fix: repair 20 Dockerfiles with broken git clone, missing python3, and missing ca-certificates

Three categories of fixes across 20 task Dockerfiles + their artifact_only variants:

1. Replace --filter=blob:none --no-checkout with git init + git fetch --depth 1
   by SHA (10 tasks): the blobless clone strategy fails for non-HEAD commits.
   Special cases: envoy-duplicate-headers uses depth 2 for parent checkout,
   cilium-api-doc uses sparse-checkout, envoy-migration-doc uses two shallow
   tag clones instead of worktrees.

2. Add python3 to apt-get install (7 tasks): test.sh verifiers call python3
   for scoring but the Dockerfiles only installed git + ca-certificates.

3. Add ca-certificates to apt-get install (12 tasks): ubuntu:22.04 with
   --no-install-recommends doesn't include ca-certificates, causing
   SSL verification failures on HTTPS git operations.

Also adds scripts/validate_artifact_golden.py for golden-solution validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: sjarmak

benchmarks/ccb_debug/envoy-duplicate-headers-debug-001/environment/Dockerfile

@@ -7,6 +7,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     curl \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Clone Envoy at the target commit (before router header mutation fix)
@@ -15,8 +16,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # finalizeResponseHeaders() call. We check out the parent to get the broken state.
 # The bug was introduced by PR #39534 which moved finalizeResponseHeaders()
 # into the modify_headers_ callback, causing double processing on local replies.
-RUN git clone --filter=blob:none --no-checkout https://github.com/envoyproxy/envoy.git . && \
-    git checkout 25f893b~1 && \
+RUN git init && \
+    git remote add origin https://github.com/envoyproxy/envoy.git && \
+    git fetch --depth 2 origin 25f893b44c9ac785d57f21399fb5aff540f0bef7 && \
+    git checkout 25f893b44c9ac785d57f21399fb5aff540f0bef7~1 && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 

benchmarks/ccb_debug/envoy-duplicate-headers-debug-001/environment/Dockerfile.artifact_only

@@ -12,6 +12,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     curl \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Clone Envoy at the target commit (before router header mutation fix)
@@ -20,8 +21,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # finalizeResponseHeaders() call. We check out the parent to get the broken state.
 # The bug was introduced by PR #39534 which moved finalizeResponseHeaders()
 # into the modify_headers_ callback, causing double processing on local replies.
-RUN git clone --filter=blob:none --no-checkout https://github.com/envoyproxy/envoy.git . && \
-    git checkout 25f893b~1 && \
+RUN git init && \
+    git remote add origin https://github.com/envoyproxy/envoy.git && \
+    git fetch --depth 2 origin 25f893b44c9ac785d57f21399fb5aff540f0bef7 && \
+    git checkout 25f893b44c9ac785d57f21399fb5aff540f0bef7~1 && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 

benchmarks/ccb_debug/istio-xds-destrul-debug-001/environment/Dockerfile

@@ -7,15 +7,18 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     curl \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Clone Istio at the pre-fix commit for the DestinationRule dependency bug.
 # PR #38088 (merge commit 9fcfe231) fixes the bug where merged DestinationRules
 # lose the metadata of contributing DRs, causing xDS pushes to be silently
 # skipped when a non-surviving DR is updated.
 # We check out the parent commit (f8c9b973) to get the broken state.
-RUN git clone --filter=blob:none --no-checkout https://github.com/istio/istio.git . && \
-    git checkout f8c9b973900a13a898348c010ae3cad2de08693b && \
+RUN git init && \
+    git remote add origin https://github.com/istio/istio.git && \
+    git fetch --depth 1 origin f8c9b973900a13a898348c010ae3cad2de08693b && \
+    git checkout FETCH_HEAD && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 

benchmarks/ccb_debug/istio-xds-destrul-debug-001/environment/Dockerfile.artifact_only

@@ -12,15 +12,18 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     curl \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Clone Istio at the pre-fix commit for the DestinationRule dependency bug.
 # PR #38088 (merge commit 9fcfe231) fixes the bug where merged DestinationRules
 # lose the metadata of contributing DRs, causing xDS pushes to be silently
 # skipped when a non-surviving DR is updated.
 # We check out the parent commit (f8c9b973) to get the broken state.
-RUN git clone --filter=blob:none --no-checkout https://github.com/istio/istio.git . && \
-    git checkout f8c9b973900a13a898348c010ae3cad2de08693b && \
+RUN git init && \
+    git remote add origin https://github.com/istio/istio.git && \
+    git fetch --depth 1 origin f8c9b973900a13a898348c010ae3cad2de08693b && \
+    git checkout FETCH_HEAD && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 

benchmarks/ccb_debug/terraform-phantom-update-debug-001/environment/Dockerfile

@@ -7,6 +7,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     curl \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Clone Terraform at the pre-fix commit for the sensitive marks bug.
@@ -15,8 +16,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # ReadResource / PlanResourceChange, causing phantom diffs and incomplete
 # sensitive_attributes in state.
 # We check out the parent commit (9658f9df) to get the broken state.
-RUN git clone --filter=blob:none --no-checkout https://github.com/hashicorp/terraform.git . && \
-    git checkout 9658f9df6b24bd6d2c267c07cffd4c97cf8b9b40 && \
+RUN git init && \
+    git remote add origin https://github.com/hashicorp/terraform.git && \
+    git fetch --depth 1 origin 9658f9df6b24bd6d2c267c07cffd4c97cf8b9b40 && \
+    git checkout FETCH_HEAD && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 

benchmarks/ccb_debug/terraform-phantom-update-debug-001/environment/Dockerfile.artifact_only

