Skip to content

v2.1.6+node25.8.2 — Node.js 25.8.2 and Max BuildKit Attestations

Choose a tag to compare

View all tags
@Amnoor Amnoor released this 02 Apr 12:29
· 10 commits to maintenance/v2+node25 since this release
Immutable release. Only release title and notes can be modified.
v2.1.6+node25.8.2
1f30b82
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Runtime Node v2.1.6+node25.8.2

Secure, Distroless, Multi-Arch Node.js Runtime. Built from Scratch.

This is a patch release on the Node.js 25 maintenance line. The Node.js runtime remains 25.8.2, and the image composition, distroless guarantee, runtime defaults, and binary path are unchanged from v2.1.5+node25.8.2. This release grants the deployment workflow the OIDC permission required for signed BuildKit attestations and switches the multi-platform release build to explicit attests: entries with mode=max for both provenance and SBOM output.

Pull the Image

# Docker Hub — versioned (recommended for production)
docker pull runtimenode/runtime-node:v2.1.6-node25.8.2

# GitHub Container Registry — versioned (recommended for production)
docker pull ghcr.io/runtimes-node/runtime-node:v2.1.6-node25.8.2

Note: Docker registries normalize + to - in tag names. The canonical version tag is v2.1.6+node25.8.2 — the registry tag is v2.1.6-node25.8.2.

What's Included

Component Detail
Base FROM scratch — no OS, no shell
Node.js Version 25.8.2 (from node:25.8.2-alpine3.23)
NODE_ENV production (baked in)
TZ UTC (baked in)
Timezone Database IANA tzdata (/usr/share/zoneinfo)
CA Certificates Included (/etc/ssl/certs/)
DNS Resolution nsswitch.conf included
Runtime Libraries ld-musl, libstdc++, libgcc_s
/tmp Writable, sticky-bit 1777
Shell None
Package Manager None
Architectures linux/amd64, linux/arm64
Provenance & SBOM Attached to this release

What's New

  • Added id-token: write to the top-level permissions: block in .github/workflows/deployment.yml so the release workflow can mint the OIDC token required for signed BuildKit attestations.
  • Replaced provenance: true with attests: entry type=provenance,mode=max in the Build and push (multi-registry, multi-platform) step of .github/workflows/deployment.yml so provenance attestations are emitted with maximum detail.
  • Replaced sbom: true with attests: entry type=sbom,mode=max in the Build and push (multi-registry, multi-platform) step of .github/workflows/deployment.yml so SBOM attestations are emitted with maximum detail.
  • Kept the runtime image contents unchanged from v2.1.5+node25.8.2; there are no Dockerfile, dependency, or runtime behavior changes in this release.

Maintenance Line

This tag is published on the maintenance/v2+node25 branch. The v2.x.x+node25.x.x line receives minor and patch updates only — no major Node.js version changes will be made on this branch.

Versioning

Tags follow the pattern v<image_semver>+node<node_version>. GitHub marks this release as the latest published release as of April 2, 2026.

Immutable Tag

This tag is immutable. Once published, v2.1.6+node25.8.2 will never be moved or overwritten on either registry.

Full Changelog

v2.1.5+node25.8.2...v2.1.6+node25.8.2

Assets 3
Loading
0 Join discussion