From 736de0b6b0616b16d74cffa21bb293ede03649e8 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel <sebastian.mendel@netresearch.de>
Date: Tue, 21 Apr 2026 07:08:04 +0200
Subject: [PATCH] fix(build-go-attest): unmerge git show stderr from BUILD_TS

Copilot review on #79: merging stderr into stdout via '2>&1' meant
that if 'git show' exited 0 but wrote a warning to stderr (e.g.,
line-ending or core.autocrlf notices in some environments),
BUILD_TS would contain that warning text. The empty-string check
would still pass, and the ldflag would then be assembled with a
non-timestamp value, either breaking 'go build' or shipping
corrupted -X main.buildTime metadata.

Drop the 2>&1 merge. BUILD_TS now captures stdout only; git's
stderr flows to the Actions step log naturally where users can
read the exact git error. The '::error::' annotation points them
at 'the git error above' instead of inlining a potentially
truncated string.

Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
---
 .github/workflows/build-go-attest.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-go-attest.yml b/.github/workflows/build-go-attest.yml
index 989321b..4ead989 100644
--- a/.github/workflows/build-go-attest.yml
+++ b/.github/workflows/build-go-attest.yml
@@ -217,12 +217,15 @@ jobs:
           # fails hard if resolution yields an empty string so opting in
           # can't silently ship a binary with an empty buildTime.
           if [[ "${AUTO_BUILD_TIMESTAMP}" == "true" ]]; then
-            # Capture both success/failure explicitly — `set -e` would
-            # otherwise abort on a non-zero `git show` before the custom
-            # diagnostic runs. The empty-string check still fires for
-            # exit-0-empty-output edge cases.
-            if ! BUILD_TS=$(git show -s --format=%cI HEAD 2>&1); then
-              echo "::error::auto-build-timestamp=true but 'git show -s --format=%cI HEAD' failed: ${BUILD_TS}. Check that actions/checkout completed and HEAD points at a real commit."
+            # Capture success/failure explicitly — `set -e` would otherwise
+            # abort on a non-zero `git show` before the custom diagnostic
+            # runs. Stderr intentionally NOT merged into BUILD_TS so a
+            # warning on stderr (exit 0) can't corrupt the ldflag value;
+            # git's own error message still surfaces through the Actions
+            # step log naturally. The empty-string check still fires for
+            # the exit-0-empty-stdout edge case.
+            if ! BUILD_TS=$(git show -s --format=%cI HEAD); then
+              echo "::error::auto-build-timestamp=true but 'git show -s --format=%cI HEAD' failed. See the git error above. Check that actions/checkout completed and HEAD points at a real commit."
               exit 1
             fi
             if [[ -z "${BUILD_TS}" ]]; then