From 6f96e482a10296e488d72e5b659da446d14ed1f4 Mon Sep 17 00:00:00 2001
From: Sam Morrow
Date: Mon, 19 Jan 2026 19:02:48 +0100
Subject: [PATCH 1/2] Pin go-licenses to v2.0.1 for reproducible builds

Fixes code scanning alerts #10 and #11 by removing the @latest version for local development and using the pinned v2.0.1 version consistently across all environments. This ensures deterministic builds and addresses the CWE-494 'Download of Code Without Integrity Check' security concern.
---
 script/licenses | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/script/licenses b/script/licenses
index 5aa8ec16b..23686315b 100755
--- a/script/licenses
+++ b/script/licenses
@@ -18,13 +18,9 @@
 # depending on the license.
 set -e
-# Pinned version for CI reproducibility, latest for local development
+# Pinned version for reproducibility
 # See: https://github.com/cli/cli/pull/11161
-if [ "$CI" = "true" ]; then
- go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1
-else
- go install github.com/google/go-licenses@latest
-fi
+go install github.com/google/go-licenses/v2@v2.0.1
 # actions/setup-go does not setup the installed toolchain to be preferred over the system install,
 # which causes go-licenses to raise "Package ... does not have module info" errors in CI.

From 1195cf5f532c2693fd46ea47f60ead1e2c96dc77 Mon Sep 17 00:00:00 2001
From: Sam Morrow
Date: Mon, 19 Jan 2026 22:43:36 +0100
Subject: [PATCH 2/2] Build full package in Dockerfile to include all commands

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 92ed52581..9d68a985a 100644
--- a/Dockerfile
+++ b/Dockerfile
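Review bot: The added `go install github.com/google/go-licenses/v2@v2.0.1` swaps the previous full commit-hash pin for a tag pin, and a tag is only as tamper-evident as the Go checksum database check that `go install` performs when resolving it; in any environment where GOSUMDB is off or GONOSUMDB exempts this module, the integrity property the commit message claims for CWE-494 is not actually enforced. The new comment `# Pinned version for reproducibility` does not say this, so I would extend it to `# Pinned by tag; go install verifies it against the Go checksum database, so keep GOSUMDB enabled` so that a later "speed up CI" change does not silently weaken it. The retained `# See:` link and the actions/setup-go note below are unaffected.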
@@ -14,7 +14,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 --mount=type=cache,target=/root/.cache/go-build \
 --mount=type=bind,target=. \
 CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
- -o /bin/github-mcp-server cmd/github-mcp-server/main.go
+ -o /bin/github-mcp-server ./cmd/github-mcp-server
 # Make a stage to run the app
 FROM gcr.io/distroless/base-debian12
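Review bot: The new `-o /bin/github-mcp-server ./cmd/github-mcp-server` line carries no explanation of why the package path replaced the single `main.go`, so a later edit can revert to the file form and again drop any sibling source files from the build without anyone noticing until runtime. A one-line comment on the `RUN` instruction would preserve the intent, e.g. `# Build the whole package (not main.go alone) so every file under cmd/github-mcp-server is compiled`. The `RUN` instruction this line belongs to starts before the hunk.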