From 8018c7a4874c9cd574d2de1a02ed3d0779934808 Mon Sep 17 00:00:00 2001 From: David Baum Date: Tue, 24 Mar 2026 20:25:08 -0500 Subject: [PATCH] fix: harden build pipeline and improve reproducibility - Add .dockerignore to keep .git/ and docs/ in build context, which are needed by validate-go-mod, validate-headers, and validate-docs targets - Pin osxcross image by digest for reproducible builds - Use test channel for Docker apt repo to fix apt-key deprecation warnings - Fix COPY --from stage name reference in license-update target Signed-off-by: David Baum --- .dockerignore | 7 +++++++ .github/workflows/ci.yml | 17 +++++++++-------- Dockerfile | 6 +++--- 3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index e660fd93d31..10fc06e8a93 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1 +1,8 @@
 bin/
+.github/
+README.md
+BUILDING.md
+CONTRIBUTING.md
+logo.png
+pkg/e2e/fixtures/
+codecov.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4e5015e30f6..a6541e41bc6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -143,7 +143,7 @@ jobs:
 *.cache-to=type=gha,scope=test
 - name: Gather coverage data
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
 with:
 name: coverage-data-unit
 path: bin/coverage/unit/
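Review bot: `.git/` is deliberately left in the build context by this hunk (the list adds `.github/` but not `.git/`), and on a GitHub runner `actions/checkout` persists the workflow token in `.git/config` by default, so any build stage that `COPY`s the context instead of bind-mounting it would bake that token into an image layer. Whether such a stage exists is not visible in this diff, so confirm against the Dockerfile, and record the decision at the top of the file so nobody later "fixes" it by excluding `.git/`, e.g. `# .git/ and docs/ stay in the context: validate-go-mod, validate-headers and validate-docs need them; never COPY them into an image, bind-mount only`. Separately, the description says "Add .dockerignore" but the hunk header `@@ -1 +1,8 @@` with `bin/` already present shows an existing file being extended.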
@@ -191,9 +191,10 @@ jobs:
 run: |
 sudo systemctl stop docker.service
 sudo apt-get purge docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-ce-rootless-extras docker-buildx-plugin
- sudo apt-get install curl
- curl -fsSL https://test.docker.com -o get-docker.sh
- sudo sh ./get-docker.sh --version ${{ matrix.engine }}
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) test" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+ sudo apt-get update
+ sudo apt-get install -y docker-ce=5:${{ matrix.engine }}.* docker-ce-cli=5:${{ matrix.engine }}.* containerd.io
 - name: Check Docker Version
 run: docker --version
@@ -244,7 +245,7 @@ jobs:
 - name: Gather coverage data
 if: ${{ matrix.mode == 'plugin' }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
 with:
 name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }}
 path: bin/coverage/e2e/
@@ -278,13 +279,13 @@ jobs:
 go-version-file: '.go-version'
 check-latest: true
 - name: Download unit test coverage
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@v7
 with:
 name: coverage-data-unit
 path: coverage/unit
 merge-multiple: true
 - name: Download E2E test coverage
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@v7
 with:
 pattern: coverage-data-e2e-*
 path: coverage/e2e
@@ -293,7 +294,7 @@ jobs:
 run: |
 go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt
 - name: Store coverage report in GitHub Actions
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v6
 with:
 name: go-covdata-txt
 path: ./coverage.txt
diff --git a/Dockerfile b/Dockerfile
index bb8001e9464..bebe22fbd25 100644
--- a/Dockerfile
+++ b/Dockerfile
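Review bot: The repository signing key on the first added line is dearmored straight into the keyring with no fingerprint check, so the apt trust root for every package installed afterwards rests solely on TLS to download.docker.com; compare the downloaded key with the fingerprint Docker publishes in its install docs before trusting it, e.g. `curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o docker.asc`, `gpg --show-keys --with-colons docker.asc | grep -q "^fpr:.*:${DOCKER_GPG_FPR}:"`, `sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg docker.asc`, with the expected fingerprint held in a workflow `env:` value next to the step. The last added line pins `docker-ce` and `docker-ce-cli` to `matrix.engine` but leaves `containerd.io` unpinned, and since the repo line selects the `test` channel that pulls whatever pre-release containerd build is current, which undercuts the reproducibility goal in the description; pin it the same way. The description credits the test channel with fixing the apt-key deprecation warning, whereas it is the `signed-by=` keyring that replaces apt-key — the channel is presumably needed because `matrix.engine` includes pre-release engine versions, and that reason belongs in a comment above the `echo "deb ...` line.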
@@ -28,7 +28,7 @@ ARG LICENSE_FILES=".*\(Dockerfile\|Makefile\|\.go\|\.hcl\|\.sh\)"
 FROM --platform=${BUILDPLATFORM} tonistiigi/xx:${XX_VERSION} AS xx
 # osxcross contains the MacOSX cross toolchain for xx
-FROM crazymax/osxcross:15.5-alpine AS osxcross
+FROM crazymax/osxcross:15.5-alpine@sha256:ab016ff172118c7c98f49413bbdbf496b7c96c2677d1fb1736543301b8359341 AS osxcross
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
 FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense
@@ -108,7 +108,7 @@ RUN --mount=type=bind,target=. \
 mkdir -p /tmp/coverage && \
 rm -rf /tmp/report && \
 mkdir -p /tmp/report && \
- go run gotest.tools/gotestsum@latest --format testname --junitfile "/tmp/report/report.xml" -- -tags "$BUILD_TAGS" -v -cover -covermode=atomic $(go list $(TAGS) ./... | grep -vE 'e2e') -args -test.gocoverdir="/tmp/coverage" && \
+ go run gotest.tools/gotestsum@v1.13.0 --format testname --junitfile "/tmp/report/report.xml" -- -tags "$BUILD_TAGS" -v -cover -covermode=atomic $(go list $(TAGS) ./... | grep -vE 'e2e') -args -test.gocoverdir="/tmp/coverage" && \
 go tool covdata percent -i=/tmp/coverage
 FROM scratch AS test-coverage
@@ -124,7 +124,7 @@ RUN --mount=type=bind,target=.,rw \
 find . -regex "${LICENSE_FILES}" | cpio -pdm /out
 FROM scratch AS license-update
-COPY --from=set /out /
+COPY --from=license-set /out /
 FROM base AS license-validate
 ARG LICENSE_FILES
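Review bot: The new digest on the osxcross line carries no provenance, so whoever next bumps `15.5-alpine` cannot tell what the digest corresponds to or how to refresh it; extend the existing comment, e.g. `# osxcross contains the MacOSX cross toolchain for xx; digest pinned for reproducibility — refresh with: docker buildx imagetools inspect crazymax/osxcross:15.5-alpine`. The three sibling `FROM` lines in this hunk (`tonistiigi/xx`, `golangci-lint`, `addlicense`) still resolve mutable tags through `ARG`s, so the "reproducible builds" claim in the description holds for only this one stage; if a fully pinned toolchain is the intent, those want digests too (for example `ARG XX_DIGEST` values), ideally kept current by an update bot rather than by hand.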
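Review bot: The gotestsum version is hard-coded inline on the changed `go run` line, while every other tool in this file is versioned through a top-level `ARG` (`XX_VERSION`, `GOLANGCI_LINT_VERSION`, `ADDLICENSE_VERSION` are visible in the first hunk); for consistency declare `ARG GOTESTSUM_VERSION=v1.13.0` next to them, redeclare it inside this stage, and use `go run gotest.tools/gotestsum@${GOTESTSUM_VERSION}`. Replacing `@latest` with a pin is a real supply-chain improvement, yet it is absent from the commit description, which lists only the four other changes. The enclosing `RUN` starts on the hunk header line, so only its tail is under review here.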