
























@@ -15,14 +15,14 @@
1515ARG OPENCLAW_EXTENSIONS=""
1616ARG OPENCLAW_VARIANT=default
1717ARG OPENCLAW_BUNDLED_PLUGIN_DIR=extensions
18-ARG OPENCLAW_DOCKER_APT_UPGRADE=1
1918ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
2019ARG OPENCLAW_NODE_BOOKWORM_DIGEST="sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
2120ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
2221ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
23222423# Base images are pinned to SHA256 digests for reproducible builds.
25-# Trade-off: digests must be updated manually when upstream tags move.
24+# Dependabot refreshes these blessed digests; release builds consume the
25+# reviewed base snapshot instead of mutating distro state on every build.
2626# To update, run: docker buildx imagetools inspect node:24-bookworm (or podman)
2727# and replace the digest below with the current multi-arch manifest list entry.
2828@@ -140,7 +140,6 @@ LABEL org.opencontainers.image.base.name="docker.io/library/node:24-bookworm-sli
140140FROM base-${OPENCLAW_VARIANT}
141141ARG OPENCLAW_VARIANT
142142ARG OPENCLAW_BUNDLED_PLUGIN_DIR
143-ARG OPENCLAW_DOCKER_APT_UPGRADE
144143145144# OCI base-image metadata for downstream image consumers.
146145# If you change these annotations, also update:
@@ -157,14 +156,9 @@ WORKDIR /app
157156158157# Install system utilities present in bookworm but missing in bookworm-slim.
159158# On the full bookworm image these are already installed (apt-get is a no-op).
160-# Smoke workflows can opt out of distro upgrades to cut repeated CI time while
161-# keeping the default runtime image behavior unchanged.
162159RUN --mount=type=cache,id=openclaw-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \
163160 --mount=type=cache,id=openclaw-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \
164161 apt-get update && \
165- if [ "${OPENCLAW_DOCKER_APT_UPGRADE}" != "0" ]; then \
166- DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends; \
167- fi && \
168162 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
169163 procps hostname curl git lsof openssl
170164此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。