@mirzaim mirzaim commented Nov 21, 2025

Replace COPY scripts with bind mounts to reduce layers. For full context, check #28648.

Purpose

Test Plan

CI

Test Result



@github-actions

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors.

You ask your reviewers to trigger select CI tests on top of fastcheck CI.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

If you have any questions, please reach out to us on Slack at https://slack.vllm.ai.

🚀

@mergify mergify bot added the ci/build label Nov 21, 2025

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request aims to reduce Docker image layers by replacing COPY instructions with RUN --mount=type=bind. While this is a good practice, the implementation has a critical issue where a cache mount for the uv package manager was accidentally removed, which would regress build performance. I've also identified several places where the new bind mounts can be made read-only to improve security, and one instance of a redundant file removal command that should be deleted. My review includes suggestions to fix these issues.

Comment on lines 370 to 372
RUN --mount=type=bind,source=tools/install_deepgemm.sh,target=/tmp/install_deepgemm.sh \
VLLM_DOCKER_BUILD_CONTEXT=1 TORCH_CUDA_ARCH_LIST="9.0a 10.0a" /tmp/install_deepgemm.sh --cuda-version "${CUDA_VERSION}" ${DEEPGEMM_GIT_REF:+--ref "$DEEPGEMM_GIT_REF"}
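
Review bot: The second line runs /tmp/install_deepgemm.sh directly, so this step depends on the script carrying its execute bit in the build context, because a bind mount exposes the file with the mode it has there. The install_python_libraries.sh step in this same change invokes its script through bash; doing the same here (bash /tmp/install_deepgemm.sh ...) removes that dependency and keeps the two steps consistent.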

critical

The previous RUN command included --mount=type=cache,target=/root/.cache/uv to leverage caching for the uv package manager. This cache mount was removed in the new RUN command, which will significantly slow down Docker builds by preventing uv from using its cache. The cache mount should be restored. Additionally, for better security, the bind mount for the script should be made read-only.

RUN --mount=type=cache,target=/root/.cache/uv \
    --mount=type=bind,source=tools/install_deepgemm.sh,target=/tmp/install_deepgemm.sh,ro \
    VLLM_DOCKER_BUILD_CONTEXT=1 TORCH_CUDA_ARCH_LIST="9.0a 10.0a" /tmp/install_deepgemm.sh --cuda-version "${CUDA_VERSION}" ${DEEPGEMM_GIT_REF:+--ref "$DEEPGEMM_GIT_REF"}

Comment on lines +385 to 387
RUN --mount=type=bind,source=tools/ep_kernels/install_python_libraries.sh,target=install_python_libraries.sh \
export TORCH_CUDA_ARCH_LIST="${TORCH_CUDA_ARCH_LIST:-9.0a 10.0a+PTX}" \
&& bash install_python_libraries.sh
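
Review bot: The bind mount on the first line uses a relative target (target=install_python_libraries.sh), so where the script appears depends on whatever WORKDIR is in effect at this point in the stage. The deepgemm step mounts its script at an absolute path under /tmp; using target=/tmp/install_python_libraries.sh here and calling bash /tmp/install_python_libraries.sh would make the step independent of WORKDIR and avoid shadowing a file of the same name in the working directory.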

high

For better security and to follow the principle of least privilege, you should make the bind mount read-only using the ro option, since the script is only being executed and not modified.

RUN --mount=type=bind,source=tools/ep_kernels/install_python_libraries.sh,target=install_python_libraries.sh,ro \
    export TORCH_CUDA_ARCH_LIST="${TORCH_CUDA_ARCH_LIST:-9.0a 10.0a+PTX}" \
    && bash install_python_libraries.sh

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

*) echo "Unsupported TARGETPLATFORM: ${TARGETPLATFORM}" >&2; exit 1 ;; \
esac; \
./install_gdrcopy.sh "${GDRCOPY_OS_VERSION}" "${GDRCOPY_CUDA_VERSION}" "${UUARCH}"; \
rm ./install_gdrcopy.sh

P1: Stop deleting bind-mounted gdrcopy script

The new RUN --mount=type=bind,source=tools/install_gdrcopy.sh,target=install_gdrcopy.sh block still ends by running rm ./install_gdrcopy.sh, but bind mounts in BuildKit are read-only unless rw is specified. Under the set -e in this block, the rm now fails with a permission error, aborting the image build whenever this step runs. Because the script is only bind-mounted for the duration of the RUN, the cleanup is unnecessary and currently breaks the build.

@mirzaim mirzaim force-pushed the refactor/dockerfile/install-scripts-bind-mount branch 4 times, most recently from f470014 to 862a549 Compare November 21, 2025 21:59
@mirzaim mirzaim force-pushed the refactor/dockerfile/install-scripts-bind-mount branch from 862a549 to cf2a6e1 Compare November 21, 2025 22:02