Conversation
This merge bumps the pinned tzdata Alpine package in the Dockerfile from 2025c-r0 to 2026a-r0. The 2026a IANA timezone database release includes updated timezone rules and is the current stable version available in the Alpine 3.22 package repository. The change is a single-line substitution in the apk add instruction in the builder stage. No other Dockerfile instructions, environment variables, COPY directives, or runtime-stage files are affected. The /usr/share/zoneinfo directory continues to be extracted from the builder and copied into the final scratch image with --chmod=555, and ENV TZ=UTC remains set in the runtime stage exactly as before. All distroless guarantees, binary paths, and image constraints are fully intact. There is no behavioral change for applications whose timezone requirements are satisfied by the existing UTC default; applications relying on specific IANA timezone identifiers will benefit from the updated rule data bundled in 2026a.
This merge adds a TZ=UTC integrity test to the PR test suite in .github/workflows/pr-tests.yml, closing the gap between the Dockerfile constraint introduced in feat/runtime-tzdata and the automated verification that enforces it on every pull request.
The new step, Integrity Test - TZ is UTC, is appended immediately after the existing NODE_ENV=production integrity test and follows its identical structure: it runs the PR-tagged image with docker run --rm --platform ${{ matrix.platform }}, overrides the entrypoint to /usr/local/bin/node, and passes -e "process.stdout.write(process.env.TZ || '')" to read the value of the TZ environment variable directly from the Node.js process without a shell. The output is captured, echoed for log visibility, and compared against the expected value UTC. If the value does not match, the step prints a descriptive failure message and exits with code 1, failing the job. If it matches, it prints the standard checkmark confirmation line. The step runs once per platform matrix entry, consistent with all other integrity tests in the workflow.
A missing trailing newline at the end of the preceding NODE_ENV=production step's final echo line is also corrected as part of this change. No other workflow steps, job configuration, triggers, permissions, or matrix values are modified.
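A local reproduction of the integrity check described in this merge message, added here as an example; it is not part of the pull request or the project's workflow file. The function names and the IMAGE variable are hypothetical, and the check is generalized to any variable name so the NODE_ENV test can reuse it.

```shell
#!/bin/sh
# Added example: local version of the "TZ is UTC" integrity step.
# Function names and the IMAGE variable are hypothetical, not the project's.

# Read one environment variable from the Node.js process in the image.
# The entrypoint is overridden to the node binary, so no shell is required.
read_image_env() {
  # $1 = image reference, $2 = platform, $3 = variable name
  case "$3" in
    ''|*[!A-Za-z0-9_]*) echo "invalid variable name: '$3'" >&2; return 2 ;;
  esac
  docker run --rm --platform "$2" \
    --entrypoint /usr/local/bin/node "$1" \
    -e "process.stdout.write(process.env.$3 || '')"
}

# Compare the captured value with the expected one.
check_env_value() {
  # $1 = variable name, $2 = expected value, $3 = actual value
  echo "$1 reported by node: '$3'"
  if [ "$3" != "$2" ]; then
    echo "FAIL: $1 is '$3', expected '$2'" >&2
    return 1
  fi
  echo "OK: $1 is $2"
}

# Repeat the check once per platform, as the workflow matrix does.
integrity_test() {
  # $1 = image, $2 = variable, $3 = expected value, rest = platforms
  it_image=$1; it_var=$2; it_expected=$3
  shift 3
  for it_platform in "$@"; do
    it_actual=$(read_image_env "$it_image" "$it_platform" "$it_var") || return 1
    check_env_value "$it_var" "$it_expected" "$it_actual" || return 1
  done
}

# Runs only when an image is supplied: IMAGE=<pr-tagged image> sh tz-check.sh
if [ -n "${IMAGE:-}" ]; then
  integrity_test "$IMAGE" TZ UTC linux/amd64 linux/arm64
fi
```

An unset TZ comes back as an empty string and fails the comparison, so a dropped ENV TZ=UTC line is caught the same way as a wrong value.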
This merge upgrades the Node.js base image in the Dockerfile builder stage from node:25.7.0-alpine3.22 to node:25.8.0-alpine3.22, bumping the Node.js runtime extracted into the final scratch image from 25.7.0 to 25.8.0. The change is a single-line substitution in the FROM instruction of the builder stage. No other Dockerfile instructions are affected: the tzdata installation, all COPY directives, environment variables, OCI labels, and the FROM scratch runtime base remain exactly as they were. The Node.js binary extracted into the final image moves from 25.7.0 to 25.8.0 and all existing distroless guarantees remain fully intact — no shell, no package manager, no OS utilities, NODE_ENV set to production, TZ set to UTC, and all files copied with --chmod=555 except for the sticky-bit /tmp directory.
This merge updates CONTRIBUTING.md and README.md to bring both documents into alignment with the current state of develop after the chore/node-version-bump, chore/tzdata-bump, and chore/pr-tests-tz-check cycles landed.
In README.md, the Node.js Version entry in the Key Features table is updated from 25.7.0 to 25.8.0, and the builder stage reference in both the Usage section Dockerfile snippet and the Pinning to a Specific Version example is updated from node:25.7.0-alpine3.22 to node:25.8.0-alpine3.22. The Timezone Database row in the Key Features table is updated to include the explicit package version, reading IANA tzdata 2026a-r0 included at /usr/share/zoneinfo rather than the unversioned description that was present before. All three version tag examples — in the Usage Dockerfile snippet, the Pinning section, and the Versioning section — are updated from v2.1.0-25.7.0 to v2.2.0-25.8.0. A new item 7, Integrity Test: TZ, is added to the numbered CI/CD & Quality Guarantees list to document that the TZ environment variable is tested to equal UTC on every pull request. A <div align="center"> / </div> wrapper is added around the opening title, tagline, and icon block to center the header in GitHub's rendered Markdown view.
In CONTRIBUTING.md, the commit example and PR title example in the Conventional Commits and Pull Request sections are updated from 25.7.0 to 25.8.0. The description of the Integrity Test — TZ is UTC step is added to the PR Tests section immediately after the existing NODE_ENV description, and the merge-readiness statement is updated from "All four integrity tests must pass" to "All five integrity tests must pass". The Timezone Database row in the image components table is updated to specify the package version as IANA timezone data 2026a-r0. The Release Process version tag pattern examples are updated from v2.1.0-25.7.0 / v2.2.0-25.8.0 to v2.2.0-25.8.0 / v2.3.0-25.9.0, and the step 4 tag example is updated from v2.1.0-25.7.0 to v2.2.0-25.8.0. The Dockerfile Constraints version example is updated from node:25.7.0-alpine3.22 to node:25.8.0-alpine3.22, and the rejection criteria wording is tightened to reference ENV NODE_ENV=production and ENV TZ=UTC with their full ENV prefix. A <div align="center"> / </div> wrapper is likewise added around the opening title and icon block.
No changes are made to any workflow file, the Dockerfile, or any other operational file. This is a documentation-only change with no behavioral impact.
…elines for participation and security policies.
…ranch
This merge adds CODE_OF_CONDUCT.md and SECURITY.md to the repository and updates CONTRIBUTING.md and README.md to reference both files and document the issue template structure.
CODE_OF_CONDUCT.md is a new 66-line document. It opens with a centered header block carrying the project badges and icon, consistent with the style established in README.md and CONTRIBUTING.md. It covers Our Pledge, Our Standards with explicit lists of acceptable and unacceptable behaviours, Our Responsibilities, Scope, Enforcement with the project contact address at runtimenodes@gmail.com, and an Attribution section crediting the Contributor Covenant version 2.1 as the basis for the document.
SECURITY.md is a new 106-line document. It likewise opens with the centered header block. It defines the supported version model — only the latest published tag is actively supported and security fixes are always delivered as a new release with a new version tag rather than patching in place — and documents the full vulnerability scope specific to this project: introduction of a shell, package manager, or OS utility; inclusion of a library with a known CVE; weakened file permissions outside /tmp; unpinned or floating base images; supply chain compromise; and sensitive information in image metadata. The Reporting section directs reporters to GitHub's built-in Private Vulnerability Reporting as the preferred channel and provides the runtimenodes@gmail.com email as a fallback. It also documents what to include in a report, the response timeline (acknowledgement within 48 hours, initial assessment within 5 business days), the coordinated disclosure policy, and the out-of-scope items covering the user's own application, upstream Node.js vulnerabilities, and third-party GitHub Actions.
In CONTRIBUTING.md, the Code of Conduct paragraph is updated to link to CODE_OF_CONDUCT.md rather than describing the expectation inline. A new Issues section is inserted between the Conventional Commits section and the Pull Requests section, documenting the three issue templates: Bug Report for image misbehaviour with an explicit note directing security vulnerabilities to SECURITY.md instead; Feature Request for new image capabilities held to the distroless bar; and Node.js Version Bump for upgrade requests, noting that version bumps are always at minimum a major semver bump and require a full release cycle. The Pull Requests introduction is updated to reference the pre-filled PR template and to note that incomplete descriptions will not be reviewed, and the phrasing is updated from "Include exactly three sections" to "The template provides exactly three sections".
In README.md, the compressed amd64 image size for runtimenode/runtime-node in the comparison table is corrected from ~45 MB to ~49 MB, and the footnote date is updated from 26 February 2026 to 05 March 2026 to reflect the current measurement. Three new sections are appended immediately before the existing License section: Security, which links to SECURITY.md and explicitly instructs users not to open a public GitHub Issue for vulnerability reports; Code of Conduct, which links to CODE_OF_CONDUCT.md; and Contributing, which links to CONTRIBUTING.md.
No changes are made to any workflow file, the Dockerfile, or any other operational file. This is a documentation-only change with no behavioral impact.
…documentation issues
This merge adds a full suite of GitHub issue templates and a pull request template to the .github/ directory, providing structured forms for every contribution type the project accepts and enforcing the PR description structure defined in CONTRIBUTING.md.
Six YAML issue templates are added to .github/ISSUE_TEMPLATE/.
bug-report.yml is a structured form for reporting image misbehaviour. It requires the exact affected version tag, registry selection (Docker Hub or GHCR), platform selection (linux/amd64 or linux/arm64), a description, steps to reproduce, actual behaviour, and expected behaviour. It includes a pre-flight note directing security vulnerabilities to SECURITY.md and away from this form.
documentation-issue.yml covers errors in README.md, CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md, and other files, with required fields for the affected file, issue type (typo, outdated version reference, incorrect content, broken link, incorrect code example, missing information, or other), exact location, and correct content.
feature-request.yml handles proposals for new image capabilities and requires a description, a justification establishing strict runtime necessity, and a distroless impact assessment confirming the addition does not introduce a shell, package manager, or OS utility.
new-platform-request.yml is a dedicated form for new build target platforms or architectures, separate from a general feature request, and requires the exact Docker platform string, confirmation of an official Alpine-based Node.js image for the target, confirmation of QEMU support in GitHub Actions, and a use case description.
node-version-bump.yml handles Node.js version upgrade requests and requires the current and target versions and the exact Alpine image tag, with a note that version bumps always result in at minimum a major semver release.
tzdata-version-bump.yml handles tzdata Alpine package upgrade requests and requires the current pinned version, the requested version, and confirmation of availability in the Alpine 3.22 package repository.
config.yml is added alongside the templates. It sets blank_issues_enabled to false, preventing freeform issue creation, and adds a Report a Security Vulnerability contact link pointing directly to the GitHub Private Vulnerability Reporting URL for the repository, ensuring security issues are never filed as public issues.
PULL_REQUEST_TEMPLATE.md is added to .github/. It pre-fills the three required sections — Summary, Files Changed, and Key Changes — with inline HTML comments providing author guidance for each section, matching the structure described in CONTRIBUTING.md and used consistently across all PRs in this repository.
No changes are made to any workflow file, the Dockerfile, or any operational file. This is a documentation and repository configuration change with no behavioral impact on the image or CI pipeline.
Summary
This PR promotes release/v2.2.0-25.8.0 into main, marking the fifth release of Runtime Node. Six development cycles on develop are consolidated here: the tzdata bump from 2025c-r0 to 2026a-r0, the addition of the TZ=UTC integrity test to the PR test suite, the Node.js upgrade from 25.7.0 to 25.8.0, two documentation update cycles aligning README.md and CONTRIBUTING.md with current develop state and adding CODE_OF_CONDUCT.md and SECURITY.md, and the addition of a full suite of GitHub issue templates and a pull request template.
Files Changed
Added:
- CODE_OF_CONDUCT.md
- SECURITY.md
- .github/
  - PULL_REQUEST_TEMPLATE.md
  - ISSUE_TEMPLATE/
    - bug-report.yml
    - config.yml
    - documentation-issue.yml
    - feature-request.yml
    - new-platform-request.yml
    - node-version-bump.yml
    - tzdata-version-bump.yml
Modified:
- Dockerfile
- CONTRIBUTING.md
- README.md
- .github/workflows/pr-tests.yml
Deleted:
Key Changes
- Dockerfile builder stage from node:25.7.0-alpine3.22 to node:25.8.0-alpine3.22, bumping the Node.js runtime bundled in the final scratch image from 25.7.0 to 25.8.0.
- tzdata Alpine package in the Dockerfile builder stage from 2025c-r0 to 2026a-r0, delivering updated IANA timezone rules into the /usr/share/zoneinfo directory in the final image.
- TZ=UTC integrity test step to .github/workflows/pr-tests.yml immediately after the existing NODE_ENV=production test, verifying the baked-in TZ environment variable via a Node.js one-liner on every PR across both platforms.
- CODE_OF_CONDUCT.md (66 lines) covering Our Pledge, Our Standards, Our Responsibilities, Scope, Enforcement, and Attribution to Contributor Covenant v2.1.
- SECURITY.md (106 lines) covering supported versions, vulnerability scope, private reporting channels (GitHub Security Advisories preferred; runtimenodes@gmail.com fallback), response timeline, coordinated disclosure policy, and out-of-scope items.
- CONTRIBUTING.md with centered header alignment, a link to CODE_OF_CONDUCT.md, a new Issues section documenting all three issue templates, updated Conventional Commits and PR title examples to 25.8.0, updated the Integrity Test — TZ is UTC description and merge-readiness count to five tests, updated the tzdata component table row to 2026a-r0, updated all version tag and Dockerfile Constraints examples to 25.8.0, and tightened rejection criteria wording to use the full ENV prefix.
- README.md with centered header alignment, corrected Node.js version to 25.8.0, updated Timezone Database row to IANA tzdata 2026a-r0, corrected image size to ~49 MB with an updated footnote date of 05 March 2026, updated all version tag examples to v2.2.0-25.8.0, added Integrity Test: TZ as item 7 in the CI/CD guarantees list, and added Security, Code of Conduct, and Contributing sections before the License section.
- bug-report.yml, documentation-issue.yml, feature-request.yml, new-platform-request.yml, node-version-bump.yml, tzdata-version-bump.yml) and config.yml disabling blank issues and surfacing the private security reporting link.
- PULL_REQUEST_TEMPLATE.md pre-filling the three required PR description sections with inline HTML comment guidance.