Add Docker configuration for Maya1 TTS deployment

[hasithdd]

Maya1 TTS Docker Deployment

This directory contains the configuration for deploying Maya1 TTS using Docker.

Prerequisites

• Docker installed
• NVIDIA GPU with drivers installed
• NVIDIA Container Toolkit installed (for GPU support)

Files

• Dockerfile: The Docker image definition.
• docker-gpu.sh: Helper script to build and run the container with GPU support.
• .dockerignore: Specifies files to exclude from the build context.

Usage

Using the helper script

Run the following command from the project root or the docker directory:

./docker/docker-gpu.sh

This will:

1. Build the Docker image maya1-tts.
2. Run the container with all available GPUs.
3. Expose the API on port 8000.

Manual Build and Run

Build:

docker build -t maya1-tts -f docker/Dockerfile .

Run:

docker run --gpus all --ipc=host -p 8000:8000 maya1-tts

Notes

• The container uses nvidia/cuda:12.1.1-devel-ubuntu22.04 as the base image.
• It installs Python 3.10 and all dependencies from requirements.txt.
• The API is available at http://localhost:8000.
• Health check is available at http://localhost:8000/health.

Summary by CodeRabbit

• New Features

  • Added GPU-enabled Docker containerization to run the app in a production-ready container with a /health endpoint.

• Documentation

  • Added Docker deployment guide detailing prerequisites and how to build/run the GPU-enabled container.

• Chores

  • Added .dockerignore rules to reduce build context.
  • Added CI workflow to build, publish, and optionally sign Docker images.

• Utilities

  • Added a helper script to build and run the GPU-enabled container locally.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds Docker-based containerization and CI: a CUDA-backed Dockerfile, docker/.dockerignore, a GPU helper script, Docker README, and a GitHub Actions workflow to build/publish (and optionally sign) images. No API or exported-entity changes.

Changes

Cohort / File(s)	Summary
Dockerignore docker/.dockerignore	Adds ignore patterns to exclude VCS, virtualenvs, Python caches/artifacts, macOS metadata, logs, hf_space, and docker/ from Docker build context (e.g., .git, .gitignore, venv/, __pycache__/, *.pyc, .DS_Store, logs/, hf_space/, docker/).
Dockerfile docker/Dockerfile	New CUDA-based container image (base: nvidia/cuda:12.8.0-devel-ubuntu22.04); sets DEBIAN_FRONTEND and Python env vars, installs system packages (python3, python3-pip, python3-dev, git, libsndfile1, ffmpeg, curl), upgrades pip, installs Python deps from requirements.txt, copies application files (maya1/, server.sh, samples.txt, README.md), creates logs/, exposes port 8000, adds a curl-based HEALTHCHECK /health, and launches uvicorn maya1.api_v2:app.
Docs docker/README.md	New README describing Docker deployment prerequisites (Docker, NVIDIA GPU & toolkit), included files, helper script usage, manual build/run commands, notes on base image and Python, API URL (http://localhost:8000) and health endpoint.
Helper Script docker/docker-gpu.sh	New bash helper to build image maya1-tts and run a GPU-enabled container (GPU access, IPC share, port 8000, named container, removed on exit); prints colored status messages and exits nonzero on build failure.
CI / Publish .github/workflows/docker-publish.yml	New GitHub Actions workflow "Docker Build and Publish": triggers on pushes to master, semver tags, and PRs to master; sets up buildx, conditionally logs into registry and pushes images (skips push/sign for PRs), extracts metadata, builds/pushes to ghcr.io/${{ github.repository }}, and optionally signs images with cosign.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Script as docker/docker-gpu.sh
    participant GH as GitHub Actions
    participant Builder as Docker Buildx
    participant Registry as ghcr.io
    participant Image as maya1-tts image
    participant Container as Running Container
    participant App as uvicorn (maya1.api_v2:app)
    participant Health as /health endpoint

    Dev->>Script: run helper (local build & run)
    Script->>Builder: docker build -f docker/Dockerfile
    Builder-->>Image: built image (maya1-tts)
    Script->>Container: docker run --gpus ... -p 8000:8000
    Container->>App: start uvicorn
    Dev->>Health: GET /health
    App-->>Health: 200 OK

    Note over GH,Registry: CI flow (on push/tags/PR)
    GH->>Builder: build & (conditionally) push
    Builder-->>Registry: push image (skip on PRs)
    GH->>Registry: (conditional) cosign sign

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Pay attention to:
  • docker/Dockerfile: base image choice, package install ordering, HEALTHCHECK correctness, sensitive/copied files.
  • .github/workflows/docker-publish.yml: conditional behavior for PRs, registry auth, metadata/tags and cosign signing steps.
  • docker/docker-gpu.sh: correctness of docker run flags (--gpus, --ipc), path handling, and error handling.

Poem

🐰 I nudge the Docker door and hop,
I stitch a CUDA shell non-stop,
Uvicorn wakes, the endpoint gleams,
Ports open wide for TTS dreams,
A rabbit ships the tiny hop. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding Docker configuration files (Dockerfile, docker-gpu.sh, .dockerignore, README.md, and GitHub Actions workflow) for deploying the Maya1 TTS service.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b9951f and 7635c56.

