From f1f909d66440b655d83aa3d83a773d185883ad20 Mon Sep 17 00:00:00 2001
From: Federico Kamelhar
Date: Wed, 29 Apr 2026 09:37:05 -0400
Subject: [PATCH] fix(docker): replace curl|bash Bun install with pinned multi-stage COPY
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The previous approach fetched https://bun.sh/install and executed it as root with no version pin, checksum, or signature verification — despite both Node base images being pinned to SHA256 digests. Replace with a multi-stage COPY from the official oven/bun image, using the same version (1.3.9) already pinned in .github/actions/setup-node-env/action.yml. The new OPENCLAW_BUN_IMAGE ARG follows the same pattern as OPENCLAW_NODE_BOOKWORM_IMAGE and can be updated via Dependabot. Closes #74356
---
 Dockerfile | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 37971e6439e..1b966e78ba0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,8 @@ ARG OPENCLAW_BUNDLED_PLUGIN_DIR=extensions
 ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
+# Keep in sync with .github/actions/setup-node-env/action.yml bun-version.
+ARG OPENCLAW_BUN_IMAGE="oven/bun:1.3.9"
 # Base images are pinned to SHA256 digests for reproducible builds.
 # Dependabot refreshes these blessed digests; release builds consume the 
@@ -37,22 +39,12 @@ RUN --mount=type=bind,source=${OPENCLAW_BUNDLED_PLUGIN_DIR},target=/tmp/${OPENCL
 done
 # ── Stage 2: Build ──────────────────────────────────────────────
+FROM ${OPENCLAW_BUN_IMAGE} AS bun-binary
 FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS build
 ARG OPENCLAW_BUNDLED_PLUGIN_DIR
-# Install Bun (required for build scripts). Retry the whole bootstrap flow to
-# tolerate transient 5xx failures from bun.sh/GitHub during CI image builds.
-RUN set -eux; \ for attempt in 1 2 3 4 5; do \ if curl --retry 5 --retry-all-errors --retry-delay 2 -fsSL https://bun.sh/install | bash; then \ break; \ fi; \ if [ "$attempt" -eq 5 ]; then \ exit 1; \ fi; \ sleep $((attempt * 2)); \ done
-ENV PATH="/root/.bun/bin:${PATH}"
+# Copy pinned Bun binary from the official image instead of fetching via curl.
+COPY --from=bun-binary /usr/local/bin/bun /usr/local/bin/bun
 RUN corepack enable
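Review bot: `FROM ${OPENCLAW_BUN_IMAGE} AS bun-binary` still resolves a mutable Docker Hub tag, because the ARG it expands (added in the first hunk) is `oven/bun:1.3.9` with no `@sha256:` digest, unlike the two Node images this commit cites as the pattern to follow; a re-pushed tag would change the copied `bun` binary with no change to this file, so the "pinned" claim holds only for the version string, not the bytes. Pin the ARG by digest in the same form as OPENCLAW_NODE_BOOKWORM_IMAGE, `ARG OPENCLAW_BUN_IMAGE="oven/bun:1.3.9@sha256:<digest>"`, with the digest taken from `docker buildx imagetools inspect oven/bun:1.3.9` at commit time (it is not in the diff, so it must be looked up rather than guessed) so Dependabot can refresh it alongside the Node digests. The COPY also assumes the binary sits at /usr/local/bin/bun in that image and that no build script calls `bunx`, which the old ~/.bun install provided — presumably both hold, but they are worth confirming against the image layout, and a digest pin fixes that layout to one known image. The build stage continues past the end of this hunk.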