From fd0700a5727da6d18e20ff6bbf5e37dd4140803a Mon Sep 17 00:00:00 2001 From: Navid EMAD Date: Fri, 15 May 2026 23:45:06 +0200 Subject: [PATCH] dockerfile: fix curl|sh pipefail; trim builder stage - Download rustup to a file then execute, so a failed curl is not masked by sh's exit code under /bin/sh (no pipefail). - Add --no-install-recommends and apt-list cleanup to both apt stages (stage 0 drops from 156 to 116 packages, 1144 MB to 605 MB). - Add --retry 3 --retry-delay 2 to all 4 external downloads. - Use git clone --depth 1 (28 MB to 9.6 MB working tree). - Drop -v from tar for minisign and zig extractions (log noise only). Final shipped image is unchanged; the wins live in the builder stage and build-cache footprint. --- Dockerfile | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index 33c583b0..24a99071 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,20 +7,25 @@ ARG ZIG_V8=v0.4.5 ARG TARGETPLATFORM RUN apt-get update -yq && \ - apt-get install -yq xz-utils ca-certificates \ + apt-get install -yq --no-install-recommends xz-utils ca-certificates \ pkg-config libglib2.0-dev \ - clang make curl git + clang make curl git && \ + rm -rf /var/lib/apt/lists/* # Get Rust -RUN curl https://sh.rustup.rs -sSf | sh -s -- --profile minimal -y +# Download then execute (rather than `curl | sh`) so a failed download is not +# masked by sh's exit code under /bin/sh, which has no pipefail. +RUN curl --fail -sSL --retry 3 --retry-delay 2 -o /tmp/rustup.sh https://sh.rustup.rs && \ + sh /tmp/rustup.sh --profile minimal -y && \ + rm /tmp/rustup.sh ENV PATH="/root/.cargo/bin:${PATH}" # install minisig -RUN curl --fail -L -O https://github.com/jedisct1/minisign/releases/download/${MINISIG}/minisign-${MINISIG}-linux.tar.gz && \ - tar xvzf minisign-${MINISIG}-linux.tar.gz -C / +RUN curl --fail -L --retry 3 --retry-delay 2 -O https://github.com/jedisct1/minisign/releases/download/${MINISIG}/minisign-${MINISIG}-linux.tar.gz && \ + tar xzf minisign-${MINISIG}-linux.tar.gz -C / # clone lightpanda -RUN git clone https://github.com/lightpanda-io/browser.git +RUN git clone --depth 1 https://github.com/lightpanda-io/browser.git WORKDIR /browser # install zig @@ -29,10 +34,10 @@ RUN ZIG=$(grep '\.minimum_zig_version = "' "build.zig.zon" | cut -d'"' -f2) && \ "linux/arm64") ARCH="aarch64" ;; \ *) ARCH="x86_64" ;; \ esac && \ - curl --fail -L -O https://ziglang.org/download/${ZIG}/zig-${ARCH}-linux-${ZIG}.tar.xz && \ - curl --fail -L -O https://ziglang.org/download/${ZIG}/zig-${ARCH}-linux-${ZIG}.tar.xz.minisig && \ + curl --fail -L --retry 3 --retry-delay 2 -O https://ziglang.org/download/${ZIG}/zig-${ARCH}-linux-${ZIG}.tar.xz && \ + curl --fail -L --retry 3 --retry-delay 2 -O https://ziglang.org/download/${ZIG}/zig-${ARCH}-linux-${ZIG}.tar.xz.minisig && \ /minisign-linux/${ARCH}/minisign -Vm zig-${ARCH}-linux-${ZIG}.tar.xz -P ${ZIG_MINISIG} && \ - tar xvf zig-${ARCH}-linux-${ZIG}.tar.xz && \ + tar xf zig-${ARCH}-linux-${ZIG}.tar.xz && \ mv zig-${ARCH}-linux-${ZIG} /usr/local/lib && \ ln -s /usr/local/lib/zig-${ARCH}-linux-${ZIG}/zig /usr/local/bin/zig @@ -41,7 +46,7 @@ RUN case $TARGETPLATFORM in \ "linux/arm64") ARCH="aarch64" ;; \ *) ARCH="x86_64" ;; \ esac && \ - curl --fail -L -o libc_v8.a https://github.com/lightpanda-io/zig-v8-fork/releases/download/${ZIG_V8}/libc_v8_${V8}_linux_${ARCH}.a && \ + curl --fail -L --retry 3 --retry-delay 2 -o libc_v8.a https://github.com/lightpanda-io/zig-v8-fork/releases/download/${ZIG_V8}/libc_v8_${V8}_linux_${ARCH}.a && \ mkdir -p v8/ && \ mv libc_v8.a v8/libc_v8.a @@ -58,7 +63,8 @@ RUN zig build -Doptimize=ReleaseFast \ FROM debian:stable-slim RUN apt-get update -yq && \ - apt-get install -yq tini + apt-get install -yq --no-install-recommends tini && \ + rm -rf /var/lib/apt/lists/* FROM debian:stable-slim