feat: Create and push LCB container

[arekay-nv]

What does this PR do?

Adds script to build and create LCB container which can be used by the accuracy implementations to get LCB score. The implementation uses the src/inference_endpoint/evaluation/livecodebench/lcb_serve.dockerfile to build the container and push to the specified repository.

Type of change

• Bug fix
• New feature
• Documentation update
• Refactor/cleanup

Related issues

Testing

• Tests added/updated
• All tests pass locally
• Manual testing completed

Checklist

• Code follows project style
• Pre-commit hooks pass
• Documentation updated (if needed)

[github-actions]

MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅

[gemini-code-assist]

Code Review

This pull request introduces scripts (push_image.sh, pull_image.sh, and _image_env.sh) and updates documentation to facilitate building, pushing, and pulling a self-contained LiveCodeBench evaluator image, including support for cross-architecture builds. It also optimizes the dataset generation script (generate.py) to stream rows individually to prevent out-of-memory (OOM) errors. The review feedback suggests security enhancements in push_image.sh to avoid writing the sensitive HF_TOKEN to disk by leveraging Docker BuildKit's native environment variable secret resolution. Additionally, it recommends memory optimizations in generate.py by dropping heavy columns when test cases are not saved and deleting the row reference to release memory more effectively.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Similarly to the cross-architecture build path, we can avoid writing the sensitive HF_TOKEN to a temporary file on disk for native builds by exporting HF_TOKEN and using --secret id=HF_TOKEN directly.

Suggested change

	secret_file="$(mktemp)"
	trap 'rm -f "$secret_file"' EXIT
	printf '%s' "$HF_TOKEN" >"$secret_file"
	echo ">> Building ${LCB_LOCAL_TAG} ..."
	docker build \
	-f "${SCRIPT_DIR}/lcb_serve.dockerfile" \
	--secret "id=HF_TOKEN,src=${secret_file}" \
	-t "$LCB_LOCAL_TAG" \
	"$SCRIPT_DIR"
	echo ">> Building ${LCB_LOCAL_TAG} ..."
	export HF_TOKEN
	docker build \
	-f "${SCRIPT_DIR}/lcb_serve.dockerfile" \
	--secret id=HF_TOKEN \
	-t "$LCB_LOCAL_TAG" \
	"$SCRIPT_DIR"

[gemini-code-assist]

To fully release all references to the heavy columns before the next iteration, we should also delete the row dictionary. Since row contains the raw, large compressed strings for public_test_cases and private_test_cases, keeping it bound until the next iteration means those raw strings remain in memory longer than necessary.

Suggested change

	del public_cases, private_cases, test_case_data
	del public_cases, private_cases, test_case_data, row

[nvzhihanj]

Review Council — Multi-AI Code Review

Reviewed by: Codex (--yolo) + Claude · Depth: standard

Found 4 issues — 1 posted inline, 3 low-severity advisories in the summary comment below.

[nvzhihanj]

Review Council — Summary

Reviewed by: Codex (--yolo) + Claude · Depth: standard

Found 4 issues — 1 posted inline (medium), 3 low-severity advisories below.

#	File	Line	Severity	Category	Reviewer	Summary
1	generate.py	213	medium	data-integrity	Codex	--max-samples 0 → empty records → from_records([]) writes a schemaless parquet (old df.iloc[[]] kept columns); downstream KeyError. (posted inline)
2	pull_image.sh	81	low	documentation	Codex	--no-local-tag skips creating ${LCB_LOCAL_TAG} (lines 57–59), but the final "Run with:" echo still prints docker run … ${LCB_LOCAL_TAG} — a non-runnable command. Print ${LCB_IMAGE_REF} instead.
3	generate.py	149	low	design	Claude	Memory fix depends on the private builder._writer_batch_size; a future datasets rename would silently no-op and re-introduce the OOM. Mitigated by pinned datasets==3.6.0; consider asserting hasattr(...).
4	push_image.sh	23	low	documentation	Claude	Header comment says --install arm64 while the runtime error message (126) and README (221) say --install all. Make the three consistent.

On the existing gemini-code-assist[bot] security-high comments (push_image.sh:143, :164): the council reviewed these and assesses them as low / stylistic, not security-high. The current mktemp (mode 0600) + printf '%s' (no trailing newline) + --secret id=HF_TOKEN,src=… + trap … EXIT cleanup is a standard, acceptable way to pass a BuildKit build secret; the suggested env-based --secret id=HF_TOKEN is functionally equivalent in exposure (token still lives in the process environment) rather than a meaningful hardening. Not blocking.