From d60124f1bdb67fc6350e34ce67c6b2355921db72 Mon Sep 17 00:00:00 2001
From: Josh Knapp <shadow@dao-mail.com>
Date: Thu, 16 Apr 2026 09:09:30 -0700
Subject: [PATCH] Fix CI: harden version computation and Dockerfile apt retries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two fixes for the v0.3.x initial build failures:

1. **Compute Version step**: When no tags match v0.3.*, `grep` returns
   exit 1 which under `pipefail` killed the step before the empty-tag
   fallback could run. Added `|| true` to the pipeline so the fallback
   (`git rev-list --count HEAD`) runs correctly on first 0.3.x build.

2. **Dockerfile apt-get update**: Transient archive.ubuntu.com mirror
   sync failures (stale Packages.gz with mismatched hash) broke the
   GitHub CLI install step. Added a shell retry loop (5 attempts with
   10s sleep, clearing /var/lib/apt/lists/* between retries) to both
   the main system packages step and the GitHub CLI step, plus
   Acquire::Retries=3 on the other apt-get update calls for transient
   network failures.

Also includes the Cargo.lock 0.2.0 → 0.3.0 rev that went with the
previous version bump commit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/build-app.yml |  3 ++-
 app/src-tauri/Cargo.lock       |  2 +-
 container/Dockerfile           | 24 ++++++++++++++++++++----
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/build-app.yml b/.gitea/workflows/build-app.yml
index a19c7dd..c504969 100644
--- a/.gitea/workflows/build-app.yml
+++ b/.gitea/workflows/build-app.yml
@@ -40,7 +40,8 @@ jobs:
           echo "Major.Minor: ${MAJOR_MINOR}"
 
           # Find the latest tag matching v{MAJOR_MINOR}.N (exclude -mac, -win suffixes)
-          LATEST_TAG=$(git tag -l "v${MAJOR_MINOR}.*" --sort=-v:refname | grep -E "^v${MAJOR_MINOR}\.[0-9]+$" | head -1)
+          # `|| true` so an empty grep result doesn't fail the step under pipefail.
+          LATEST_TAG=$(git tag -l "v${MAJOR_MINOR}.*" --sort=-v:refname | grep -E "^v${MAJOR_MINOR}\.[0-9]+$" | head -1 || true)
 
           if [ -n "$LATEST_TAG" ]; then
             echo "Latest matching tag: ${LATEST_TAG}"
diff --git a/app/src-tauri/Cargo.lock b/app/src-tauri/Cargo.lock
index 72f8a3a..a2da61a 100644
--- a/app/src-tauri/Cargo.lock
+++ b/app/src-tauri/Cargo.lock
@@ -4950,7 +4950,7 @@ dependencies = [
 
 [[package]]
 name = "triple-c"
-version = "0.2.0"
+version = "0.3.0"
 dependencies = [
  "axum",
  "base64 0.22.1",
diff --git a/container/Dockerfile b/container/Dockerfile
index 5499f68..0cb4a3e 100644
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -5,7 +5,17 @@ FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
 
 # ── System packages ──────────────────────────────────────────────────────────
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# The shell retry loop handles transient mirror-sync failures where
+# archive.ubuntu.com returns stale Packages.gz files with mismatched hashes
+# during hourly resyncs. Clearing /var/lib/apt/lists/* between attempts
+# forces a fresh fetch.
+RUN for i in 1 2 3 4 5; do \
+        apt-get -o Acquire::Retries=3 update && break; \
+        echo "apt-get update failed (attempt $i), retrying in 10s..."; \
+        rm -rf /var/lib/apt/lists/*; \
+        sleep 10; \
+    done \
+    && apt-get install -y --no-install-recommends \
     git \
     curl \
     wget \
@@ -38,7 +48,13 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
     && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
     > /etc/apt/sources.list.d/github-cli.list \
-    && apt-get update && apt-get install -y gh \
+    && for i in 1 2 3 4 5; do \
+        apt-get -o Acquire::Retries=3 update && break; \
+        echo "apt-get update failed (attempt $i), retrying in 10s..."; \
+        rm -rf /var/lib/apt/lists/*; \
+        sleep 10; \
+    done \
+    && apt-get install -y gh \
     && rm -rf /var/lib/apt/lists/*
 
 # ── Node.js LTS (22.x) + pnpm ───────────────────────────────────────────────
@@ -48,7 +64,7 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
     && npm install -g pnpm
 
 # ── Python 3 + pip + uv + ruff ──────────────────────────────────────────────
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get -o Acquire::Retries=3 update && apt-get install -y --no-install-recommends \
     python3 \
     python3-pip \
     python3-venv \
@@ -61,7 +77,7 @@ RUN install -m 0755 -d /etc/apt/keyrings \
     && chmod a+r /etc/apt/keyrings/docker.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
     > /etc/apt/sources.list.d/docker.list \
-    && apt-get update && apt-get install -y docker-ce-cli \
+    && apt-get -o Acquire::Retries=3 update && apt-get install -y docker-ce-cli \
     && rm -rf /var/lib/apt/lists/*
 
 # ── AWS CLI v2 ───────────────────────────────────────────────────────────────