
@SamMorrowDrums
Collaborator

Summary

Fixes code scanning alerts #10 and #11 by pinning go-licenses to v2.0.1 for all environments.

Problem

The script/licenses script used @latest for local development while CI was pinned to a specific commit. This triggered two code scanning alerts:

Both flagged CWE-494: Download of Code Without Integrity Check - using unpinned versions leads to non-deterministic builds.

Solution

  • Removed the conditional logic that used @latest for local development
  • Pin to v2.0.1 (the current latest release) for all environments
  • Simplified the script by removing the CI check for version selection

Before

if [ "$CI" = "true" ]; then
    go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1
else
    go install github.com/google/go-licenses@latest
fi

After

go install github.com/google/go-licenses@v2.0.1

Testing

  • script/lint passes
  • script/test passes
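As an added check that is not part of the PR or the repository's own scripts: a POSIX sh lint that reports the unpinned `go install` pattern the PR removes, accepting a ref only if it is a semver tag (such as `v2.0.1`) or a full 40-hex commit. The placement in `script/lint` suggested in the trailing comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the PR or the repository's scripts.
# Reports `go install` lines whose module ref is not a semver tag (v2.0.1)
# or a full 40-hex commit, i.e. the @latest pattern behind the CWE-494
# alerts. Comments are stripped first so a trailing "# v2.0.1" is ignored.
# Caveat: a local path such as `go install ./cmd/x` carries no ref at all
# and is therefore reported too.

# check_go_install_pins FILE
#   prints each unpinned `go install` line; returns 0 if none, 1 otherwise,
#   2 if FILE is not readable
check_go_install_pins() {
    [ -r "$1" ] || return 2
    pinned='@v[0-9]+\.[0-9]+\.[0-9]+([-+][A-Za-z0-9.]+)?([[:space:]]|$)'
    pinned="$pinned|@[0-9a-f]{40}([[:space:]]|$)"
    if sed 's/#.*$//' "$1" \
        | grep -E 'go[[:space:]]+install[[:space:]]' \
        | grep -E -v "$pinned"; then
        return 1   # grep -v printed at least one offending line
    fi
    return 0       # every go install line is pinned (or there were none)
}

# Hypothetical usage from the repo root, e.g. as a step in script/lint:
#   check_go_install_pins script/licenses || exit 1
```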

@SamMorrowDrums SamMorrowDrums requested a review from a team as a code owner January 19, 2026 18:04
Copilot AI review requested due to automatic review settings January 19, 2026 18:04
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses security alerts by pinning the go-licenses tool to v2.0.1 for reproducible builds across all environments.

Changes:

  • Removed conditional logic that used @latest for local development and a pinned commit for CI
  • Pinned go-licenses to v2.0.1 for all environments (CI and local)
  • Updated comment to reflect the simplified approach

Fixes code scanning alerts #10 and #11 by removing the @latest
version for local development and using the pinned v2.0.1 version
consistently across all environments.

This ensures deterministic builds and addresses the CWE-494
'Download of Code Without Integrity Check' security concern.

@SamMorrowDrums SamMorrowDrums force-pushed the fix-unpinned-go-licenses branch from 49c9423 to 6f96e48 Compare January 19, 2026 18:39