From dd13968c1eb0ed722288c9ca32754c397f3c46f4 Mon Sep 17 00:00:00 2001
From: Jordan Harband <ljharb@gmail.com>
Date: Wed, 3 Jun 2026 13:12:31 -0700
Subject: [PATCH] [Tests] reduce CI flakiness from transient Docker registry
 failures

Container-based suites and the `nvm_download` httpbin check hard-fail whenever DockerHub is briefly unreachable
(observed: `dial tcp ...:443: connect: connection refused` while pulling images),
even though the change under test is fine.
This is unrelated to any test logic.

- tests-xenial / tests-installation-node: retry the `docker pull` up to 5 times before `docker run`, mirroring the existing apt-get retry
- `nvm_download` test: retry the httpbin pull and skip the auth-header checks (rather than fail) when the image cannot be pulled or run, and make cleanup tolerant of a missing container.
---
 .github/workflows/tests-installation-node.yml |  6 +++++
 .github/workflows/tests-xenial.yml            |  6 +++++
 test/fast/Unit tests/nvm_download             | 27 +++++++++++++------
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/tests-installation-node.yml b/.github/workflows/tests-installation-node.yml
index f288634b..684c1421 100644
--- a/.github/workflows/tests-installation-node.yml
+++ b/.github/workflows/tests-installation-node.yml
@@ -55,6 +55,12 @@ jobs:
       - run: npx which urchin
       - name: Run installation_node tests in container
         run: |
+          # Retry the image pull to tolerate transient Docker registry failures
+          for i in 1 2 3 4 5; do
+            docker pull ubuntu:16.04 && break
+            echo "docker pull failed, attempt $i/5"
+            sleep $((i * 5))
+          done
           docker run --rm \
             -v "${{ github.workspace }}:/workspace" \
             -w /workspace \
diff --git a/.github/workflows/tests-xenial.yml b/.github/workflows/tests-xenial.yml
index 474761f1..b17e8df0 100644
--- a/.github/workflows/tests-xenial.yml
+++ b/.github/workflows/tests-xenial.yml
@@ -52,6 +52,12 @@ jobs:
       - run: npx which urchin
       - name: Run xenial tests in container
         run: |
+          # Retry the image pull to tolerate transient Docker registry failures
+          for i in 1 2 3 4 5; do
+            docker pull ubuntu:16.04 && break
+            echo "docker pull failed, attempt $i/5"
+            sleep $((i * 5))
+          done
           docker run --rm \
             -v "${{ github.workspace }}:/workspace" \
             -w /workspace \
diff --git a/test/fast/Unit tests/nvm_download b/test/fast/Unit tests/nvm_download
index 727fe13f..ced54895 100755
--- a/test/fast/Unit tests/nvm_download	
+++ b/test/fast/Unit tests/nvm_download	
@@ -2,7 +2,7 @@
 
 cleanup () {
   unset -f die cleanup
-  docker stop httpbin && docker rm httpbin
+  docker rm -f httpbin >/dev/null 2>&1 || true
 }
 die () { echo "$@" ; cleanup ; exit 1; }
 
@@ -17,13 +17,24 @@ nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/de
 # nvm_download should fail to download wrong_install.sh
 ! nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/wrong_install.sh" >/dev/null || die "nvm_download should fail to download no existing file"
 
-# nvm_download should pass when calling with auth header
-docker pull kennethreitz/httpbin && SHELL=bash docker run -d --name httpbin -p 80:80 kennethreitz/httpbin
-sleep 1 # wait for httpbin to start
-NVM_AUTH_HEADER="Bearer test-token" nvm_download "http://127.0.0.1/bearer" > /dev/null || die 'nvm_download with auth header should send correctly'
-
-# nvm_download should fail when calling without auth header
-nvm_download "http://127.0.0.1/bearer" > /dev/null && die 'nvm_download with no auth header should not send the header and should fail'
+# the auth header checks need a local httpbin container; retry the pull, and
+# skip (rather than fail) if the image cannot be pulled or run, so a transient
+# Docker registry outage does not fail the suite
+httpbin_pulled=0
+for i in 1 2 3 4 5; do
+  if docker pull kennethreitz/httpbin; then httpbin_pulled=1; break; fi
+  echo "docker pull httpbin failed, attempt $i/5"
+  sleep $((i * 5))
+done
+if [ "${httpbin_pulled}" = 1 ] && SHELL=bash docker run -d --name httpbin -p 80:80 kennethreitz/httpbin; then
+  sleep 1 # wait for httpbin to start
+  # nvm_download should pass when calling with auth header
+  NVM_AUTH_HEADER="Bearer test-token" nvm_download "http://127.0.0.1/bearer" > /dev/null || die 'nvm_download with auth header should send correctly'
+  # nvm_download should fail when calling without auth header
+  nvm_download "http://127.0.0.1/bearer" > /dev/null && die 'nvm_download with no auth header should not send the header and should fail'
+else
+  echo 'skipping auth header checks: unable to pull or run httpbin'
+fi
 
 # ensure quoted extra args remain quoted
 nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" -o "; die quoted-command-not-quoted" || die 'command failed'