fix(build-go-attest): harden auto-build-timestamp (fail on empty)#78
Merged
fix(build-go-attest): harden auto-build-timestamp (fail on empty)#78
Conversation
Copilot review on #77: 1. 'git show ... 2>/dev/null || true' silently ate failures — the build continued with main.buildTime unset, defeating the point of opting in. Remove the fallback: if resolution returns empty, emit a ::error:: annotation and exit 1. Stderr no longer silenced so the underlying failure reason reaches the log too. 2. Input description tightened: consumers MUST declare 'var buildTime string' in package main. Go 1.21+ linkers silently ignore unknown -X targets, but older toolchains reject with 'symbol not found' — noting the requirement explicitly instead of saying 'silent no-op'. 3. Matching tightening in the inline step comment. Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
CybotTM
added a commit
to netresearch/raybeam
that referenced
this pull request
Apr 21, 2026
Copilot on [#227](#227): the comment listed `-X main.buildTime=<commit-timestamp>` as a direct release.yml ldflag, but [netresearch/.github#77](netresearch/.github#77) moved that injection into `build-go-attest.yml`'s `auto-build-timestamp` step. Update the comment to: - attribute `buildTime` to the `auto-build-timestamp` source - describe `var buildTime string` as a contract (not optional insurance), since [netresearch/.github#78](netresearch/.github#78) hardens `auto-build-timestamp` to fail when the ldflag target is missing on older toolchains
There was a problem hiding this comment.
Pull request overview
This PR hardens the reusable Go build/attestation workflow’s auto-build-timestamp behavior so opting in can’t silently produce binaries with an unset/empty main.buildTime, and clarifies the consumer-side contract in the input documentation.
Changes:
- Tighten
auto-build-timestampinput docs to requirevar buildTime stringand to describe fail-hard behavior on empty resolution. - Remove the silent fallback around
git show, and fail the step when timestamp resolution yields an empty value. - Update the inline build-step comments to match the new contract/behavior.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
CybotTM
added a commit
that referenced
this pull request
Apr 21, 2026
) Copilot on [#78](#78): 1. **`set -e` short-circuit**: `BUILD_TS=$(git show …)` under `set -euo pipefail` aborts before the custom `::error::` diagnostic runs. Wrap in `if ! BUILD_TS=$(...); then` so the non-zero exit is captured locally; merge stderr into stdout (`2>&1`) so git's actual error message appears in the annotation. 2. **fetch-depth wording**: `fetch-depth: 0` also produces a valid HEAD. Reword to 'fetch-depth 0 or >=1 both work'.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Copilot review on #77:
git show … 2>/dev/null || trueate failures and let the build continue withmain.buildTimeunset, defeating the opt-in. Remove the fallback — if resolution returns empty, emit::error::+exit 1.var buildTime string. Go 1.21+ linkers silently ignore unknown-Xtargets, but older toolchains reject with 'symbol not found' — state the requirement explicitly instead of 'silent no-op'.