feat: support vLLM nightly builds via wheels.vllm.ai

[doringeman]

Install vLLM from https://wheels.vllm.ai/{VLLM_VERSION}/{VLLM_CUDA_VERSION} instead of GitHub Releases, allowing nightly builds to be used via make docker-run-vllm VLLM_VERSION=nightly (or pinned to a specific commit hash for reproducible builds).

vLLM stable releases (0.16.x) do not yet support Qwen3.5 (#731) — support is available on the main branch ahead of 0.17.0. vLLM publishes pre-built wheels for every merged commit at wheels.vllm.ai, which this change allows us to use.

Usage

• Latest nightly

make docker-run-vllm VLLM_VERSION=nightly

E.g.,

$ docker model status | grep vllm
vllm       Running        vllm 0.16.1rc1.dev268+ge2b31243c

• Pinned to a specific commit (recommended for reproducible builds)

make docker-run-vllm VLLM_VERSION=e2b31243c092e9f4ade5ffe4bf9a5d5ddae06ca7

E.g., (intentionally the same commit as nightly)

$ docker model status | grep vllm
vllm       Running        vllm 0.16.1rc1.dev268+ge2b31243c

• Default stable release (unchanged)

make docker-run-vllm

E.g.,

$ docker model status | grep vllm
vllm       Running        vllm 0.12.0

[gemini-code-assist]

Code Review

This pull request introduces support for installing vLLM nightly builds from wheels.vllm.ai by adding a VLLM_COMMIT build argument. However, the VLLM_COMMIT build argument is handled unsafely in both the Makefile and the Dockerfile, leading to potential command injection and path traversal vulnerabilities. This could allow an attacker to execute arbitrary code on the build server, compromise the resulting Docker image, or cause pip to fetch packages from an unintended location. Strict validation for the VLLM_COMMIT argument and proper quoting in the Makefile are recommended.