From 1ef50307ac46073cd22d1e34fab044d0324b1bfe Mon Sep 17 00:00:00 2001 From: Kayos Date: Wed, 6 May 2026 17:05:37 -0700 Subject: [PATCH] fix go-install verification in Dockerfile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Latent bug: the post-loop check used `command -v` to verify govulncheck and staticcheck installed. `command -v` only walks PATH, but at this layer PATH does NOT include $GOPATH/bin (/home/crafter/go/bin) — that's only added in the canonical final PATH at the bottom of the Dockerfile (line 314). At runtime the binaries work fine via the bottom PATH; only the build-time verify was broken. The bug was masked by stale Docker layer caching from earlier Dockerfile shapes. Adding the new Nix layer above this step invalidated the cache and surfaced it. Switch to direct binary path checks (test -x \"\$GOPATH/bin/...\") which work regardless of PATH state at the layer. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ef5455d..e48fc23 100644 --- a/Dockerfile +++ b/Dockerfile @@ -259,7 +259,7 @@ RUN for i in 1 2 3 4 5; do \ && go install honnef.co/go/tools/cmd/staticcheck@latest \ && break || { echo "go install attempt $i failed, sleeping $((i*10))s"; sleep $((i*10)); }; \ done; \ - command -v govulncheck && command -v staticcheck || { echo "go install failed after 5 attempts"; exit 1; } + test -x "$GOPATH/bin/govulncheck" && test -x "$GOPATH/bin/staticcheck" || { echo "go install failed after 5 attempts"; exit 1; } # GOPATH already set above; PATH handled by the final clean ENV at the # bottom (which includes /home/crafter/go/bin). No per-layer PATH ENV
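Review bot: On the added `test -x "$GOPATH/bin/govulncheck" && test -x "$GOPATH/bin/staticcheck"` line, the check is only correct if GOPATH is exported as a shell variable in this layer and GOBIN is unset. If GOPATH is empty, the paths collapse to `/bin/govulncheck` and `/bin/staticcheck`. If GOBIN is ever set, `go install` writes there instead and the check fails on a good install. Resolving the directory from the toolchain, for example `test -x "$(go env GOPATH)/bin/govulncheck"`, would remove the dependency on the trailing comment's assumption that "GOPATH already set above". Separately, the context line `go install honnef.co/go/tools/cmd/staticcheck@latest` is unpinned, so this check confirms that a binary exists, not which version was built. Pinning the version would make the image reproducible and make cache invalidations like the one described in the commit message less surprising.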