From 6f96e482a10296e488d72e5b659da446d14ed1f4 Mon Sep 17 00:00:00 2001 From: Sam Morrow Date: Mon, 19 Jan 2026 19:02:48 +0100 Subject: [PATCH] Pin go-licenses to v2.0.1 for reproducible builds Fixes code scanning alerts #10 and #11 by removing the @latest version for local development and using the pinned v2.0.1 version consistently across all environments. This ensures deterministic builds and addresses the CWE-494 'Download of Code Without Integrity Check' security concern. --- script/licenses | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/script/licenses b/script/licenses index 5aa8ec16b..23686315b 100755 --- a/script/licenses +++ b/script/licenses @@ -18,13 +18,9 @@ # depending on the license. set -e -# Pinned version for CI reproducibility, latest for local development +# Pinned version for reproducibility # See: https://github.com/cli/cli/pull/11161 -if [ "$CI" = "true" ]; then - go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1 -else - go install github.com/google/go-licenses@latest -fi +go install github.com/google/go-licenses/v2@v2.0.1 # actions/setup-go does not setup the installed toolchain to be preferred over the system install, # which causes go-licenses to raise "Package ... does not have module info" errors in CI.
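Review bot: the hunk replaces an immutable commit-hash pin (`go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1`) with a tag pin (`go install github.com/google/go-licenses/v2@v2.0.1`), and a tag can be moved after the fact, so the "Pinned version for reproducibility" comment now relies on `go install` verifying the module against the Go checksum database (the GOSUMDB default) rather than on the pin itself; either keep the hash form for the install line, or say in the comment that integrity comes from the checksum database and must not be disabled (GONOSUMDB/GOFLAGS) in the environments this script runs in. Separately, the module path changes from `github.com/google/go-licenses` to `github.com/google/go-licenses/v2`, which is required for a `v2.x` tag under Go's major-version module rules but is not mentioned in the commit message; a one-line note there would save the next reader from wondering whether the path change was intentional.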