Skip to content

fix: add -trimpath to default Go build command #312

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
leodido merged 1 commit into from
Dec 12, 2025
Merged

fix: add -trimpath to default Go build command #312

leodido merged 1 commit into from
Dec 12, 2025

Conversation

@leodido
Copy link
Contributor

@leodido leodido commented Dec 12, 2025
edited
Loading

Summary

Add -trimpath flag to the default Go build command for reproducible builds.

Part of https://linear.app/ona-team/issue/CLC-2085/fix-leeway-slsa-verification-to-enable-remote-cache

Stacked on #311

Problem

Without -trimpath, Go embeds absolute file paths in the binary. These paths vary between build machines (e.g., /home/user1/project vs /home/user2/project), causing identical source code to produce different binaries.

Solution

Add -trimpath to the default build command when no custom buildCommand is specified:

// Before
buildCmd = []string{goCommand, "build"}

// After  
buildCmd = []string{goCommand, "build", "-trimpath"}

Impact

  • Packages using the default Go build command will now produce reproducible binaries
  • Packages with custom buildCommand are unaffected (they should already include -trimpath if reproducibility is needed)
  • No breaking changes - -trimpath only affects debug info paths, not runtime behavior

Testing

  • Added unit test to verify -trimpath is included in default build command
  • All existing tests pass

@leodido leodido changed the title fix: add -trimpath to default Go build command for reproducible builds fix: add -trimpath to default Go build command Dec 12, 2025
@leodido leodido self-assigned this Dec 12, 2025
corneliusludmann
corneliusludmann approved these changes Dec 12, 2025
View reviewed changes
Copy link
Contributor

@corneliusludmann corneliusludmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simple, non-breaking change for reproducible Go builds.

@leodido leodido force-pushed the ldd/sbom-outside-tar branch from 72ddb5e to 8cf7546 Compare December 12, 2025 14:17
@leodido leodido changed the base branch from ldd/sbom-outside-tar to main December 12, 2025 14:28
@leodido @ona-agent
fix: add -trimpath to default Go build command for reproducible builds
b1a6356 
Without -trimpath, Go embeds absolute file paths in the binary, which
vary between build machines and break reproducibility.

Co-authored-by: Ona <no-reply@ona.com>
@leodido leodido merged commit eb5e08c into main Dec 12, 2025
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corneliusludmann corneliusludmann corneliusludmann approved these changes

@csweichel csweichel Awaiting requested review from csweichel

@kylos101 kylos101 Awaiting requested review from kylos101

@geropl geropl Awaiting requested review from geropl

Assignees

@leodido leodido

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@leodido @corneliusludmann