fix: add retry logic to apt-get upgrade in agent Dockerfile#1781
Merged
lpcox merged 1 commit into fix/cli-proxy-dockerfile-mcpg-path on Apr 8, 2026
Copilot created this pull request from a session on behalf of lpcox (April 8, 2026 02:19)
Pull request overview
This PR improves the reliability of the agent container build by adding retry behavior around `apt-get update && apt-get upgrade`, mitigating transient Ubuntu mirror sync issues that can break CI image builds.
Changes:
- Add retry fallback for `apt-get update && apt-get upgrade -y` when the initial attempt fails.
- Clear apt lists before retrying to force a fresh package index.
- Add inline documentation describing the reason for the retry logic.
| File | Description |
|---|---|
| containers/agent/Dockerfile | Adds retry logic for the security-patch upgrade step to reduce flakiness during Docker image builds. |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 1
Comment on lines +53 to +55 of containers/agent/Dockerfile
| # Retry logic handles transient mirror sync failures during apt-get update | ||
| RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/* || \ | ||
| (echo "apt-get upgrade failed, retrying with fresh package index..." && \ |
The retry log message says "apt-get upgrade failed", but this block is also retrying failures from apt-get update (which is the stated motivation). Consider updating the message (and/or the preceding comment) to reflect that either apt-get update or apt-get upgrade can fail here, so build logs are less misleading during investigations.
Suggested change
| # Retry logic handles transient mirror sync failures during apt-get update | |
| RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/* || \ | |
| (echo "apt-get upgrade failed, retrying with fresh package index..." && \ | |
| # Retry logic handles transient mirror sync failures during apt-get update or apt-get upgrade | |
| RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/* || \ | |
| (echo "apt-get update or upgrade failed, retrying with fresh package index..." && \ |
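Review bot: the retry branch opened by `|| (` on the last shown line needs its own `rm -rf /var/lib/apt/lists/*` after the second update+upgrade, because the cleanup chained on the `RUN` line runs only on the happy path; otherwise the two paths produce different layers, and the retried build ships the package index it was supposed to discard. Also worth checking that the group's final status is the retry's own exit status, so a second failure still fails the build rather than being masked by a trailing `echo`.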
lpcox added a commit that referenced this pull request on Apr 8, 2026:

…1778)

* fix: bind mcpg to assigned IP + fail-close on missing GH_TOKEN

Address security review findings from #1778:

1. Bind mcpg to its assigned IP (172.30.0.51) instead of 0.0.0.0 so the agent container cannot reach mcpg directly. Previously mcpg listened on all interfaces, making it reachable from any container on awf-net.
2. Add fail-close guard: generateDockerCompose now throws if enableCliProxy is set but githubToken is absent. mcpg requires a token to enforce DIFC policies — running without one would bypass integrity checks.
3. Use mcpg IP in healthcheck (not localhost) for TLS hostname consistency with how cli-proxy connects via GH_HOST.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: align TLS hostname by sharing mcpg network namespace

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/b1a5ac57-6103-45c6-b689-67924f7df25b

* fix: remove duplicate comment block in docker-manager.ts

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/b1a5ac57-6103-45c6-b689-67924f7df25b

* fix: add retry logic to apt-get upgrade in agent Dockerfile (#1781)

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/1831b666-eb93-4772-9455-4604a64bfd24

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Summary
Fixes the Smoke Copilot workflow failure (job 70354045748) caused by transient Ubuntu mirror sync issues during Docker image build.

Root Cause
The `apt-get update && apt-get upgrade -y` command at line 53 of `containers/agent/Dockerfile` had no retry logic. When an Ubuntu mirror is mid-sync, `apt-get update` fails with exit code 100 due to file size/hash mismatches:

This caused `docker compose up -d` to fail, preventing the agent container from starting.

Fix
Added retry logic to the `apt-get update && apt-get upgrade` RUN command, consistent with the existing retry pattern used by other `apt-get` commands in the same Dockerfile (lines 15-36 and 41-49). On failure, the apt cache is cleared and the update+upgrade is retried with a fresh package index.

Testing
`docker build --check` passes