Refactor Dockerfile for improved dependency management #4621

Closed
ga-it wants to merge 0 commits into openclaw:main from ga-it:main

ga-it commented Jan 30, 2026

Updated Dockerfile to install dependencies and set up environment for pnpm and Bun. Adjusted user permissions and added Homebrew installation.

Hi maintainers,

This PR amends the Dockerfile to make OpenClaw skill installation reliable across Linux platforms and to address recent Go toolchain requirements.

Summary of changes

Replace Debian golang-go with upstream Go tarball (pinned)
Some skills (e.g., blogwatcher) declare go 1.24.0 in go.mod. Debian Bookworm’s golang-go lags and fails with invalid go version '1.24.0'. The Dockerfile now installs Go from the official upstream tarball, pinned via GO_VERSION, and selects the correct archive using dpkg --print-architecture (supports amd64 and arm64).

Ensure tool discovery for skill installers
Adds stable shims:

  • brew → /usr/local/bin/brew
  • bun/bunx → /usr/local/bin/bun and /usr/local/bin/bunx

This addresses cases where installers/subprocesses run with a sanitised PATH and incorrectly report “brew not installed” / “go not installed”.

Keep pnpm deterministic via Corepack (enabled as root)
corepack enable must run as root to create /usr/local/bin/pnpm symlinks. Global pnpm bin directory is configured to a stable location (/usr/local/share/pnpm).

Motivation / background

During openclaw-cli onboard, several skills failed with:

  • go.mod:3: invalid go version '1.24.0' (Go too old)
  • “brew not installed” (brew present but not discoverable by installer environment)

This PR makes the image resilient by:

  • providing the required Go toolchain version; and
  • ensuring brew/bun are discoverable even when PATH is restricted.

Testing

Built and ran onboarding successfully on Linux:

  • docker build -t openclaw:local .
  • docker compose run --rm openclaw-cli onboard --no-install-daemon

Verified:

  • go version reports go1.24.0
  • brew --version, bun -v, pnpm -v available in the container

Notes

Go is pinned for reproducibility (ARG GO_VERSION=1.24.0).

The arch-selection is portable across amd64 and arm64.

Happy to adjust version pinning strategy (e.g., default to latest patch of 1.24.x) if preferred.

Thanks.

Greptile Overview

Greptile Summary

This PR refactors the Dockerfile to make toolchain/skill installation more reliable across Linux by:

  • Installing system dependencies up-front and switching from Debian golang-go to an upstream, pinned Go tarball (arch-aware for amd64/arm64).
  • Enabling pnpm via corepack, installing Bun into a stable prefix, and adding /usr/local/bin shims for bun/bunx.
  • Installing Homebrew under the Linux prefix and adding a /usr/local/bin/brew shim, plus PATH updates.
  • Switching to COPY --chown=node:node and running most installs/build steps as the non-root node user.

Overall this fits the repo’s “containerized CLI + skill installers” workflow by ensuring go, brew, and bun remain discoverable even when subprocess PATH is sanitized.

Confidence Score: 4/5

  • This PR looks safe to merge and improves toolchain reliability, with minor reproducibility/compat concerns to consider.
  • The Dockerfile changes are straightforward and primarily adjust installation order, user permissions, and toolchain sources. Main concerns are non-deterministic installs (pnpm@latest, Bun installer, Homebrew installer from HEAD) and potential downstream breakage from removing the optional apt-packages build ARG; these are unlikely to break core functionality immediately but can cause flaky rebuilds over time.
  • Dockerfile (reproducibility of pnpm/Bun/Homebrew installs; whether OPENCLAW_DOCKER_APT_PACKAGES should be preserved)

openclaw-barnacle bot added the docker (Docker and sandbox tooling) label Jan 30, 2026

greptile-apps bot (Contributor) left a comment

1 file reviewed, 4 comments

Dockerfile Outdated
# ----------------------------
# pnpm via corepack (must be root to link into /usr/local/bin)
# ----------------------------
RUN corepack enable && corepack prepare pnpm@latest --activate
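
Review bot: `pnpm@latest` in the `corepack prepare` line is resolved at build time while the step runs as root, so whatever the registry serves on the day of the build is linked into /usr/local/bin with no version or hash recorded in the repository. Pin it to an exact release, ideally the `packageManager` value from package.json, which can carry a version plus an integrity hash, so the build checks what it activates.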

[P1] pnpm version is no longer deterministic

This switches to corepack prepare pnpm@latest --activate, which makes the Docker build non-reproducible (and can break unexpectedly when pnpm publishes a new major). If you want determinism similar to the pinned Go version, consider pinning to a specific pnpm version (or to the version declared in packageManager in package.json) instead of latest.

Dockerfile Outdated
Comment on lines +63 to +66
RUN set -eux; \
/bin/bash -lc "curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash"; \
test -f "${HOMEBREW_PREFIX}/Homebrew/Library/Homebrew/brew.sh"; \
ln -sfn "${HOMEBREW_PREFIX}/Homebrew/Library" "${HOMEBREW_PREFIX}/Library"; \
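
Review bot: The `curl -fsSL .../HEAD/install.sh | /bin/bash` line executes a script from a mutable ref with no integrity check, and the `test -f` that follows only confirms that brew.sh exists afterwards, not that the expected installer was the one that ran. Fetch the script from a commit-pinned URL into a file, compare it against a SHA-256 recorded in the Dockerfile, and run it only when the digest matches.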

[P1] Homebrew install is unpinned and reduces Docker layer caching

Using https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh means the Docker build can change over time and may break if the installer script changes. If reproducibility is a goal (as with GO_VERSION), consider pinning the installer to a specific commit/tag (or vendoring a known-good script) so rebuilds are stable.

Dockerfile Outdated
Comment on lines +49 to +53
RUN curl -fsSL https://bun.sh/install | bash

USER root
RUN ln -sf /opt/bun/bin/bun /usr/local/bin/bun && \
ln -sf /opt/bun/bin/bunx /usr/local/bin/bunx
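
Review bot: `USER root` on the third line of this hunk is not followed by a switch back within the visible lines, so confirm that a `USER node` precedes the later build steps and the final command; otherwise everything after the symlinks runs as root. The `curl -fsSL https://bun.sh/install | bash` line above it also runs an unverified download: fetch a specific release artifact, check its SHA-256, then install.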

[P2] Bun install is unpinned and uses a curl|bash installer

curl -fsSL https://bun.sh/install | bash installs whatever version is current at build time, which can make builds flaky over time. If you’re pinning Go for reproducibility, it may be worth pinning Bun too (e.g. via an env/version arg supported by the installer or by downloading a specific release artifact) to keep the container deterministic.

Dockerfile Outdated
Comment on lines +7 to +10
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
ca-certificates curl git bash build-essential procps file xz-utils && \
apt-get clean && rm -rf /var/lib/apt/lists/*

[P2] apt-get install no longer uses the optional OPENCLAW_DOCKER_APT_PACKAGES hook

The previous Dockerfile supported ARG OPENCLAW_DOCKER_APT_PACKAGES to inject extra OS packages at build time. This PR removes that hook entirely, which may be a breaking change for downstream users relying on it. If that hook is still intended, consider reintroducing the ARG and appending it to the apt-get install list.
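
The pin-and-verify pattern behind the Go tarball change in the PR description and the pinning requests in the review comments above, as an added shell example that is not code from this PR or from the OpenClaw Dockerfile. The function names and `GO_SHA256` are hypothetical; the digest would be copied from the official Go downloads page for the pinned version.

```shell
#!/bin/sh
# Added example, not the PR's Dockerfile. Function names and GO_SHA256 are
# hypothetical; GO_VERSION mirrors the PR's build ARG.

# Map `dpkg --print-architecture` output to the upstream Go archive name.
go_archive_name() {
  version="$1"; deb_arch="$2"
  case "$deb_arch" in
    amd64|arm64) printf 'go%s.linux-%s.tar.gz\n' "$version" "$deb_arch" ;;
    *) echo "unsupported architecture: $deb_arch" >&2; return 1 ;;
  esac
}

# Succeed only when the file exists and its SHA-256 equals the pinned digest.
# An empty digest fails closed instead of matching an empty result.
verify_sha256() {
  file="$1"; expected="$2"
  [ -n "$expected" ] || return 1
  [ -f "$file" ] || return 1
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# Download to a temp file, verify, then extract. Nothing is piped into a shell
# or into tar, so a tampered or truncated download is never unpacked or run.
fetch_verified() {
  url="$1"; expected="$2"; dest_dir="$3"
  tmp=$(mktemp) || return 1
  rc=1
  if curl -fsSL "$url" -o "$tmp" && verify_sha256 "$tmp" "$expected"; then
    tar -C "$dest_dir" -xzf "$tmp" && rc=0
  else
    echo "download or checksum verification failed: $url" >&2
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage inside a Dockerfile RUN step (GO_SHA256 supplied as a build ARG):
#   archive=$(go_archive_name "$GO_VERSION" "$(dpkg --print-architecture)")
#   fetch_verified "https://go.dev/dl/$archive" "$GO_SHA256" /usr/local
```

The same download, verify, then run sequence applies to an installer script fetched from a commit-pinned URL, with `sh "$tmp"` in place of the `tar` step.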
