From 276bfb9154363d0237ef1317564285491be49488 Mon Sep 17 00:00:00 2001
From: Valerio
Date: Tue, 19 May 2026 18:36:30 +0200
Subject: [PATCH] fix(docker): source CA bundle from distroless instead of apt (fixes arm64 release build)
---
 Dockerfile | 6 +++---
 Dockerfile.ci | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 552aea7..fefb39b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -59,9 +59,9 @@ RUN touch crates/*/src/*.rs \
 # ---------------------------------------------------------------------------
 FROM ubuntu:24.04
-RUN apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates \
- && rm -rf /var/lib/apt/lists/*
+# CA bundle from distroless (ships it, multi-arch, gcr.io) instead of
+# apt-installing from ports.ubuntu.com (unreachable for arm64 on CI runners).
+COPY --from=gcr.io/distroless/static-debian12 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 # Copy all three binaries
 COPY --from=builder /build/target/release/webclaw /usr/local/bin/webclaw
diff --git a/Dockerfile.ci b/Dockerfile.ci
index ccd8a33..7b62718 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -5,9 +5,10 @@ ARG BINARY_DIR=binaries
 FROM ubuntu:24.04
-RUN apt-get update && apt-get install -y --no-install-recommends \
- ca-certificates \
- && rm -rf /var/lib/apt/lists/*
+# CA bundle copied from a reliable multi-arch image instead of apt-installing
+# from ports.ubuntu.com — Canonical's arm64 ports mirror is unreachable from
+# CI runners and breaks the multi-arch release build. No build-time network.
+COPY --from=gcr.io/distroless/static-debian12 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 ARG BINARY_DIR
 COPY ${BINARY_DIR}/webclaw /usr/local/bin/webclaw
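Review bot: The added `COPY --from=gcr.io/distroless/static-debian12` in the Dockerfile hunk names the source image with no tag or digest, so the runtime image's TLS trust store comes from whatever `latest` resolves to on the day of the build. Because this one file decides which root CAs the shipped binaries trust, pin the source by digest and bump it deliberately: `COPY --from=gcr.io/distroless/static-debian12@sha256:<digest-placeholder> /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt`. The same unpinned reference is added in the Dockerfile.ci hunk and should get the same digest. The runtime stage continues past the end of this hunk.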
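Review bot: The new comment in the Dockerfile.ci hunk ends with `No build-time network.`, which the `COPY --from=gcr.io/distroless/static-debian12` line directly below it contradicts, since the builder still has to pull that image from gcr.io unless it is already cached. I would reword the last sentence to `# The build still pulls the distroless image from gcr.io; only the apt mirror dependency is removed.` The comment should also record that only the bundle file is copied: the `ca-certificates` package is not registered in dpkg and `update-ca-certificates` is absent, so package-based scanners and later apt runs will not track or refresh this file. It looks like the binaries are expected to read `/etc/ssl/certs/ca-certificates.crt` directly, which is worth confirming for the TLS backend in use.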