From d9ce877a060b35f9b2d3ba4ed1ead1d6c5247d19 Mon Sep 17 00:00:00 2001
From: pxc <panxuchen.pxc@alibaba-inc.com>
Date: Fri, 28 Nov 2025 11:20:58 +0800
Subject: [PATCH 1/3] fix docker build

---
 .github/workflows/docker.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 838bd55df1..b67f65e814 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -28,6 +28,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          path: trinity-${{ github.run_id }}
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Log in to the Container registry
         uses: docker/login-action@v2
@@ -51,9 +53,9 @@ jobs:
         id: push
         uses: docker/build-push-action@v4
         with:
-          context: .
+          context: trinity-${{ github.run_id }}
           push: true
-          file: scripts/docker/Dockerfile
+          file: trinity-${{ github.run_id }}/scripts/docker/Dockerfile
           shm-size: 64g
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -65,3 +67,8 @@ jobs:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
+
+      - name: Cleanup workspace
+        if: always()
+        run: |
+          sudo rm -rf trinity-${{ github.run_id }} 2>/dev/null

From 40495cb212e5303d197a7ea6832750c92109f165 Mon Sep 17 00:00:00 2001
From: pxc <panxuchen.pxc@alibaba-inc.com>
Date: Fri, 28 Nov 2025 11:51:14 +0800
Subject: [PATCH 2/3] fix docker build

---
 .github/workflows/docker.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index b67f65e814..ddc0511758 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -71,4 +71,4 @@ jobs:
       - name: Cleanup workspace
         if: always()
         run: |
-          sudo rm -rf trinity-${{ github.run_id }} 2>/dev/null
+          rm -rf trinity-${{ github.run_id }} 2>/dev/null

From b939ae04c4e5ba822d0537769fd8e6f9bfe67223 Mon Sep 17 00:00:00 2001
From: pxc <panxuchen.pxc@alibaba-inc.com>
Date: Fri, 28 Nov 2025 12:18:00 +0800
Subject: [PATCH 3/3] fix docker build

---
 .github/workflows/docker.yaml | 12 +++++++++---
 scripts/docker/Dockerfile.uv  |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index ddc0511758..eb8c15c323 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -10,6 +10,9 @@ on:
       ref:
         description: 'The git ref (branch or tag) to build the Docker image from.'
         required: true
+      version:
+        description: 'Version tag for the Docker image (e.g., 0.3.3)'
+        required: true
 
 env:
   REGISTRY: ghcr.io
@@ -29,6 +32,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v5
         with:
+          ref: ${{ github.event.inputs.ref || github.ref }}
           path: trinity-${{ github.run_id }}
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Log in to the Container registry
@@ -44,8 +48,10 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            type=match,pattern=\d.\d.\d
-            type=sha
+            type=match,pattern=\d.\d.\d,enable=${{ github.event_name == 'release' }}
+            type=sha,enable=${{ github.event_name == 'release' }}
+            type=raw,value=${{ github.event.inputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }}
+            type=sha,enable=${{ github.event_name == 'workflow_dispatch' }}
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
@@ -71,4 +77,4 @@ jobs:
       - name: Cleanup workspace
         if: always()
         run: |
-          rm -rf trinity-${{ github.run_id }} 2>/dev/null
+          sudo rm -rf trinity-${{ github.run_id }} 2>/dev/null
diff --git a/scripts/docker/Dockerfile.uv b/scripts/docker/Dockerfile.uv
index ad653226bb..3d40a279c5 100644
--- a/scripts/docker/Dockerfile.uv
+++ b/scripts/docker/Dockerfile.uv
@@ -40,7 +40,7 @@ RUN . /opt/venv/bin/activate && \
 
 # Install flash_attn and Megatron
 RUN . /opt/venv/bin/activate && \
-    uv pip install -e.[flash_attn] && \
+    uv pip install flash_attn==2.8.1 --no-deps --no-cache-dir && \
     uv pip install -e .[megatron] && \
     NVCC_APPEND_FLAGS="--threads 4" APEX_PARALLEL_BUILD=8 \
     uv pip install -v --no-build-isolation \