From c2e665268da5bf34dd85b31e1a389a568a81b510 Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Mon, 18 May 2026 07:26:37 +0200
Subject: [PATCH 1/4] Tighten Dockerfile: pinning, certs, GPG hygiene
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The base image is pinned to a specific Ubuntu noble tag so that builds are reproducible from day to day. The previous apt-get upgrade -y step undid that by pulling in whatever happened to be current in the Ubuntu archive at build time, so the pin only controlled the starting point and not the result. Drop the upgrade and let rebases of the base tag be the explicit signal that we want to take in updated packages. ca-certificates was grouped with the build-time tools and removed by the final apt-get purge --auto-remove, leaving the resulting image without a system CA bundle. Anything downstream that talks HTTPS (the npm registry, sitespeed's own network probes) would either have to reinstall it or fall back to Node's bundled certs. Install ca-certificates separately so it survives the purge. GPG was run against the default home, which writes keys and an agent socket into /root/.gnupg and leaves them in the final layer. Move GnuPG to a temporary GNUPGHOME, stop the agent, and remove the directory once verification is done so no keyring material ships in the image. Finally, the original line continuation between PLATFORM= and buildDeps= was missing an &&. It happened to work because export accepts several name=value pairs, but the intent was a chained command sequence — add the && so the structure matches what's actually meant.
Co-authored-by: Claude Opus 4.7 (1M context) noreply@anthropic.com
---
Dockerfile | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9e87171..6f11370 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,12 +9,13 @@ ENV NPM_CONFIG_LOGLEVEL=info
 ENV NODE_VERSION=24.14.0
 RUN export PLATFORM=$(if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then echo "x64"; else echo "arm64"; fi) \
- buildDeps='xz-utils curl ca-certificates gnupg2 lsb-release dirmngr' \
+ && buildDeps='xz-utils curl gnupg2 lsb-release dirmngr' \
 && set -x \
- && apt-get update && apt-get upgrade -y && apt-get install -y $buildDeps --no-install-recommends \
+ && apt-get update && apt-get install -y --no-install-recommends ca-certificates $buildDeps \
 && rm -rf /var/lib/apt/lists/* \
 # gpg keys listed at https://github.com/nodejs/node#release-keys
 && set -ex \
+ && export GNUPGHOME="$(mktemp -d)" \
 && for key in \
 4ED778F539E3634C779C87C6D7062848A1AB005C \
 141F07595B7B3FFE74309A937405533BE57C7D57 \
@@ -36,6 +37,8 @@ RUN export PLATFORM=$(if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then echo "x64"
 && grep " node-v$NODE_VERSION-linux-$PLATFORM.tar.xz\$" SHASUMS256.txt | sha256sum -c - \
 && tar -xJf "node-v$NODE_VERSION-linux-$PLATFORM.tar.xz" -C /usr/local --strip-components=1 \
 && rm "node-v$NODE_VERSION-linux-$PLATFORM.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \
+ && { gpgconf --kill all || true; } \
+ && rm -rf "$GNUPGHOME" \
 && apt-get purge -y --auto-remove $buildDeps \
 && ln -s /usr/local/bin/node /usr/local/bin/nodejs
From 07c10e670f8ecf97876db26dc95a884690a49979 Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Mon, 18 May 2026 07:38:31 +0200
Subject: [PATCH 2/4] Bump ubuntu and nodejs
---
Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6f11370..39df92c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:noble-20260210.1
+FROM ubuntu:noble-20260410
 ARG TARGETPLATFORM
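Review bot: `&& export GNUPGHOME="$(mktemp -d)" \` hides a failed `mktemp`, because the status of that line is the status of `export`, not of the command substitution, so the `&&` chain carries on; gpg appears to treat an empty GNUPGHOME as unset and would fall back to /root/.gnupg, which is exactly what this patch sets out to avoid, and the build would only break much later at the `rm -rf "$GNUPGHOME"` step. A plain assignment reports the substitution's exit status under POSIX sh, so split it: `&& GNUPGHOME="$(mktemp -d)" && export GNUPGHOME \`. The install line would also benefit from a comment recording why ca-certificates sits outside buildDeps, since that reasoning currently lives only in the commit message: `# ca-certificates is deliberately not in buildDeps: it must survive the apt-get purge below`. The RUN instruction this hunk edits continues past the end of the hunk.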
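Review bot: `&& rm -rf "$GNUPGHOME" \` in the second hunk has no guard against the variable being empty or unset; it is assigned some twenty lines earlier in the same RUN, and a future edit that drops or moves that assignment would turn this into `rm -rf ""`, which fails with a confusing error rather than pointing at the real problem. Make the precondition explicit with `&& rm -rf "${GNUPGHOME:?}" \`, so the shell aborts with a named variable if it is ever empty. The `{ gpgconf --kill all || true; }` wrapper is a reasonable best-effort shutdown of gpg-agent and dirmngr, but a short comment would spare the next reader the question of whether a failure there matters: `# stop gpg-agent/dirmngr before removing the temp keyring; failure is harmless`. The surrounding RUN continues on both sides of this hunk.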
@@ -6,7 +6,7 @@ ARG TARGETPLATFORM
 # gpg keys listed at https://github.com/nodejs/node#release-team
 ENV NPM_CONFIG_LOGLEVEL=info
-ENV NODE_VERSION=24.14.0
+ENV NODE_VERSION=24.15.0
 RUN export PLATFORM=$(if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then echo "x64"; else echo "arm64"; fi) \
 && buildDeps='xz-utils curl gnupg2 lsb-release dirmngr' \
From 8d5ba459cd2bb493a20e4238fdd099266668268c Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Mon, 18 May 2026 07:58:04 +0200
Subject: [PATCH 3/4] Add an extra build test
---
.github/workflows/build.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..770f2d6
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,19 @@
+name: Build the docker container
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-24.04
+ if: ${{ !contains(github.event.head_commit.message, 'docs:') }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Build an image from Dockerfile
+ run: |
+ docker buildx install
+ docker buildx build --load --platform linux/amd64 -t docker.io/sitespeedio/node:${{ github.sha }} .
\ No newline at end of file
From ad1fd2d30d8ffe9801d9595ac1e082537282a73e Mon Sep 17 00:00:00 2001
From: Peter Hedenskog
Date: Mon, 18 May 2026 08:05:18 +0200
Subject: [PATCH 4/4] bump
---
Dockerfile | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 39df92c..0479fc5 100644
--- a/Dockerfile
+++ b/Dockerfile
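Review bot: The new build.yml sets no `permissions:` key, so the job runs with whatever default GITHUB_TOKEN scope the repository grants, although the only thing it does with the token is check out the source; add a top-level `permissions: {contents: read}` so the workflow is pinned to least privilege regardless of repository settings. The `if:` guard reads `github.event.head_commit.message`, which is present on push payloads but, as far as I can tell, not on pull_request ones, where the expression evaluates empty and the guard simply passes; that is the intended outcome, but a comment on that line would make it deliberate rather than incidental. The job builds the image and stops, so a broken extraction or symlink inside the Dockerfile would still produce a green run; one extra line after the build, `docker run --rm docker.io/sitespeedio/node:${{ github.sha }} node --version`, would turn this into the smoke test the commit title promises. The file also lacks a trailing newline.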
@@ -17,16 +17,14 @@ RUN export PLATFORM=$(if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then echo "x64"
 && set -ex \
 && export GNUPGHOME="$(mktemp -d)" \
 && for key in \
- 4ED778F539E3634C779C87C6D7062848A1AB005C \
- 141F07595B7B3FFE74309A937405533BE57C7D57 \
- 74F12602B6F1C4E913FAA37AD3A89613643B6201 \
- 61FC681DFB92A079F1685E77973F295594EC4689 \
+ 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \
+ DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \
+ CC68F5A3106FF448322E48ED27F5E38D5B0A215F \
 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
- C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \
 C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
- CC68F5A3106FF448322E48ED27F5E38D5B0A215F \
+ A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
 gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
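Review bot: This hunk removes five release-signing fingerprints, adds three new ones and moves one, under a commit message that says only "bump", so a reviewer has nothing to check the new trust set against except the upstream page named in the comment just above the hunk. Record the provenance either in the commit message (which revision or date of the upstream release-keys list these were copied from) or as a comment on the `&& for key in \` line, e.g. `# fingerprints copied from https://github.com/nodejs/node#release-keys; re-compare on every update`. These fingerprints together with the sha256sum check are the only gate between the build and a tampered tarball, so the three added entries should be confirmed against that upstream list before merging rather than taken on faith from the diff. The RUN instruction and the gpg loop both continue outside the hunk.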