Skip to content

fix: ensure clean state when packaging artifacts #19252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: ensure clean state when packaging artifacts #19252

wants to merge 2 commits into from

Conversation

@kruskall
Copy link
Member

Motivation/summary

Go’s build process now automatically embeds VCS information into the
binary. When the repository contains untracked files or the working
tree is dirty, the binary receives a “dirty” flag, which can make it
look tampered, confuse security scanners, and break reproducible
builds.

This PR updates the Dockerfiles to copy the entire repository into the
build image and adds all tracked files to the Docker build context.
By ensuring the same source tree is used both inside and outside the
container, the resulting binary matches the locally‑built version and
the Git state remains clean.

The CI packaging pipeline installs gvm directly in the workspace,
producing a gvm binary that isn’t tracked by Git. Because the file
is untracked, the repository appears dirty, causing Go to embed a
dirty flag in the VCS metadata of the built binary.

This change adds the generated gvm binary to .gitignore,
ensuring the Git tree stays clean and the resulting binary’s VCS
metadata reflects a pristine state.

Checklist

For functional changes, consider:

  • Is it observable through the addition of either logging or metrics?
  • Is its use being published in telemetry to enable product improvement?
  • Have system tests been added to avoid regression?

How to test these changes

  • build docker image
  • inspect apm-server binary and ensure vcs.modified=false

Related issues

Closes #19144

@kruskall
fix: copy full repository in Docker build to guarantee clean VCS state
5720407 
Go’s build process now automatically embeds VCS information into the
binary. When the repository contains untracked files or the working
tree is dirty, the binary receives a “dirty” flag, which can make it
look tampered, confuse security scanners, and break reproducible
builds.

This PR updates the Dockerfiles to copy the entire repository into the
build image and adds all tracked files to the Docker build context.
By ensuring the same source tree is used both inside and outside the
container, the resulting binary matches the locally‑built version and
the Git state remains clean.
@kruskall
fix: add gvm to .gitignore
0df17c4 
The CI packaging pipeline installs gvm directly in the workspace,
producing a gvm binary that isn’t tracked by Git. Because the file
is untracked, the repository appears dirty, causing Go to embed a
dirty flag in the VCS metadata of the built binary.

This change adds the generated gvm binary to .gitignore,
ensuring the Git tree stays clean and the resulting binary’s VCS
metadata reflects a pristine state.
@kruskall kruskall requested a review from a team as a code owner October 20, 2025 22:49
@github-actions
Copy link
Contributor

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify
Copy link
Contributor

mergify bot commented Oct 20, 2025

This pull request does not have a backport label. Could you fix it @kruskall? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-7.17 is the label to automatically backport to the 7.17 branch.
  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • backport-9./d is the label to automatically backport to the 9./d branch. /d is the digit.
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@kruskall kruskall changed the title Fix/apm server vcs dirty fix: ensure clean state when packaging artifacts Oct 20, 2025
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@kruskall kruskall added the backport-active-all Automated backport with mergify to all the active branches label Oct 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport-active-all Automated backport with mergify to all the active branches

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

binary vcs information contains 'dirty' marker

2 participants

@kruskall @elasticmachine