From d522e02fe47f63402f51826897ccb73b84261e0c Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Thu, 4 Jun 2026 01:06:20 -0700
Subject: [PATCH] fix(docker): qualify base image refs for podman short-name mode (#90058)
* fix(docker): qualify base image refs for podman short-name mode
Podman with short-name-mode=enforcing (the Fedora/RHEL default) blocked the build: `FROM oven/bun:1.3.13...` is an ambiguous short name with no alias, so Podman prompted interactively for a registry (the apparent "hang") or, headless, failed with "short-name resolution enforced but cannot prompt without a TTY". `node:*` only resolved because a `node` short-name alias ships in registries.conf.d. Fully-qualify the node and bun base images with docker.io/ so registry resolution is deterministic. Pinned digests are unchanged, so resolved image content is identical, and Docker/Buildx builds are unaffected. Also qualify the docker.io/ prefix in the digest-refresh maintenance comments so the documented update path matches the defaults and does not reintroduce the same short-name ambiguity for Podman users.
Co-Authored-By: Claude Opus 4.8 (1M context)
* test(docker): expect qualified base image refs
---------
Co-authored-by: Claude Opus 4.8 (1M context)
Co-authored-by: sallyom
---
 Dockerfile | 12 ++++++------
 src/dockerfile.test.ts | 7 +++++--
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a6aae74b50a7..00f40100671c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,18 +9,18 @@
 # Build stages use full bookworm; the runtime image is always bookworm-slim.
 ARG OPENCLAW_EXTENSIONS=""
 ARG OPENCLAW_BUNDLED_PLUGIN_DIR=extensions
-ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:8530f76a96d88820d288761f022e318970dda93d01536919fbc16076b7983e63"
-ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:242549cd46785b480c832479a730f4f2a20865d61ea2e404fdb2a5c3d3b73ecf"
+ARG OPENCLAW_NODE_BOOKWORM_IMAGE="docker.io/library/node:24-bookworm@sha256:8530f76a96d88820d288761f022e318970dda93d01536919fbc16076b7983e63"
+ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="docker.io/library/node:24-bookworm-slim@sha256:242549cd46785b480c832479a730f4f2a20865d61ea2e404fdb2a5c3d3b73ecf"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST="sha256:242549cd46785b480c832479a730f4f2a20865d61ea2e404fdb2a5c3d3b73ecf"
 # Keep in sync with .github/actions/setup-node-env/action.yml bun-version.
-# To update: docker buildx imagetools inspect oven/bun: and use the manifest-list digest.
-ARG OPENCLAW_BUN_IMAGE="oven/bun:1.3.13@sha256:87416c977a612a204eb54ab9f3927023c2a3c971f4f345a01da08ea6262ae30e"
+# To update: docker buildx imagetools inspect docker.io/oven/bun: and use the manifest-list digest.
+ARG OPENCLAW_BUN_IMAGE="docker.io/oven/bun:1.3.13@sha256:87416c977a612a204eb54ab9f3927023c2a3c971f4f345a01da08ea6262ae30e"
 # Base images are pinned to SHA256 digests for reproducible builds.
 # Dependabot refreshes these blessed digests; release builds consume the
 # reviewed base snapshot instead of mutating distro state on every build.
-# To update, run: docker buildx imagetools inspect node:24-bookworm and
-# node:24-bookworm-slim (or podman) and replace the digests below with the
+# To update, run: docker buildx imagetools inspect docker.io/library/node:24-bookworm and
+# docker.io/library/node:24-bookworm-slim (or podman) and replace the digests below with the
 # current multi-arch manifest list entries.
 FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS workspace-deps
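Review bot: The qualified, digest-pinned values are only `ARG` defaults, so a build run with `--build-arg OPENCLAW_NODE_BOOKWORM_IMAGE=node:24-bookworm` still hands `FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE}` an unpinned short name, and neither the registry nor the digest guarantee holds for that build. I would state the expectation next to the ARG block, for example `# Overrides passed with --build-arg must be fully qualified (registry/namespace/name) and should keep an @sha256 digest pin.` Separately, `OPENCLAW_NODE_BOOKWORM_SLIM_DIGEST` repeats the digest already embedded in `OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE`, and the update comment does not say the two must change together; naming both there would make drift less likely. The stages that consume these ARGs continue outside the hunk.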
diff --git a/src/dockerfile.test.ts b/src/dockerfile.test.ts
index bdaaa27a1e28..8dc1de38d6ff 100644
--- a/src/dockerfile.test.ts
+++ b/src/dockerfile.test.ts
@@ -31,10 +31,13 @@ describe("Dockerfile", () => {
 it("uses full bookworm for build stages and slim bookworm for runtime", async () => {
 const dockerfile = await readFile(dockerfilePath, "utf8");
 expect(dockerfile).toContain(
- 'ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:8530f76a96d88820d288761f022e318970dda93d01536919fbc16076b7983e63"',
+ 'ARG OPENCLAW_NODE_BOOKWORM_IMAGE="docker.io/library/node:24-bookworm@sha256:8530f76a96d88820d288761f022e318970dda93d01536919fbc16076b7983e63"',
 );
 expect(dockerfile).toContain(
- 'ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:242549cd46785b480c832479a730f4f2a20865d61ea2e404fdb2a5c3d3b73ecf"',
+ 'ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="docker.io/library/node:24-bookworm-slim@sha256:242549cd46785b480c832479a730f4f2a20865d61ea2e404fdb2a5c3d3b73ecf"',
+ );
+ expect(dockerfile).toContain(
+ 'ARG OPENCLAW_BUN_IMAGE="docker.io/oven/bun:1.3.13@sha256:87416c977a612a204eb54ab9f3927023c2a3c971f4f345a01da08ea6262ae30e"',
 );
 expect(dockerfile).toContain("FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS workspace-deps");
 expect(dockerfile).toContain("FROM ${OPENCLAW_NODE_BOOKWORM_IMAGE} AS build");
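Review bot: The three `toContain` expectations pin exact strings, so they confirm today's defaults but would not fail if a later base-image ARG were added with a short name or without a digest. A property check next to them would guard what the commit is about: collect every `ARG OPENCLAW_*_IMAGE="..."` default from the file and assert each value matches `/^docker\.io\/[^@\s]+@sha256:[0-9a-f]{64}$/`. The exact-string form also means every digest refresh in the Dockerfile has to be mirrored in this test; if that is meant as a review gate, a one-line comment saying so would help whoever handles the next refresh. The `it(...)` body continues past the end of the hunk.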