fix(build): pin nodejs to TOOLS_NODE_VERSION in golang-adk-full Dockerfile#2139
Closed
jsonmp-k8 wants to merge 1 commit into
Closed
fix(build): pin nodejs to TOOLS_NODE_VERSION in golang-adk-full Dockerfile#2139jsonmp-k8 wants to merge 1 commit into
jsonmp-k8 wants to merge 1 commit into
Conversation
…rfile
The srt-builder and final stages install `nodejs` unpinned via `apk add`,
even though `TOOLS_NODE_VERSION=24` is threaded through as a build arg.
When Wolfi published nodejs-26.4.0-r1, arm64 builds started crashing with
`qemu: uncaught target signal 4 (Illegal instruction) - core dumped`
because the newer binary uses CPU instructions the docker/setup-qemu-action
version cannot emulate.
Pin nodejs to "nodejs~${TOOLS_NODE_VERSION}" to match the pattern already
used in ui/Dockerfile:13 and :50, so the version arg actually constrains
the installed package and Wolfi upgrades to a new major don't silently
break builds.
Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes arm64 cross-arch image build failures for golang-adk-full by preventing Wolfi apk from silently upgrading nodejs to a newer major version that QEMU cannot emulate during npm install.
Changes:
- Add
ARG TOOLS_NODE_VERSION=24to thesrt-builderand final runtime stages ingo/Dockerfile.full. - Pin
apk addto the Node major line via"nodejs~${TOOLS_NODE_VERSION}"in both stages to avoid major-version drift.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Author
|
Superseded — folded this commit into #2138 so the security fix and the infra fix land together (the security PR can't go green on its own without this pin). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the
qemu: uncaught target signal 4 (Illegal instruction)crash that has been breaking every arm64 image build on main since ~14:40 UTC on 2026-07-02.Root cause
go/Dockerfile.fullinstallsnodejsunpinned in two stages:TOOLS_NODE_VERSION=24is passed as a--build-argfrom the Makefile but is never actually referenced inside these Dockerfile stages. So when Wolfi publishednodejs-26.4.0-r1,apk add nodejssilently upgraded to a Node 26 binary whose arm64 instructions QEMU 10.2.3 (fromdocker/setup-qemu-action@v4) cannot emulate — every cross-arch build now crashes atDockerfile.full:35duringnpm install.Evidence this is drift, not something in a recent PR:
Fix
Match the pattern that
ui/Dockerfile(lines 13 and 50) already uses:"nodejs~${TOOLS_NODE_VERSION}", and declareARG TOOLS_NODE_VERSION=24in both stages that need it. The~operator is Wolfi's fuzzy version match — pins the major line but still allows patch updates withinnodejs-24.x.Changes
go/Dockerfile.fullARG TOOLS_NODE_VERSION=24tosrt-builderand final stages; replacenodejswith"nodejs~${TOOLS_NODE_VERSION}"in bothapk addcommandsTest plan
build (golang-adk-full)passes on arm64build (*)jobs (which were cascade-cancelling because of thefail-fastmatrix) pass again24.x, not26.x, in the resulting image