|
14 | 14 | # Slim (bookworm-slim): docker build --build-arg OPENCLAW_VARIANT=slim . |
15 | 15 | ARG OPENCLAW_EXTENSIONS="" |
16 | 16 | ARG OPENCLAW_VARIANT=default |
17 | | -ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:22-bookworm@sha256:b501c082306a4f528bc4038cbf2fbb58095d583d0419a259b2114b5ac53d12e9" |
18 | | -ARG OPENCLAW_NODE_BOOKWORM_DIGEST="sha256:b501c082306a4f528bc4038cbf2fbb58095d583d0419a259b2114b5ac53d12e9" |
19 | | -ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:22-bookworm-slim@sha256:9c2c405e3ff9b9afb2873232d24bb06367d649aa3e6259cbe314da59578e81e9" |
20 | | -ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:9c2c405e3ff9b9afb2873232d24bb06367d649aa3e6259cbe314da59578e81e9" |
| 17 | +ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b" |
| 18 | +ARG OPENCLAW_NODE_BOOKWORM_DIGEST="sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b" |
| 19 | +ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb" |
| 20 | +ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb" |
21 | 21 |
|
22 | 22 | # Base images are pinned to SHA256 digests for reproducible builds. |
23 | 23 | # Trade-off: digests must be updated manually when upstream tags move. |
24 | | -# To update, run: docker manifest inspect node:22-bookworm (or podman) |
| 24 | +# To update, run: docker buildx imagetools inspect node:24-bookworm (or podman) |
25 | 25 | # and replace the digest below with the current multi-arch manifest list entry. |
26 | 26 |
|
27 | 27 | FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS ext-deps |
@@ -91,12 +91,12 @@ RUN CI=true pnpm prune --prod && \ |
91 | 91 |
|
92 | 92 | FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS base-default |
93 | 93 | ARG OPENCLAW_NODE_BOOKWORM_DIGEST |
94 | | -LABEL org.opencontainers.image.base.name="docker.io/library/node:22-bookworm" \ |
| 94 | +LABEL org.opencontainers.image.base.name="docker.io/library/node:24-bookworm" \ |
95 | 95 | org.opencontainers.image.base.digest="${OPENCLAW_NODE_BOOKWORM_DIGEST}" |
96 | 96 |
|
97 | 97 | FROM ${OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE} AS base-slim |
98 | 98 | ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST |
99 | | -LABEL org.opencontainers.image.base.name="docker.io/library/node:22-bookworm-slim" \ |
| 99 | +LABEL org.opencontainers.image.base.name="docker.io/library/node:24-bookworm-slim" \ |
100 | 100 | org.opencontainers.image.base.digest="${OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST}" |
101 | 101 |
|
102 | 102 | FROM base-${OPENCLAW_VARIANT} |
@@ -213,7 +213,7 @@ RUN printf '%s\n' \ |
213 | 213 | ENV NODE_ENV=production |
214 | 214 |
|
215 | 215 | # Security hardening: Run as non-root user |
216 | | -# The node:22-bookworm image includes a 'node' user (uid 1000) |
| 216 | +# The node:24-bookworm image includes a 'node' user (uid 1000) |
217 | 217 | # This reduces the attack surface by preventing container escape via root privileges |
218 | 218 | USER node |
219 | 219 |
|
|
0 commit comments