Decouple corepack enable from the runner chmod in the Dockerfile template

Dockerfile.template

@@ -33,7 +33,9 @@ ARG RUNNER_WORKDIR={{runner_workdir}}
 RUN mkdir -p ${RUNNER_WORKDIR} && \
   chown -R {{runner_user}}:{{runner_group}} ${RUNNER_WORKDIR} && \
   chown -R {{runner_user}} /home/{{runner_user}} && \
-  chmod -R 750 ${RUNNER_WORKDIR}{{corepack_enable}}
+  chmod -R 750 ${RUNNER_WORKDIR}
+
+{{corepack_run}}
 
 # Set default working dir
 WORKDIR ${RUNNER_WORKDIR}

checksum.sha256

@@ -1,11 +1,11 @@
 01bd313aa7a50bb9993a462e6c540e803771c56a083b6c7c0545e5f33617b5e5  ./check-ssh.sh
-2d85805201ba0706baa655e7ba5177c329ba7b00c540c92a5a3556fb703d5a44  ./dockerfile.sh
 48f2d49fab1d7c52f6930bfb239874f1e61479210ceb260d0e2dd9a54c2877e6  ./gpg-list.asc
 5b7f96cd62b02c59adb90159877bd61230c3d95eca3e19a1c4e5dfb4140a986c  ./scripts/build-prod-next.sh
 73d342c47d7a883c74fab489dda45718940343b95e21afd2649383b05c483415  ./ssh-allowed-signers
-7ad81514968f2ded49102e8a88fee647b60299bd71b4f146fac6083fa7899192  ./Dockerfile.template
 90ce4c5d804943369289ed6d3033cb711984d3c113426ccff891b290d30689a2  ./check-gpg.sh
+9b4aa9f7d26145ba1af99e4ad21cd495eb272d0f39004f245fa939f08dd5d2ef  ./dockerfile.sh
 aad9d75f80076441f3164f81fb9fca4f4d55ec3c021129cad29633d89b24170d  ./scripts/build-prod-nginx.sh
 b71e79b66d6a431fc0510d1f8146afbd847d6953b2d0d5314ffde2e868ea8cdc  ./generate-yarn-npm.sh
 ece9b5c612ffff561d0a3b0a5fc7a28ef477ccf13e79da3fdc5460c96eced306  ./scripts/build-prod-node.sh
+ed81728a80fb032e177c986b97b762fa7a01f82be71caab9a5f7576dc7bc6755  ./Dockerfile.template
 f15c4e8e374105e07ab7de3cf94e3ec6aaccd02a76ca9907368782612bc7e50f  ./configs/nginx.conf

dockerfile.sh

@@ -230,7 +230,7 @@ check_file() {
 case "$DOCKER_TEMPLATE" in
 node)
   RUNNER_BASE_IMAGE="${RUNNER_IMAGE:-node:24-alpine}"
-  COREPACK_ENABLE=" && corepack enable"
+  COREPACK_ENABLE="corepack enable"
   ;;
 nginx)
   RUNNER_BASE_IMAGE="nginx:stable-alpine"
@@ -249,7 +249,7 @@ nginx)
 next)
   RUNNER_BASE_IMAGE="${RUNNER_IMAGE:-node:24-alpine}"
   EXTRA_ENV=$'\nENV NEXT_TELEMETRY_DISABLED=1'
-  COREPACK_ENABLE=" && corepack enable"
+  COREPACK_ENABLE="corepack enable"
   ;;
 esac
 
@@ -343,6 +343,19 @@ generate_env_copy() {
   fi
 }
 
+# ============================================================================
+# Generate corepack enable command
+# ============================================================================
+# Emit corepack enable as its own RUN layer when the template requires it
+# (node/next). Kept as a standalone command instead of being chained onto the
+# runner chmod, so the template carries no shell operators in its variables.
+generate_corepack_run() {
+  if [[ -n "$COREPACK_ENABLE" ]]; then
+    echo "# Enable corepack to manage the project's package manager"
+    echo "RUN ${COREPACK_ENABLE}"
+  fi
+}
+
 # ============================================================================
 # Process template
 # ============================================================================
@@ -366,6 +379,7 @@ generate_copy_instructions > "$TMP_WORK/copy_instructions.txt"
 generate_runner_commands > "$TMP_WORK/runner_commands.txt"
 generate_build_command > "$TMP_WORK/build_command.txt"
 generate_env_copy > "$TMP_WORK/env_copy.txt"
+generate_corepack_run > "$TMP_WORK/corepack_run.txt"
 
 # Replace simple placeholders. Values are passed via the environment and read
 # with $ENV{...} so that user-controlled content (commands, image names, CMD)
@@ -379,7 +393,6 @@ runner_base_image="$RUNNER_BASE_IMAGE" \
 runner_user="$RUNNER_USER" \
 runner_group="$RUNNER_GROUP" \
 runner_workdir="$RUNNER_WORKDIR" \
-corepack_enable="$COREPACK_ENABLE" \
 extra_env="$EXTRA_ENV" \
 expose_port="$EXPOSE_PORT" \
 cmd="$DOCKER_COMMAND" \
@@ -391,7 +404,6 @@ perl -pe '
   s/\{\{runner_user\}\}/$ENV{runner_user}/g;
   s/\{\{runner_group\}\}/$ENV{runner_group}/g;
   s/\{\{runner_workdir\}\}/$ENV{runner_workdir}/g;
-  s/\{\{corepack_enable\}\}/$ENV{corepack_enable}/g;
   s/\{\{extra_env\}\}/$ENV{extra_env}/g;
   s/\{\{expose_port\}\}/$ENV{expose_port}/g;
   s/\{\{cmd\}\}/$ENV{cmd}/g;
@@ -407,6 +419,8 @@ while IFS= read -r line; do
     cat "$TMP_WORK/runner_commands.txt"
   elif [[ "$line" == "{{env_copy}}" ]]; then
     cat "$TMP_WORK/env_copy.txt"
+  elif [[ "$line" == "{{corepack_run}}" ]]; then
+    cat "$TMP_WORK/corepack_run.txt"
   else
     echo "$line"
   fi