openclaw - 💡(How to fix) Fix Docker: Automate base image digest updates and add stale image alerts [1 participants]

GitHub issue openclaw/openclaw#59735 · fetched 2026-04-08 02:41:11 · 0 comments · 1 participant

## Problem

The Dockerfile hardcodes Node image SHA256 digests for reproducible builds:

```dockerfile
ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
```

This creates a tension:

  • Pinning is good for reproducibility and supply chain security
  • Manual updates are error-prone and may lag behind security patches

## Current State

  • Dockerfile pins to specific digests (lines 10-15)
  • Dependabot is configured for Docker updates (.github/dependabot.yml:87-96)
  • No verification that Dependabot is actually proposing digest updates

## Proposed Solution

### Phase 1: Verify Dependabot Configuration

Confirm Dependabot is configured correctly for digest updates:

```yaml
# .github/dependabot.yml (existing)
- package-ecosystem: docker
  directory: /
  schedule:
    interval: weekly
  groups:
    docker-images:
      patterns:
        - "*"
  open-pull-requests-limit: 5
```

Add explicit configuration for digest updates if needed:

```yaml
- package-ecosystem: docker
  directory: /
  schedule:
    interval: weekly
  ignore:
    - dependency-name: "node"
      update-types: ["version-update:semver-major"]  # Only update patch/minor via digest
```

### Phase 2: Add Stale Digest Alert

Create `.github/workflows/docker-base-image-check.yml`:

```yaml
name: Check Docker Base Image Age
on:
  schedule:
    - cron: '0 9 * * 1'  # Weekly on Monday
  workflow_dispatch:

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Extract current digest
        id: current
        run: |
          # The Dockerfile pins the image as ARG OPENCLAW_NODE_BOOKWORM_IMAGE="<tag>@sha256:<digest>"
          IMAGE=$(grep '^ARG OPENCLAW_NODE_BOOKWORM_IMAGE=' Dockerfile | head -1 | cut -d'"' -f2)
          echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
          echo "digest=${IMAGE#*@}" >> "$GITHUB_OUTPUT"

      - name: Check image age
        id: check
        run: |
          # Query Docker Hub API for image creation date
          # Alert if >30 days old
          echo "Checking age of ${{ steps.current.outputs.digest }}"
          # ... implementation (must write "days_old=<n>" to "$GITHUB_OUTPUT" for the step below)

      - name: Create issue if stale
        if: steps.check.outputs.days_old > 30
        uses: actions/github-script@v7
        env:
          CURRENT_DIGEST: ${{ steps.current.outputs.digest }}
        with:
          script: |
            // Read the digest from env instead of interpolating ${{ }} into the script source
            github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: 'Docker base image is >30 days old',
              body: `Current digest: ${process.env.CURRENT_DIGEST}\nConsider updating to latest.`,
              labels: ['docker', 'maintenance']
            });
```
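The "Check image age" step is left as a stub in the workflow. The helpers below are an added example, not code from the issue or the openclaw repository: they extract the pinned reference from the Dockerfile, refuse an unpinned one, turn a `docker inspect`-style `.Created` timestamp into an age in days, and compare the pinned digest with the digest the tag currently resolves to (which `docker buildx imagetools inspect node:24-bookworm`, already used in Phase 3, reports), since age alone does not prove an update exists. They assume GNU `date` (as on `ubuntu-latest`) and use a constructed sample Dockerfile and constructed timestamps.

```shell
# Added example, not part of the openclaw repo. Assumes GNU date (ubuntu-latest).
set -eu

# Read the pinned reference out of an ARG line: ARG <name>="<tag>@sha256:<digest>"
extract_image_ref() {  # args: Dockerfile path, ARG name
  grep -E "^ARG[[:space:]]+$2=" "$1" | head -n 1 | cut -d'"' -f2
}

# Return the digest part of a reference; fail on a tag-only (unpinned) reference,
# because a silently unpinned base image is exactly what this check must catch.
digest_of() {
  case "$1" in
    *@sha256:[0-9a-f]*) printf '%s\n' "${1#*@}" ;;
    *) printf 'unpinned reference: %s\n' "$1" >&2; return 1 ;;
  esac
}

# RFC 3339 timestamp -> epoch seconds. docker inspect's .Created carries
# nanoseconds, which GNU date may reject, so the fraction is stripped first.
to_epoch() {
  date -u -d "$(printf '%s' "$1" | sed -E 's/\.[0-9]+Z?$/Z/')" +%s
}

# Whole days from $1 (created) to $2 (now).
days_between() {
  echo $(( ( $(to_epoch "$2") - $(to_epoch "$1") ) / 86400 ))
}

# Age alone is a weak signal: an old digest is fine if upstream has not rebuilt.
# Compare the pinned digest with what the tag resolves to today to know an update exists.
digest_is_current() {  # args: pinned digest, digest the tag currently resolves to
  [ "$1" = "$2" ]
}

# Constructed sample Dockerfile mirroring the ARG shape shown in the issue.
SAMPLE_DOCKERFILE=$(mktemp)
cat > "$SAMPLE_DOCKERFILE" <<'EOF'
ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS build
EOF

# Example run with a constructed created timestamp; in CI it would come from
# `docker inspect --format '{{.Created}}'` on the pinned reference.
sample_age() {
  ref=$(extract_image_ref "$SAMPLE_DOCKERFILE" OPENCLAW_NODE_BOOKWORM_IMAGE)
  digest_of "$ref" >/dev/null
  days_between "2026-03-01T00:00:00.123456789Z" "2026-04-08T00:00:00Z"
}
```

In the workflow, `echo "days_old=$(sample_age)" >> "$GITHUB_OUTPUT"` (with the real timestamp) is what feeds the `steps.check.outputs.days_old > 30` condition.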

### Phase 3: Document Update Process

Add to `docs/development/docker.md`:

````markdown
## Updating Base Images

To update the Node.js base image:

1. Check for newer digests:
   ```bash
   docker buildx imagetools inspect node:24-bookworm
   ```
2. Update `Dockerfile` with the new digest
3. Verify Dependabot will continue to propose updates
4. Run smoke tests:
   ```bash
   docker build -t openclaw . && docker run --rm openclaw --help
   ```
````

## Acceptance Criteria

- [ ] Verify Dependabot proposes digest updates for Docker
- [ ] Weekly CI job checks base image age
- [ ] Alert created when image >30 days old
- [ ] Documentation added for manual update process
- [ ] Update runbook in `docs/development/docker.md`

## References

- Current Dockerfile: `Dockerfile:10-15`
- Dependabot config: `.github/dependabot.yml:87-96`
- Docker image: `node:24-bookworm`

---

**Priority:** Medium
**Effort:** Low (1 day)
**Labels:** docker, security, automation
