From 8415be6eab0d5bbbe9249ad95d9ae0df1dacd5aa Mon Sep 17 00:00:00 2001 From: Abdelsalam Date: Tue, 30 Jun 2026 00:20:59 +0300 Subject: [PATCH] fix(base): make ChimeraX download fail loudly and retry The ChimeraX step used a silent `curl -s | grep` pipeline whose exit status is grep's: an empty or unexpected response (e.g. blocked egress from the Harbor builder) makes grep match nothing and exit 1, aborting the build with a bare "exit code 1" and zero diagnostics -- which is exactly how it failed in CI run 28394997476. Run the token dance under bash with set -euo pipefail and curl -fsS so HTTP/network errors surface, retry transient failures, print the raw response when no download URL is found, and gate apt-get install behind dpkg-deb --info so a non-.deb payload is reported instead of silently breaking the install. --- Dockerfile.base | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/Dockerfile.base b/Dockerfile.base index a2960be..2b8bb98 100644 --- a/Dockerfile.base +++ b/Dockerfile.base @@ -108,13 +108,25 @@ RUN $MAMBA_EXE remove -n lunus -y scons \ # ---------- ChimeraX ---------- ARG CHIMERAX_URL="https://www.cgl.ucsf.edu/chimerax/cgi-bin/secure/chimerax-get.py?file=current/ubuntu-22.04/chimerax-daily.deb" +# The download is a two-step token dance behind www.cgl.ucsf.edu (POST choice=Accept -> +# meta-refresh URL carrying a session ident -> follow with the cookie). Run it under bash with +# `set -euo pipefail` and `curl -fsS` so a failed request aborts loudly instead of feeding an +# empty body into grep -- a silent `curl -s | grep` masks both curl's exit code (pipe takes the +# last command's status) and the real error (grep just exits 1 on no match), which is exactly how +# this step failed in CI with a bare "exit code 1" and zero diagnostics. RUN apt-get update \ - && curl -s -c /tmp/cx_cookies -d "choice=Accept" "${CHIMERAX_URL}" \ - | grep -oP 'url=\K[^"]*' > /tmp/cx_redirect \ - && curl -s -b /tmp/cx_cookies -o /tmp/chimerax.deb \ - "https://www.cgl.ucsf.edu$(cat /tmp/cx_redirect)" \ - && apt-get install -y /tmp/chimerax.deb \ - && rm -f /tmp/chimerax.deb /tmp/cx_cookies /tmp/cx_redirect \ + && bash -euo pipefail -c '\ +url="$1"; \ +echo "ChimeraX: requesting download token..."; \ +resp="$(curl -fsS --retry 5 --retry-all-errors --retry-delay 5 --connect-timeout 30 -c /tmp/cx_cookies -d "choice=Accept" "$url")"; \ +redirect="$(printf "%s" "$resp" | grep -oP "url=\K[^\"]*" | head -n1 || true)"; \ +if [ -z "$redirect" ]; then echo "ChimeraX ERROR: no download URL in response (network block or page change). First 2KB:"; printf "%s" "$resp" | head -c 2048; echo; exit 1; fi; \ +echo "ChimeraX: downloading $redirect"; \ +curl -fsS --retry 5 --retry-all-errors --retry-delay 5 --connect-timeout 30 -b /tmp/cx_cookies -o /tmp/chimerax.deb "https://www.cgl.ucsf.edu$redirect"; \ +dpkg-deb --info /tmp/chimerax.deb >/dev/null 2>&1 || { echo "ChimeraX ERROR: downloaded file is not a valid .deb. First 512B:"; head -c 512 /tmp/chimerax.deb; echo; exit 1; }; \ +apt-get install -y /tmp/chimerax.deb \ +' _ "${CHIMERAX_URL}" \ + && rm -f /tmp/chimerax.deb /tmp/cx_cookies \ && rm -rf /var/lib/apt/lists/* \ && mkdir -p /home/dev/.config/ChimeraX