diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
index 1048bb47..f8c7f1ad 100644
--- a/.github/docker/Dockerfile.ci
+++ b/.github/docker/Dockerfile.ci
@@ -4,27 +4,44 @@ FROM ubuntu:24.04
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-# System deps
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    git curl unzip ca-certificates jq bc gpg \
+# Make apt/curl resilient to transient Ubuntu mirror failures.
+# archive.ubuntu.com periodically returns connection refused on individual
+# regional IPs; without retry logic a single failed fetch nukes the build.
+RUN printf 'Acquire::Retries "5";\nAcquire::http::Timeout "30";\nAcquire::https::Timeout "30";\n' \
+    > /etc/apt/apt.conf.d/80-retries
+
+# System deps (apt retries are wired in above, but also retry the whole step
+# in case apt-get update itself can't reach any mirror)
+RUN for i in 1 2 3; do \
+      apt-get update && apt-get install -y --no-install-recommends \
+        git curl unzip ca-certificates jq bc gpg && break || \
+      (echo "apt-get retry $i/3 after failure"; sleep 10); \
+    done \
     && rm -rf /var/lib/apt/lists/*
 
 # GitHub CLI
-RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+RUN curl --retry 5 --retry-delay 5 --retry-connrefused -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
     | gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
     | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
-    && apt-get update && apt-get install -y --no-install-recommends gh \
+    && for i in 1 2 3; do \
+         apt-get update && apt-get install -y --no-install-recommends gh && break || \
+         (echo "gh install retry $i/3"; sleep 10); \
+       done \
     && rm -rf /var/lib/apt/lists/*
 
 # Node.js 22 LTS (needed for claude CLI)
-RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
-    && apt-get install -y --no-install-recommends nodejs \
+RUN curl --retry 5 --retry-delay 5 --retry-connrefused -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && for i in 1 2 3; do \
+         apt-get install -y --no-install-recommends nodejs && break || \
+         (echo "nodejs install retry $i/3"; sleep 10); \
+       done \
     && rm -rf /var/lib/apt/lists/*
 
 # Bun (install to /usr/local so non-root users can access it)
 ENV BUN_INSTALL="/usr/local"
-RUN curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
+RUN curl --retry 5 --retry-delay 5 --retry-connrefused -fsSL https://bun.sh/install \
+    | BUN_VERSION=1.3.10 bash
 
 # Claude CLI
 RUN npm i -g @anthropic-ai/claude-code