📒 Files selected for processing (1)

• .github/workflows/docker-publish.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/docker-publish.yml

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

docker/.dockerignore (1)

11-11: Consider clarifying the exclusion of the docker/ directory.

Excluding docker/ from the build context is functional (since the Dockerfile is specified explicitly with -f), but it's unconventional and may cause confusion for future maintainers. Consider either:

• Removing this pattern if you want the docker directory to be discoverable in the context, or
• Documenting why it's excluded if this is intentional (e.g., to reduce build context size).

docker/docker-gpu.sh (1)

11-11: Add error handling to the cd command.

If the cd command fails, the script will continue executing in the wrong directory, potentially causing the docker build to fail silently or operate on unintended context.

Apply this diff to add proper error handling:

-# Navigate to project root
-cd "$(dirname "$0")/.."
+# Navigate to project root
+cd "$(dirname "$0")/.." || { echo "Failed to navigate to project root"; exit 1; }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 63099d9 and f2ec214.

📒 Files selected for processing (4)

• docker/.dockerignore (1 hunks)
• docker/Dockerfile (1 hunks)
• docker/README.md (1 hunks)
• docker/docker-gpu.sh (1 hunks)

🧰 Additional context used

🪛 Shellcheck (0.11.0)

docker/docker-gpu.sh

[warning] 11-11: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

🔇 Additional comments (4)

docker/README.md (1)

1-51: Documentation is comprehensive and well-aligned with implementation.

The README provides clear prerequisites, usage instructions (both scripted and manual), and helpful notes. All documented details align with the Dockerfile and docker-gpu.sh script.

docker/docker-gpu.sh (1)

14-27: Build and run logic is sound.

Docker build correctly targets the Dockerfile with proper context, and the run command includes appropriate flags for GPU support, port mapping, IPC sharing, and cleanup.

docker/Dockerfile (2)

47-48: Verify the health check endpoint exists in the application.

The health check references /health, but we should confirm this endpoint exists in maya1.api_v2:app before deployment.

Please verify that the application exposes a health check endpoint at /health. You can inspect the application code or test the endpoint after running the container.

---

5-8: Environment variables and dependency installation are properly configured.

The environment variables are well-chosen for containerized Python applications (PYTHONUNBUFFERED, PYTHONDONTWRITEBYTECODE), TORCH_CUDA_ARCH_LIST covers modern GPUs, and pip install properly uses --no-cache-dir to minimize image size.

Also applies to: 11-32

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/docker-publish.yml (2)

34-38: Normalize the if: condition syntax for consistency.

Line 87 uses if: ${{ github.event_name != 'pull_request' }} with outer braces, while lines 35 and 47 use if: github.event_name != 'pull_request' without them. In GitHub Actions if: contexts, the outer ${{ }} are redundant (they are needed only for value interpolation, such as line 75 in the push: parameter). Normalize all if: conditions to the idiomatic format for consistency.

Apply this diff to normalize the syntax:

      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data.  If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
-       if: ${{ github.event_name != 'pull_request' }}
+       if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}

Also applies to: 86-91

---

1-91: Consider adding Build Provenance and SBOM for enhanced supply chain security.

The workflow currently signs the image with cosign, which is excellent. For further hardening:

1. Provenance attestation: docker/build-push-action@v5 supports provenance=true (default) to generate SLSA provenance, which attests to the build process and inputs.
2. Software Bill of Materials (SBOM): Enable sbom=true in the build-push-action to generate and attach a cyclonedx SBOM, improving vulnerability scanning and compliance.

These additions provide stronger guarantees about what is in the image and how it was built, which is valuable in regulated or security-sensitive environments.

If you'd like to enable SBOM and provenance, add the following to the Build and push Docker image step (lines 69–79):

       - name: Build and push Docker image
         id: build-and-push
         uses: docker/build-push-action@v5
         with:
           context: .
           file: docker/Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          provenance: true
+          sbom: true
           cache-from: type=gha
           cache-to: type=gha,mode=max

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f2ec214 and 5b9951f.

📒 Files selected for processing (2)

• .github/workflows/docker-publish.yml (1 hunks)
• docker/Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• docker/Dockerfile

🔇 Additional comments (5)

.github/workflows/docker-publish.yml (5)

3-9: Trigger configuration is well-structured.

The workflow correctly triggers on master pushes, semver tags, and PRs targeting master—supporting both development/CI on PRs and production releases on tags.

---

21-26: Permissions are appropriately scoped.

The job permissions follow the principle of least privilege: contents:read for checkout, packages:write for registry push, and id-token:write for cosign OIDC identity exchange with Sigstore.

---

61-65: Tagging strategy supports both development and release workflows.

The metadata tags include latest on the default branch (for development), branch refs, tag refs, and SHA—providing flexibility for version pinning and rollback scenarios.

---

78-79: GitHub Actions cache configuration optimizes build performance.

Using cache-from: type=gha with mode=max enables multi-stage layer caching, improving build speed on subsequent runs.

---

34-39: Version pinning and conditional execution reduce supply-chain risk.

Explicit version pins on cosign-installer@v3.5.0 (with cosign-release: v2.2.4), docker/login-action@v3, and docker/build-push-action@v5 limit exposure to unexpected upstream changes. Skipping registry login, cosign install, and image push on PR events prevents data leakage and avoids polluting the registry with PR artifacts.

Also applies to: 46-52, 69-79