diff --git a/.github/workflows/install-smoke.yml b/.github/workflows/install-smoke.yml
index 79a14ab5e6a..29daf8eb74e 100644
--- a/.github/workflows/install-smoke.yml
+++ b/.github/workflows/install-smoke.yml
@@ -41,6 +41,9 @@ jobs:
     needs: [docs-scope]
     if: (github.event_name != 'pull_request' || !github.event.pull_request.draft) && needs.docs-scope.outputs.docs_only != 'true'
     runs-on: blacksmith-16vcpu-ubuntu-2404
+    env:
+      DOCKER_BUILD_SUMMARY: "false"
+      DOCKER_BUILD_RECORD_UPLOAD: "false"
     steps:
       - name: Checkout CLI
         uses: actions/checkout@v6
@@ -55,6 +58,8 @@ jobs:
         with:
           context: .
           file: ./Dockerfile
+          build-args: |
+            OPENCLAW_DOCKER_APT_UPGRADE=0
           tags: openclaw-dockerfile-smoke:local
           load: true
           push: false
@@ -73,6 +78,7 @@ jobs:
           context: .
           file: ./Dockerfile
           build-args: |
+            OPENCLAW_DOCKER_APT_UPGRADE=0
             OPENCLAW_EXTENSIONS=matrix
           tags: openclaw-ext-smoke:local
           load: true
diff --git a/Dockerfile b/Dockerfile
index fa97f83323a..5f137b9aeeb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,6 +14,7 @@
 #   Slim (bookworm-slim):    docker build --build-arg OPENCLAW_VARIANT=slim .
 ARG OPENCLAW_EXTENSIONS=""
 ARG OPENCLAW_VARIANT=default
+ARG OPENCLAW_DOCKER_APT_UPGRADE=1
 ARG OPENCLAW_NODE_BOOKWORM_IMAGE="node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
 ARG OPENCLAW_NODE_BOOKWORM_DIGEST="sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b"
 ARG OPENCLAW_NODE_BOOKWORM_SLIM_IMAGE="node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb"
@@ -113,6 +114,7 @@ LABEL org.opencontainers.image.base.name="docker.io/library/node:24-bookworm-sli
 # ── Stage 3: Runtime ────────────────────────────────────────────
 FROM base-${OPENCLAW_VARIANT}
 ARG OPENCLAW_VARIANT
+ARG OPENCLAW_DOCKER_APT_UPGRADE
 
 # OCI base-image metadata for downstream image consumers.
 # If you change these annotations, also update:
@@ -129,10 +131,14 @@ WORKDIR /app
 
 # Install system utilities present in bookworm but missing in bookworm-slim.
 # On the full bookworm image these are already installed (apt-get is a no-op).
+# Smoke workflows can opt out of distro upgrades to cut repeated CI time while
+# keeping the default runtime image behavior unchanged.
 RUN --mount=type=cache,id=openclaw-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,id=openclaw-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \
     apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends && \
+    if [ "${OPENCLAW_DOCKER_APT_UPGRADE}" != "0" ]; then \
+      DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends; \
+    fi && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
       procps hostname curl git lsof openssl
 
diff --git a/package.json b/package.json
index e358cfe7e84..b19385159ae 100644
--- a/package.json
+++ b/package.json
@@ -817,7 +817,6 @@
       "yauzl": "3.2.1"
     },
     "onlyBuiltDependencies": [
-      "@discordjs/opus",
       "@lydell/node-pty",
       "@matrix-org/matrix-sdk-crypto-nodejs",
       "@napi-rs/canvas",
@@ -830,6 +829,10 @@
       "protobufjs",
       "sharp"
     ],
+    "ignoredBuiltDependencies": [
+      "@discordjs/opus",
+      "koffi"
+    ],
     "packageExtensions": {
       "@mariozechner/pi-coding-agent": {
         "dependencies": {
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index b708dca4578..e076fb0a4c4 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -15,3 +15,7 @@ onlyBuiltDependencies:
   - node-llama-cpp
   - protobufjs
   - sharp
+
+ignoredBuiltDependencies:
+  - "@discordjs/opus"
+  - koffi
diff --git a/scripts/docker/install-sh-nonroot/Dockerfile b/scripts/docker/install-sh-nonroot/Dockerfile
index f95859beedf..0c41ef8a938 100644
--- a/scripts/docker/install-sh-nonroot/Dockerfile
+++ b/scripts/docker/install-sh-nonroot/Dockerfile
@@ -2,6 +2,8 @@
 
 FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b
 
+# Smoke images are pinned and short-lived, so skip distro upgrades here and
+# spend the time budget on installer coverage instead.
 RUN --mount=type=cache,id=openclaw-install-sh-nonroot-apt-cache,target=/var/cache/apt,sharing=locked \
   --mount=type=cache,id=openclaw-install-sh-nonroot-apt-lists,target=/var/lib/apt,sharing=locked \
   set -eux; \
@@ -11,7 +13,6 @@ RUN --mount=type=cache,id=openclaw-install-sh-nonroot-apt-cache,target=/var/cach
     if [ "${attempt}" -eq 3 ]; then exit 1; fi; \
     sleep 3; \
   done; \
-  DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Retries=3 upgrade -y --no-install-recommends; \
   apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
     bash \
     ca-certificates \
diff --git a/scripts/docker/install-sh-smoke/Dockerfile b/scripts/docker/install-sh-smoke/Dockerfile
index ee37a24d6ce..1bba1c61892 100644
--- a/scripts/docker/install-sh-smoke/Dockerfile
+++ b/scripts/docker/install-sh-smoke/Dockerfile
@@ -2,6 +2,8 @@
 
 FROM node:24-bookworm-slim@sha256:b4687aef2571c632a1953695ce4d61d6462a7eda471fe6e272eebf0418f276ba
 
+# Smoke images are pinned and short-lived, so skip distro upgrades here and
+# spend the time budget on installer coverage instead.
 RUN --mount=type=cache,id=openclaw-install-sh-smoke-apt-cache,target=/var/cache/apt,sharing=locked \
   --mount=type=cache,id=openclaw-install-sh-smoke-apt-lists,target=/var/lib/apt,sharing=locked \
   set -eux; \
@@ -11,7 +13,6 @@ RUN --mount=type=cache,id=openclaw-install-sh-smoke-apt-cache,target=/var/cache/
     if [ "${attempt}" -eq 3 ]; then exit 1; fi; \
     sleep 3; \
   done; \
-  DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Retries=3 upgrade -y --no-install-recommends; \
   apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
     bash \
     ca-certificates \
diff --git a/scripts/docker/install-sh-smoke/run.sh b/scripts/docker/install-sh-smoke/run.sh
index 81dff784722..bc29c5b595d 100755
--- a/scripts/docker/install-sh-smoke/run.sh
+++ b/scripts/docker/install-sh-smoke/run.sh
@@ -12,14 +12,18 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 source "$SCRIPT_DIR/../install-sh-common/cli-verify.sh"
 
 echo "==> Resolve npm versions"
-LATEST_VERSION="$(npm view "$PACKAGE_NAME" version)"
-if [[ -n "$SMOKE_PREVIOUS_VERSION" ]]; then
+if [[ "$SKIP_PREVIOUS" == "1" ]]; then
+  LATEST_VERSION="$(npm view "$PACKAGE_NAME" version)"
+  PREVIOUS_VERSION="$LATEST_VERSION"
+elif [[ -n "$SMOKE_PREVIOUS_VERSION" ]]; then
+  LATEST_VERSION="$(npm view "$PACKAGE_NAME" version)"
   PREVIOUS_VERSION="$SMOKE_PREVIOUS_VERSION"
 else
+  LATEST_VERSION="$(npm view "$PACKAGE_NAME" dist-tags.latest)"
   VERSIONS_JSON="$(npm view "$PACKAGE_NAME" versions --json)"
-  PREVIOUS_VERSION="$(VERSIONS_JSON="$VERSIONS_JSON" LATEST_VERSION="$LATEST_VERSION" node - <<'NODE'
+  PREVIOUS_VERSION="$(LATEST_VERSION="$LATEST_VERSION" VERSIONS_JSON="$VERSIONS_JSON" node - <<'NODE'
+const latest = String(process.env.LATEST_VERSION || "");
 const raw = process.env.VERSIONS_JSON || "[]";
-const latest = process.env.LATEST_VERSION || "";
 let versions;
 try {
   versions = JSON.parse(raw);
@@ -29,15 +33,15 @@ try {
 if (!Array.isArray(versions)) {
   versions = [versions];
 }
-if (versions.length === 0) {
+if (versions.length === 0 || latest.length === 0) {
   process.exit(1);
 }
-const latestIndex = latest ? versions.lastIndexOf(latest) : -1;
-if (latestIndex > 0) {
-  process.stdout.write(String(versions[latestIndex - 1]));
+const latestIndex = versions.lastIndexOf(latest);
+if (latestIndex <= 0) {
+  process.stdout.write(latest);
   process.exit(0);
 }
-process.stdout.write(String(latest || versions[versions.length - 1]));
+process.stdout.write(String(versions[latestIndex - 1] ?? latest));
 NODE
 )"
 fi