gop icon indicating copy to clipboard operation
gop copied to clipboard
verified publisher icon goplus

chore(build): add `-trimpath` and `mod_timestamp` for reproducible builds

Open aofei opened this issue 2 weeks ago • 4 comments

See https://goreleaser.com/blog/reproducible-builds/

aofei avatar Dec 10 '25 09:12 aofei

Summary of Changes

Hello @aofei, I'm Gemini Code Assist[^1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on improving the reproducibility of the project's Go builds. By integrating the -trimpath flag and configuring mod_timestamp in the build process, the changes aim to produce identical binaries regardless of the build environment or time, which is crucial for consistent and verifiable software releases.

Highlights

  • Reproducible Builds: Implemented changes to ensure more reproducible Go builds by adding the -trimpath flag and setting mod_timestamp.
  • Goreleaser Configuration: Updated the .goreleaser.yaml file to include -trimpath and mod_timestamp: "{{ .CommitTimestamp }}" for both xgo and gop builds.
  • Internal Build Script: Modified the cmd/make.go script to pass the -trimpath flag to the go build command when compiling gopBinPath.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with :thumbsup: and :thumbsdown: on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

[^1]: Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot] avatar Dec 10 '25 09:12 gemini-code-assist[bot]

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 93.98%. Comparing base (1ef7ce9) to head (f47b64f). :warning: Report is 4 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2511   +/-   ##
=======================================
  Coverage   93.98%   93.98%           
=======================================
  Files          34       34           
  Lines        9613     9613           
=======================================
  Hits         9035     9035           
  Misses        413      413           
  Partials      165      165

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Dec 10 '25 09:12 codecov[bot]

Code Review Summary

This PR successfully implements reproducible builds following GoReleaser best practices. The changes are well-executed and provide important security benefits. However, documentation could be enhanced.

Strengths:

  • Consistent application of -trimpath and mod_timestamp across all build configurations
  • Improves supply chain security by enabling binary verification
  • Prevents path information disclosure from binaries
  • Minimal performance impact (<1% build time increase, slight binary size reduction)

Recommendation: Consider expanding the PR description and adding inline comments to .goreleaser.yaml to explain the reproducibility flags for future maintainers.

xgopilot[bot] avatar Dec 10 '25 09:12 xgopilot[bot]

/cc @cpunion

aofei avatar Dec 10 '25 09:12 aofei