Bump Docker to 29.6.1 and add INSTALL_DOCKER_TOOLING build arg#4535

Open
David-Uka wants to merge 1 commit into
actions:mainfrom
David-Uka:bump-docker-29.6.1-conditional-tooling

@David-Uka

Why

Grype flags Critical findings on ghcr.io/actions/actions-runner:latest. Two changes here address them:

  1. Bump DOCKER_VERSION 29.6.0 → 29.6.1. Clears Critical findings in the bundled docker CLI/daemon binaries (/usr/bin/docker, /usr/bin/dockerd, /usr/bin/docker-proxy): golang.org/x/crypto, golang.org/x/net, and Go stdlib findings tied to the Docker Go toolchain. docker-29.6.1 was released 2026-06-26.

  2. Add INSTALL_DOCKER_TOOLING build arg (default true). Many runner consumers — ARC users with a docker sidecar or host-socket pattern — don't need the in-image docker CLI, dockerd, containerd, runc, or buildx, yet they inherit every CVE in those binaries. Setting --build-arg INSTALL_DOCKER_TOOLING=false skips installing them. Default true preserves current behavior exactly. The target directories are still created in the build stage so the final-stage COPY steps succeed when the tooling is skipped.

Validation

Built locally for linux/arm64 with RUNNER_VERSION=2.335.1:

  • docker build --check — passes, no warnings.
  • Default (INSTALL_DOCKER_TOOLING=true) — builds successfully. Inside the image, both docker --version and dockerd --version report 29.6.1; the docker-buildx cli-plugin is present.
  • INSTALL_DOCKER_TOOLING=false — builds successfully. docker/dockerd/buildx are absent, the cli-plugins directory still exists (empty), and the runner itself (run.sh, config.sh) is intact.
  • Image size: default 1.83GB vs no-tooling 1.14GB (~690MB / ~38% smaller).

Notes / out of scope

  • BUILDX_VERSION is intentionally not bumped: 0.35.0 is the current latest release. The remaining buildx finding (github.com/docker/docker v28.5.2+incompatible, vendored in docker-buildx) can only clear once docker/buildx ships a release with updated vendored deps.
  • containerd-side findings (google.golang.org/grpc, go.opentelemetry.io/otel, Go stdlib in containerd) come from the upstream Docker static tarball and will clear when a future DOCKER_VERSION picks up a rebuilt containerd. Not addressable in this repo.
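Illustrative Dockerfile showing the build-arg gate the description above relies on. This is an added example, not the PR's diff or the actions/runner Dockerfile: the stage names, the /opt/docker-bin and /opt/docker-cli-plugins staging paths, and the ubuntu:24.04 base are assumptions; only the DOCKER_VERSION and BUILDX_VERSION values come from the page.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the project's Dockerfile); paths and base image are assumed.
ARG DOCKER_VERSION=29.6.1
ARG BUILDX_VERSION=0.35.0
# Default "true" keeps the current behaviour; pass
# --build-arg INSTALL_DOCKER_TOOLING=false to leave the tooling out.
ARG INSTALL_DOCKER_TOOLING=true

FROM ubuntu:24.04 AS build
ARG TARGETARCH
ARG DOCKER_VERSION
ARG BUILDX_VERSION
ARG INSTALL_DOCKER_TOOLING
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl \
    && rm -rf /var/lib/apt/lists/*

# Created unconditionally so the final stage's directory-level COPY steps
# succeed even when the directories stay empty (tooling skipped).
RUN mkdir -p /opt/docker-bin /opt/docker-cli-plugins

# Fetch the static Docker tarball (docker, dockerd, containerd, runc,
# docker-proxy, ...) and the buildx CLI plugin only when requested.
RUN if [ "$INSTALL_DOCKER_TOOLING" = "true" ]; then \
        case "$TARGETARCH" in \
            amd64) DOCKER_ARCH=x86_64 ;; \
            arm64) DOCKER_ARCH=aarch64 ;; \
            *) echo "unsupported TARGETARCH: $TARGETARCH" >&2; exit 1 ;; \
        esac \
        && curl -fsSLo docker.tgz \
            "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-${DOCKER_VERSION}.tgz" \
        && tar -xzf docker.tgz --strip-components=1 -C /opt/docker-bin \
        && rm docker.tgz \
        && curl -fsSLo /opt/docker-cli-plugins/docker-buildx \
            "https://github.com/docker/buildx/releases/download/v${BUILDX_VERSION}/buildx-v${BUILDX_VERSION}.linux-${TARGETARCH}" \
        && chmod +x /opt/docker-cli-plugins/docker-buildx ; \
    else \
        echo "INSTALL_DOCKER_TOOLING=${INSTALL_DOCKER_TOOLING}: skipping docker/buildx install" ; \
    fi

FROM ubuntu:24.04
# Copy by directory, not by file: a COPY of a single missing file
# (e.g. .../cli-plugins/docker-buildx) would fail the build when the
# tooling was skipped, whereas an empty directory copies cleanly.
COPY --from=build /opt/docker-bin/ /usr/bin/
COPY --from=build /opt/docker-cli-plugins/ /usr/local/lib/docker/cli-plugins/
```

With INSTALL_DOCKER_TOOLING=false the resulting image has no docker, dockerd or buildx binaries (and therefore none of their Go-module CVEs) while /usr/local/lib/docker/cli-plugins still exists, empty, matching the validation notes above.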

Bump DOCKER_VERSION from 29.6.0 to 29.6.1 to clear Critical CVEs in the
bundled docker CLI/daemon binaries (golang.org/x/crypto, golang.org/x/net,
and Go stdlib findings tied to the Docker Go toolchain).

Add an INSTALL_DOCKER_TOOLING build arg (default true, preserving current
behavior). Setting it to false skips installing the in-image docker CLI,
daemon, containerd, runc and buildx. Consumers running ARC with a docker
sidecar or host-socket pattern don't need these binaries and otherwise
inherit every CVE in them. The target directories are still created so the
final-stage COPY steps succeed when the tooling is skipped.
@David-Uka David-Uka requested a review from a team as a code owner June 30, 2026 23:51