From 4bf44261e7483e50a695218a1e1b410b550aca4a Mon Sep 17 00:00:00 2001 From: Rodrigo Echaide Date: Tue, 23 Jun 2026 09:32:51 -0300 Subject: [PATCH] fix(ci): fetch upstream tags before building fork image Without upstream tags, Go's build info embeds a pseudo-version anchored to v3.0.0 (the only semver tag in the fork's history), causing Trivy to report false-positive CVEs for all vulnerabilities fixed after v3.0.0. Fetching upstream tags lets Go anchor the pseudo-version to the correct base (e.g. v3.7.5), so the embedded module version reflects the actual code the binary was built from. VULN-435 Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/fork-image.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/fork-image.yaml b/.github/workflows/fork-image.yaml index 5a0c98b7c1..d76c2a6987 100644 --- a/.github/workflows/fork-image.yaml +++ b/.github/workflows/fork-image.yaml @@ -45,6 +45,11 @@ jobs: with: fetch-depth: 0 + - name: Fetch upstream tags + run: | + git remote add upstream https://github.com/traefik/traefik.git + git fetch upstream --tags --no-recurse-submodules + - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with:
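Review bot: the new "Fetch upstream tags" step is not idempotent: `git remote add upstream https://github.com/traefik/traefik.git` exits non-zero if a remote named `upstream` already exists (for example on a self-hosted runner with a persistent workspace, or if a later step or a composite action adds the same remote), which would fail the job before `git fetch` runs. Either guard it (`git remote add upstream <url> || git remote set-url upstream <url>`) or drop the remote entirely and fetch tags straight from the URL, e.g. `git fetch --tags --no-recurse-submodules https://github.com/traefik/traefik.git`. Two smaller points on the same hunk: since the embedded module version now depends on whatever tags that third-party remote serves, it is worth printing `git describe --tags --always` at the end of the step so the build log records which base tag (the message's v3.7.5 case) the pseudo-version was anchored to and any unexpected tag change is visible in CI rather than only in Trivy's output; and the step relies on the `fetch-depth: 0` in the preceding checkout context lines, so a short comment in the workflow saying the full history is required for `go` to compute the pseudo-version would keep a future "optimisation" from silently reintroducing the false positives.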