From 6c8765d9cbcdcd43765c322216d62f597d45b604 Mon Sep 17 00:00:00 2001
From: Chiro Hiro
Date: Thu, 4 Jun 2026 17:08:47 +0800
Subject: [PATCH 1/2] Decouple corepack enable from the runner chmod in the Dockerfile template

The runner-stage chmod command piggybacked corepack enable onto its tail via a COREPACK_ENABLE template variable whose value was the literal shell operator " && corepack enable". Embedding a shell operator inside a template variable coupled shell control flow to templating and left the {{corepack_enable}} placeholder concatenated directly onto the chmod with no separation boundary.

Emit corepack enable as its own RUN layer instead, via a new generate_corepack_run() helper and a {{corepack_run}} placeholder. COREPACK_ENABLE now holds only the command ("corepack enable"), and the runner chmod stands alone. Behaviour is unchanged: node/next still enable corepack (now in a dedicated RUN), nginx still emits none.

Closes #44
---
 Dockerfile.template |  4 +++-
 dockerfile.sh       | 22 ++++++++++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index 097e11b..8d1a8fb 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -33,7 +33,9 @@ ARG RUNNER_WORKDIR={{runner_workdir}}
 RUN mkdir -p ${RUNNER_WORKDIR} && \
     chown -R {{runner_user}}:{{runner_group}} ${RUNNER_WORKDIR} && \
     chown -R {{runner_user}} /home/{{runner_user}} && \
-    chmod -R 750 ${RUNNER_WORKDIR}{{corepack_enable}}
+    chmod -R 750 ${RUNNER_WORKDIR}
+
+{{corepack_run}}
 
 # Set default working dir
 WORKDIR ${RUNNER_WORKDIR}
diff --git a/dockerfile.sh b/dockerfile.sh
index 2f13d33..51dcbf3 100755
--- a/dockerfile.sh
+++ b/dockerfile.sh
@@ -230,7 +230,7 @@ check_file() {
 case "$DOCKER_TEMPLATE" in
 node)
     RUNNER_BASE_IMAGE="${RUNNER_IMAGE:-node:24-alpine}"
-    COREPACK_ENABLE=" && corepack enable"
+    COREPACK_ENABLE="corepack enable"
     ;;
 nginx)
     RUNNER_BASE_IMAGE="nginx:stable-alpine"
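Review bot: `{{corepack_run}}` is placed after the chown/chmod RUN and before WORKDIR, but the hunk does not show whether and where the runner stage switches USER; `corepack enable` creates its shims next to the node binary in the base image's bin directory, which is root-owned in the official node images, so the placeholder must stay above any USER line — the chained form it replaces got that ordering for free. A one-line comment on the placeholder would protect it from being moved later, e.g. `# corepack_run placeholder below: root RUN on node/next, nothing on nginx; keep it above any USER switch`. For the nginx template the expansion is empty and the added `+` blank line leaves two consecutive blank lines in the output, which is harmless but worth knowing when diffing generated files.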
@@ -249,7 +249,7 @@ nginx)
 next)
     RUNNER_BASE_IMAGE="${RUNNER_IMAGE:-node:24-alpine}"
     EXTRA_ENV=$'\nENV NEXT_TELEMETRY_DISABLED=1'
-    COREPACK_ENABLE=" && corepack enable"
+    COREPACK_ENABLE="corepack enable"
     ;;
 esac
 
@@ -343,6 +343,19 @@ generate_env_copy() {
     fi
 }
 
+# ============================================================================
+# Generate corepack enable command
+# ============================================================================
+# Emit corepack enable as its own RUN layer when the template requires it
+# (node/next). Kept as a standalone command instead of being chained onto the
+# runner chmod, so the template carries no shell operators in its variables.
+generate_corepack_run() {
+    if [[ -n "$COREPACK_ENABLE" ]]; then
+        echo "# Enable corepack to manage the project's package manager"
+        echo "RUN ${COREPACK_ENABLE}"
+    fi
+}
+
 # ============================================================================
 # Process template
 # ============================================================================
@@ -366,6 +379,7 @@ generate_copy_instructions > "$TMP_WORK/copy_instructions.txt"
 generate_runner_commands > "$TMP_WORK/runner_commands.txt"
 generate_build_command > "$TMP_WORK/build_command.txt"
 generate_env_copy > "$TMP_WORK/env_copy.txt"
+generate_corepack_run > "$TMP_WORK/corepack_run.txt"
 
 # Replace simple placeholders. Values are passed via the environment and read
 # with $ENV{...} so that user-controlled content (commands, image names, CMD)
@@ -379,7 +393,6 @@ runner_base_image="$RUNNER_BASE_IMAGE" \
 runner_user="$RUNNER_USER" \
 runner_group="$RUNNER_GROUP" \
 runner_workdir="$RUNNER_WORKDIR" \
-corepack_enable="$COREPACK_ENABLE" \
 extra_env="$EXTRA_ENV" \
 expose_port="$EXPOSE_PORT" \
 cmd="$DOCKER_COMMAND" \
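Review bot: `if [[ -n "$COREPACK_ENABLE" ]]; then` in generate_corepack_run reads a variable that only the node and next branches of the case assign (hunks @@ -230 and @@ -249); nothing in these hunks initialises it for nginx, so unless an assignment exists elsewhere in the script, the nginx path under `set -u` would abort with an unbound-variable error — the old `corepack_enable="$COREPACK_ENABLE"` env line would have hit the same problem, which suggests it is initialised, but the helper should not depend on that. The defaulting form `if [[ -n "${COREPACK_ENABLE:-}" ]]; then` makes the function safe on its own. The header comment could also state the contract in one line, `# Globals: COREPACK_ENABLE (read). Outputs: nothing, or a comment plus a RUN line, on stdout.`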
@@ -391,7 +404,6 @@ perl -pe '
     s/\{\{runner_user\}\}/$ENV{runner_user}/g;
     s/\{\{runner_group\}\}/$ENV{runner_group}/g;
     s/\{\{runner_workdir\}\}/$ENV{runner_workdir}/g;
-    s/\{\{corepack_enable\}\}/$ENV{corepack_enable}/g;
     s/\{\{extra_env\}\}/$ENV{extra_env}/g;
     s/\{\{expose_port\}\}/$ENV{expose_port}/g;
     s/\{\{cmd\}\}/$ENV{cmd}/g;
@@ -407,6 +419,8 @@ while IFS= read -r line; do
         cat "$TMP_WORK/runner_commands.txt"
     elif [[ "$line" == "{{env_copy}}" ]]; then
         cat "$TMP_WORK/env_copy.txt"
+    elif [[ "$line" == "{{corepack_run}}" ]]; then
+        cat "$TMP_WORK/corepack_run.txt"
     else
         echo "$line"
     fi

From e9dc5ba3c4b7fa4f0befab096bd93a0adb7e978a Mon Sep 17 00:00:00 2001
From: Chiro Hiro
Date: Thu, 4 Jun 2026 18:10:09 +0800
Subject: [PATCH 2/2] chore: refresh checksum.sha256 for decoupled corepack template

---
 checksum.sha256 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/checksum.sha256 b/checksum.sha256
index 35e2228..9c4990f 100644
--- a/checksum.sha256
+++ b/checksum.sha256
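Review bot: The added `elif` branch, like its siblings, fires only when the whole line is exactly `{{corepack_run}}`; an indented, trailing-whitespace or stale placeholder falls through to `echo "$line"` and is written verbatim into the generated Dockerfile, so the mistake surfaces only when `docker build` rejects the unknown instruction. A guard after the loop (outside this hunk) fails fast instead: `if grep -q '{{' -- "<generated-dockerfile>"; then printf 'error: unexpanded placeholder in generated Dockerfile\n' >&2; exit 1; fi` — narrow the pattern to the known placeholder names if generated content may legitimately contain `{{`. The fallthrough would also be safer as `printf '%s\n' "$line"`, since `echo` treats a line starting with `-n` or `-e` as an option. The loop's `done` and its input redirection lie outside the hunk.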
@@ -1,11 +1,11 @@
 01bd313aa7a50bb9993a462e6c540e803771c56a083b6c7c0545e5f33617b5e5  ./check-ssh.sh
-2d85805201ba0706baa655e7ba5177c329ba7b00c540c92a5a3556fb703d5a44  ./dockerfile.sh
 48f2d49fab1d7c52f6930bfb239874f1e61479210ceb260d0e2dd9a54c2877e6  ./gpg-list.asc
 5b7f96cd62b02c59adb90159877bd61230c3d95eca3e19a1c4e5dfb4140a986c  ./scripts/build-prod-next.sh
 73d342c47d7a883c74fab489dda45718940343b95e21afd2649383b05c483415  ./ssh-allowed-signers
-7ad81514968f2ded49102e8a88fee647b60299bd71b4f146fac6083fa7899192  ./Dockerfile.template
 90ce4c5d804943369289ed6d3033cb711984d3c113426ccff891b290d30689a2  ./check-gpg.sh
+9b4aa9f7d26145ba1af99e4ad21cd495eb272d0f39004f245fa939f08dd5d2ef  ./dockerfile.sh
 aad9d75f80076441f3164f81fb9fca4f4d55ec3c021129cad29633d89b24170d  ./scripts/build-prod-nginx.sh
 b71e79b66d6a431fc0510d1f8146afbd847d6953b2d0d5314ffde2e868ea8cdc  ./generate-yarn-npm.sh
 ece9b5c612ffff561d0a3b0a5fc7a28ef477ccf13e79da3fdc5460c96eced306  ./scripts/build-prod-node.sh
+ed81728a80fb032e177c986b97b762fa7a01f82be71caab9a5f7576dc7bc6755  ./Dockerfile.template
 f15c4e8e374105e07ab7de3cf94e3ec6aaccd02a76ca9907368782612bc7e50f  ./configs/nginx.conf