rusackas opened a new pull request, #40700: URL: https://github.com/apache/superset/pull/40700
### SUMMARY

Several CI jobs intermittently fail on **Docker Hub registry hiccups** rather than real problems — `check-python-deps`, and the `test-sqlite` / `test-postgres` / `test-mysql` integration jobs. The errors look like:

```
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": context deadline exceeded
##[error]Process completed with exit code 125
```

Two root causes feed this: (1) bare `docker run`/service-container pulls with **no retry**, and (2) **anonymous** pulls that share GitHub's runner-IP Docker Hub rate limit, so throttling surfaces as connection timeouts. This PR addresses both.

### Changes

**Retry (universal — works on fork PRs too)**

- `scripts/uv-pip-compile.sh` — pre-pull `python:${VERSION}-slim` in a small backoff loop (4 attempts) before `docker run`, so a flaky pull no longer fails the whole `check-python-deps` job. The pull sits in an `until` condition so `set -e` doesn't abort on a single failed attempt; genuine errors still fail fast in the subsequent `docker run`.

**Auth (raises the pull rate limit ~25× on `apache/superset` branches)**

- `.github/workflows/check-python-deps.yml` — add a best-effort `docker/login-action` (pinned `v4.2.0`, same as `setup-docker`) before the uv step, so the in-step pull is authenticated.
- `.github/workflows/superset-python-integrationtest.yml` — add `credentials:` to the `mysql` / `postgres` / `redis` service containers so the runner-managed pulls (which can't be wrapped in a step-level retry) authenticate too.

### Fork-PR safety

`DOCKERHUB_USER` / `DOCKERHUB_TOKEN` already exist as repo secrets (used by `docker.yml`). On **fork** PRs those secrets are withheld by GitHub, so:

- the login step is `continue-on-error: true` → it no-ops, and the script's retry loop covers anonymous-pull flakes;
- the service `credentials:` resolve to empty → the runner falls back to an anonymous pull.

So external contributors see no regression; main-repo branches (including maintainers' own PRs) get the authenticated, higher rate limit. Worth a maintainer's eye on the fork path during review since the repo hasn't used `services.credentials` before.

### Not covered (follow-up)

The `docker-build` job's intermittent pull is inside the third-party `docker/setup-qemu-action` (binfmt image) — not wrapped here since it's not ours to retry. Can be addressed separately (e.g. pre-pull-with-retry of the pinned binfmt image).

### TESTING INSTRUCTIONS

- `bash -n scripts/uv-pip-compile.sh` passes; both workflow YAMLs parse and pass `zizmor`.
- This PR's own `check-python-deps` + integration jobs exercise the authenticated path (secrets present on a main-repo branch).

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
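
The retry pattern the summary describes (a pull placed in an `until` condition so that `set -e` does not abort on one failed attempt), as an added example that is not code from the PR or the Superset repository. The helper name `retry_with_backoff`, the delay values and the `flaky_pull` stand-in are assumptions made for illustration; in CI the wrapped command would be `docker pull "python:${VERSION}-slim"`.

```shell
#!/bin/sh
set -eu

# retry_with_backoff MAX_ATTEMPTS BASE_DELAY_SECONDS COMMAND [ARGS...]
# Hypothetical helper: runs COMMAND until it succeeds or MAX_ATTEMPTS is
# reached, doubling the delay after each failure.
retry_with_backoff() {
  local max_attempts="$1"
  local delay="$2"
  local attempt=1
  shift 2
  # A command used as an `until` condition is exempt from `set -e`, so a
  # single failed attempt does not terminate the script.
  until "$@"; do
    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "giving up after ${attempt} attempts: $*" >&2
      return 1
    fi
    echo "attempt ${attempt}/${max_attempts} failed; retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
  done
}

# Constructed stand-in for `docker pull`: fails for the first FAIL_TIMES
# calls, counting calls in the file named by COUNTER_FILE.
flaky_pull() {
  local n
  n=$(( $(cat "$COUNTER_FILE") + 1 ))
  echo "$n" > "$COUNTER_FILE"
  [ "$n" -gt "$FAIL_TIMES" ]
}

# Demo with the stand-in (delay 0 so it finishes immediately).
COUNTER_FILE=$(mktemp)
FAIL_TIMES=2
echo 0 > "$COUNTER_FILE"
retry_with_backoff 4 0 flaky_pull
echo "pulled after $(cat "$COUNTER_FILE") attempts"
rm -f "$COUNTER_FILE"

# In a CI script the call would look like (not executed here):
#   retry_with_backoff 4 2 docker pull "python:${VERSION}-slim"
```

When the helper is the last resort and returns non-zero outside a conditional, `set -e` stops the script there, so a registry that stays unreachable for all attempts still fails the job.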
