Skip to content

v1.2.5+node24.14.1 — Node.js 24.14.1 and Max BuildKit Attestations

Choose a tag to compare

View all tags
@Amnoor Amnoor released this 02 Apr 14:31
· 12 commits to maintenance/v1+node24 since this release
Immutable release. Only release title and notes can be modified.
v1.2.5+node24.14.1
07eced2
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Runtime Node v1.2.5+node24.14.1

Secure, Distroless, Multi-Arch Node.js Runtime. Built from Scratch.

This is a patch release on the Node.js 24 maintenance line. The Node.js runtime remains 24.14.1, and the image composition, distroless guarantee, runtime defaults, and binary path are unchanged from v1.2.4+node24.14.1. This release grants the deployment workflow the OIDC permission required for signed BuildKit attestations and switches the multi-platform release build to explicit attests: entries with mode=max for both provenance and SBOM output.

Pull the Image

# Docker Hub — versioned (recommended for production)
docker pull runtimenode/runtime-node:v1.2.5-node24.14.1

# GitHub Container Registry — versioned (recommended for production)
docker pull ghcr.io/runtimes-node/runtime-node:v1.2.5-node24.14.1

Note: Docker registries normalize + to - in tag names. The canonical version tag is v1.2.5+node24.14.1 — the registry tag is v1.2.5-node24.14.1.

What's Included

Component Detail
Base FROM scratch — no OS, no shell
Node.js Version 24.14.1 (from node:24.14.1-alpine3.23)
NODE_ENV production (baked in)
TZ UTC (baked in)
Timezone Database IANA tzdata (/usr/share/zoneinfo)
CA Certificates Included (/etc/ssl/certs/)
DNS Resolution nsswitch.conf included
Runtime Libraries ld-musl, libstdc++, libgcc_s
/tmp Writable, sticky-bit 1777
Shell None
Package Manager None
Architectures linux/amd64, linux/arm64
Provenance & SBOM Attached to this release

What's New

  • Added id-token: write to the top-level permissions: block in .github/workflows/deployment.yml so the release workflow can mint the OIDC token required for signed BuildKit attestations.
  • Replaced provenance: true with attests: entry type=provenance,mode=max in the Build and push (multi-registry, multi-platform) step of .github/workflows/deployment.yml so provenance attestations are emitted with maximum detail.
  • Replaced sbom: true with attests: entry type=sbom,mode=max in the Build and push (multi-registry, multi-platform) step of .github/workflows/deployment.yml so SBOM attestations are emitted with maximum detail.
  • Kept the runtime image contents unchanged from v1.2.4+node24.14.1; there are no Dockerfile, dependency, or runtime behavior changes in this release.

Maintenance Line

This tag is published on the maintenance/v1+node24 branch. The v1.x.x+node24.x.x line receives minor and patch updates only — no major Node.js version changes will be made on this branch.

Versioning

Tags follow the pattern v<image_semver>+node<node_version>. The latest tag continues to track the newest overall release line and is not updated by this maintenance release.

Immutable Tag

This tag is immutable. Once published, v1.2.5+node24.14.1 will never be moved or overwritten on either registry.

Full Changelog

v1.2.4+node24.14.1...v1.2.5+node24.14.1

Assets 3
Loading
0 Join discussion