[pull] main from llm-d:main

.github/actions/docker-build-and-push/action.yml

@@ -19,15 +19,11 @@ inputs:
   prerelease:
     required: true
     description: indicates whether or not this is a pre-release (not a release) build
-  python-version:
-    required: false
-    description: Python version to use (defaults to 3.12)
-    default: '3.12'
 runs:
   using: "composite"
   steps:
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4
 
     - name: Login to GitHub Container Registry
       run: echo "${{ inputs.github-token }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -49,7 +45,9 @@ runs:
         fi
         docker buildx build \
           --platform linux/amd64,linux/arm64 \
-          --build-arg PYTHON_VERSION=${{ inputs.python-version }} \
+          --cache-from type=gha,scope=${{ inputs.image-name }} \
+          --cache-to type=gha,mode=max,scope=${{ inputs.image-name }} \
+          --build-arg LDFLAGS="-s -w" \
           -t ${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.tag }} \
           ${LATEST_TAG} -f ${{ inputs.docker-file }} --push .
       shell: bash

.github/actions/trivy-scan/action.yml

@@ -1,19 +1,17 @@
 name: Trivy Scan
-description: Scan container image with Trivy
+description: Scan container image with official Aqua Security Trivy action
 inputs:
   image:
     required: true
+    description: "Image to scan (e.g., 'my-repo/my-image:latest')"
+
 runs:
   using: "composite"
   steps:
-    - name: Install Trivy
-      run: |
-        wget https://github.com/aquasecurity/trivy/releases/download/v0.44.1/trivy_0.44.1_Linux-64bit.deb
-        sudo dpkg -i trivy_0.44.1_Linux-64bit.deb
-      shell: bash
-
-
-    - name: Scan image
-      run: |
-        trivy image --severity HIGH,CRITICAL --no-progress ${{ inputs.image }}
-      shell: bash
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.35.0
+      with:
+        image-ref: ${{ inputs.image }}
+        format: 'table'
+        severity: 'HIGH,CRITICAL'
+        exit-code: '1'

.github/dependabot.yml

@@ -24,9 +24,9 @@ updates:
         update-types: ["version-update:semver-major", "version-update:semver-minor"]
       - dependency-name: "sigs.k8s.io/*"
         update-types: ["version-update:semver-major", "version-update:semver-minor"]
-      # Ignore major updates for all packages
+      # Ignore major updates for all Go packages
       - dependency-name: "*"
-        update-types: ["version-update:semver-major"]        
+        update-types: ["version-update:semver-major"]
     groups:
       go-dependencies:
         patterns:
@@ -46,8 +46,13 @@ updates:
       - "release-note-none"
     commit-message:
       prefix: "deps(actions)"
+    # No "ignore" block here: This allows major version updates
+    groups:
+      github-actions:
+        patterns:
+          - "*"
 
-  # 3. Docker base image updates (e.g., for Dockerfile FROM lines)
+  # 3. Docker base image updates
   - package-ecosystem: "docker"
     directory: "/"
     schedule:

.github/workflows/auto-assign.yaml

@@ -40,7 +40,7 @@ jobs:
           }
 
           # Parse OWNERS
-          while IFS= read -r line; do
+          while IFS= read -r line || [[ -n "$line" ]]; do
             # Skip comments/empty
             [[ -z "${line// }" || "$line" =~ ^[[:space:]]*# ]] && continue
 

.github/workflows/check-typos.yaml

@@ -13,5 +13,5 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Check typos
-        uses: crate-ci/typos@v1.43.5
+        uses: crate-ci/typos@v1.44.0
 

.github/workflows/ci-build-images.yaml

@@ -0,0 +1,63 @@
+name: Build and Push Container Images
+
+on:
+  workflow_call:
+    inputs:
+      epp-image-name:
+        required: true
+        type: string
+      sidecar-image-name:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+      prerelease:
+        required: true
+        type: string
+    secrets:
+      GHCR_TOKEN:
+        required: true
+
+jobs:
+  build-epp:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v6
+
+      - name: Build and push EPP image
+        uses: ./.github/actions/docker-build-and-push
+        with:
+          docker-file: Dockerfile.epp
+          tag: ${{ inputs.tag }}
+          image-name: ${{ inputs.epp-image-name }}
+          registry: ghcr.io/llm-d
+          github-token: ${{ secrets.GHCR_TOKEN }}
+          prerelease: ${{ inputs.prerelease }}
+
+      - name: Run Trivy scan on EPP image
+        uses: ./.github/actions/trivy-scan
+        with:
+          image: ghcr.io/llm-d/${{ inputs.epp-image-name }}:${{ inputs.tag }}
+
+  build-sidecar:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v6
+
+      - name: Build and push sidecar image
+        uses: ./.github/actions/docker-build-and-push
+        with:
+          docker-file: Dockerfile.sidecar
+          tag: ${{ inputs.tag }}
+          image-name: ${{ inputs.sidecar-image-name }}
+          registry: ghcr.io/llm-d
+          github-token: ${{ secrets.GHCR_TOKEN }}
+          prerelease: ${{ inputs.prerelease }}
+
+      - name: Run Trivy scan on sidecar image
+        uses: ./.github/actions/trivy-scan
+        with:
+          image: ghcr.io/llm-d/${{ inputs.sidecar-image-name }}:${{ inputs.tag }}

.github/workflows/ci-dev.yaml

@@ -0,0 +1,39 @@
+name: CI - Dev - Docker Container Image
+
+on:
+  push:
+    branches:
+      - main
+      - 'release-*'
+  workflow_dispatch:
+
+jobs:
+  set-params:
+    runs-on: ubuntu-latest
+    outputs:
+      project_name: ${{ steps.version.outputs.project_name }}
+      sidecar_name: ${{ steps.version.outputs.sidecar_name }}
+      tag: ${{ steps.tag.outputs.tag }}
+    steps:
+      - name: Set image names
+        id: version
+        run: |
+          repo="${GITHUB_REPOSITORY##*/}"
+          echo "project_name=${repo}-dev" >> "$GITHUB_OUTPUT"
+          echo "sidecar_name=llm-d-routing-sidecar-dev" >> "$GITHUB_OUTPUT"
+
+      - name: Set branch name as tag
+        id: tag
+        run: |
+          echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
+
+  build-and-push:
+    needs: set-params
+    uses: ./.github/workflows/ci-build-images.yaml
+    with:
+      epp-image-name: ${{ needs.set-params.outputs.project_name }}
+      sidecar-image-name: ${{ needs.set-params.outputs.sidecar_name }}
+      tag: ${{ needs.set-params.outputs.tag }}
+      prerelease: "true"
+    secrets:
+      GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}

.github/workflows/ci-pr-checks.yaml

@@ -16,75 +16,88 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v6
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@v4
         id: filter
         with:
           filters: |
             src:
               - '**/*.go'
-              - '**/*.py'
-              - Dockerfile.epp
-              - Dockerfile.sidecar
+              - Dockerfile.*
               - Makefile*
               - go.mod
+              - scripts/**
   lint-and-test:
     needs: check-changes
     if: ${{ needs.check-changes.outputs.src == 'true' }}
     runs-on: ubuntu-latest
     steps:
-      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@main
-        with:
-          tool-cache: false
-
       - name: Checkout source
         uses: actions/checkout@v6
 
       - name: Sanity check repo contents
         run: ls -la
 
-      - name: Extract Go version from go.mod
-        run: sed -En 's/^go (.*)$/GO_VERSION=\1/p' go.mod >> $GITHUB_ENV
+      - name: Create and resolve Go cache volumes
+        id: go-cache
+        run: |
+          docker volume create llm-d-gomodcache
+          docker volume create llm-d-gobuildcache
+          echo "mod=$(docker volume inspect llm-d-gomodcache -f '{{.Mountpoint}}')" >> $GITHUB_OUTPUT
+          echo "build=$(docker volume inspect llm-d-gobuildcache -f '{{.Mountpoint}}')" >> $GITHUB_OUTPUT
 
-      - name: Set up Go with cache
-        uses: actions/setup-go@v6
+      - name: Cache Go modules and build cache
+        uses: actions/cache@v4
         with:
-          go-version: "${{ env.GO_VERSION }}"
-          cache-dependency-path: ./go.sum
-
-      - name: Configure CGO for Python
-        run: |
-          PYTHON_INCLUDE=$(python3 -c "import sysconfig; print(sysconfig.get_path('include'))")
-          echo "CPATH=${PYTHON_INCLUDE}:${CPATH}" >> $GITHUB_ENV
-          echo "CGO_ENABLED=1" >> $GITHUB_ENV
-          echo "CGO_CFLAGS=$(python3-config --cflags --embed)" >> $GITHUB_ENV
-          echo "CGO_LDFLAGS=$(python3-config --ldflags --embed)" >> $GITHUB_ENV
+          path: |
+            ${{ steps.go-cache.outputs.mod }}
+            ${{ steps.go-cache.outputs.build }}
+          key: go-cache-${{ hashFiles('go.sum') }}
+          restore-keys: |
+            go-cache-
 
-      - name: Set PKG_CONFIG_PATH
-        run: echo "PKG_CONFIG_PATH=/usr/lib/pkgconfig" >> $GITHUB_ENV
+      - name: Run make lint
+        run: make lint
 
-      - name: Install dependencies
-        run: |
-          go mod tidy
-          sudo -E env "PATH=$PATH" make install-dependencies install-python-deps
+      - name: Run make build
+        shell: bash
+        run: make build
 
-      - name: Run lint checks
-        uses: golangci/golangci-lint-action@v9
+      # Restore the baseline saved from the last main push so the compare step
+      # can diff against it. Missing cache (first PR ever) is not an error;
+      # compare-coverage.sh reports all components as "new" and exits 0.
+      - name: Restore main branch coverage baseline
+        if: github.event_name == 'pull_request'
+        uses: actions/cache/restore@v4
         with:
-          version: "v2.8.0"
-          args: "--config=./.golangci.yml"
-          skip-cache: true
-        env:
-          CGO_ENABLED: ${{ env.CGO_ENABLED }}
-          CGO_CFLAGS: ${{ env.CGO_CFLAGS }}
-          CGO_LDFLAGS: ${{ env.CGO_LDFLAGS }}
-          CPATH: ${{ env.CPATH }}
-          PKG_CONFIG_PATH: ${{ env.PKG_CONFIG_PATH }}
+          path: coverage/baseline
+          key: coverage-main
 
-      - name: Run make build
+      - name: Run unit tests
         shell: bash
-        run: make build
+        run: make test-unit
+
+      - name: Compare coverage against main baseline
+        if: github.event_name == 'pull_request'
+        continue-on-error: true
+        shell: bash
+        run: make coverage-compare BASELINE_DIR=coverage/baseline
+
+      # Copy the freshly generated profiles into coverage/baseline so that
+      # the saved path matches the restored path on future PR runs.
+      - name: Stage coverage baseline for caching
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        shell: bash
+        run: |
+          mkdir -p coverage/baseline
+          cp coverage/*.out coverage/baseline/
+
+      - name: Save coverage baseline (main branch only)
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        uses: actions/cache/save@v4
+        with:
+          path: coverage/baseline
+          key: coverage-main
 
-      - name: Run make test
+      - name: Run make test-e2e
         shell: bash
-        run: make test
+        run: make test-e2e