
fix(ci): fetch upstream tags before building fork image VULN-435#1

Merged
rodrigoechaide merged 1 commit into docplanner/production-k8s-provider-perf from vuln-435-fetch-upstream-tags on Jun 23, 2026

Conversation

@rodrigoechaide


Summary

  • Adds a step in the fork-image.yaml CI workflow to fetch tags from the upstream traefik/traefik repo before building the binary
  • Without upstream tags, Go's debug/buildinfo embeds a pseudo-version anchored to v3.0.0 (the only semver tag in the fork's local git history), causing Trivy to report false-positive CVEs for all vulnerabilities fixed between v3.0.0 and the actual base version (e.g. v3.7.5)
  • With upstream tags fetched, Go anchors the pseudo-version to the correct base tag, so Trivy matches the binary to the right version and stops flagging already-fixed CVEs

Root cause

The actions/checkout step with fetch-depth: 0 fetches full history from the fork remote only. Upstream semver tags are never present. Go's build toolchain uses git describe --tags --match 'v*' to compute the module version embedded in the binary — finding only v3.0.0, it produces v3.0.0-0.<timestamp>-<hash>. Trivy reads this and treats the binary as if it were based on v3.0.0.

Fix

- name: Fetch upstream tags
  run: |
    git remote add upstream https://github.com/traefik/traefik.git
    git fetch upstream --tags --no-recurse-submodules

This is placed immediately after checkout, before the Go build. It adds no meaningful CI time (tag fetch is fast, no history is downloaded).

Test plan

  • Trigger the Fork image workflow after merging and confirm the new image is pushed to GHCR
  • Extract the binary and verify go version -m ./traefik now shows v3.7.x-0.<timestamp>-<hash> instead of v3.0.0-...
  • Run Trivy against the new image and confirm the false-positive CVEs are gone

🤖 Generated with Claude Code
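Added here as a mechanical version of the second test-plan step, not code from this PR or from Traefik: a small Go program (hypothetical name checkanchor) that reads the module version Go stamped into a binary via debug/buildinfo, works out which tag a pseudo-version is anchored to, and exits non-zero if that tag is older than a required minimum, so a build that silently lost the upstream tags again fails CI instead of producing Trivy noise. Per the Go modules reference, a commit after release tag vX.Y.Z is stamped vX.Y.(Z+1)-0.<timestamp>-<hash>, a commit after pre-release tag vX.Y.Z-pre is stamped vX.Y.Z-pre.0.<timestamp>-<hash>, and a commit with no tag below it at all is stamped vX.0.0-<timestamp>-<hash>; the base tag is recovered by undoing the patch bump. The main-module version is only stamped from the checkout by Go 1.24 and later (earlier toolchains leave it as (devel), which the check also rejects), and a build from a modified checkout carries a +dirty suffix that is stripped first. All version strings in the comments are constructed samples.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// pseudoRe splits a pseudo-version into its numeric triple, whatever sits
// between that triple and the 14-digit UTC timestamp (group 4), the
// timestamp and the 12-hex-char commit prefix. Group 4 distinguishes the
// three shapes from the Go modules reference:
//   "-"      vX.0.0-ts-hash        no base tag at all
//   "-0."    vX.Y.(Z+1)-0.ts-hash  base tag vX.Y.Z
//   "-pre.0." vX.Y.Z-pre.0.ts-hash base tag vX.Y.Z-pre
var pseudoRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)(.*?)(\d{14})-([0-9a-f]{12})$`)

// BaseVersion reports whether v is a pseudo-version and, if so, the tag it
// is anchored to ("" when the pseudo-version encodes "no base tag").
// Example (constructed): "v3.7.6-0.20260623120000-0123456789ab" -> "v3.7.5".
func BaseVersion(v string) (base string, isPseudo bool) {
	v = strings.TrimSuffix(v, "+dirty")
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", false
	}
	major, minor, patch, mid := m[1], m[2], m[3], m[4]
	switch {
	case mid == "-": // nothing below this commit is tagged
		return "", true
	case mid == "-0.": // undo the patch bump Go applied to the base tag
		z, _ := strconv.Atoi(patch) // digits guaranteed by the regexp
		if z == 0 {
			return "", false
		}
		return fmt.Sprintf("v%s.%s.%d", major, minor, z-1), true
	case strings.HasPrefix(mid, "-") && strings.HasSuffix(mid, ".0."):
		return fmt.Sprintf("v%s.%s.%s%s", major, minor, patch, strings.TrimSuffix(mid, ".0.")), true
	}
	return "", false
}

type semver struct {
	nums [3]int
	pre  string
}

// parseSemver accepts plain tags such as "v3.7.5" or "v3.8.0-rc1".
func parseSemver(v string) (semver, bool) {
	var s semver
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return s, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return s, false
		}
		s.nums[i] = n
	}
	s.pre = pre
	return s, true
}

// less reports a < b: numeric triple first; a pre-release sorts below the
// release with the same triple, and two pre-releases compare as strings.
func less(a, b semver) bool {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	if (a.pre == "") != (b.pre == "") {
		return a.pre != ""
	}
	return a.pre < b.pre
}

// AnchoredAtLeast reports whether the embedded module version reflects a
// base tag no older than minBase. "(devel)" and pseudo-versions with no
// base tag fail, since neither lets a scanner place the build on a release.
func AnchoredAtLeast(embedded, minBase string) bool {
	want, ok := parseSemver(minBase)
	if !ok {
		return false
	}
	have := strings.TrimSuffix(embedded, "+dirty")
	if base, isPseudo := BaseVersion(have); isPseudo {
		if base == "" {
			return false
		}
		have = base
	}
	got, ok := parseSemver(have)
	return ok && !less(got, want)
}

// Usage: go run checkanchor.go ./traefik v3.7.5
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: checkanchor <binary> <min-base-tag>")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	v := info.Main.Version
	base, isPseudo := BaseVersion(v)
	fmt.Printf("%s version=%s pseudo=%t base=%q\n", info.Main.Path, v, isPseudo, base)
	if !AnchoredAtLeast(v, os.Args[2]) {
		fmt.Fprintf(os.Stderr, "FAIL: anchored below %s; were upstream tags fetched before the build?\n", os.Args[2])
		os.Exit(1)
	}
	fmt.Println("OK")
}
```

Running it against the binary extracted from the image, with the expected base tag as the second argument, gives the same answer as reading go version -m by eye but can be wired into the workflow as a gate before the push to GHCR.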

Without upstream tags, Go's build info embeds a pseudo-version anchored
to v3.0.0 (the only semver tag in the fork's history), causing Trivy to
report false-positive CVEs for all vulnerabilities fixed after v3.0.0.
Fetching upstream tags lets Go anchor the pseudo-version to the correct
base (e.g. v3.7.5), so the embedded module version reflects the actual
code the binary was built from. VULN-435

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@rodrigoechaide rodrigoechaide self-assigned this Jun 23, 2026
@rodrigoechaide rodrigoechaide merged commit 32ca717 into docplanner/production-k8s-provider-perf Jun 23, 2026
5 of 7 checks passed
