Merging to release-5.8.9: Trimpath fix for fips images TT-16023 (#7585) #7592

Merged
ilijabojanovic merged 1 commit into release-5.8.9 from merge/release-5.8.9/8323bc2abb33fa1b352b22ce1886ff04ccaaadb8/TT-16023
Dec 3, 2025

@probelabs probelabs Bot commented Dec 3, 2025

User description

Trimpath fix for fips images TT-16023 (#7585)

Related Ticket

TT-16023


Co-authored-by: Gromit policy@gromit


PR Type

Enhancement


Description

  • Add -trimpath to FIPS build flags

  • Apply to amd64 and arm64 targets

  • Ensure reproducible, path-stripped binaries


Diagram Walkthrough

flowchart LR
  GR["goreleaser.yml"] -- "add -trimpath flag" --> AMD["FIPS amd64 build"]
  GR -- "add -trimpath flag" --> ARM["FIPS arm64 build"]
  AMD -- "produce path-stripped binary" --> BIN["Reproducible binaries"]
  ARM -- "produce path-stripped binary" --> BIN

File Walkthrough

Relevant files
Enhancement
goreleaser.yml
Enable trimpath for FIPS builds                                                   

ci/goreleaser/goreleaser.yml

  • Add -trimpath to fips-amd64 build flags
  • Add -trimpath to fips-arm64 build flags
  • Preserve existing tags goplugin,ee,fips,boringcrypto
+2/-0     
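
A release pipeline can confirm that the flag took effect by reading the build settings the Go toolchain embeds in each binary. This is an added example, not part of the PR or the project's code; the tool name `checkbuild` and the function `checkSettings` are hypothetical, and the required tags are taken from the flags line described above.

```go
package main

import (
	"debug/buildinfo"
	"log"
	"os"
	"strings"
)

// Tags from the PR's flags line; the binary path is supplied by the caller.
var requiredTags = []string{"goplugin", "ee", "fips", "boringcrypto"}

// checkSettings inspects the build settings embedded in a Go binary (as a
// key/value map) and reports a missing -trimpath or any missing build tag.
func checkSettings(settings map[string]string) []string {
	var problems []string
	if settings["-trimpath"] != "true" {
		problems = append(problems, "binary was not built with -trimpath")
	}
	have := map[string]bool{}
	for _, t := range strings.Split(settings["-tags"], ",") {
		have[strings.TrimSpace(t)] = true
	}
	for _, t := range requiredTags {
		if !have[t] {
			problems = append(problems, "missing build tag: "+t)
		}
	}
	return problems
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: checkbuild <binary>")
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal("read build info: ", err)
	}
	settings := map[string]string{}
	for _, s := range info.Settings {
		settings[s.Key] = s.Value
	}
	if problems := checkSettings(settings); len(problems) > 0 {
		log.Fatal("FAIL: ", strings.Join(problems, "; "))
	}
	log.Print("OK: -trimpath and required tags recorded in build info")
}
```

Run it against each FIPS artifact after the build step; a non-zero exit means the binary on disk does not match the flags in `goreleaser.yml`.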

@probelabs probelabs Bot requested a review from a team as a code owner December 3, 2025 20:36
@ilijabojanovic ilijabojanovic self-requested a review December 3, 2025 20:37
@ilijabojanovic ilijabojanovic enabled auto-merge (squash) December 3, 2025 20:37

github-actions Bot commented Dec 3, 2025

🚨 Jira Linter Failed

Commit: 452e3b4
Failed at: 2025-12-03 20:37:42 UTC

The Jira linter failed to validate your PR. Please check the error details below:

Error details:
failed to validate Jira issue: jira ticket TT-16023 has status 'In Test' but must be one of: Dod Check, In Dev, In Code Review, Ready For Dev

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

github-actions Bot commented Dec 3, 2025

API Changes

no api changes detected

github-actions Bot commented Dec 3, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: General
Suggestion: Reorder flags for correctness

Place -trimpath before -tags to avoid certain Go versions treating it as part of
build tags due to YAML-merging or template concatenation quirks. Keeping toolchain
flags first reduces risk of misinterpretation and ensures deterministic paths are
actually stripped.

ci/goreleaser/goreleaser.yml [60-67]

 - id: fips-amd64
   flags:
+    - -trimpath
     - -tags=goplugin,ee,fips,boringcrypto
-    - -trimpath
   env:
     - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
     - CC=gcc
     - GOEXPERIMENT=boringcrypto
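
Review bot: the reorder in fips-amd64 is not needed for correctness. `- -trimpath` and `- -tags=goplugin,ee,fips,boringcrypto` are separate entries of the `flags` list and `go build` accepts its build flags in any order, so leaving `-trimpath` after `-tags` is fine. To confirm that paths are actually stripped, inspect the built binary rather than the flag order: `go version -m` on the artifact lists `-trimpath=true` among the recorded build settings when the flag was applied.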
Suggestion importance[1-10]: 3

Why: The existing_code matches lines 60-67 in the new hunk, but reordering flags in a YAML list for goreleaser/go build has no demonstrated necessity; both flags are independent and order-agnostic, so impact is minor and rationale speculative.

Impact: Low

Suggestion: Ensure deterministic flag parsing

Maintain consistent flag ordering and put -trimpath first to ensure it's reliably
applied across environments and templates. This avoids edge cases where flags lists
are joined into a single string and parsed incorrectly.

ci/goreleaser/goreleaser.yml [78-85]

 - id: fips-arm64
   flags:
+    - -trimpath
     - -tags=goplugin,ee,fips,boringcrypto
-    - -trimpath
   env:
     - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
     - CC=aarch64-linux-gnu-gcc
     - GOEXPERIMENT=boringcrypto
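
Review bot: the `flags` list in fips-arm64 is a copy of the one in fips-amd64, so any later flag change has to be made in both entries or the two FIPS builds drift apart; a CI check that both build ids carry the same flags would catch that. Separately, the context line `- NOP=nop # ignore this, it is jsut to avoid ...` has a typo (`jsut` for `just`) in both entries.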
Suggestion importance[1-10]: 3

Why: The existing_code corresponds to lines 78-85 in the new hunk. As with the first, changing the order of -trimpath and -tags is unlikely to affect behavior; claim about parsing edge cases is unsubstantiated, so this is a low-impact style consistency tweak.

Impact: Low

sonarqubecloud Bot commented Dec 3, 2025

@ilijabojanovic ilijabojanovic merged commit 46050aa into release-5.8.9 Dec 3, 2025
40 of 45 checks passed
@ilijabojanovic ilijabojanovic deleted the merge/release-5.8.9/8323bc2abb33fa1b352b22ce1886ff04ccaaadb8/TT-16023 branch December 3, 2025 21:12