Bump Docker to 29.6.1 and add INSTALL_DOCKER_TOOLING build arg#4535
Open
David-Uka wants to merge 1 commit into
Bump DOCKER_VERSION from 29.6.0 to 29.6.1 to clear Critical CVEs in the bundled docker CLI/daemon binaries (golang.org/x/crypto, golang.org/x/net, and Go stdlib findings tied to the Docker Go toolchain). Add an INSTALL_DOCKER_TOOLING build arg (default true, preserving current behavior). Setting it to false skips installing the in-image docker CLI, daemon, containerd, runc and buildx. Consumers running ARC with a docker sidecar or host-socket pattern don't need these binaries and otherwise inherit every CVE in them. The target directories are still created so the final-stage COPY steps succeed when the tooling is skipped.
## Why

Grype flags Critical findings on `ghcr.io/actions/actions-runner:latest`. Two changes here address them:

1. Bump `DOCKER_VERSION` 29.6.0 → 29.6.1. Clears Critical findings in the bundled docker CLI/daemon binaries (`/usr/bin/docker`, `/usr/bin/dockerd`, `/usr/bin/docker-proxy`): `golang.org/x/crypto`, `golang.org/x/net`, and Go stdlib findings tied to the Docker Go toolchain. docker-29.6.1 was released 2026-06-26.

2. Add `INSTALL_DOCKER_TOOLING` build arg (default `true`). Many runner consumers — ARC users with a docker sidecar or host-socket pattern — don't need the in-image `docker` CLI, `dockerd`, `containerd`, `runc`, or `buildx`, yet they inherit every CVE in those binaries. Setting `--build-arg INSTALL_DOCKER_TOOLING=false` skips installing them. Default `true` preserves current behavior exactly. The target directories are still created in the build stage so the final-stage `COPY` steps succeed when the tooling is skipped.

## Validation

Built locally for `linux/arm64` with `RUNNER_VERSION=2.335.1`:

- `docker build --check` — passes, no warnings.
- Default (`INSTALL_DOCKER_TOOLING=true`) — builds successfully. Inside the image, both `docker --version` and `dockerd --version` report `29.6.1`; the `docker-buildx` cli-plugin is present.
- `INSTALL_DOCKER_TOOLING=false` — builds successfully. docker/dockerd/buildx are absent, the `cli-plugins` directory still exists (empty), and the runner itself (`run.sh`, `config.sh`) is intact.
- Image size: `1.83GB` vs no-tooling `1.14GB` (~690MB / ~38% smaller).

## Notes / out of scope

- `BUILDX_VERSION` is intentionally not bumped: `0.35.0` is the current latest release. The remaining buildx finding (`github.com/docker/docker v28.5.2+incompatible`, vendored in `docker-buildx`) can only clear once `docker/buildx` ships a release with updated vendored deps.
- The remaining `containerd` findings (`google.golang.org/grpc`, `go.opentelemetry.io/otel`, Go stdlib in `containerd`) come from the upstream Docker static tarball and will clear when a future `DOCKER_VERSION` picks up a rebuilt containerd. Not addressable in this repo.
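The conditional-install pattern the description outlines (build arg defaulting to `true`, tooling skipped when `false`, target directories created regardless so the final-stage `COPY` steps still resolve), written out as an added Dockerfile sketch. This is not the PR's diff and not the actions/runner Dockerfile; the base images, the `/out` staging paths, the `/usr/local/lib/docker/cli-plugins` destination and the download URLs are assumptions chosen for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Hypothetical reconstruction of the INSTALL_DOCKER_TOOLING pattern; NOT the
# actions/runner Dockerfile. Base images, /out staging paths, the cli-plugins
# destination and the download URLs are assumptions.
ARG DOCKER_VERSION=29.6.1
ARG BUILDX_VERSION=0.35.0
ARG INSTALL_DOCKER_TOOLING=true

FROM debian:bookworm-slim AS build
# ARGs declared before the first FROM are not visible in a stage unless
# re-declared here.
ARG DOCKER_VERSION
ARG BUILDX_VERSION
ARG INSTALL_DOCKER_TOOLING
ARG TARGETARCH
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*

# Create the target directories unconditionally: the final stage COPYs them
# in both modes, and with tooling disabled they are simply copied empty.
RUN mkdir -p /out/docker /out/cli-plugins

# Fetch the docker static bundle (docker, dockerd, docker-proxy, containerd,
# runc, ...) and the buildx CLI plugin only when the build arg is exactly
# "true". `set -e` makes a failed download fail the build instead of
# silently producing an image with missing binaries.
RUN set -eu; \
    if [ "$INSTALL_DOCKER_TOOLING" = "true" ]; then \
      case "$TARGETARCH" in \
        amd64) ARCH=x86_64 ;; \
        arm64) ARCH=aarch64 ;; \
        *) echo "unsupported TARGETARCH: $TARGETARCH" >&2; exit 1 ;; \
      esac; \
      curl -fsSL "https://download.docker.com/linux/static/stable/${ARCH}/docker-${DOCKER_VERSION}.tgz" \
        | tar -xz --strip-components=1 -C /out/docker; \
      curl -fsSL "https://github.com/docker/buildx/releases/download/v${BUILDX_VERSION}/buildx-v${BUILDX_VERSION}.linux-${TARGETARCH}" \
        -o /out/cli-plugins/docker-buildx; \
      chmod +x /out/cli-plugins/docker-buildx; \
    else \
      echo "INSTALL_DOCKER_TOOLING=${INSTALL_DOCKER_TOOLING}: skipping docker/dockerd/containerd/runc/buildx"; \
    fi

FROM ubuntu:24.04
# Both COPY steps succeed in either mode: with tooling they bring in the
# binaries and the buildx plugin; without it they copy two empty directories,
# so the cli-plugins directory exists (empty) and no binary is present.
COPY --from=build /out/docker/ /usr/bin/
COPY --from=build /out/cli-plugins/ /usr/local/lib/docker/cli-plugins/
```

To exercise both modes, build once with the default and once with `--build-arg INSTALL_DOCKER_TOOLING=false`, then run `docker --version` and `ls -ld /usr/local/lib/docker/cli-plugins` inside each image: the first should report the pinned version and list `docker-buildx`, the second should find no `docker` binary but still see the (empty) directory. Two design points worth noting: Dockerfile ARG values are plain strings, so the comparison is against the literal `true`, and values such as `1`, `True` or `yes` fall through to the skip branch rather than installing the tooling; and the conditional lives in one `RUN` with `set -e`, so a 404 on either download fails the build rather than leaving a half-populated `/out` that the final-stage `COPY` would happily accept.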