From f430c64e3a10d7bcac26252fc1a47aa3a3572743 Mon Sep 17 00:00:00 2001 From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Wed, 20 May 2026 16:25:50 +0200 Subject: [PATCH 1/9] Revert "fix: embed version info in Docker builds (#1619)" This reverts commit 184bb404d553fcfc04f37d2d870605025c0c680d. --- Dockerfile | 5 ----- Makefile | 31 +++---------------------------- go.mod | 14 +++++++------- go.sum | 28 ++++++++++++++-------------- version.mk | 6 +++--- 5 files changed, 27 insertions(+), 57 deletions(-) diff --git a/Dockerfile b/Dockerfile index a09c7cc03..56e6ae4d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,11 +8,6 @@ RUN apk add --no-cache gcc musl-dev make sqlite-dev git WORKDIR /app -# Version build arguments (injected from host git metadata) -ARG VERSION -ARG GITREV -ARG GITBRANCH - # Download Go dependencies COPY go.mod go.sum ./ RUN go mod download diff --git a/Makefile b/Makefile index 4653a7bab..b6e0a796b 100644 --- a/Makefile +++ b/Makefile 
@@ -87,40 +87,15 @@ $(GOBIN)/remove_ger: ## Build remove_ger tool .PHONY: build-docker build-docker: ## Builds a docker image with the aggkit binary - docker build \ - --build-arg VERSION="$(VERSION)" \ - --build-arg GITREV="$(GITREV)" \ - --build-arg GITBRANCH="$(GITBRANCH)" \ - -t aggkit:local -f ./Dockerfile . - @out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \ - ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \ - [ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \ - echo "Version check passed: $$ver" + docker build -t aggkit:local -f ./Dockerfile . .PHONY: build-docker-ci build-docker-ci: ## Builds a docker image with the aggkit binary for CI (includes shell) - docker build \ - --build-arg INCLUDE_SHELL=true \ - --build-arg VERSION="$(VERSION)" \ - --build-arg GITREV="$(GITREV)" \ - --build-arg GITBRANCH="$(GITBRANCH)" \ - -t aggkit:local -f ./Dockerfile . - @out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \ - ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \ - [ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \ - echo "Version check passed: $$ver" + docker build --build-arg INCLUDE_SHELL=true -t aggkit:local -f ./Dockerfile . .PHONY: build-docker-nc build-docker-nc: ## Builds a docker image with the aggkit binary - but without build cache - docker build --no-cache=true \ - --build-arg VERSION="$(VERSION)" \ - --build-arg GITREV="$(GITREV)" \ - --build-arg GITBRANCH="$(GITBRANCH)" \ - -t aggkit:local -f ./Dockerfile . - @out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \ - ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \ - [ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \ - echo "Version check passed: $$ver" + docker build --no-cache=true -t aggkit:local -f ./Dockerfile . 
.PHONY: build-docker-debug build-docker-debug: ## Builds a debug docker image (dlv headless on :40000, no optimizations) diff --git a/go.mod b/go.mod index b1d1416a9..a77eeeb2a 100644 --- a/go.mod +++ b/go.mod @@ -207,17 +207,17 @@ require ( go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/arch v0.22.0 // indirect - golang.org/x/crypto v0.50.0 // indirect + golang.org/x/crypto v0.48.0 // indirect golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect - golang.org/x/mod v0.34.0 // indirect - golang.org/x/net v0.53.0 // indirect + golang.org/x/mod v0.32.0 // indirect + golang.org/x/net v0.51.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect - golang.org/x/sys v0.43.0 // indirect - golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c // indirect - golang.org/x/text v0.36.0 // indirect + golang.org/x/sys v0.41.0 // indirect + golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 // indirect + golang.org/x/text v0.34.0 // indirect golang.org/x/time v0.12.0 // indirect - golang.org/x/tools v0.43.0 // indirect + golang.org/x/tools v0.41.0 // indirect golang.org/x/tools/go/expect v0.1.1-deprecated // indirect golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect google.golang.org/api v0.215.0 // indirect diff --git a/go.sum b/go.sum index 654a06308..e97fadcfb 100644 --- a/go.sum +++ b/go.sum 
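Review bot: The three `docker build` recipes on the new side drop the post-build version check together with the build-args, so a local `make build-docker` now succeeds even when the image reports an empty `Version:`, while PATCH 4/9, 6/9 and 7/9 later paste the identical shell snippet into three workflow files. Keeping that snippet once in the Makefile as a phony target (say `verify-docker-version`, built from the `@out=$$(docker run --rm aggkit:local version)` / `[ -n "$$ver" ]` lines this hunk deletes) and calling it from the workflows would avoid three copies drifting apart. It would also put the `aggkit:local` tag in one place: these targets hard-code it, whereas build-aggkit-image.yml in PATCH 7/9 derives it from `inputs.docker-image-name`.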
@@ -565,8 +565,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= -golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI= -golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q= +golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= +golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/exp v0.0.0-20190221220918-438050ddec5e/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM= golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8= @@ -581,8 +581,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= -golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= +golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= +golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -602,8 +602,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA= -golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs= +golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= +golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= 
@@ -645,10 +645,10 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= -golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c h1:6a8FdnNk6bTXBjR4AGKFgUKuo+7GnR3FX5L7CbveeZc= -golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c/go.mod h1:TpUTTEp9frx7rTdLpC9gFG9kdI7zVLFTFFlqaH2Cncw= +golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= +golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 h1:O1cMQHRfwNpDfDJerqRoE2oD+AFlyid87D40L/OkkJo= +golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2/go.mod h1:b7fPSJ0pKZ3ccUh8gnTONJxhn3c/PS6tyzQvyqw4iA8= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= 
@@ -664,8 +664,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= -golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= +golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= +golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= @@ -681,8 +681,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= -golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= +golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= +golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= diff --git a/version.mk b/version.mk index 4067da7fe..73db3b019 100644 --- a/version.mk +++ b/version.mk 
@@ -1,4 +1,4 @@ -VERSION ?= $(shell git describe --tags --always) -GITREV ?= $(shell git rev-parse --short HEAD) -GITBRANCH ?= $(shell git rev-parse --abbrev-ref HEAD) +VERSION := $(shell git describe --tags --always) +GITREV := $(shell git rev-parse --short HEAD) +GITBRANCH := $(shell git rev-parse --abbrev-ref HEAD) DATE := $(shell LANG=US date +"%a, %d %b %Y %X %z") From 549aea0c977f799e01aeba37921a343b053d1f50 Mon Sep 17 00:00:00 2001 From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Wed, 20 May 2026 16:26:22 +0200 Subject: [PATCH 2/9] fix: include .git in Docker build context for version embedding Removing .git/ from .dockerignore allows git describe/rev-parse to run inside the builder stage, so the binary gets correct Version, GitRev and GitBranch values without requiring build-args. Co-Authored-By: Claude Sonnet 4.6 --- .dockerignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.dockerignore b/.dockerignore index 3aeaa04e7..6a4811d17 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,5 +1,4 @@ # Version control -.git/ .gitignore # Sensitive / secret files From 1d19eec65b3eb5ed1889d5d814ab2d60985c5f3c Mon Sep 17 00:00:00 2001 From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Wed, 20 May 2026 17:55:14 +0200 Subject: [PATCH 3/9] chore: bump golang.org/x dependencies to fix vulnerabilities Upgrades golang.org/x/crypto, net, sys, text, tools, mod and telemetry to their latest versions to address known security vulnerabilities. Co-Authored-By: Claude Sonnet 4.6 --- go.mod | 14 +++++++------- go.sum | 28 ++++++++++++++-------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/go.mod b/go.mod index a77eeeb2a..b1d1416a9 100644 --- a/go.mod +++ b/go.mod 
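Review bot: Reverting `VERSION`, `GITREV` and `GITBRANCH` from `?=` to `:=` means the three `$(shell git …)` calls run on every parse of version.mk regardless of target, and where no `.git` is available (at this commit the Docker context still ignores `.git/`, as the next patch's removed line shows) they write `fatal: not a git repository` to stderr and leave the variables empty without failing the build. If git is meant to be the only source of truth, make the empty case loud, e.g. `VERSION := $(shell git describe --tags --always 2>/dev/null)` followed by `$(if $(strip $(VERSION)),,$(warning VERSION is empty: not a git checkout?))`. Command-line overrides such as `make VERSION=v1.2.3` still win over `:=`, so a one-line comment stating that this is the supported override path would help now that the `?=` environment override is gone.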
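Review bot: Removing `.git/` from .dockerignore sends the entire git directory to the daemon, and with actions/checkout's default `persist-credentials: true` that includes `.git/config`, where the job token is stored as an `http.<url>.extraheader` value, so the token enters the build context and any cached `COPY` layer of the builder stage. The description only weighs the `git describe`/`git rev-parse` benefit; PATCH 5/9 and 8/9 narrow this again, but images and cache produced by CI runs at this commit should be treated as having had the token available to the build. If the goal is just `Version`, `GitRev` and `GitBranch`, computing them on the host and passing them as `--build-arg` (the approach PATCH 1/9 reverts) keeps `.git` out of the context entirely, and `persist-credentials: false` on the checkout step is the cheap mitigation when `.git` must be present.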
@@ -207,17 +207,17 @@ require ( go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/arch v0.22.0 // indirect - golang.org/x/crypto v0.48.0 // indirect + golang.org/x/crypto v0.50.0 // indirect golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect - golang.org/x/mod v0.32.0 // indirect - golang.org/x/net v0.51.0 // indirect + golang.org/x/mod v0.34.0 // indirect + golang.org/x/net v0.53.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect - golang.org/x/sys v0.41.0 // indirect - golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 // indirect - golang.org/x/text v0.34.0 // indirect + golang.org/x/sys v0.43.0 // indirect + golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c // indirect + golang.org/x/text v0.36.0 // indirect golang.org/x/time v0.12.0 // indirect - golang.org/x/tools v0.41.0 // indirect + golang.org/x/tools v0.43.0 // indirect golang.org/x/tools/go/expect v0.1.1-deprecated // indirect golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect google.golang.org/api v0.215.0 // indirect diff --git a/go.sum b/go.sum index e97fadcfb..654a06308 100644 --- a/go.sum +++ b/go.sum 
@@ -565,8 +565,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= -golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= -golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= +golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI= +golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q= golang.org/x/exp v0.0.0-20190221220918-438050ddec5e/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM= golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8= @@ -581,8 +581,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= -golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= +golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= +golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -602,8 +602,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= -golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= +golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA= +golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= 
@@ -645,10 +645,10 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= -golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 h1:O1cMQHRfwNpDfDJerqRoE2oD+AFlyid87D40L/OkkJo= -golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2/go.mod h1:b7fPSJ0pKZ3ccUh8gnTONJxhn3c/PS6tyzQvyqw4iA8= +golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= +golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c h1:6a8FdnNk6bTXBjR4AGKFgUKuo+7GnR3FX5L7CbveeZc= +golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c/go.mod h1:TpUTTEp9frx7rTdLpC9gFG9kdI7zVLFTFFlqaH2Cncw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= 
@@ -664,8 +664,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= -golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= +golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= +golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= @@ -681,8 +681,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= -golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= +golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= +golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= From 98b0f7b7c9db434e2a2996ef9eba2aecb72ffec6 Mon Sep 17 00:00:00 2001 
From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Thu, 21 May 2026 10:39:05 +0200 Subject: [PATCH 4/9] ci: verify version is embedded in Docker image after build After each platform/variant build, pulls the image by digest and runs `aggkit version`, failing the job if the Version field is empty. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f92621134..a7366bc18 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -117,6 +117,15 @@ jobs: INCLUDE_SHELL=${{ matrix.variant.include_shell }} outputs: type=image,name=${{ (matrix.variant.suffix == '') && steps.image_builder_prod.outputs.IMAGE || steps.image_builder_dev.outputs.IMAGE }},push-by-digest=true,push=true + - name: Verify version in image + run: | + IMAGE_NAME="${{ (matrix.variant.suffix == '') && steps.image_builder_prod.outputs.IMAGE || steps.image_builder_dev.outputs.IMAGE }}" + DIGEST="${{ steps.build.outputs.digest }}" + out=$(docker run --rm "${IMAGE_NAME}@${DIGEST}" version) || { echo "ERROR: docker run failed"; exit 1; } + ver=$(echo "$out" | awk '/^Version:/{print $2}') + [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; } + echo "Version check passed: $ver" + - name: Export digest run: | mkdir -p /tmp/digests From cc9142c1509804873a44cf41ffa41f2bf6f32aa4 Mon Sep 17 00:00:00 2001 
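Review bot: The new `Verify version in image` step runs `docker run` on the image built for the current matrix entry, which only works when that platform is native to the runner or binfmt/QEMU emulation was registered earlier in the job; a non-native platform (e.g. an arm64 image on an amd64 runner) fails with an exec-format error that this step then reports as `docker run failed`. If emulation is not set up, either gate the step on the platform entry of the matrix (its key is not visible in this hunk) or run the check once against the merged manifest after the digests are combined. The identical step added to build-push-docker-image.yml in PATCH 6/9 has the same issue. For consistency with PATCH 9/9, `IMAGE_NAME` and `DIGEST` would read better as `env:` entries than as `${{ }}` interpolations inside the script, even though step outputs, unlike workflow inputs, are not caller-controlled here.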
From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Thu, 21 May 2026 10:42:21 +0200 Subject: [PATCH 5/9] fix: exclude .git/config from Docker context to avoid credential leakage Restore .git/ to .dockerignore but re-include only the files required by git describe and git rev-parse (HEAD, packed-refs, refs/), so the auth token that actions/checkout writes to .git/config is never sent to the Docker daemon or stored in build cache. Co-Authored-By: Claude Sonnet 4.6 --- .dockerignore | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.dockerignore b/.dockerignore index 6a4811d17..76bd06b66 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,4 +1,10 @@ -# Version control +# Version control — exclude .git but keep the minimal metadata needed for +# git describe / git rev-parse (HEAD, packed-refs, refs/). This avoids +# sending .git/config which may contain credentials from actions/checkout. +.git/ +!.git/HEAD +!.git/packed-refs +!.git/refs/ .gitignore # Sensitive / secret files From 0cfc477311f11e3975d8a4c46e7535e2f2ad13e6 Mon Sep 17 00:00:00 2001 From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Thu, 21 May 2026 10:46:07 +0200 Subject: [PATCH 6/9] ci: verify version is embedded in Docker image after build Mirrors the same check added to release.yml: after each platform/variant build, pulls the image by digest and runs `aggkit version`, failing the job if the Version field is empty. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build-push-docker-image.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml index 928785adc..2a38b9bc7 100644 --- a/.github/workflows/build-push-docker-image.yml +++ b/.github/workflows/build-push-docker-image.yml 
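Review bot: The allow-list on the new side (`!.git/HEAD`, `!.git/packed-refs`, `!.git/refs/`) does not re-include `.git/objects`, yet `git describe --tags` has to read the HEAD commit and walk towards a tag, so it most likely fails inside the builder and `VERSION` comes out empty; `git rev-parse --short HEAD` and `--abbrev-ref HEAD` can be answered from the ref files alone, which would explain a partially populated version string. PATCH 8/9 drops this approach, which is consistent with it not having worked. If the negation style is kept, `!.git/objects/` and, for a shallow checkout, `!.git/shallow` are required, at which point almost all of `.git` is in the context and the comment's "minimal metadata" wording should go.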
@@ -92,6 +92,13 @@ jobs: INCLUDE_SHELL=${{ matrix.variant.include_shell }} outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true + - name: Verify version in image + run: | + out=$(docker run --rm "${{ env.REGISTRY_IMAGE }}@${{ steps.build.outputs.digest }}" version) || { echo "ERROR: docker run failed"; exit 1; } + ver=$(echo "$out" | awk '/^Version:/{print $2}') + [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; } + echo "Version check passed: $ver" + - name: Export digest run: | mkdir -p /tmp/digests From 2aa5c1c96cf238559637423a55e52d78f3d1d9c0 Mon Sep 17 00:00:00 2001 From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Thu, 21 May 2026 10:47:36 +0200 Subject: [PATCH 7/9] ci: verify version is embedded in Docker image after build Mirrors the same check added to release.yml and build-push-docker-image.yml: after the make build-docker step, runs `aggkit version` and fails if the Version field is empty. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build-aggkit-image.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build-aggkit-image.yml b/.github/workflows/build-aggkit-image.yml index cd09d1c3e..9e3c9bbb1 100644 --- a/.github/workflows/build-aggkit-image.yml +++ b/.github/workflows/build-aggkit-image.yml @@ -30,6 +30,13 @@ jobs: - name: Build Aggkit Docker Image run: make build-docker + - name: Verify version in image + run: | + out=$(docker run --rm ${{ inputs.docker-image-name }}:local version) || { echo "ERROR: docker run failed"; exit 1; } + ver=$(echo "$out" | awk '/^Version:/{print $2}') + [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; } + echo "Version check passed: $ver" + - name: Save Aggkit Image to Archive run: docker save --output /tmp/${{ inputs.docker-image-name }}.tar ${{ inputs.docker-image-name }} From 2ce4d907f2ec974f12f0b333028cb22e6b90d7f0 Mon Sep 17 00:00:00 2001 
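Review bot: The verify step runs `${{ inputs.docker-image-name }}:local`, but the `build-docker` target it follows (see the Makefile hunk of PATCH 1/9) hard-codes `-t aggkit:local`, so the check only works when the caller passes `aggkit` as `docker-image-name`; any other value fails with an image-not-found error that is surfaced as `docker run failed` rather than as a misconfiguration. Either run `aggkit:local` here explicitly, matching the Makefile, or make the Makefile take the image name from a variable (a constructed name such as `IMAGE=…`) that this step passes to `make build-docker`. The pre-existing `Save Aggkit Image to Archive` step below has the same coupling, and a short comment on the step recording which value is expected would help the next caller.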
From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Thu, 21 May 2026 10:53:37 +0200 Subject: [PATCH 8/9] fix: exclude .git/config from Docker context instead of all of .git Rather than trying to re-include individual git metadata files via negation patterns, keep .git/ accessible for git describe/rev-parse and only exclude .git/config where actions/checkout stores its auth token. Co-Authored-By: Claude Sonnet 4.6 --- .dockerignore | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.dockerignore b/.dockerignore index 76bd06b66..858192e05 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,10 +1,6 @@ -# Version control — exclude .git but keep the minimal metadata needed for -# git describe / git rev-parse (HEAD, packed-refs, refs/). This avoids -# sending .git/config which may contain credentials from actions/checkout. -.git/ -!.git/HEAD -!.git/packed-refs -!.git/refs/ +# Version control — exclude credential files that actions/checkout writes +# but keep the rest of .git so git describe / git rev-parse work correctly. +.git/config .gitignore # Sensitive / secret files From dda8358326c9a03b91fa005e965b0a739162191f Mon Sep 17 00:00:00 2001 From: jesteban <129153821+joanestebanr@users.noreply.github.com> Date: Thu, 21 May 2026 14:58:02 +0200 Subject: [PATCH 9/9] fix: avoid script injection by using env vars for workflow inputs Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build-aggkit-image.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-aggkit-image.yml b/.github/workflows/build-aggkit-image.yml index 9e3c9bbb1..6de00ee46 100644 --- a/.github/workflows/build-aggkit-image.yml +++ b/.github/workflows/build-aggkit-image.yml 
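Review bot: Excluding only `.git/config` assumes it is the sole file actions/checkout writes credentials to; when the checkout step also fetches submodules, the same extraheader goes into each `.git/modules/<name>/config`, which this deny-list lets through, so add `.git/modules/**/config` or disable `persist-credentials` on the checkout used by image-building jobs. Separately, the whole object database is now part of the context and, if the builder stage copies the tree, of a cached layer, so anything ever committed and later removed from the working tree is reachable from the build cache; the header comment should say so, e.g. `# NOTE: the object store is sent to the daemon; secrets scrubbed from the tree but not from history still end up in the build cache`. Finally, on a shallow checkout without tags (actions/checkout's default) `git describe --tags --always` yields only the short hash, which still passes the `[ -n "$ver" ]` check from PATCH 4/9; if release images are expected to carry a tag-based version, that check should match the expected format instead of non-emptiness.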
@@ -31,14 +31,18 @@ jobs: run: make build-docker - name: Verify version in image + env: + IMAGE_NAME: ${{ inputs.docker-image-name }} run: | - out=$(docker run --rm ${{ inputs.docker-image-name }}:local version) || { echo "ERROR: docker run failed"; exit 1; } + out=$(docker run --rm "${IMAGE_NAME}:local" version) || { echo "ERROR: docker run failed"; exit 1; } ver=$(echo "$out" | awk '/^Version:/{print $2}') [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; } echo "Version check passed: $ver" - name: Save Aggkit Image to Archive - run: docker save --output /tmp/${{ inputs.docker-image-name }}.tar ${{ inputs.docker-image-name }} + env: + IMAGE_NAME: ${{ inputs.docker-image-name }} + run: docker save --output "/tmp/${IMAGE_NAME}.tar" "${IMAGE_NAME}" - name: Upload Aggkit Archive uses: actions/upload-artifact@v4
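Review bot: The `env:` block with `IMAGE_NAME: ${{ inputs.docker-image-name }}` is now repeated verbatim in the `Verify version in image` and `Save Aggkit Image to Archive` steps; hoisting it to the job's `env:` keeps the input read in one place and makes it less likely that a future step reintroduces inline `${{ inputs.… }}` interpolation into `run:`. The same `env:` treatment would be worth applying to the steps PATCH 4/9 and 6/9 added in release.yml and build-push-docker-image.yml, which still interpolate `steps.build.outputs.digest` and `env.REGISTRY_IMAGE` directly into the script; lower risk, since those are not caller-supplied, but one consistent pattern is easier to audit.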