Merge pull request #253 from kylape/sync-upstream
2 parents 3227f69 + ca6ad69 commit 6831d5f

314 files changed

Lines changed: 13183 additions & 8181 deletions


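--- a/.github/ISSUE_TEMPLATE/new-release.md
+++ b/.github/ISSUE_TEMPLATE/new-release.md
@@ -21,6 +21,10 @@ This document defines the process for releasing llm-d-router.
 
 1. Permissions to push to the llm-d-router repository.
 
+1. Membership in the `@llm-d/router-release-managers` team. Tag protection on
+   `refs/tags/v*` restricts who can push release tags, which is what triggers
+   the release build.
+
 1. Set the required environment variables based on the expected release number:
 
 ```shell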
Lines changed: 41 additions & 29 deletions
@@ -1,5 +1,5 @@
11
name: Docker Build - ghcr
2-
description: Build image using buildx
2+
description: Build image using buildx. Supports pushing to a registry or exporting to an output.
33
inputs:
44
docker-file:
55
required: true
@@ -11,43 +11,55 @@ inputs:
1111
required: true
1212
description: Image tag
1313
github-token:
14-
required: true
15-
description: GitHub token for login
14+
required: false
15+
description: GitHub token for registry login. Required when push is true.
16+
default: ''
1617
registry:
1718
required: true
18-
description: Container registry (e.g., ghcr.io/llm-d)
19+
description: GHCR namespace (e.g., ghcr.io/llm-d)
1920
prerelease:
20-
required: true
21+
required: false
2122
description: indicates whether or not this is a pre-release (not a release) build
23+
default: 'false'
24+
push:
25+
required: false
26+
description: Push the built image to the registry. Set to false to export via buildx-outputs instead.
27+
default: 'true'
28+
buildx-outputs:
29+
required: false
30+
description: Buildx outputs value when push is false, such as type=docker,dest=<path>/image.tar.
31+
default: ''
32+
commit-sha:
33+
required: false
34+
description: Git commit SHA to embed via COMMIT_SHA build arg
35+
default: ''
2236
runs:
2337
using: "composite"
2438
steps:
2539
- name: Set up Docker Buildx
2640
uses: docker/setup-buildx-action@v4
2741

2842
- name: Login to GitHub Container Registry
29-
run: echo "${{ inputs.github-token }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
30-
shell: bash
31-
32-
- name: Print image info
33-
run: |
34-
echo "Image name: ${{ inputs.image-name }}"
35-
echo "Tag: ${{ inputs.tag }}"
36-
echo "Registry: ${{ inputs.registry }}"
37-
shell: bash
43+
if: inputs.push == 'true'
44+
uses: docker/login-action@v4
45+
with:
46+
registry: ghcr.io
47+
username: ${{ github.actor }}
48+
password: ${{ inputs.github-token }}
3849

39-
- name: Build image and push
40-
run: |
41-
if [[ ${{ inputs.prerelease }} == "true" ]]; then
42-
LATEST_TAG=""
43-
else
44-
LATEST_TAG="-t ${{ inputs.registry }}/${{ inputs.image-name }}:latest"
45-
fi
46-
docker buildx build \
47-
--platform linux/amd64,linux/arm64 \
48-
--cache-from type=gha,scope=${{ inputs.image-name }} \
49-
--cache-to type=gha,mode=max,scope=${{ inputs.image-name }} \
50-
--build-arg LDFLAGS="-s -w" \
51-
-t ${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.tag }} \
52-
${LATEST_TAG} -f ${{ inputs.docker-file }} --push .
53-
shell: bash
50+
- name: Build image
51+
uses: docker/build-push-action@v6
52+
with:
53+
file: ${{ inputs.docker-file }}
54+
push: ${{ inputs.push == 'true' }}
55+
outputs: ${{ inputs.buildx-outputs }}
56+
platforms: ${{ inputs.push != 'true' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
57+
tags: |
58+
${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.tag }}
59+
${{ inputs.push == 'true' && inputs.prerelease != 'true' && format('{0}/{1}:latest', inputs.registry, inputs.image-name) || '' }}
60+
build-args: |
61+
LDFLAGS=-s -w
62+
COMMIT_SHA=${{ inputs.commit-sha || 'unknown' }}
63+
BUILD_REF=${{ inputs.tag || 'unknown' }}
64+
cache-from: type=gha,scope=${{ inputs.image-name }}
65+
cache-to: type=gha,mode=max,scope=${{ inputs.image-name }}
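Review bot: `docker/login-action@v4` and `docker/build-push-action@v6` (new lines 44 and 51 of this hunk) are pinned to mutable major tags, whereas the E2E runner-setup action added in this same commit pins `justinthelaw/maximize-github-runner-space` to a full commit SHA with the version in a trailing comment; the same tag-only pinning appears on `actions/cache@v5` in that action and on `actions/dependency-review-action@v5` in the new dependency-review workflow. Pinning to the commit with the version as a comment, `uses: docker/login-action@<pinned-commit-sha> # v4`, keeps the Dependabot update flow working and removes the tag-retargeting risk for the steps that handle the registry token. Separately, `github-token` now defaults to `''` (new line 16) but nothing checks it is set when `push` is `'true'`; a description hint such as `description: GitHub token for registry login. Required when push is true; the login step fails if it is empty.` would make the failure mode explicit. The file path for this section is not shown on the page; it appears to be the `docker-build-and-push` composite action referenced from ci-build-images.yaml.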
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
name: E2E runner setup
2+
description: Frees disk space and restores Go module/build caches for an e2e runner.
3+
outputs:
4+
go-mod-cache:
5+
description: Absolute path to the Go module cache directory
6+
value: ${{ steps.go-cache.outputs.mod }}
7+
go-build-cache:
8+
description: Absolute path to the Go build cache directory
9+
value: ${{ steps.go-cache.outputs.build }}
10+
runs:
11+
using: "composite"
12+
steps:
13+
# Custom profile with directory-only removals.
14+
# cleanup-profile: max frees more space but takes longer.
15+
- name: Free disk space
16+
# justinthelaw/maximize-github-runner-space@v0.9.0
17+
uses: justinthelaw/maximize-github-runner-space@ed391644e646cac4b88480d2f9b12d135f1ccf77
18+
with:
19+
cleanup-profile: custom
20+
remove-android: 'true'
21+
remove-dotnet: 'true'
22+
remove-haskell: 'true'
23+
remove-codeql: 'true'
24+
remove-cached-tools: 'false'
25+
remove-swift: 'true'
26+
remove-julia: 'true'
27+
remove-rust: 'true'
28+
remove-miniconda: 'true'
29+
swapfile-size: 0
30+
31+
- name: Create Go cache dirs
32+
id: go-cache
33+
shell: bash
34+
run: |
35+
mkdir -p "$HOME/.cache/llm-d-gomodcache" "$HOME/.cache/llm-d-gobuildcache"
36+
echo "mod=$HOME/.cache/llm-d-gomodcache" >> "$GITHUB_OUTPUT"
37+
echo "build=$HOME/.cache/llm-d-gobuildcache" >> "$GITHUB_OUTPUT"
38+
39+
- name: Cache Go modules and build cache
40+
uses: actions/cache@v5
41+
with:
42+
path: |
43+
${{ steps.go-cache.outputs.mod }}
44+
${{ steps.go-cache.outputs.build }}
45+
key: go-cache-${{ runner.os }}-${{ hashFiles('go.sum') }}
46+
restore-keys: |
47+
go-cache-${{ runner.os }}-

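--- a/.github/actions/trivy-scan/action.yml
+++ b/.github/actions/trivy-scan/action.yml
@@ -2,8 +2,17 @@ name: Trivy Scan
 description: Scan container image with official Aqua Security Trivy action
 inputs:
   image:
-    required: true
-    description: "Image to scan (e.g., 'my-repo/my-image:latest')"
+    required: false
+    default: ''
+    description: "Image reference to scan (e.g., 'my-repo/my-image:latest'). Mutually exclusive with 'tarball'."
+  tarball:
+    required: false
+    default: ''
+    description: "Path to a local image tarball to scan (e.g. /tmp/image.tar from buildx type=docker,dest=...). Mutually exclusive with 'image'."
+  severity:
+    required: false
+    default: 'HIGH,CRITICAL'
+    description: "Comma-separated severities that fail the scan (e.g. 'CRITICAL' or 'MEDIUM,HIGH,CRITICAL')."
 
 runs:
   using: "composite"
@@ -12,9 +21,10 @@ runs:
       uses: aquasecurity/trivy-action@v0.36.0 # v0.36.0 ed142fd0673e97e23eac54620cfb913e5ce36c25
       with:
         image-ref: ${{ inputs.image }}
+        input: ${{ inputs.tarball }}
         format: 'sarif'
         output: 'trivy-results.sarif'
-        severity: 'HIGH,CRITICAL'
+        severity: ${{ inputs.severity }}
         exit-code: '1'
 
     - name: Upload Trivy SARIF to Security tab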
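Review bot: Neither `image` nor `tarball` is required any more and the "mutually exclusive" rule stated in their descriptions is not enforced, so a caller that sets neither hands the Trivy step an empty `image-ref` and an empty `input` (new lines 23–24) and fails with whatever error Trivy produces for a missing target, while a caller that sets both depends on which one the action happens to prefer. A short validation step before the scan makes the contract explicit; reading the inputs through `env:` instead of interpolating `${{ }}` into the script keeps the check free of expression injection. While here, the pinning on the context line `uses: aquasecurity/trivy-action@v0.36.0 # v0.36.0 ed142fd…` is inverted: the commit SHA sits in the comment and the mutable tag is the ref, so the comment pins nothing.
```yaml
    - name: Validate scan target
      shell: bash
      env:
        IMAGE: ${{ inputs.image }}
        TARBALL: ${{ inputs.tarball }}
      run: |
        if [ -z "$IMAGE" ] && [ -z "$TARBALL" ]; then
          echo "::error::set exactly one of 'image' or 'tarball'"
          exit 1
        fi
        if [ -n "$IMAGE" ] && [ -n "$TARBALL" ]; then
          echo "::error::'image' and 'tarball' are mutually exclusive"
          exit 1
        fi
    # … unchanged: Trivy scan step and SARIF upload …
```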

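--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -53,3 +53,7 @@ updates:
       - "dependencies"
     commit-message:
       prefix: "deps(docker)"
+    ignore:
+      # dependabot covers patches only
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]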
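Review bot: The `ignore` block at new lines 56–59 suppresses every minor and major bump for this ecosystem, and as far as I recall Dependabot applies `ignore` conditions to security updates as well as version updates, so a base-image fix that ships only under a new minor or major tag would not be proposed either — worth confirming against the Dependabot docs before relying on this. The enclosing `updates` entry starts outside the hunk; from the `deps(docker)` prefix it looks like the docker ecosystem. If the goal is only to cut version-bump noise, narrow the rule to specific base images via `dependency-name`, or spell out the trade-off in the comment, e.g. `# patch-only: minor/major base-image bumps (security fixes included) are reviewed manually`.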

.github/workflows/auto-assign.yaml

Lines changed: 0 additions & 84 deletions
This file was deleted.

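--- a/.github/workflows/check-typos.yaml
+++ b/.github/workflows/check-typos.yaml
@@ -20,5 +20,5 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Check typos
-        uses: crate-ci/typos@v1.46.3
+        uses: crate-ci/typos@v1.47.2
 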
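--- a/.github/workflows/ci-build-images.yaml
+++ b/.github/workflows/ci-build-images.yaml
@@ -32,41 +32,67 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v6
 
-      - name: Build and push EPP image
+      - name: Build AMD64 EPP image (no push)
         uses: ./.github/actions/docker-build-and-push
         with:
           docker-file: Dockerfile.epp
           tag: ${{ inputs.tag }}
           image-name: ${{ inputs.epp-image-name }}
           registry: ghcr.io/llm-d
-          github-token: ${{ github.token }}
-          prerelease: ${{ inputs.prerelease }}
+          push: 'false'
+          buildx-outputs: type=docker,dest=/tmp/epp-image.tar
 
-      - name: Run Trivy scan on EPP image
+      # Gate the push on the scan: a HIGH/CRITICAL by default when not set but configurable
+      - name: Run Trivy scan for EPP on AMD64
         uses: ./.github/actions/trivy-scan
         with:
-          image: ghcr.io/llm-d/${{ inputs.epp-image-name }}:${{ inputs.tag }}
+          tarball: /tmp/epp-image.tar
+
+      # Re-run the build with push enabled with: cache-to/cache-from type=gha
+      - name: Push EPP image for both AMD64 and ARM64
+        uses: ./.github/actions/docker-build-and-push
+        with:
+          docker-file: Dockerfile.epp
+          tag: ${{ inputs.tag }}
+          image-name: ${{ inputs.epp-image-name }}
+          registry: ghcr.io/llm-d
+          github-token: ${{ github.token }}
+          prerelease: ${{ inputs.prerelease }}
+          commit-sha: ${{ github.sha }}
+          push: 'true'
 
   build-sidecar:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source
         uses: actions/checkout@v6
 
-      - name: Build and push sidecar image
+      - name: Build sidecar AMD64 image (no push)
         uses: ./.github/actions/docker-build-and-push
         with:
           docker-file: Dockerfile.sidecar
           tag: ${{ inputs.tag }}
           image-name: ${{ inputs.sidecar-image-name }}
           registry: ghcr.io/llm-d
-          github-token: ${{ github.token }}
-          prerelease: ${{ inputs.prerelease }}
+          push: 'false'
+          buildx-outputs: type=docker,dest=/tmp/sidecar-image.tar
 
-      - name: Run Trivy scan on sidecar image
+      - name: Run Trivy scan on sidecar image on AMD64
         uses: ./.github/actions/trivy-scan
         with:
-          image: ghcr.io/llm-d/${{ inputs.sidecar-image-name }}:${{ inputs.tag }}
+          tarball: /tmp/sidecar-image.tar
+
+      - name: Push sidecar image for both AMD64 and ARM64
+        uses: ./.github/actions/docker-build-and-push
+        with:
+          docker-file: Dockerfile.sidecar
+          tag: ${{ inputs.tag }}
+          image-name: ${{ inputs.sidecar-image-name }}
+          registry: ghcr.io/llm-d
+          github-token: ${{ github.token }}
+          prerelease: ${{ inputs.prerelease }}
+          commit-sha: ${{ github.sha }}
+          push: 'true'
 
   push-helm-charts:
     needs: [build-epp, build-sidecar]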
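Review bot: The image that gets scanned is not the image that gets pushed: the no-push builds at new lines 35–43 and 70–78 omit `commit-sha`, while the push builds at 52–62 and 85–95 pass `commit-sha: ${{ github.sha }}`, and the composite action turns that into the `COMMIT_SHA` build arg, so every layer from the first use of that arg onward is rebuilt in the push step rather than served from the gha cache — and the arm64 variant is never scanned at all. Adding `commit-sha: ${{ github.sha }}` to both no-push builds keeps the build args identical so cache hits cover the same layers, but real gating needs a scan of what was actually pushed, for example a post-push Trivy run on the registry digest through the action's `image` input, or base images pinned by digest in the Dockerfiles so a rebuild cannot pull different content. The comment at new line 45 reads oddly; suggest `# Gate the push on the scan: fails on HIGH/CRITICAL by default, configurable via the trivy-scan severity input`.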
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
name: CI - Dependency Review
2+
on:
3+
pull_request:
4+
branches:
5+
- main
6+
permissions:
7+
contents: read
8+
concurrency:
9+
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
10+
cancel-in-progress: true
11+
jobs:
12+
dependency-review:
13+
runs-on: ubuntu-latest
14+
steps:
15+
- name: Checkout source
16+
uses: actions/checkout@v6
17+
- name: Dependency review
18+
uses: actions/dependency-review-action@v5
19+
with:
20+
fail-on-severity: high
