From 018f2e78ba5c51f2215705f4a9fa3cff160c940c Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sun, 26 Apr 2026 22:40:38 +0100
Subject: [PATCH] build: skip docker apt upgrades
---
 .github/workflows/install-smoke.yml | 2 --
 Dockerfile | 10 ++--------
 Dockerfile.sandbox | 1 -
 Dockerfile.sandbox-browser | 1 -
 Dockerfile.sandbox-common | 1 -
 docs/install/docker.md | 4 +++-
 scripts/docker/cleanup-smoke/Dockerfile | 3 +--
 scripts/docker/install-sh-e2e/Dockerfile | 3 +--
 scripts/docker/install-sh-smoke/Dockerfile | 2 +-
 9 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/install-smoke.yml b/.github/workflows/install-smoke.yml
index 9f7a1241a90..6a75eb849c1 100644
--- a/.github/workflows/install-smoke.yml
+++ b/.github/workflows/install-smoke.yml
@@ -103,7 +103,6 @@ jobs:
 context: .
 file: ./Dockerfile
 build-args: |
- OPENCLAW_DOCKER_APT_UPGRADE=0
 OPENCLAW_EXTENSIONS=matrix
 tags: |
 openclaw-dockerfile-smoke:local
@@ -218,7 +217,6 @@ jobs:
 context: .
 file: ./Dockerfile
 build-args: |
- OPENCLAW_DOCKER_APT_UPGRADE=0
 OPENCLAW_EXTENSIONS=matrix
 tags: |
 openclaw-dockerfile-smoke:local
diff --git a/Dockerfile b/Dockerfile
index df78b09d10f..e5e0db2082a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,14 +15,14 @@ ARG OPENCLAW_EXTENSIONS=""
 ARG OPENCLAW_VARIANT=default
 ARG OPENCLAW_BUNDLED_PLUGIN_DIR=extensions
-ARG OPENCLAW_DOCKER_APT_UPGRADE=1
 ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
 ARG OPENCLAW_NODE_BOOKWORM_DIGEST="sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
 # Base images are pinned to SHA256 digests for reproducible builds.
-# Trade-off: digests must be updated manually when upstream tags move.
+# Dependabot refreshes these blessed digests; release builds consume the
+# reviewed base snapshot instead of mutating distro state on every build.
 # To update, run: docker buildx imagetools inspect node:24-bookworm (or podman)
 # and replace the digest below with the current multi-arch manifest list entry.
@@ -140,7 +140,6 @@ LABEL org.opencontainers.image.base.name="docker.io/library/node:24-bookworm-sli
 FROM base-${OPENCLAW_VARIANT}
 ARG OPENCLAW_VARIANT
 ARG OPENCLAW_BUNDLED_PLUGIN_DIR
-ARG OPENCLAW_DOCKER_APT_UPGRADE
 # OCI base-image metadata for downstream image consumers.
 # If you change these annotations, also update:
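Review bot: The rewritten header comment (`+# Dependabot refreshes these blessed digests; release builds consume the` / `+# reviewed base snapshot instead of mutating distro state on every build.`) promises more than this Dockerfile delivers: the runtime stage's apt layer in the same file (hunk @@ -157) still runs `apt-get update` and installs procps, hostname, curl, git, lsof and openssl at whatever version the mirror serves, so distro state is still mutated on every build and those packages are outside the pinned digest. The comment also leaves implicit what consumers give up: with the upgrade step gone, security fixes for packages already present in the base arrive only when a digest bump is merged. Suggest `# Dependabot refreshes these pinned digests. The runtime stage no longer runs apt-get upgrade, so base-package security fixes land only when a digest bump is merged; packages added by apt-get install are still resolved against the live mirror at build time.` The manual `docker buildx imagetools inspect` procedure that follows remains a useful fallback and can stay as is.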
@@ -157,14 +156,9 @@ WORKDIR /app
 # Install system utilities present in bookworm but missing in bookworm-slim.
 # On the full bookworm image these are already installed (apt-get is a no-op).
-# Smoke workflows can opt out of distro upgrades to cut repeated CI time while
-# keeping the default runtime image behavior unchanged.
 RUN --mount=type=cache,id=openclaw-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \
 --mount=type=cache,id=openclaw-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \
 apt-get update && \
- if [ "${OPENCLAW_DOCKER_APT_UPGRADE}" != "0" ]; then \
- DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends; \
- fi && \
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
 procps hostname curl git lsof openssl
diff --git a/Dockerfile.sandbox b/Dockerfile.sandbox
index 253a6775d35..78fa73bdff2 100644
--- a/Dockerfile.sandbox
+++ b/Dockerfile.sandbox
@@ -7,7 +7,6 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN --mount=type=cache,id=openclaw-sandbox-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \
 --mount=type=cache,id=openclaw-sandbox-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \
 apt-get update \
- && apt-get upgrade -y --no-install-recommends \
 && apt-get install -y --no-install-recommends \
 bash \
 ca-certificates \
diff --git a/Dockerfile.sandbox-browser b/Dockerfile.sandbox-browser
index 2ece473a04d..53cabb8be74 100644
--- a/Dockerfile.sandbox-browser
+++ b/Dockerfile.sandbox-browser
@@ -7,7 +7,6 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN --mount=type=cache,id=openclaw-sandbox-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \
 --mount=type=cache,id=openclaw-sandbox-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \
 apt-get update \
- && apt-get upgrade -y --no-install-recommends \
 && apt-get install -y --no-install-recommends \
 bash \
 ca-certificates \
diff --git a/Dockerfile.sandbox-common b/Dockerfile.sandbox-common
index fba29a5df3d..39eaa3692b4 100644
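Review bot: With the `apt-get upgrade` branch removed, the patch level of every package already present in the base image is frozen at the pinned digest, while the `apt-get install` line that remains still resolves procps, hostname, curl, git, lsof and openssl against the live bookworm mirror (and apt may pull newer versions of base packages in as their dependencies), so the resulting layer is neither a pure base snapshot nor an upgraded one, and nothing in the file now says which trade-off was chosen. The same removal is made in Dockerfile.sandbox, Dockerfile.sandbox-browser, Dockerfile.sandbox-common, scripts/docker/cleanup-smoke/Dockerfile and scripts/docker/install-sh-e2e/Dockerfile, where the two deleted comment lines have no replacement either. Suggest putting in place of the deleted comment `# No distro upgrade here: security fixes for base packages arrive only via a base-digest bump, so keep the Dependabot cadence and image scanning on. The packages below are still resolved at build time and are not version-pinned.` If byte-level reproducibility is the actual goal, pinning the installed package versions (or pointing apt at a snapshot.debian.org mirror) would close the gap the new header comment claims is already closed.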
--- a/Dockerfile.sandbox-common +++ b/Dockerfile.sandbox-common @@ -24,7 +24,6 @@ ENV PATH=${BUN_INSTALL_DIR}/bin:${BREW_INSTALL_DIR}/bin:${BREW_INSTALL_DIR}/sbin RUN --mount=type=cache,id=openclaw-sandbox-common-apt-cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,id=openclaw-sandbox-common-apt-lists,target=/var/lib/apt,sharing=locked \ apt-get update \ - && apt-get upgrade -y --no-install-recommends \ && apt-get install -y --no-install-recommends ${PACKAGES} RUN if [ "${INSTALL_PNPM}" = "1" ]; then npm install -g pnpm; fi diff --git a/docs/install/docker.md b/docs/install/docker.md index 6d71876d486..ad3452d074b 100644 --- a/docs/install/docker.md +++ b/docs/install/docker.md @@ -359,7 +359,9 @@ See [ClawDock](/install/clawdock) for the full helper guide. The main Docker image uses `node:24-bookworm` and publishes OCI base-image annotations including `org.opencontainers.image.base.name`, - `org.opencontainers.image.source`, and others. See + `org.opencontainers.image.source`, and others. The Node base digest is + refreshed through Dependabot Docker base-image PRs; release builds do not run + a distro upgrade layer. See [OCI image annotations](https://github.com/opencontainers/image-spec/blob/main/annotations.md). diff --git a/scripts/docker/cleanup-smoke/Dockerfile b/scripts/docker/cleanup-smoke/Dockerfile index 9284c4a56b5..892ac2c53a7 100644 --- a/scripts/docker/cleanup-smoke/Dockerfile +++ b/scripts/docker/cleanup-smoke/Dockerfile 
@@ -1,13 +1,12 @@
 # syntax=docker/dockerfile:1.7
-FROM node:24-bookworm-slim@sha256:b4687aef2571c632a1953695ce4d61d6462a7eda471fe6e272eebf0418f276ba
+FROM node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
 ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 RUN --mount=type=cache,id=openclaw-cleanup-smoke-apt-cache,target=/var/cache/apt,sharing=locked \
 --mount=type=cache,id=openclaw-cleanup-smoke-apt-lists,target=/var/lib/apt,sharing=locked \
 apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends \
 && apt-get install -y --no-install-recommends \
 bash \
 ca-certificates \
diff --git a/scripts/docker/install-sh-e2e/Dockerfile b/scripts/docker/install-sh-e2e/Dockerfile
index 0bb6f1d99f3..3ba13e98965 100644
--- a/scripts/docker/install-sh-e2e/Dockerfile
+++ b/scripts/docker/install-sh-e2e/Dockerfile
@@ -1,11 +1,10 @@
 # syntax=docker/dockerfile:1.7
-FROM node:24-bookworm-slim@sha256:b4687aef2571c632a1953695ce4d61d6462a7eda471fe6e272eebf0418f276ba
+FROM node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
 RUN --mount=type=cache,id=openclaw-install-sh-e2e-apt-cache,target=/var/cache/apt,sharing=locked \
 --mount=type=cache,id=openclaw-install-sh-e2e-apt-lists,target=/var/lib/apt,sharing=locked \
 apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends \
 && apt-get install -y --no-install-recommends \
 bash \
 ca-certificates \
diff --git a/scripts/docker/install-sh-smoke/Dockerfile b/scripts/docker/install-sh-smoke/Dockerfile
index 1bba1c61892..401ce87479d 100644
--- a/scripts/docker/install-sh-smoke/Dockerfile
+++ b/scripts/docker/install-sh-smoke/Dockerfile
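Review bot: The new slim digest is now hard-coded verbatim in scripts/docker/cleanup-smoke/Dockerfile, scripts/docker/install-sh-e2e/Dockerfile and scripts/docker/install-sh-smoke/Dockerfile on top of Dockerfile's `OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST` ARG, and with the upgrade layer gone that digest alone decides the patch level each of these images is built from; if one copy lags a Dependabot bump (it is not visible here whether Dependabot tracks all four), the smoke and e2e images silently exercise a different base than the release image. A one-line CI consistency check that the four files carry the same digest, or a shared build-arg the scripts consume, would keep them in lockstep. At minimum a comment next to each FROM, `# Keep in sync with OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST in the top-level Dockerfile`, makes the coupling visible to the next person bumping one of them by hand.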
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.7
-FROM node:24-bookworm-slim@sha256:b4687aef2571c632a1953695ce4d61d6462a7eda471fe6e272eebf0418f276ba
+FROM node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb
 # Smoke images are pinned and short-lived, so skip distro upgrades here and
 # spend the time budget on installer coverage instead.