Dockerfile: use x-access-token:TOKEN URL form for classic PAT

Previous URL form 'https://$TOKEN@github.com/...' relied on GitHub's
special-case where fine-grained PATs are accepted as a single-value
username. Classic PATs don't get that special-casing: git parses
'TOKEN@github.com' as username=TOKEN with no password and then prompts
for one, which fails in the non-interactive Docker build with
'No such device or address'.

Switching to 'https://x-access-token:$TOKEN@github.com/...' (GitHub
Actions convention) is the standard explicit-Basic-Auth form and works
uniformly for classic + fine-grained PATs, so the URL stays the same
when we eventually swap GH_PAT for a deploy key (the URL changes to
ssh+git anyway in that case).

Co-authored-by: Cursor <cursoragent@cursor.com>

Dockerfile

@@ -60,9 +60,15 @@ RUN pip install --no-cache-dir playwright \
 # not exposed as env, not written to disk after the layer commits. Bumping
 # CADGENBENCH_SHA is the one-line path to picking up a new cadgenbench.
 ARG CADGENBENCH_SHA=d7e0468
+# URL form `https://x-access-token:<token>@github.com/...` (GitHub Actions
+# convention) rather than the bare `https://<token>@github.com/...` form:
+# the bare form works only for fine-grained PATs (GitHub special-cases the
+# single-value username), while classic PATs need explicit
+# `username:token` Basic Auth or git prompts for a password and fails in
+# the non-interactive container build.
 RUN --mount=type=secret,id=GH_PAT,mode=0400,required=true \
     pip install --no-cache-dir \
-        "cadgenbench @ git+https://$(cat /run/secrets/GH_PAT)@github.com/huggingface/cadgenbench.git@${CADGENBENCH_SHA}"
+        "cadgenbench @ git+https://x-access-token:$(cat /run/secrets/GH_PAT)@github.com/huggingface/cadgenbench.git@${CADGENBENCH_SHA}"
 
 # Drop privileges. HF Spaces conventionally run as uid 1000 with
 # WORKDIR /home/user/app.