fix: include .git in Docker build context for version embedding

.dockerignore

@@ -1,5 +1,6 @@
-# Version control
-.git/
+# Version control — exclude credential files that actions/checkout writes
+# but keep the rest of .git so git describe / git rev-parse work correctly.
+.git/config
 .gitignore
 
 # Sensitive / secret files

.github/workflows/build-aggkit-image.yml

@@ -30,8 +30,19 @@ jobs:
       - name: Build Aggkit Docker Image
         run: make build-docker
 
+      - name: Verify version in image
+        env:
+          IMAGE_NAME: ${{ inputs.docker-image-name }}
+        run: |
+          out=$(docker run --rm "${IMAGE_NAME}:local" version) || { echo "ERROR: docker run failed"; exit 1; }
+          ver=$(echo "$out" | awk '/^Version:/{print $2}')
+          [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }
+          echo "Version check passed: $ver"
+
       - name: Save Aggkit Image to Archive
-        run: docker save --output /tmp/${{ inputs.docker-image-name }}.tar ${{ inputs.docker-image-name }}
+        env:
+          IMAGE_NAME: ${{ inputs.docker-image-name }}
+        run: docker save --output "/tmp/${IMAGE_NAME}.tar" "${IMAGE_NAME}"
 
       - name: Upload Aggkit Archive
         uses: actions/upload-artifact@v4

.github/workflows/build-push-docker-image.yml

@@ -92,6 +92,13 @@ jobs:
             INCLUDE_SHELL=${{ matrix.variant.include_shell }}
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true
 
+      - name: Verify version in image
+        run: |
+          out=$(docker run --rm "${{ env.REGISTRY_IMAGE }}@${{ steps.build.outputs.digest }}" version) || { echo "ERROR: docker run failed"; exit 1; }
+          ver=$(echo "$out" | awk '/^Version:/{print $2}')
+          [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }
+          echo "Version check passed: $ver"
+
       - name: Export digest
         run: |
           mkdir -p /tmp/digests

.github/workflows/release.yml

@@ -117,6 +117,15 @@ jobs:
             INCLUDE_SHELL=${{ matrix.variant.include_shell }}
           outputs: type=image,name=${{ (matrix.variant.suffix == '') && steps.image_builder_prod.outputs.IMAGE || steps.image_builder_dev.outputs.IMAGE }},push-by-digest=true,push=true
 
+      - name: Verify version in image
+        run: |
+          IMAGE_NAME="${{ (matrix.variant.suffix == '') && steps.image_builder_prod.outputs.IMAGE || steps.image_builder_dev.outputs.IMAGE }}"
+          DIGEST="${{ steps.build.outputs.digest }}"
+          out=$(docker run --rm "${IMAGE_NAME}@${DIGEST}" version) || { echo "ERROR: docker run failed"; exit 1; }
+          ver=$(echo "$out" | awk '/^Version:/{print $2}')
+          [ -n "$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }
+          echo "Version check passed: $ver"
+
       - name: Export digest
         run: |
           mkdir -p /tmp/digests

Dockerfile

@@ -8,11 +8,6 @@ RUN apk add --no-cache gcc musl-dev make sqlite-dev git
 
 WORKDIR /app
 
-# Version build arguments (injected from host git metadata)
-ARG VERSION
-ARG GITREV
-ARG GITBRANCH
-
 # Download Go dependencies
 COPY go.mod go.sum ./
 RUN go mod download

Makefile

@@ -87,40 +87,15 @@ $(GOBIN)/remove_ger: ## Build remove_ger tool
 
 .PHONY: build-docker
 build-docker: ## Builds a docker image with the aggkit binary
-	docker build \
-		--build-arg VERSION="$(VERSION)" \
-		--build-arg GITREV="$(GITREV)" \
-		--build-arg GITBRANCH="$(GITBRANCH)" \
-		-t aggkit:local -f ./Dockerfile .
-	@out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \
-		ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \
-		[ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \
-		echo "Version check passed: $$ver"
+	docker build -t aggkit:local -f ./Dockerfile .
 
 .PHONY: build-docker-ci
 build-docker-ci: ## Builds a docker image with the aggkit binary for CI (includes shell)
-	docker build \
-		--build-arg INCLUDE_SHELL=true \
-		--build-arg VERSION="$(VERSION)" \
-		--build-arg GITREV="$(GITREV)" \
-		--build-arg GITBRANCH="$(GITBRANCH)" \
-		-t aggkit:local -f ./Dockerfile .
-	@out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \
-		ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \
-		[ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \
-		echo "Version check passed: $$ver"
+	docker build --build-arg INCLUDE_SHELL=true -t aggkit:local -f ./Dockerfile .
 
 .PHONY: build-docker-nc
 build-docker-nc: ## Builds a docker image with the aggkit binary - but without build cache
-	docker build --no-cache=true \
-		--build-arg VERSION="$(VERSION)" \
-		--build-arg GITREV="$(GITREV)" \
-		--build-arg GITBRANCH="$(GITBRANCH)" \
-		-t aggkit:local -f ./Dockerfile .
-	@out=$$(docker run --rm aggkit:local version) || { echo "ERROR: docker run failed"; exit 1; }; \
-		ver=$$(echo "$$out" | awk '/^Version:/{print $$2}'); \
-		[ -n "$$ver" ] || { echo "ERROR: Docker image has no version embedded"; exit 1; }; \
-		echo "Version check passed: $$ver"
+	docker build --no-cache=true -t aggkit:local -f ./Dockerfile .
 
 .PHONY: build-docker-debug
 build-docker-debug: ## Builds a debug docker image (dlv headless on :40000, no optimizations)

version.mk

@@ -1,4 +1,4 @@
-VERSION ?= $(shell git describe --tags --always)
-GITREV ?= $(shell git rev-parse --short HEAD)
-GITBRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
+VERSION := $(shell git describe --tags --always)
+GITREV := $(shell git rev-parse --short HEAD)
+GITBRANCH := $(shell git rev-parse --abbrev-ref HEAD)
 DATE := $(shell LANG=US date +"%a, %d %b %Y %X %z")