From fa0d37a579853c402b615ecadb5c91e677180337 Mon Sep 17 00:00:00 2001
From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz>
Date: Tue, 4 Nov 2025 13:12:58 +0100
Subject: [PATCH 1/4] ci: Rewrite Bash to check inputs to Python

This is shorter and easier to read. Also, according to the dev notes,
Bash should not be used.
---
 .github/actions/configure-docker/action.yml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/.github/actions/configure-docker/action.yml b/.github/actions/configure-docker/action.yml
index 814f2dd1068..5c9531d3592 100644
--- a/.github/actions/configure-docker/action.yml
+++ b/.github/actions/configure-docker/action.yml
@@ -8,16 +8,11 @@ runs:
   using: 'composite'
   steps:
     - name: Check inputs
-      shell: bash
+      shell: python
       run: |
         # We expect only gha or cirrus as inputs to cache-provider
-        case "${{ inputs.cache-provider }}" in
-          gha|cirrus)
-            ;;
-          *)
-            echo "::warning title=Unknown input to configure docker action::Provided value was ${{ inputs.cache-provider }}"
-            ;;
-        esac
+        if "${{ inputs.cache-provider }}" not in ("gha", "cirrus"):
+          print("::warning title=Unknown input to configure docker action::Provided value was ${{ inputs.cache-provider }}")
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3

From fac4f6de28e7e477e005c02ddcfbe07cb27441a4 Mon Sep 17 00:00:00 2001
From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz>
Date: Tue, 4 Nov 2025 13:55:31 +0100
Subject: [PATCH 2/4] ci: Rewrite lint task Bash snippet to Python

The Bash snippet was shorter, but relying on implicit word splitting
(see the shellcheck SC2086 warning).

For example, the DOCKER_BUILD_CACHE_ARG shlex.split is now done
identical to how ci/test/02_run_container.py does it.

Moreover, the Python will hopefully be easier to modify in the future,
as the dev notes recommend Python over Bash.
---
 .github/workflows/ci.yml | 40 +++++++++++++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d433646292f..323d0a71569 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -599,11 +599,37 @@ jobs:
           cache-provider: ${{ needs.runners.outputs.provider }}
 
       - name: CI script
+        shell: python
         run: |
-          set -o xtrace
-          docker buildx build -t "$CONTAINER_NAME" $DOCKER_BUILD_CACHE_ARG --file "./ci/lint_imagefile" .
-          CIRRUS_PR_FLAG=""
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            CIRRUS_PR_FLAG="-e CIRRUS_PR=1"
-          fi
-          docker run --rm $CIRRUS_PR_FLAG -v "$(pwd)":/bitcoin "$CONTAINER_NAME"
+          import os, shlex, subprocess, sys
+
+          def run(cmd, **kwargs):
+              print("+ " + shlex.join(cmd), flush=True)
+              kwargs.setdefault("check", True)
+              try:
+                  return subprocess.run(cmd, **kwargs)
+              except Exception as e:
+                  sys.exit(e)
+
+          CONTAINER_NAME = os.environ["CONTAINER_NAME"]
+
+          build_cmd = [
+              "docker", "buildx", "build",
+              f"--tag={CONTAINER_NAME}",
+              *shlex.split(os.getenv("DOCKER_BUILD_CACHE_ARG", "")),
+              "--file=./ci/lint_imagefile",
+              "."
+          ]
+
+          run(build_cmd)
+
+          CIRRUS_PR_FLAG = []
+          if '${{ github.event_name }}' == "pull_request":
+              CIRRUS_PR_FLAG = ["-e", "CIRRUS_PR=1"]
+
+          run([
+              "docker", "run", "--rm",
+              *CIRRUS_PR_FLAG,
+              f"--volume={os.getcwd()}:/bitcoin",
+              CONTAINER_NAME,
+          ])

From faf05d637d674d945704577ab785dff0f9a6d80f Mon Sep 17 00:00:00 2001
From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz>
Date: Tue, 4 Nov 2025 14:13:38 +0100
Subject: [PATCH 3/4] ci: Retry lint image building once after failure

The same was done for the other CI tasks in commit fa6aa9f42fa. This may
guard against intermittent network issues to download the base image or
packages ...
---
 .github/workflows/ci.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 323d0a71569..5a316c685d7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -601,7 +601,7 @@ jobs:
       - name: CI script
         shell: python
         run: |
-          import os, shlex, subprocess, sys
+          import os, shlex, subprocess, sys, time
 
           def run(cmd, **kwargs):
               print("+ " + shlex.join(cmd), flush=True)
@@ -621,7 +621,10 @@ jobs:
               "."
           ]
 
-          run(build_cmd)
+          if run(build_cmd, check=False).returncode != 0:
+              print("Retry building image tag after failure")
+              time.sleep(3)
+              run(build_cmd)
 
           CIRRUS_PR_FLAG = []
           if '${{ github.event_name }}' == "pull_request":

From fae3618fd6c82dfcea2f296caa16a79182b32059 Mon Sep 17 00:00:00 2001
From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz>
Date: Tue, 4 Nov 2025 14:23:04 +0100
Subject: [PATCH 4/4] ci: Annotate all check runs with the pull request number

On check re-runs the annotations are discarded, so all check runs
require the number to be set.
---
 .github/workflows/ci.yml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5a316c685d7..4f802fad1bc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,10 +35,12 @@ jobs:
     outputs:
       provider: ${{ steps.runners.outputs.provider }}
     steps:
-      - name: Annotate with pull request number
+      - &ANNOTATION_PR_NUMBER
+        name: Annotate with pull request number
         # This annotation is machine-readable and can be used to assign a check
-        # run to its corresponding pull request. Running in one check run is
-        # sufficient for each check suite.
+        # run to its corresponding pull request. Running in all check runs is
+        # required, because check re-runs discard the annotations of other
+        # tasks in the test suite.
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ]; then
             echo "::notice title=debug_pull_request_number_str::${{ github.event.number }}"
@@ -63,6 +65,7 @@ jobs:
     steps:
       - name: Determine fetch depth
         run: echo "FETCH_DEPTH=$((${{ github.event.pull_request.commits }} + 2))" >> "$GITHUB_ENV"
+      - *ANNOTATION_PR_NUMBER
       - uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
@@ -141,6 +144,8 @@ jobs:
       BASE_ROOT_DIR: ${{ github.workspace }}
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - &CHECKOUT
         name: Checkout
         uses: actions/checkout@v5
@@ -212,6 +217,8 @@ jobs:
             job-name: 'Windows native, fuzz, VS 2022'
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - *CHECKOUT
 
       - &SET_UP_VS
@@ -341,6 +348,8 @@ jobs:
       DANGER_CI_ON_HOST_FOLDERS: 1
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - *CHECKOUT
 
       - name: Configure environment
@@ -381,6 +390,8 @@ jobs:
       TEST_RUNNER_TIMEOUT_FACTOR: 40
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - *CHECKOUT
 
       - name: Download built executables
@@ -547,6 +558,8 @@ jobs:
             file-env: './ci/test/00_setup_env_native_msan.sh'
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - *CHECKOUT
 
       - name: Configure environment
@@ -587,6 +600,8 @@ jobs:
     env:
       CONTAINER_NAME: "bitcoin-linter"
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - name: Checkout
         uses: actions/checkout@v5
         with: