Nyrest · Nyrest · May 13, 2026 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -17,8 +17,12 @@ env:
 
 jobs:
   build:
-    name: Build and push image
+    name: Build and push ${{ matrix.flavor }} image
     runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        flavor: [full, lite]
 
     steps:
       - name: Checkout
@@ -29,12 +33,31 @@ jobs:
         shell: bash
         run: |
           owner="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
-          date_tag="$(TZ=Asia/Shanghai date +'%Y%m%d')"
+          date_tag="$(date -u +'%Y%m%d')"
           short_sha="${GITHUB_SHA::7}"
+          image="ghcr.io/${owner}/${IMAGE_NAME}"
+          version_tag="${date_tag}-${short_sha}"
 
-          echo "image=ghcr.io/${owner}/${IMAGE_NAME}" >> "${GITHUB_OUTPUT}"
-          echo "tag=${date_tag}-${short_sha}" >> "${GITHUB_OUTPUT}"
-          echo "latest=latest" >> "${GITHUB_OUTPUT}"
+          if [ "${{ matrix.flavor }}" = "full" ]; then
+            stable_tags=$'latest\nfull'
+          else
+            stable_tags='lite'
+          fi
+
+          {
+            echo "image=${image}"
+            echo "version_tag=${version_tag}"
+            echo 'stable_tags<<EOF'
+            printf '%s\n' "${stable_tags}"
+            echo 'EOF'
+            echo 'push_tags<<EOF'
+            while IFS= read -r stable_tag; do
+              [ -n "${stable_tag}" ] || continue
+              printf '%s:%s\n' "${image}" "${stable_tag}"
+            done <<< "${stable_tags}"
+            printf '%s:%s-%s\n' "${image}" "${{ matrix.flavor }}" "${version_tag}"
+            echo 'EOF'
+          } >> "${GITHUB_OUTPUT}"
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -46,45 +69,47 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build for verification
+      - name: Build ${{ matrix.flavor }} image for verification
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
+          build-args: |
+            RUNTIME_FLAVOR=${{ matrix.flavor }}
           load: true
-          tags: ${{ steps.meta.outputs.image }}:verify
+          tags: ${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}
           labels: |
             org.opencontainers.image.title=${{ env.IMAGE_NAME }}
-            org.opencontainers.image.description=AI agent runtime optimized for general tasks
+            org.opencontainers.image.description=AI agent runtime optimized for general tasks (${{ matrix.flavor }})
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
             org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.meta.outputs.tag }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            org.opencontainers.image.version=${{ steps.meta.outputs.version_tag }}
+          cache-from: type=gha,scope=push-${{ matrix.flavor }}
+          cache-to: type=gha,mode=max,scope=push-${{ matrix.flavor }}
 
-      - name: Verify runtime
-        run: docker run --rm "${{ steps.meta.outputs.image }}:verify" verify-runtime
+      - name: Verify ${{ matrix.flavor }} runtime
+        run: docker run --rm "${{ steps.meta.outputs.image }}:verify-${{ matrix.flavor }}" verify-runtime
 
-      - name: Push verified image with attestations
+      - name: Push verified ${{ matrix.flavor }} image with attestations
         id: push
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
+          build-args: |
+            RUNTIME_FLAVOR=${{ matrix.flavor }}
           push: true
           provenance: mode=max
           sbom: true
-          tags: |
-            ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}
-            ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.latest }}
+          tags: ${{ steps.meta.outputs.push_tags }}
           labels: |
             org.opencontainers.image.title=${{ env.IMAGE_NAME }}
-            org.opencontainers.image.description=AI agent runtime optimized for general tasks
+            org.opencontainers.image.description=AI agent runtime optimized for general tasks (${{ matrix.flavor }})
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
             org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.meta.outputs.tag }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            org.opencontainers.image.version=${{ steps.meta.outputs.version_tag }}
+          cache-from: type=gha,scope=push-${{ matrix.flavor }}
+          cache-to: type=gha,mode=max,scope=push-${{ matrix.flavor }}
 
       - name: Install cosign
         uses: sigstore/cosign-installer@v3.8.1

diff --git a/.github/workflows/docker-verify.yml b/.github/workflows/docker-verify.yml
@@ -37,8 +37,12 @@ jobs:
           category: hadolint
 
   scan:
-    name: Build and scan image
+    name: Build and scan ${{ matrix.flavor }} image
     runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        flavor: [full, lite]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -51,25 +55,27 @@ jobs:
         with:
           context: .
           file: ./Dockerfile
+          build-args: |
+            RUNTIME_FLAVOR=${{ matrix.flavor }}
           load: true
-          tags: ${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          tags: ${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}-${{ matrix.flavor }}
+          cache-from: type=gha,scope=pr-${{ matrix.flavor }}
+          cache-to: type=gha,mode=max,scope=pr-${{ matrix.flavor }}
 
       - name: Verify runtime
-        run: docker run --rm "${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}" verify-runtime
+        run: docker run --rm "${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}-${{ matrix.flavor }}" verify-runtime
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@v0.36.0
         with:
-          image-ref: ${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}
+          image-ref: ${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}-${{ matrix.flavor }}
           format: sarif
-          output: trivy-results.sarif
+          output: trivy-results-${{ matrix.flavor }}.sarif
           severity: HIGH,CRITICAL
 
       - name: Upload Trivy results to GitHub Security
         if: always()
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: trivy-results.sarif
-          category: trivy
+          sarif_file: trivy-results-${{ matrix.flavor }}.sarif
+          category: trivy-${{ matrix.flavor }}
diff --git a/Dockerfile b/Dockerfile
@@ -8,13 +8,15 @@ ARG NODE_MAJOR=24
 ARG OXIPNG_VERSION=10.1.1
 ARG HADOLINT_VERSION=2.13.1
 ARG WEBSOCAT_VERSION=1.14.1
+ARG RUNTIME_FLAVOR=full
 ARG BUN_INSTALL=/opt/bun
 ARG UV_INSTALL_DIR=/usr/local/bin
 ARG UV_PYTHON_INSTALL_DIR=/opt/uv-python
 ARG PYTHON_VENV=/opt/python
 
 ENV LANG=en_US.UTF-8 \
     LANGUAGE=en_US:en \
+    ASTRUM_RUNTIME_FLAVOR=${RUNTIME_FLAVOR} \
     BUN_INSTALL=${BUN_INSTALL} \
     UV_INSTALL_DIR=${UV_INSTALL_DIR} \
     UV_PYTHON_INSTALL_DIR=${UV_PYTHON_INSTALL_DIR} \
@@ -52,157 +54,27 @@ RUN printf '%s\n' \
     && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list \
     && apt-get update \
-    && apt-get install -y --no-install-recommends \
-        nodejs \
-        git \
-        git-lfs \
-        gh \
-        build-essential \
-        cmake \
-        ninja-build \
-        pkg-config \
-        autoconf \
-        automake \
-        libtool \
-        make \
-        gcc \
-        g++ \
-        clang \
-        llvm \
-        golang-go \
-        gdb \
-        lldb \
-        strace \
-        file \
-        patch \
-        diffutils \
-        grep \
-        gawk \
-        findutils \
-        coreutils \
-        util-linux \
-        procps \
-        gettext-base \
-        moreutils \
-        expect \
-        shellcheck \
-        shfmt \
-        csvkit \
-        httpie \
-        jq \
-        yq \
-        ripgrep \
-        fd-find \
-        miller \
-        aria2 \
-        tmux \
-        rsync \
-        p7zip-full \
-        zip \
-        unzip \
-        xz-utils \
-        zstd \
-        tar \
-        gzip \
-        bzip2 \
-        unrar \
-        rclone \
-        openssh-client \
-        sshpass \
-        netcat-openbsd \
-        dnsutils \
-        iputils-ping \
-        iproute2 \
-        nmap \
-        tcpdump \
-        traceroute \
-        whois \
-        telnet \
-        socat \
-        less \
-        vim-tiny \
-        nano \
-        tree \
-        htop \
-        postgresql-client \
-        default-mysql-client \
-        redis-tools \
-        sqlite3 \
-        libreoffice \
-        libreoffice-writer \
-        libreoffice-calc \
-        libreoffice-impress \
-        libreoffice-java-common \
-        default-jre-headless \
-        pandoc \
-        fonts-noto-cjk \
-        fonts-noto-cjk-extra \
-        fonts-noto-color-emoji \
-        fonts-noto-core \
-        fonts-liberation \
-        fonts-dejavu \
-        fontconfig \
-        # LaTeX / academic paper compilation
-        latexmk \
-        biber \
-        chktex \
-        lacheck \
-        python3-pygments \
-        lmodern \
-        tex-gyre \
-        texlive-latex-base \
-        texlive-latex-recommended \
-        texlive-latex-extra \
-        texlive-luatex \
-        texlive-xetex \
-        texlive-fonts-recommended \
-        texlive-fonts-extra \
-        texlive-font-utils \
-        texlive-pictures \
-        texlive-pstricks \
-        texlive-science \
-        texlive-publishers \
-        texlive-bibtex-extra \
-        texlive-extra-utils \
-        texlive-lang-cjk \
-        texlive-lang-chinese \
-        texlive-lang-japanese \
-        fonts-cmu \
-        fonts-stix \
-        fonts-texgyre \
-        poppler-utils \
-        qpdf \
-        ghostscript \
-        ffmpeg \
-        imagemagick \
-        libimage-exiftool-perl \
-        libcairo2 \
-        libpango-1.0-0 \
-        libpangocairo-1.0-0 \
-        libatk1.0-0 \
-        libatk-bridge2.0-0 \
-        libnss3 \
-        libnspr4 \
-        libx11-6 \
-        libx11-xcb1 \
-        libxcb1 \
-        libxcomposite1 \
-        libxcursor1 \
-        libxdamage1 \
-        libxext6 \
-        libxfixes3 \
-        libxi6 \
-        libxrandr2 \
-        libxrender1 \
-        libxss1 \
-        libxtst6 \
-        libgbm1 \
-        libgtk-3-0 \
-        libdrm2 \
-        libasound2t64 \
-        libdbus-1-3 \
-        libatspi2.0-0 \
-        libxkbcommon0 \
+    && common_packages=( \
+        nodejs git git-lfs gh build-essential cmake ninja-build pkg-config autoconf automake libtool make gcc g++ clang llvm golang-go \
+        gdb lldb strace file patch diffutils grep gawk findutils coreutils util-linux procps gettext-base moreutils expect shellcheck \
+        shfmt csvkit httpie jq yq ripgrep fd-find miller aria2 tmux rsync p7zip-full zip unzip xz-utils zstd tar gzip bzip2 unrar rclone \
+        openssh-client sshpass netcat-openbsd dnsutils iputils-ping iproute2 nmap tcpdump traceroute whois telnet socat less vim-tiny nano \
+        tree htop postgresql-client default-mysql-client redis-tools sqlite3 pandoc poppler-utils qpdf ghostscript ffmpeg imagemagick \
+        libimage-exiftool-perl libcairo2 libpango-1.0-0 libpangocairo-1.0-0 libatk1.0-0 libatk-bridge2.0-0 libnss3 libnspr4 libx11-6 \
+        libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 \
+        libgbm1 libgtk-3-0 libdrm2 libasound2t64 libdbus-1-3 libatspi2.0-0 libxkbcommon0 \
+    ) \
+    && full_only_packages=( \
+        libreoffice libreoffice-writer libreoffice-calc libreoffice-impress libreoffice-java-common default-jre-headless \
+        fonts-noto-cjk fonts-noto-cjk-extra fonts-noto-color-emoji fonts-noto-core fonts-liberation fonts-dejavu fontconfig \
+        latexmk biber chktex lacheck python3-pygments lmodern tex-gyre texlive-latex-base texlive-latex-recommended texlive-latex-extra \
+        texlive-luatex texlive-xetex texlive-fonts-recommended texlive-fonts-extra texlive-font-utils texlive-pictures texlive-pstricks \
+        texlive-science texlive-publishers texlive-bibtex-extra texlive-extra-utils texlive-lang-cjk texlive-lang-chinese texlive-lang-japanese \
+        fonts-cmu fonts-stix fonts-texgyre \
+    ) \
+    && packages=( "${common_packages[@]}" ) \
+    && if [ "${RUNTIME_FLAVOR}" = "full" ]; then packages+=( "${full_only_packages[@]}" ); fi \
+    && apt-get install -y --no-install-recommends "${packages[@]}" \
     && git lfs install --system \
     && ln -sf /usr/bin/fdfind /usr/local/bin/fd \
     && apt-get clean \
@@ -327,7 +199,7 @@ RUN set -eux; \
 
 COPY verify-runtime.sh /usr/local/bin/verify-runtime
 RUN chmod +x /usr/local/bin/verify-runtime \
-    && fc-cache -f \
+    && if command -v fc-cache >/dev/null; then fc-cache -f; fi \
     && mkdir -p \
         /workspace \
         /output \