fix(openclaw): install gh CLI via apt repo (slim build was failing)#408
Merged
Conversation
Upstream's slim is the same OpenClaw npm package on a node:24-bookworm-slim base instead of node:24-bookworm. The OpenClaw runtime (gateway, plugins including openai-codex, schema) is identical between fat and slim — only the pre-installed Debian system utilities differ. Our extended-image Dockerfile already installs the apt layer we need (ffmpeg, jq, ripgrep, tmux, poppler-utils, curl, wget, ca-certificates, gnupg, git, etc.) so nothing the slim base drops bites us. Compressed image size delta vs the 2026.4.22 fat we just built: 2026.4.22 1163 MB 2026.4.25-slim 680 MB (-42%) Smaller image = faster ECR pull on Fargate cold start, which is the dominant component of the ~3 min container provision time. Slim is also the only variant upstream still publishes for stable .25 releases — fat (non-beta) was discontinued at .23. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…roke) The slim base from upstream alpine/openclaw (node:24-bookworm-slim) failed at the GitHub-CLI step: gzip: stdin: not in gzip format tar: Child returned status 1 tar: Error is not recoverable: exiting now curl's redirect from github.com/cli/cli/releases/download to release-assets.githubusercontent.com returned non-gzip data on the slim base — likely a glibc/curl/cipher diff vs the fat bookworm base where the pipe worked. The 1Password layer right above (also curl-driven, but direct repo) passed cleanly. Switching gh to the same apt-repo pattern 1Password uses removes the fragile pipe entirely and matches GitHub's own install instructions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 tasks
prez2307
added a commit
that referenced
this pull request
Apr 28, 2026
…71624b4 (#409) Verified in ECR: isol8/openclaw-extended:2026.4.25-slim-71624b4 digest sha256:0409487c9c3b9d2bdcf2f5386357c852aa3041abc7afd40be444e2381ee14e4a pushed 2026-04-27 23:42:31 EDT Built by build-openclaw-image run 25032408047 against main 71624b4 (the gh-via-apt fix from #408 on top of the 4.25-slim switch from #407 on top of the codex-auth env-var fix from #404). This unblocks the deploy chain — CDK has been failing every cycle since #404 because dev.tag pointed at the placeholder *-bootstrap value. Once this PR merges, deploy.yml will pull the new image and the per-user container task def will reference it on the next provision. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The slim-base build (introduced in #407) failed at Layer 3:
The
curl ... | tar xzpipe of the GitHub release tarball broke onnode:24-bookworm-slim— the redirect fromgithub.com/cli/cli/releases/downloadtorelease-assets.githubusercontent.comreturned non-gzip data. Worked fine on the fat base. Likely a glibc/curl/cipher diff between bookworm and bookworm-slim.Fix
Switched to the official GitHub CLI apt repo (same pattern 1Password uses in Layer 2 right above — that one worked fine on slim). Removes the fragile pipe entirely and matches GitHub's recommended install path.
Test plan
build-openclaw-imagesucceeds with the apt-repo gh install on the slim base🤖 Generated with Claude Code