on: ubuntu-22.04-arm | ||
| outputs: | ||
| image-digest: ${{ steps.build.outputs.digest }} | ||
| metadata: ${{ steps.meta.outputs.json }} | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v2 | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v2 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@v4 | ||
| with: | ||
| images: openmindagi/riva-speech-server | ||
| tags: | | ||
| type=semver,pattern={{version}},prefix=v | ||
| type=semver,pattern={{major}}.{{minor}},prefix=v | ||
| type=ref,event=branch | ||
| type=sha | ||
| type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} | ||
| type=raw,value=2.24.0-l4t-aarch64 | ||
|
|
||
| - name: Build and push ARM64 image by digest | ||
| id: build | ||
| uses: docker/build-push-action@v4 | ||
| with: | ||
| context: . | ||
| file: ./docker/gpu/Dockerfile | ||
| platforms: linux/arm64 | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| outputs: type=image,name=openmindagi/riva-speech-server,push-by-digest=true,name-canonical=true,push=true | ||
|
|
||
| create-manifest: |
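Review bot: every action in this job is referenced by a floating major tag (actions/checkout@v3, docker/setup-buildx-action@v2, docker/login-action@v2, docker/metadata-action@v4, docker/build-push-action@v4), so a release build runs whatever those tags resolve to at run time; pin each `uses:` to a full commit SHA and keep the version in a trailing comment. Two further points in this hunk: the raw tag `type=raw,value=2.24.0-l4t-aarch64` is unconditional, unlike `latest` which is gated on `github.ref == 'refs/heads/main'`, so a push to any triggering branch re-points that version tag; and the build uses `file: ./docker/gpu/Dockerfile` while the PR description names `docker/Dockerfile.riva`, so confirm which file the release image is meant to be built from. The job also lacks a `permissions:` block, which the CodeQL finding on this file already calls out.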
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 1 day ago):
In general, the fix is to add an explicit permissions block to the workflow or to each job, granting only the minimal scopes required. Since this workflow only checks out code and interacts with Docker Hub and does not appear to need write access to the GitHub repository, a safe and minimal choice is contents: read at the workflow level so it applies to both jobs.
Concretely, in .github/workflows/release.yml, add a top-level permissions: section near the top of the file (for example after the on: block) with contents: read. This will limit the GITHUB_TOKEN for all jobs in this workflow to read-only repository contents while preserving current functionality. No imports or additional methods are necessary, as this is purely a YAML configuration change.
| @@ -9,6 +9,9 @@ | ||
|
|
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| build-arm64: | ||
| runs-on: ubuntu-22.04-arm |
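Review bot: the placement after `workflow_dispatch:` is fine, but `contents: read` only narrows the `GITHUB_TOKEN`; the Docker Hub push still depends entirely on `secrets.DOCKERHUB_TOKEN`, so that token should be scoped on the Docker Hub side to write access on `openmindagi/riva-speech-server` alone. This suggestion and the one that inserts the same block directly under `name:` are alternatives; apply one of them, since two top-level `permissions:` keys in one YAML mapping is a duplicate key that the workflow parser will reject.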
| runs-on: ubuntu-latest | ||
| needs: [build-arm64] | ||
| steps: | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v2 | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v2 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Create manifest list and push | ||
| run: | | ||
| # Get the metadata from arm64 build to extract tags | ||
| tags=$(echo '${{ needs.build-arm64.outputs.metadata }}' | jq -r '.tags[]') | ||
|
|
||
| # Create manifest for each tag | ||
| for tag in $tags; do | ||
| echo "Creating manifest for: $tag" | ||
|
|
||
| docker buildx imagetools create \ | ||
| --tag $tag \ | ||
| openmindagi/riva-speech-server@${{ needs.build-arm64.outputs.image-digest }} | ||
| done |
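Review bot: `tags=$(echo '${{ needs.build-arm64.outputs.metadata }}' | jq -r '.tags[]')` splices a workflow expression directly into the `run:` script text, and that JSON carries tags derived from the branch name (`type=ref,event=branch`), so branch-name content is substituted into the script before bash ever parses it. Pass it through the environment instead, e.g. `env: METADATA: ${{ needs.build-arm64.outputs.metadata }}` on the step and `tags=$(printf '%s' "$METADATA" | jq -r '.tags[]')`, and quote the loop variable as `--tag "$tag"`. Also fail explicitly when `tags` is empty: as written, an empty `jq` result makes the `for` loop run zero times and the step exits green without creating any manifest.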
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 1 day ago):
In general, the fix is to add an explicit permissions block to the workflow (either at the top level or per job) that grants only the minimal required access for the GITHUB_TOKEN. Since this workflow only needs to read the repository contents (for checkout) and does not modify GitHub resources, we can safely restrict permissions to read-only.
The best, least-invasive change is to add a top-level permissions section right under the name: (before on:). This applies to all jobs (build-arm64 and create-manifest) without needing per-job blocks. The content should be:
permissions:
  contents: read
This grants only read access to repository contents, which is sufficient for actions/checkout@v3 and any implicit GitHub API reads needed by actions. No additional imports or dependencies are required; this is purely a YAML configuration change inside .github/workflows/release.yml.
| @@ -1,5 +1,8 @@ | ||
| name: Release Riva Speech Server ARM64 Image | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
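Review bot: this hunk inserts the same `permissions:` / `contents: read` block as the other autofix, only directly under `name:` rather than after `workflow_dispatch:`; the two suggestions are alternatives, not a pair, and applying both leaves two top-level `permissions:` keys in the same mapping. Pick this position, which keeps the grant visible at the top of the file, and discard the other.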
This pull request introduces support for running the Riva Speech Server as an ARM64 Docker image, making it easier to deploy speech services on ARM-based hardware (such as NVIDIA Jetson devices). The main changes include a new Dockerfile for building the ARM64 image, a new GitHub Actions workflow for building and releasing the image, updates to the Docker Compose configuration to add the new service, and a startup script to orchestrate service startup.
ARM64 Riva Speech Server Support:
- docker/Dockerfile.riva to build an ARM64-based Riva Speech Server image, installing necessary dependencies and copying application code and scripts.
- docker/scripts/start_riva.sh to launch the Riva server and associated Python services in the container.
CI/CD and Deployment:
- .github/workflows/release.yml to automate building, tagging, and publishing the ARM64 Docker image to Docker Hub, including manifest creation for multi-arch support.
- docker/docker-compose.yml to add a riva_speech service that uses the new image, exposes relevant ports, sets environment variables, mounts model data, and configures GPU and device access.