You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: ensure clean state when packaging artifacts (#19252)
* fix: copy full repository in Docker build to guarantee clean VCS state
Go’s build process now automatically embeds VCS information into the
binary. When the repository contains untracked files or the working
tree is dirty, the binary receives a “dirty” flag, which can make it
look tampered, confuse security scanners, and break reproducible
builds.
This PR updates the Dockerfiles to copy the entire repository into the
build image and adds all tracked files to the Docker build context.
By ensuring the same source tree is used both inside and outside the
container, the resulting binary matches the locally‑built version and
the Git state remains clean.
* fix: add gvm to .gitignore
The CI packaging pipeline installs gvm directly in the workspace,
producing a gvm binary that isn’t tracked by Git. Because the file
is untracked, the repository appears dirty, causing Go to embed a
dirty flag in the VCS metadata of the built binary.
This change adds the generated gvm binary to .gitignore,
ensuring the Git tree stays clean and the resulting binary’s VCS
metadata reflects a pristine state.
* Update Dockerfile
* Update Dockerfile.fips
* Update Dockerfile.wolfi
(cherry picked from commit b74e01a)
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?v=4&size=40){kind=avatar}
0 commit comments