[9.2] (backport #19252) fix: ensure clean state when packaging artifacts #19465
+4
−21
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* fix: copy full repository in Docker build to guarantee clean VCS state Go’s build process now automatically embeds VCS information into the binary. When the repository contains untracked files or the working tree is dirty, the binary receives a “dirty” flag, which can make it look tampered, confuse security scanners, and break reproducible builds. This PR updates the Dockerfiles to copy the entire repository into the build image and adds all tracked files to the Docker build context. By ensuring the same source tree is used both inside and outside the container, the resulting binary matches the locally‑built version and the Git state remains clean. * fix: add gvm to .gitignore The CI packaging pipeline installs gvm directly in the workspace, producing a gvm binary that isn’t tracked by Git. Because the file is untracked, the repository appears dirty, causing Go to embed a dirty flag in the VCS metadata of the built binary. This change adds the generated gvm binary to .gitignore, ensuring the Git tree stays clean and the resulting binary’s VCS metadata reflects a pristine state. * Update Dockerfile * Update Dockerfile.fips * Update Dockerfile.wolfi (cherry picked from commit b74e01a)
2 tasks
Contributor
🤖 GitHub commentsJust comment with:
|
kruskall
approved these changes
Nov 4, 2025
Contributor
💚 Build Succeeded
cc @kruskall |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation/summary
Go’s build process now automatically embeds VCS information into the
binary. When the repository contains untracked files or the working
tree is dirty, the binary receives a “dirty” flag, which can make it
look tampered, confuse security scanners, and break reproducible
builds.
This PR updates the Dockerfiles to copy the entire repository into the
build image and adds all tracked files to the Docker build context.
By ensuring the same source tree is used both inside and outside the
container, the resulting binary matches the locally‑built version and
the Git state remains clean.
The CI packaging pipeline installs gvm directly in the workspace,
producing a gvm binary that isn’t tracked by Git. Because the file
is untracked, the repository appears dirty, causing Go to embed a
dirty flag in the VCS metadata of the built binary.
This change adds the generated gvm binary to .gitignore,
ensuring the Git tree stays clean and the resulting binary’s VCS
metadata reflects a pristine state.
Checklist
For functional changes, consider:
How to test these changes
vcs.modified=falseRelated issues
Closes #19144
This is an automatic backport of pull request #19252 done by [Mergify](https://mergify.com).