@@ -12,6 +12,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     curl \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Clone Terraform at the pre-fix commit for the sensitive marks bug.
@@ -20,8 +21,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # ReadResource / PlanResourceChange, causing phantom diffs and incomplete
 # sensitive_attributes in state.
 # We check out the parent commit (9658f9df) to get the broken state.
-RUN git clone --filter=blob:none --no-checkout https://github.com/hashicorp/terraform.git . && \
-    git checkout 9658f9df6b24bd6d2c267c07cffd4c97cf8b9b40 && \
+RUN git init && \
+    git remote add origin https://github.com/hashicorp/terraform.git && \
+    git fetch --depth 1 origin 9658f9df6b24bd6d2c267c07cffd4c97cf8b9b40 && \
+    git checkout FETCH_HEAD && \
     git config user.email "agent@example.com" && \
     git config user.name "Agent"
 

benchmarks/ccb_document/cilium-api-doc-gen-001/environment/Dockerfile

@@ -3,17 +3,19 @@ FROM ubuntu:22.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /workspace
 
 # Clone Cilium at specific commit (main 2026-02-16)
-RUN git clone --filter=blob:none --no-checkout https://github.com/cilium/cilium.git repo && \
+RUN git init repo && \
     cd repo && \
-    git checkout ad6b298dbdcb9b828a247c54a477a9cfa43eff00 && \
+    git remote add origin https://github.com/cilium/cilium.git && \
     git sparse-checkout init --cone && \
     git sparse-checkout set pkg/bpf pkg/maps pkg/datapath/maps && \
-    git checkout
+    git fetch --depth 1 origin ad6b298dbdcb9b828a247c54a477a9cfa43eff00 && \
+    git checkout FETCH_HEAD
 
 # Agent writes documentation.md to /workspace/
 # Verifier: /tests/test.sh scores against /tests/ground_truth.json

benchmarks/ccb_document/cilium-api-doc-gen-001/environment/Dockerfile.artifact_only

@@ -8,17 +8,19 @@ FROM ubuntu:22.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /workspace
 
 # Clone Cilium at specific commit (main 2026-02-16)
-RUN git clone --filter=blob:none --no-checkout https://github.com/cilium/cilium.git repo && \
+RUN git init repo && \
     cd repo && \
-    git checkout ad6b298dbdcb9b828a247c54a477a9cfa43eff00 && \
+    git remote add origin https://github.com/cilium/cilium.git && \
     git sparse-checkout init --cone && \
     git sparse-checkout set pkg/bpf pkg/maps pkg/datapath/maps && \
-    git checkout
+    git fetch --depth 1 origin ad6b298dbdcb9b828a247c54a477a9cfa43eff00 && \
+    git checkout FETCH_HEAD
 
 # Agent writes documentation.md to /workspace/
 # Verifier: /tests/test.sh scores against /tests/ground_truth.json

benchmarks/ccb_document/envoy-migration-doc-gen-001/environment/Dockerfile

@@ -3,18 +3,13 @@ FROM ubuntu:22.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /workspace
 
-# Clone Envoy repo with blob filtering for fast clone
-RUN git clone --filter=blob:none --no-checkout https://github.com/envoyproxy/envoy.git envoy-repo
+# Clone Envoy at v1.30 and v1.31 tags
+RUN git clone --depth 1 --branch v1.30.0 https://github.com/envoyproxy/envoy.git envoy-v1.30
+RUN git clone --depth 1 --branch v1.31.0 https://github.com/envoyproxy/envoy.git envoy-v1.31
 
-# Create worktrees for v1.30.0 and v1.31.0
-WORKDIR /workspace/envoy-repo
-RUN git worktree add ../envoy-v1.30 50ea83e602d5da162df89fd5798301e22f5540cf
-RUN git worktree add ../envoy-v1.31 7b8baff1758f0a584dcc3cb657b5032000bcb3d7
-
-# Keep main clone (worktrees reference its .git directory)
-# Set working directory to workspace root
 WORKDIR /workspace

benchmarks/ccb_document/envoy-migration-doc-gen-001/environment/Dockerfile.artifact_only

@@ -8,20 +8,15 @@ FROM ubuntu:22.04
 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     python3 \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /workspace
 
-# Clone Envoy repo with blob filtering for fast clone
-RUN git clone --filter=blob:none --no-checkout https://github.com/envoyproxy/envoy.git envoy-repo
+# Clone Envoy at v1.30 and v1.31 tags
+RUN git clone --depth 1 --branch v1.30.0 https://github.com/envoyproxy/envoy.git envoy-v1.30
+RUN git clone --depth 1 --branch v1.31.0 https://github.com/envoyproxy/envoy.git envoy-v1.31
 
-# Create worktrees for v1.30.0 and v1.31.0
-WORKDIR /workspace/envoy-repo
-RUN git worktree add ../envoy-v1.30 50ea83e602d5da162df89fd5798301e22f5540cf
-RUN git worktree add ../envoy-v1.31 7b8baff1758f0a584dcc3cb657b5032000bcb3d7
-
-# Keep main clone (worktrees reference its .git directory)
-# Set working directory to workspace root
 WORKDIR /workspace
 # --- artifact_only mode ---
 # Sentinel flag for artifact-based verification.