From e222030c78a9a36112b8b18c100a2aa3b05f6751 Mon Sep 17 00:00:00 2001
From: Jaison Paul
Date: Thu, 2 Jul 2026 11:50:02 -0400
Subject: [PATCH] fix(build): pin nodejs to TOOLS_NODE_VERSION in golang-adk-full Dockerfile
The srt-builder and final stages install `nodejs` unpinned via `apk add`, even though `TOOLS_NODE_VERSION=24` is threaded through as a build arg. When Wolfi published nodejs-26.4.0-r1, arm64 builds started crashing with `qemu: uncaught target signal 4 (Illegal instruction) - core dumped` because the newer binary uses CPU instructions the docker/setup-qemu-action version cannot emulate. Pin nodejs to "nodejs~${TOOLS_NODE_VERSION}" to match the pattern already used in ui/Dockerfile:13 and :50, so the version arg actually constrains the installed package and Wolfi upgrades to a new major don't silently break builds.
Signed-off-by: Jaison Paul
---
 go/Dockerfile.full | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/go/Dockerfile.full b/go/Dockerfile.full
index ca43787e3..db838bb95 100644
--- a/go/Dockerfile.full
+++ b/go/Dockerfile.full
@@ -24,10 +24,14 @@ RUN --mount=type=cache,target=/root/go/pkg/mod,rw \
 FROM $BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest AS srt-builder
 ARG TOOLS_PYTHON_VERSION=3.13
+ARG TOOLS_NODE_VERSION=24
+# Pin nodejs to the major version passed via TOOLS_NODE_VERSION. Without the pin, apk
+# silently drifts to whatever Wolfi publishes as `nodejs`, which broke arm64 builds when
+# nodejs-26 shipped instructions QEMU couldn't emulate.
 RUN --mount=type=cache,target=/var/cache/apk,rw \
 apk add --no-cache \
- bash git ca-certificates nodejs npm node-gyp bubblewrap python-${TOOLS_PYTHON_VERSION} libstdc++
+ bash git ca-certificates "nodejs~${TOOLS_NODE_VERSION}" npm node-gyp bubblewrap python-${TOOLS_PYTHON_VERSION} libstdc++
 # Keep the pinned sandbox-runtime revision, but replace its vulnerable locked package versions.
 # Both lodash-es and shell-quote are direct dependencies of sandbox-runtime, so pinning them
@@ -43,10 +47,11 @@ RUN --mount=type=cache,target=/root/.npm \
 FROM $BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest
 ARG TOOLS_PYTHON_VERSION=3.13
+ARG TOOLS_NODE_VERSION=24
 RUN --mount=type=cache,target=/var/cache/apk,rw \
 apk add --no-cache \
- bash ca-certificates curl nodejs bubblewrap socat python-${TOOLS_PYTHON_VERSION} ripgrep libstdc++
+ bash ca-certificates curl "nodejs~${TOOLS_NODE_VERSION}" bubblewrap socat python-${TOOLS_PYTHON_VERSION} ripgrep libstdc++
 RUN addgroup -g 1001 goagent && \
 adduser -u 1001 -G goagent -s /bin/bash -D goagent
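Review bot: The new `"nodejs~${TOOLS_NODE_VERSION}"` constraint in the srt-builder `apk add` bounds only the Node major, while the stage's `FROM …/wolfi-base:latest` and the `npm` and `node-gyp` entries on the same line still float, so a rebuild can still pick up new binaries in the way the added comment describes. The comment would help the next maintainer more if it stated the scope of the pin, for example `# "~" is a fuzzy match: 24.x updates still flow in (wanted for security fixes); only a new major is blocked.` Pinning the base image by digest would be the next step toward reproducible builds, though that goes beyond what this commit sets out to do.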
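Review bot: The default `24` is now written twice, once in srt-builder and once in this final stage, and nothing keeps the two in step. srt-builder installs `node-gyp`, so if native addons built there are copied into this stage (the copy step is not visible in the hunk), a Node major mismatch between the stages would presumably surface only at runtime. Declaring `ARG TOOLS_NODE_VERSION=24` once above the first `FROM` and keeping a bare `ARG TOOLS_NODE_VERSION` in each stage would give a single default; the top of the file is outside this diff, so check that against how `TOOLS_PYTHON_VERSION` is handled. Failing that, a short comment on this line such as `# Keep in sync with the srt-builder stage default.` would record the dependency.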