From fd27ee4a0e8c222134e697e751eaf8cdeba7ee0d Mon Sep 17 00:00:00 2001
From: Federico Kamelhar <federico.kamelhar@oracle.com>
Date: Wed, 29 Apr 2026 09:44:58 -0400
Subject: [PATCH] fix(docker): pin oven/bun image to SHA256 digest to match
 Node image policy

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1b966e78ba0..b79d456ecf4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,8 @@ ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
 # Keep in sync with .github/actions/setup-node-env/action.yml bun-version.
-ARG OPENCLAW_BUN_IMAGE="oven/bun:1.3.9"
+# To update: docker buildx imagetools inspect oven/bun:<version> and use the manifest-list digest.
+ARG OPENCLAW_BUN_IMAGE="oven/bun:1.3.9@sha256:856da45d07aeb62eb38ea3e7f9e1794c0143a4ff63efb00e6c4491b627e2a521"
 
 # Base images are pinned to SHA256 digests for reproducible builds.
 # Dependabot refreshes these blessed digests; release builds consume the