feat: update openclaw action

Author: zhengkunwang223

.github/workflows/openclaw-release.yml

@@ -56,6 +56,9 @@ jobs:
           file: openclaw/Dockerfile
           platforms: ${{ github.event.inputs.platforms || 'linux/amd64,linux/arm64/v8' }}
           push: true
+          build-args: |
+            OPENCLAW_INSTALL_BROWSER=true
+            OPENCLAW_VERSION=${{ github.event.inputs.openclawTag }}
           tags: |
             1panel/openclaw:${{ github.event.inputs.dockerhubTag || github.event.inputs.openclawTag }}
           cache-from: type=gha
@@ -69,6 +72,9 @@ jobs:
           file: openclaw/Dockerfile
           platforms: ${{ github.event.inputs.platforms || 'linux/amd64,linux/arm64/v8' }}
           push: true
+          build-args: |
+            OPENCLAW_INSTALL_BROWSER=true
+            OPENCLAW_VERSION=${{ github.event.inputs.openclawTag }}
           tags: |
             1panel/openclaw:latest
           cache-from: type=gha

openclaw/Dockerfile

@@ -7,6 +7,7 @@ ENV PATH="/root/.bun/bin:${PATH}"
 RUN corepack enable
 
 WORKDIR /app
+RUN chown node:node /app
 
 ARG OPENCLAW_DOCKER_APT_PACKAGES=""
 RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \
@@ -16,23 +17,47 @@ RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \
       rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
     fi
 
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
-COPY ui/package.json ./ui/package.json
-COPY patches ./patches
-COPY scripts ./scripts
+COPY --chown=node:node package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
+COPY --chown=node:node ui/package.json ./ui/package.json
+COPY --chown=node:node patches ./patches
+COPY --chown=node:node scripts ./scripts
 
+USER node
 RUN pnpm install --frozen-lockfile
 
-COPY . .
+# Optionally install Chromium and Xvfb for browser automation.
+# Build with: docker build --build-arg OPENCLAW_INSTALL_BROWSER=1 ...
+# Adds ~300MB but eliminates the 60-90s Playwright install on every container start.
+# Must run after pnpm install so playwright-core is available in node_modules.
+USER root
+ARG OPENCLAW_INSTALL_BROWSER=""
+RUN if [ -n "$OPENCLAW_INSTALL_BROWSER" ]; then \
+      apt-get update && \
+      DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends xvfb && \
+      mkdir -p /home/node/.cache/ms-playwright && \
+      PLAYWRIGHT_BROWSERS_PATH=/home/node/.cache/ms-playwright \
+      node /app/node_modules/playwright-core/cli.js install --with-deps chromium && \
+      chown -R node:node /home/node/.cache/ms-playwright && \
+      apt-get clean && \
+      rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
+    fi
+
+USER node
+COPY --chown=node:node . .
 RUN pnpm build
 # Force pnpm for UI build (Bun may fail on ARM/Synology architectures)
 ENV OPENCLAW_PREFER_PNPM=1
 RUN pnpm ui:build
 
+ARG OPENCLAW_VERSION=""
+ENV OPENCLAW_VERSION=$OPENCLAW_VERSION
+ENV OPENCLAW_SERVICE_VERSION=$OPENCLAW_VERSION
+
 ENV NODE_ENV=production
 
 # ---- add openclaw command ----
 # Makes `openclaw ...` == `node /app/dist/index.js ...`
+USER root
 RUN printf '%s\n' \
   '#!/bin/sh' \
   'set -e' \
@@ -41,11 +66,15 @@ RUN printf '%s\n' \
   && chmod +x /usr/local/bin/openclaw
 # -----------------------------
 
-# Allow non-root user to write temp files during runtime/tests.
-RUN chown -R node:node /app
-
 # Security hardening: Run as non-root user
+# The node:22-bookworm image includes a 'node' user (uid 1000)
+# This reduces the attack surface by preventing container escape via root privileges
 USER node
 
 # Start gateway server with default config.
+# Binds to loopback (127.0.0.1) by default for security.
+#
+# For container platforms requiring external health checks:
+#   1. Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD env var
+#   2. Override CMD: ["node","openclaw.mjs","gateway","--allow-unconfigured","--bind","lan"]
 CMD ["openclaw", "gateway", "--allow-unconfigured"]