fix: cherry-pick: include .git in Docker build context for version embedding

[joanestebanr]

🔄 Changes Summary

• Cherry-pick of fix: include .git in Docker build context for version embedding #1621 from release/0.10 into develop
• Remove .git/ from .dockerignore so that git describe and git rev-parse run correctly inside the builder stage, embedding the correct Version, GitRev and GitBranch values in the binary
• Update CI workflows (build-aggkit-image.yml, build-push-docker-image.yml, release.yml) to include .git in the Docker build context

⚠️ Breaking Changes

• None

📋 Config Updates

• None

✅ Testing

• 🖱️ Manual: make build-docker && docker run aggkit:local version shows correct Version, Git revision and Git branch fields

🐞 Issues

• Related to bug: aggkit release 0.10.0-rc3 don't show version #1618

🔗 Related PRs

• Cherry-pick of fix: include .git in Docker build context for version embedding #1621 (originally merged into release/0.10)

📝 Notes

• .git/ was excluded from the Docker context for security and context-size reasons. Since the builder stage only uses git metadata to set ldflags and the .git directory is not copied into the final runtime image, the security concern does not apply.
• Dockerfile, Makefile, and version.mk were not included because develop already has the correct state for those files.

🤖 Generated with Claude Code

[claude]

Claude finished @joanestebanr's task in 1m 43s —— View job

---

PR Review Complete ✅

---

🚀 What's New

This PR fixes Docker version embedding by including .git metadata in the Docker build context. The binary now correctly displays Version, Git revision, and Git branch when running aggkit version. Additionally, all three CI workflows now include automated version verification steps to ensure the built images have correct version information.

🐛 Bug Fixes

• Fixed missing version information in Docker-built binaries by selectively including .git directory (excluding only .git/config for security)
• Added version verification steps to all Docker build workflows to catch this issue automatically in the future

📋 Config Updates

None

⚠️ Breaking Changes

None

---

Review Feedback

🟢 Overall Assessment: APPROVED

This is a well-executed cherry-pick that solves the version embedding issue without introducing security concerns. The changes are minimal, focused, and include proper safeguards.

---

✅ Strengths

1. Smart security approach (.dockerignore:2-3): Only excluding .git/config (which contains credentials from actions/checkout) while keeping the rest of .git is the right balance between functionality and security.

2. Multi-stage Docker safety: The Dockerfile confirms .git is only present in the builder stage (lines 1-20) and never copied to the final runtime image (lines 24-63), so no security risk in production containers.

3. Automated verification: All three workflows now include version verification steps that fail the build if version info is missing. This prevents regression.

4. Good quoting practices: The workflow changes properly quote shell variables (e.g., "${IMAGE_NAME}") to prevent word-splitting issues.

---

🟡 Suggestions (Optional Improvements)

1. Consistency in workflow verification steps

The three workflows have slight variations in their version verification steps:

• build-aggkit-image.yml:37-40 - Uses IMAGE_NAME env var ✅
• build-push-docker-image.yml:96-100 - Inline variable usage ⚠️
• release.yml:121-127 - Uses both IMAGE_NAME and DIGEST env vars ✅

Suggestion: For consistency and maintainability, consider standardizing the approach across all workflows. The pattern used in build-aggkit-image.yml (with env vars) is cleaner and more readable.

2. Consider adding a comment in version.mk

Since version.mk relies on git commands that now work thanks to this fix, consider adding a comment explaining the .dockerignore dependency:

# These commands require .git metadata to be available in Docker builds
# See .dockerignore for details on what's included/excluded
VERSION := $(shell git describe --tags --always)
GITREV := $(shell git rev-parse --short HEAD)
GITBRANCH := $(shell git rev-parse --abbrev-ref HEAD)

This would help future developers understand the relationship between these files.

---

🔍 Technical Analysis

Security Review

• ✅ .git/config correctly excluded (contains checkout credentials)
• ✅ .git not present in final runtime image (multi-stage build)
• ✅ No sensitive data exposure risk
• ✅ Build context size increase is acceptable (~few MB for git metadata)

Version Embedding Mechanism

The fix enables these Makefile variables to work correctly inside Docker:

VERSION := $(shell git describe --tags --always)    # version.mk:1
GITREV := $(shell git rev-parse --short HEAD)       # version.mk:2
GITBRANCH := $(shell git rev-parse --abbrev-ref HEAD) # version.mk:3

These are passed to the binary via ldflags during make build-aggkit (Makefile:77):

LDFLAGS += -X 'github.com/agglayer/aggkit.Version=$(VERSION)'
LDFLAGS += -X 'github.com/agglayer/aggkit.GitRev=$(GITREV)'
LDFLAGS += -X 'github.com/agglayer/aggkit.GitBranch=$(GITBRANCH)'

Cherry-pick Correctness

• ✅ Changes match the original PR fix: include .git in Docker build context for version embedding #1621 scope
• ✅ PR description correctly notes that Dockerfile, Makefile, and version.mk were excluded because develop already has the correct state
• ✅ Only the necessary delta between release/0.10 and develop is included

---

📝 Minor Observations

1. Line length consistency: All bash scripts in workflows are readable and properly formatted
2. Error handling: Version verification steps properly use || for error handling and exit with meaningful messages
3. Workflow naming: The new verification steps are clearly named ("Verify version in image")

---

✅ Checklist Verification

• .dockerignore changes are correct and secure
• All three workflow files have proper version verification
• Multi-stage Docker build prevents .git from reaching production
• Shell quoting is correct in all workflows
• Changes align with project structure and conventions
• Manual testing mentioned in PR description (make build-docker && docker run aggkit:local version)

---

🎯 Recommendation

Approve and merge. This PR successfully fixes the version embedding issue with a minimal, secure approach. The automated verification steps will prevent this from regressing in the future.

The optional suggestions above would enhance maintainability but are not blockers for merging.

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud