From 5f36141960b946df6e464d0f7db70e9aa2728dd1 Mon Sep 17 00:00:00 2001
From: Nghia Tran <tcnghia@gmail.com>
Date: Tue, 17 Dec 2024 10:15:50 -0800
Subject: [PATCH] trust-manager: set GODEBUG in go.mod (#37293)

* trust-manager: set GODEBUG in go.mod
* also add a test to confirm that the symbol showed up in `go version
-m`

Follow up of https://github.com/wolfi-dev/os/pull/37219

Signed-off-by: Nghia Tran <tcnghia@gmail.com>
---
 trust-manager.yaml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/trust-manager.yaml b/trust-manager.yaml
index 293491b38a7..3c9062b069e 100644
--- a/trust-manager.yaml
+++ b/trust-manager.yaml
@@ -1,7 +1,7 @@
 package:
   name: trust-manager
   version: 0.14.0
-  epoch: 2
+  epoch: 3
   description: trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
   copyright:
     - license: Apache-2.0
@@ -46,14 +46,12 @@ pipeline:
       # and https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1734105432142589
       #
       # We should revert this change when upstream fixes their cert bundle.
-      export GODEBUG="x509negativeserial=1"
+      echo "godebug x509negativeserial=1" >> go.mod
 
-      go build -o ./bin/trust-manager ./cmd/trust-manager
+      go build -ldflags="-w" -o ./bin/trust-manager ./cmd/trust-manager
       mkdir -p ${{targets.destdir}}/usr/bin
       install -Dm755 ./bin/trust-manager ${{targets.destdir}}/usr/bin/trust-manager
 
-  - uses: strip
-
 update:
   enabled: true
   github:
@@ -63,7 +61,13 @@ update:
     tag-filter: v
 
 test:
+  environment:
+    contents:
+      packages:
+        - go
   pipeline:
     # AUTOGENERATED
     - runs: |
         trust-manager --help
+    - runs: |
+        go version -m /usr/bin/trust-manager | grep GODEBUG=x509negativeserial=1