fix: use checkpoints base image from Docker Hub for CI builds #143

Merged: marcuscollins merged 2 commits into main from fix/ci-checkpoints-base-image on Mar 9, 2026

@xraymemory xraymemory commented Mar 9, 2026

Summary

  • Replace curl downloads + build-context COPY in the Dockerfile with a single COPY --from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/ /checkpoints/ so that CI (ubuntu-latest) can build without needing checkpoint files locally (~10 GB). Docker automatically pulls the pre-built checkpoints layer from Docker Hub during the build.
  • Add checkpoints/ to .dockerignore to prevent accidental inclusion in build context
  • Add docker-entrypoint.sh to CI workflow path triggers so changes to the entrypoint trigger a rebuild
  • Add CI comment to docker.yml explaining the checkpoints base image pattern
  • Make run_all_models.sh use a configurable IMAGE env var (default: diffuseproject/sampleworks:latest) instead of hardcoded sampleworks:latest

Context

PR #141 merged the RF3/Protenix checkpoint support but the Dockerfile still used curl downloads for Boltz checkpoints and COPY checkpoints/... from build context for RF3/Protenix. This caused CI to fail because:

  1. The COPY checkpoints/rf3_... and COPY checkpoints/protenix_... files don't exist on the CI runner
  2. The DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets were also missing (now added)

The checkpoints base image (diffuseproject/sampleworks-checkpoints:latest) was already built and pushed to Docker Hub from the GPU server, containing all 6 checkpoint items (boltz1, boltz2, ccd, mols/, rf3, protenix).

Testing

  • Docker Hub secrets (DOCKERHUB_USERNAME, DOCKERHUB_TOKEN) have been added to the repo
  • The checkpoints base image is verified present on Docker Hub
  • CI should now pass with this Dockerfile change

Summary by CodeRabbit

  • New Features

    • Exposed environment variables for selecting checkpoint paths and for choosing the runtime image, and updated container startup behavior (new default entrypoint/command).
  • Chores

    • Docker builds now source model checkpoints from a pre-built external image and ignore local checkpoint files.
    • Simplified build pipeline by removing inline checkpoint operations.
    • CI workflow triggers extended to run on related script changes.

Replace curl downloads and build-context COPY of checkpoints with a single
COPY --from=diffuseproject/sampleworks-checkpoints:latest so CI (ubuntu-latest)
can build without needing checkpoint files locally. Also adds checkpoints/ to
.dockerignore, docker-entrypoint.sh to CI path triggers, and makes
run_all_models.sh use a configurable IMAGE env var.
Copilot AI review requested due to automatic review settings March 9, 2026 17:12
coderabbitai Bot commented Mar 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 61b58ee4-24c2-4828-9feb-87c17769ab80

📥 Commits

Reviewing files that changed from the base of the PR and between 4ddf580 and addd9df.

📒 Files selected for processing (1)
  • run_all_models.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • run_all_models.sh

Walkthrough

Refactors Docker image build to source model checkpoints from an external pre-built image. Updates .dockerignore, Dockerfile (multi-stage COPY from diffuseproject/sampleworks-checkpoints:latest, ENV keys, ENTRYPOINT/CMD), CI workflow triggers, and run_all_models.sh to parameterize the image reference.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker config: `.dockerignore`, `Dockerfile` | Exclude checkpoints/ from build context; replace local/downloaded checkpoint steps with COPY --from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/ /checkpoints/; add consolidated ENV variables for checkpoint paths and add ENTRYPOINT/CMD. |
| CI workflow: `.github/workflows/docker.yml` | Added comment documenting CI pulls checkpoints from pre-built image and extended push trigger paths to include docker-entrypoint.sh. |
| Run script: `run_all_models.sh` | Introduce IMAGE env var with default and use it in docker run; echo selected image at startup. |

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant CI as CI runner
  participant Docker as Docker build
  participant Checkpoints as diffuseproject/sampleworks-checkpoints:latest

  rect rgba(200,230,255,0.5)
  Dev->>CI: Push changes (Dockerfile, .dockerignore, run_all_models.sh)
  end

  rect rgba(200,255,200,0.5)
  CI->>Docker: Start build
  Docker->>Checkpoints: COPY --from=... /checkpoints/ -> /checkpoints/
  Docker-->>CI: Built image includes /checkpoints/
  end

  rect rgba(255,230,200,0.5)
  CI->>Docker: Run container (uses ENTRYPOINT/CMD)
  Docker-->>CI: Container starts with ENV checkpoint paths set
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • marcuscollins

Poem

🐰 I hopped into builds at dawn,
Where checkpoints live in images drawn,
No bulky files to tote or pack,
Just COPY from one clean, cozy stack.
The rabbit smiles — the build runs on!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and accurately summarizes the main change: replacing local checkpoint copying with a pre-built Docker Hub base image for CI builds. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
Dockerfile (1)

123-123: Consider pinning the checkpoints image to a specific tag or digest for reproducibility.

Using :latest means builds are not deterministic—if the checkpoints image is updated on Docker Hub, subsequent builds will pull different checkpoints without any code change in this repository. This could lead to subtle inconsistencies between builds.

For improved reproducibility, consider:

  1. Using a versioned tag (e.g., diffuseproject/sampleworks-checkpoints:v1.0.0)
  2. Using a digest (e.g., diffuseproject/sampleworks-checkpoints@sha256:...)

That said, if checkpoints rarely change and this is acceptable for your workflow, the current approach is functional.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 123, The Dockerfile currently copies checkpoints with the
mutable image reference "COPY
--from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/
/checkpoints/"; change that to a pinned reference by replacing ":latest" with a
specific versioned tag (e.g., :v1.0.0) or an immutable digest (e.g.,
`@sha256`:...), update any build scripts or CI to use the chosen pinned
identifier, and add a short comment or README note near the COPY line that
documents the chosen tag/digest and when to update it.
run_all_models.sh (1)

52-52: Consider quoting $IMAGE for shell best practices.

While Docker image names don't typically contain spaces, quoting variables prevents potential issues with word splitting and glob expansion.

Suggested change
     docker run $DOCKER_OPTS \
         --gpus "\"device=$gpus\"" \
         -v /mnt/diffuse-private:/mnt/diffuse-private:ro \
         -v "$RESULTS_DIR:/data/results" \
-        $IMAGE \
+        "$IMAGE" \
         -e "$env" run_grid_search.py \
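Review bot: `$DOCKER_OPTS` on the first line of this hunk is still expanded unquoted, so the word-splitting and glob-expansion concern that motivates quoting `$IMAGE` applies to it as well. If it is meant to carry several flags, holding them in a bash array and expanding it as `"${DOCKER_OPTS[@]}"` keeps the splitting deliberate and stops a value containing spaces or `*` from being reinterpreted.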
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@run_all_models.sh` at line 52, The shell variable $IMAGE is unquoted in
run_all_models.sh which can lead to word-splitting or glob expansion; update the
Docker invocation(s) and any other usages of $IMAGE (the token "$IMAGE" in the
script) to use double quotes instead, i.e., replace occurrences of $IMAGE with
"$IMAGE" so the image name is treated as a single argument.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Dockerfile`:
- Line 123: The Dockerfile currently copies checkpoints with the mutable image
reference "COPY --from=diffuseproject/sampleworks-checkpoints:latest
/checkpoints/ /checkpoints/"; change that to a pinned reference by replacing
":latest" with a specific versioned tag (e.g., :v1.0.0) or an immutable digest
(e.g., `@sha256`:...), update any build scripts or CI to use the chosen pinned
identifier, and add a short comment or README note near the COPY line that
documents the chosen tag/digest and when to update it.

In `@run_all_models.sh`:
- Line 52: The shell variable $IMAGE is unquoted in run_all_models.sh which can
lead to word-splitting or glob expansion; update the Docker invocation(s) and
any other usages of $IMAGE (the token "$IMAGE" in the script) to use double
quotes instead, i.e., replace occurrences of $IMAGE with "$IMAGE" so the image
name is treated as a single argument.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5eb7bbe1-b586-43ce-a2d0-33d08bd5b55c

📥 Commits

Reviewing files that changed from the base of the PR and between 982d643 and 4ddf580.

📒 Files selected for processing (4)
  • .dockerignore
  • .github/workflows/docker.yml
  • Dockerfile
  • run_all_models.sh

Copilot AI left a comment

Pull request overview

This PR updates the container build and related tooling so CI can build the Docker image without requiring large checkpoint files to exist in the build context, by pulling pre-baked checkpoints from a separate Docker Hub image.

Changes:

  • Switch Dockerfile checkpoint acquisition to COPY --from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/ /checkpoints/.
  • Add checkpoints/ to .dockerignore to avoid accidentally sending checkpoint files in build context.
  • Update CI workflow path triggers and make run_all_models.sh use a configurable IMAGE env var.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| Dockerfile | Replaces local/curl checkpoint acquisition with a cross-image COPY --from from Docker Hub. |
| run_all_models.sh | Makes the Docker image configurable via IMAGE instead of hardcoding sampleworks:latest. |
| .github/workflows/docker.yml | Documents the checkpoints base-image approach and rebuild-trigger paths include docker-entrypoint.sh. |
| .dockerignore | Excludes checkpoints/ from the Docker build context. |

Comment thread Dockerfile
# cp /mnt/diffuse-private/raw/checkpoints/protenix_base_default_v0.5.0.pt checkpoints/
COPY checkpoints/rf3_foundry_01_24_latest.ckpt /checkpoints/rf3_foundry_01_24_latest.ckpt
COPY checkpoints/protenix_base_default_v0.5.0.pt /checkpoints/protenix_base_default_v0.5.0.pt
COPY --from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/ /checkpoints/
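Review bot: the added `COPY --from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/ /checkpoints/` copies the whole directory, whereas the two `COPY checkpoints/...` lines above it named each file, so the Dockerfile no longer states which checkpoint files the image is expected to contain. Consider following the COPY with a `RUN` step that checks the expected files (for example with `sha256sum -c` against a checksum list kept in the repository), so that a changed or incomplete checkpoints image fails the build instead of shipping.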
Copilot AI Mar 9, 2026

COPY --from=diffuseproject/sampleworks-checkpoints:latest ... pins to the mutable latest tag, which makes builds non-reproducible and can break unexpectedly if the checkpoints image is updated. Consider pinning to an immutable digest (or at least a versioned tag), and optionally wiring it through an ARG CHECKPOINTS_IMAGE=... so CI and local builds can override intentionally.

Copilot uses AI. Check for mistakes.
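
The review comments above ask for the checkpoints image to be pinned by digest rather than `:latest`. The script below is an added example, not code from this PR or the project: a CI lint that reports image references in `FROM` and `COPY --from=` that lack a digest. The function names, the sample Dockerfile and its all-zero digest are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not project code. Prints "LINE REF" for each image reference
# in a Dockerfile (FROM and COPY --from=) that is not pinned by sha256 digest.
# Limits: no backslash-continuation handling; ARG-built references are reported.
unpinned_refs() {
  awk '
    function check(ref) {
      if (ref == "" || ref == "scratch") return   # nothing is pulled
      if (tolower(ref) in stages) return          # name of an earlier stage
      if (ref ~ /^[0-9]+$/) return                # numeric stage index
      if (ref ~ /@sha256:[0-9a-f]+$/) return      # pinned by digest
      print NR, ref
    }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      n = split(line, f, /[ \t]+/); op = toupper(f[1])
    }
    op == "FROM" {
      ref = ""; name = ""
      for (i = 2; i <= n; i++) {
        if (ref == "" && f[i] !~ /^--/) ref = f[i]        # skips --platform=
        else if (toupper(f[i]) == "AS" && i < n) name = tolower(f[i + 1])
      }
      check(ref)
      if (name != "") stages[name] = 1   # registered after its own FROM is checked
    }
    op == "COPY" {
      for (i = 2; i <= n; i++)
        if (f[i] ~ /^--from=/) check(substr(f[i], 8))
    }
  ' "$1"
}

# Constructed sample; the all-zero digest is a placeholder, not a real image.
sample_dockerfile() {
  cat <<'EOF'
FROM --platform=linux/amd64 ubuntu:24.04 AS build
FROM example/checkpoints@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS checkpoints
FROM scratch
COPY --from=build /opt/app /opt/app
COPY --from=checkpoints /checkpoints/ /checkpoints/
COPY --from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/ /checkpoints/
EOF
}
lint_sample() { sample_dockerfile | unpinned_refs -; }

# With a Dockerfile path: print findings and exit 1 if any. Without: lint the sample.
if [ "$#" -eq 0 ]; then lint_sample
elif unpinned_refs "$1" | grep .; then exit 1; fi
```

On the sample it reports lines 1 and 6; the `COPY --from=build` and `COPY --from=checkpoints` lines are skipped because they name earlier stages rather than images.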
Comment thread run_all_models.sh
@@ -46,7 +49,7 @@ run_model() {
--gpus "\"device=$gpus\"" \
Copilot AI Mar 9, 2026

The --gpus flag value is being passed with literal quote characters ("device=..."). Docker CLI does not strip those quotes, so this can fail to parse as a valid --gpus value. Pass the value as device=$gpus (quoted by the shell if needed) without embedding quotes in the argument.

Suggested change
--gpus "\"device=$gpus\"" \
--gpus "device=$gpus" \
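Review bot: dropping the embedded quotes in `--gpus "device=$gpus"` is only safe when `$gpus` holds a single device. Docker parses the `--gpus` value as comma-separated fields, and its documentation uses the inner-quoted form (`--gpus '"device=0,2"'`) for a device list, so if `$gpus` can be a list such as `0,1` the original `"\"device=$gpus\""` should stay. A short comment on that line saying why the quotes are there would keep it from being flagged again.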

Comment thread run_all_models.sh Outdated
Copilot suggested to put the docker image name (sampleworks:latest) in quotes; it is passed by variable $IMAGE to `docker`, so this seems a little safer.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@marcuscollins marcuscollins left a comment

LGTM, thanks for the updates!

name: Build and Push Docker Images

# CI builds pull all model checkpoints (~10 GB) from Docker Hub automatically via:
# COPY --from=diffuseproject/sampleworks-checkpoints:latest /checkpoints/ /checkpoints/
I had no idea you could do this! Fantastic!

Although, couldn't you just use that as a base image?

@marcuscollins marcuscollins merged commit ee3ce7f into main Mar 9, 2026
1 check passed
k-chrispens added a commit that referenced this pull request Mar 20, 2026
SHOULD ONLY MERGE AFTER #143 

Adds python-semantic-release (v10) to automate version bumps, changelog
generation, GitHub releases, and versioned Docker image tags. Includes
commitizen pre-commit hook for commit message validation and developer
documentation for the release process.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
* Added detailed Release Process and Commit Message (Conventional
Commits) guidance.
* Updated README with commit-hook install instructions and release
guidance.
  * Introduced a CHANGELOG placeholder for future release notes.

* **Chores**
* Added an automated Release workflow to compute and publish releases on
main.
* Enhanced CI to publish Docker images on semantic tags with dynamic
tags/labels and updated action versions.
* Integrated commit-msg validation (commitizen) and semantic-release
configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@k-chrispens k-chrispens deleted the fix/ci-checkpoints-base-image branch April 22, 2026 00:48