@@ -874,3 +874,63 @@ jobs:
874874 else
875875 echo "No vulnerabilities found or scan failed."
876876 fi
877+
878+ release-hpu-llm-d :
879+ strategy :
880+ fail-fast : false
881+ runs-on : vllm-runner
882+ steps :
883+ - name : Checkout code
884+ uses : actions/checkout@v6
885+ with :
886+ ref : ${{ env.TAG }}
887+ fetch-depth : 0
888+
889+ - name : Log in to Container Registry
890+ uses : docker/login-action@v3
891+ with :
892+ registry : ${{ env.REGISTRY }}
893+ username : ${{ secrets.GHCR_USER }}
894+ password : ${{ secrets.GHCR_TOKEN }}
895+
896+ - name : Build and push the image
897+ id : build-and-push
898+ run : |
899+ export DEVICE=hpu
900+ export DOCKERFILE=Dockerfile.hpu
901+ export VERSION="${{ env.TAG }}"
902+ make image-build
903+ make image-push
904+ echo "tag=${{ env.TAG }}" >> $GITHUB_OUTPUT
905+ # Also tag as latest
906+ export NEW_TAG="latest"
907+ make image-retag
908+ VERSION="latest" make image-push
909+
910+ - name : Run Trivy vulnerability scanner
911+ uses : aquasecurity/trivy-action@master
912+ with :
913+ image-ref : ${{ env.REGISTRY }}/${{ github.repository }}-hpu:${{ env.TAG }}
914+ format : ' sarif'
915+ output : ' trivy-results.sarif'
916+ severity : ' CRITICAL,HIGH,MEDIUM'
917+ scanners : vuln
918+ timeout : 30m
919+ skip-dirs : /root/.cache/uv
920+ env :
921+ TRIVY_USERNAME : ${{ secrets.GHCR_USER }}
922+ TRIVY_PASSWORD : ${{ secrets.GHCR_TOKEN }}
923+
924+ - name : Upload Trivy scan results to GitHub Security tab
925+ uses : github/codeql-action/upload-sarif@v3
926+ with :
927+ sarif_file : ' trivy-results.sarif'
928+
929+ - name : Display vulnerability summary
930+ run : |
931+ echo "=== Vulnerability Scan Summary ==="
932+ if [ -f trivy-results.sarif ]; then
933+ echo "Scan completed. Check the Security tab for detailed results."
934+ else
935+ echo "No vulnerabilities found or scan failed."
936+ fi
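Review bot: `uses: aquasecurity/trivy-action@master` on the scanner step tracks a mutable branch, so the tooling that receives `GHCR_TOKEN` through `TRIVY_PASSWORD` can change under this release job without any commit here; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<pinned-commit-sha>  # vX.Y.Z` (placeholder), and consider SHA-pinning the other `uses:` lines the same way. Separately, the scan only runs after `make image-push` and the `latest` retag, and the step sets no `exit-code`, so findings never block the release and the summary step cannot distinguish "scan failed" from "clean" — if the scan is meant to gate, move it ahead of the push steps or add `exit-code: '1'` (with `ignore-unfixed: true` if the project tolerates unfixable findings) and fail the job on it. The quoted values `' sarif'`, `' trivy-results.sarif'` and `' CRITICAL,HIGH,MEDIUM'` appear to carry a leading space inside the quotes; if that is in the file rather than a rendering artifact, the output path will not match the `trivy-results.sarif` tested in the summary step and `upload-sarif` may fail, so drop the space. Whether `env.TAG`, which is interpolated directly into the `run:` script at 901 and 904, can originate from untrusted input is not visible in this hunk; if it can, read it from an env var inside the script instead of `${{ }}`.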