v1.0.0+node24.13.1 — Initial Release

[Amnoor]

Runtime Node v1.0.0+node24.13.1

Secure, Distroless, Multi-Arch Node.js Runtime. Built from Scratch.

This is the first release of Runtime Node. It ships a production-grade distroless Node.js runtime image assembled from node:24.13.1-alpine3.23 into a FROM scratch base, with NODE_ENV=production and TZ=UTC baked in, zero known vulnerabilities, and multi-arch support for linux/amd64 and linux/arm64.

---

Pull the Image

# Docker Hub — versioned (recommended for production)
docker pull runtimenode/runtime-node:v1.0.0+node24.13.1

# Docker Hub — latest
docker pull runtimenode/runtime-node:latest

# GitHub Container Registry — versioned (recommended for production)
docker pull ghcr.io/runtimes-node/runtime-node:v1.0.0+node24.13.1

# GitHub Container Registry — latest
docker pull ghcr.io/runtimes-node/runtime-node:latest

---

What's Included

Component	Detail
Base	FROM scratch — no OS, no shell
Node.js Version	24.13.1 (from node:24.13.1-alpine3.23)
NODE_ENV	production (baked in)
TZ	UTC (baked in)
Timezone Database	IANA tzdata (/usr/share/zoneinfo)
CA Certificates	Included (/etc/ssl/certs/)
DNS Resolution	nsswitch.conf included
Runtime Libraries	ld-musl, libstdc++, libgcc_s
/tmp	Writable, sticky-bit 1777
Shell	None
Package Manager	None
Vulnerabilities	0 known
Architectures	linux/amd64, linux/arm64
Provenance & SBOM	Attached to this release

---

What's New

This is the initial release. Everything below is new.

• Introduced a two-stage Dockerfile with a builder stage based on node:24.13.1-alpine3.23 and a runtime stage based on FROM scratch.
• Added script.sh — a hardened shell installer that reads pinned package names from dependencies/requirements.txt and installs them via apk add --no-cache in the builder stage, with validation for root privileges and file existence.
• Added dependencies/requirements.txt pinning tzdata and ca-certificates as the only Alpine packages installed in the builder stage.
• Set ENV NODE_ENV=production and ENV TZ=UTC in the runtime stage, baking both defaults into the image at build time.
• Copied /tmp with explicit --chmod=1777 sticky-bit permissions, /etc/nsswitch.conf for DNS resolution, /usr/share/zoneinfo for timezone data, /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem for TLS, ld-musl-*.so.1, libstdc++.so.6, and libgcc_s.so.1 for runtime library support, and /usr/local/bin/node as the sole executable — all with --chmod=555.
• Added .github/workflows/deployment.yml — publishes multi-arch images to Docker Hub and GHCR on v* tag pushes with provenance attestations and an SBOM attached. Supports manual promotion of any published versioned tag to a floating tag (e.g. latest) via workflow_dispatch, with pre-promotion validation checks against both registries.
• Added .github/workflows/pr-tests.yml — lints the Dockerfile with Hadolint on every PR targeting main, develop*, or maintenance/v*, then builds and runs five integrity tests per platform (linux/amd64 and linux/arm64): Node.js smoke test (node --version), no shell present, no package manager present, NODE_ENV is production, and TZ is UTC.
• Added .github/dependabot.yml — configures Dependabot to monitor the Dockerfile for Docker base image updates targeting the develop branch.
• Added .github/PULL_REQUEST_TEMPLATE.md pre-filling the three required PR description sections (Summary, Files Changed, Key Changes).
• Added GitHub issue templates for bug reports, documentation issues, feature requests, new platform requests, Node.js version bumps, and tzdata version bumps, with config.yml disabling blank issues and surfacing the private security advisory link.
• Added README.md, CONTRIBUTING.md, SECURITY.md, and CODE_OF_CONDUCT.md as the initial documentation set.
• Added .github/assets/icon.svg as the shared branding icon used across all documentation headers.

---

Versioning

Tags follow the pattern v<image_semver>+node<node_version>. The latest tag tracks the most recent stable release.

---

Immutable Tag

This tag is immutable. Once published, v1.0.0+node24.13.1 will never be moved or overwritten on either registry.

---

Full Changelog

https://github.com/Runtimes-Node/Runtime-Node/commits/v1.0.0+node24.13.1

---

This discussion was created from the release v1.0.0+node24.13.1 — Initial Release.