feat: add timezone support, explicit /tmp permissions, and pin tzdata to 2025c-r0

[Amnoor]

Summary

This PR adds timezone support to the Runtime Node image by installing tzdata=2025c-r0 in the builder stage, copying /usr/share/zoneinfo into the final scratch image with --chmod=555, and setting ENV TZ=UTC as the default timezone baked into the image. It also makes the /tmp permissions explicit by adding --chmod=1777 to its COPY instruction, which previously relied on the sticky-bit being preserved implicitly from the builder stage. Section numbering in the Dockerfile comments is updated to accommodate the new Timezone Support section. A follow-up fix pins tzdata to an exact Alpine package version (2025c-r0) and adds apk update before the install to ensure a reproducible and deterministic build, which resolved a failure in the PR test suite.

Files Changed

Added:

• None

Modified:

• Dockerfile

Deleted:

• None

Key Changes

• Added RUN apk update && apk add --no-cache tzdata=2025c-r0 to the builder stage, pinning the IANA timezone database to the exact Alpine package version 2025c-r0.
• Added COPY --from=builder --chmod=555 /usr/share/zoneinfo /usr/share/zoneinfo to the runtime stage, copying the full timezone database from the builder into the final scratch image.
• Added ENV TZ=UTC to the runtime stage, setting UTC as the default timezone baked into the image.
• Changed /tmp copy from COPY --from=builder /target/tmp /tmp to COPY --from=builder --chmod=1777 /target/tmp /tmp, making the sticky-bit 1777 permissions explicit rather than relying on implicit preservation from the builder stage.
• Updated Dockerfile section comment numbering: 2. Security → 3. Security, 3. Dependencies → 4. Dependencies, 4. Core → 5. Core, with the new 2. Timezone Support section inserted between DNS configuration and CA certificates.