🐛 set GIT_COMMIT in Makefile to populate version info

[rashmigottipati]

Description

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	852f0be
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/683f5a23baaba300091f8c32
😎 Deploy Preview	https://deploy-preview-2007--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.16%. Comparing base (8f81c23) to head (852f0be).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2007      +/-   ##
==========================================
- Coverage   69.17%   69.16%   -0.02%     
==========================================
  Files          79       79              
  Lines        7037     7037              
==========================================
- Hits         4868     4867       -1     
- Misses       1887     1888       +1     
  Partials      282      282              

Flag	Coverage Δ
e2e	43.00% <ø> (ø)
unit	60.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[joelanford]

This still feels off to me from a supply chain security perspective.

Under what circumstances does it make sense for a CI system to build commit a but say that it is commit b?

[ankitathomas]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ankitathomas
Once this PR has been reviewed and has the lgtm label, please assign tmshort for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[joelanford]

/hold

Can we discuss this a bit more? Besides my concern about supply chain security, this still feels like a downstream-only concern.

[rashmigottipati]

@joelanford Thanks for raising this. You're right—if the build is for commit A, we absolutely shouldn't be marking it as commit B and this is certainly a concern from a supply chain security standpoint.

This is a downstream only concern. Previously I've created #1811 but that didn't resolve the bug (downstream) as confirmed by QE in the report (which says that with the latest change it's returning empty commit info).

The purpose of this change is to ensure that GIT_COMMIT gets correctly set in environments where the actual git metadata isn't available at build time—specifically in some downstream OpenShift build pipelines. It looks like in those cases, the build system injects the commit SHA via the SOURCE_GIT_COMMIT env var, probably due to not having access to .git directly (this is my assumption - I am not very familiar with the build process downstream). Without it, the resulting binaries end up with an empty gitCommit field.

Upstream, we expect git rev-parse HEAD to suffice, and that’s what is used as a fallback here.

If the concern is around upstream builds incorrectly using SOURCE_GIT_COMMIT, maybe we could explicitly scope the override to CI? Or, we could leave GIT_COMMIT empty unless it's explicitly set by the caller. Or we could make this change downstream and leave upstream as it is.

Happy to adjust based on what we agree is the cleanest path forward.

[joelanford]

I'm guessing that #1811 is the upstream plumbing that was needed such that we could add some downstream plumbing to set GIT_COMMIT to whatever downstream CI has set in its environment for SOURCE_GIT_COMMIT. I think I'd expect our downstream Dockerfiles to do something like (not sure this syntax is correct off the top of my head):

ENV GIT_COMMIT=$SOURCE_GIT_COMMIT

prior to calling make go-build-local. For example, just before here: https://github.com/openshift/operator-framework-operator-controller/blob/6bb442f94f89eba1c2c05b72f711087397706b54/openshift/operator-controller.Dockerfile#L4