fix(docker): pin oven/bun image to SHA256 digest to match Node image policy

2026-05-06 06:50:43 +00:00 · 2026-04-29 09:44:58 -04:00
parent f1f909d664
commit fd27ee4a0e
1 changed files with 2 additions and 1 deletions
--- a/3
+++ b/3
@@ -16,7 +16,8 @@ ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
 # Keep in sync with .github/actions/setup-node-env/action.yml bun-version.
-ARG OPENCLAW_BUN_IMAGE="oven/bun:1.3.9"
+# To update: docker buildx imagetools inspect oven/bun:<version> and use the manifest-list digest.
+ARG OPENCLAW_BUN_IMAGE="oven/bun:1.3.9@sha256:856da45d07aeb62eb38ea3e7f9e1794c0143a4ff63efb00e6c4491b627e2a521"

 # Base images are pinned to SHA256 digests for reproducible builds.
 # Dependabot refreshes these blessed digests; release builds consume the