Skip to content

ci: tag per build job #12428

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
babakks merged 3 commits into from
Jan 6, 2026
Merged

ci: tag per build job #12428

babakks merged 3 commits into from
Jan 6, 2026
+18 −0

Conversation

@babakks
Copy link
Member

@babakks babakks commented Jan 6, 2026

Fixes #12263

With this PR we tag the HEAD commit (per build job) to make sure the right version is baked into the built binaries.

@babakks
ci: tag per build job
fa871ff 
We need to tag the HEAD commit to make sure the right version is baked
into the built binaries.

See for more details:
- #12263

Signed-off-by: Babak K. Shandiz <babakks@github.com>
@babakks babakks requested a review from a team as a code owner January 6, 2026 17:01
@babakks babakks requested review from BagToad and Copilot January 6, 2026 17:01
@babakks
ci: improve step name
d02341d 
Signed-off-by: Babak K. Shandiz <babakks@github.com>
Copilot AI reviewed Jan 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a false positive CVE detection issue (CVE-2024-52308) in Trivy scans by ensuring the correct version information is embedded in built binaries. The problem occurred because binaries were showing pseudo-versions like v2.0.0-20251104174640-152d328db80d instead of proper release tags, causing Trivy to incorrectly flag them as vulnerable versions.

  • Adds local git tag creation before each build job to embed proper version information in binaries
  • Applies the fix consistently across all three build platforms (Linux, macOS, Windows)
  • The tags are created locally only and not pushed to the remote repository

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@babakks
ci: shorten run block
f47a230 
Signed-off-by: Babak K. Shandiz <babakks@github.com>
BagToad
BagToad approved these changes Jan 6, 2026
View reviewed changes
Copy link
Member

@BagToad BagToad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, reviewed in sync

@babakks babakks enabled auto-merge January 6, 2026 17:08
@babakks babakks merged commit 4da13f8 into trunk Jan 6, 2026
9 checks passed
@babakks babakks deleted the bk-kw/tag-per-build branch January 6, 2026 17:15
@BagToad BagToad mentioned this pull request Jan 6, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@BagToad BagToad BagToad approved these changes

Assignees

@babakks babakks

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Trivy is reporting a CVE that looks like it may be a false positive: CVE-2024-52308.

3 participants

@babakks @BagToad