fix mdmproxy build by reverting back to previous but not filtering tags

[rfairburn]

Related issue: Resolves #

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

• Timeouts are implemented and retries are limited to avoid infinite loops

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests

• Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one hosts's records do not affect another)

• QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

• Confirmed that the fix is not expected to adversely impact load test results
• Alerted the release DRI if additional load testing is needed

Database migrations

• Checked schema for all modified table for columns that will auto-update timestamps during migration.
• Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
• Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

• Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

• Verified that the setting is exported via fleetctl generate-gitops
• Verified the setting is documented in a separate PR to the GitOps documentation
• Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
• Verified that any relevant UI is disabled when GitOps mode is enabled

fleetd/orbit/Fleet Desktop

• Verified compatibility with the latest released version of Fleet (see Must rule)
• If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
• Verified that fleetd runs on macOS, Linux and Windows
• Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

Summary by CodeRabbit

• Chores
  • Updated the container build process for the migration proxy so the binary is built during image creation.
  • Adjusted the runtime image packaging to copy the generated executable from the build output location while keeping runtime behavior unchanged.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[Copilot]

Pull request overview

This PR updates the mdmproxy Docker build to compile the binary from a checked-out Fleet repo (instead of go install ...@TAG), aiming to restore successful builds while allowing the build arg to reference tags/branches as needed.

Changes:

• Install git in the builder stage and git clone Fleet at the provided TAG.
• Build mdmproxy via go build from the cloned source.
• Update the final-stage COPY to pull the binary from the build output path in the cloned repo.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ef979090-a67b-4992-bced-14ac5b6ddbb0

📥 Commits

Reviewing files that changed from the base of the PR and between 6b61881 and 9822201.

📒 Files selected for processing (1)

• tools/mdm/migration/mdmproxy/Dockerfile

🚧 Files skipped from review as they are similar to previous changes (1)

• tools/mdm/migration/mdmproxy/Dockerfile

---

Walkthrough

The Dockerfile for tools/mdm/migration/mdmproxy now builds mdmproxy by cloning fleet at the build-time TAG, installing git, and running go build in the tool directory. The runtime stage now copies the binary from /go/fleet/tools/mdm/migration/mdmproxy/mdmproxy instead of /go/bin/mdmproxy.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is just the template and lacks a real issue reference, testing details, and filled checklist items.	Fill in the related issue, summarize the change, and complete or remove checklist items with any testing details.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title matches the mdmproxy Dockerfile build change and tag-handling adjustment, though phrasing is a bit awkward.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-mdmproxy-build

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tools/mdm/migration/mdmproxy/Dockerfile`:
- Around line 2-5: The Dockerfile’s git clone step uses TAG unquoted in a shell
RUN, which can allow build-time command injection if the value is
user-controlled. Update the mdmproxy Dockerfile to validate TAG before it
reaches the shell and ensure the git clone invocation in the RUN block treats it
as a safe branch/ref value. Locate the fix around the ARG TAG and the git clone
command so the build only accepts expected tag formats and does not expand
arbitrary shell metacharacters.
- Around line 4-6: The Dockerfile build step that clones Fleet in the mdmproxy
image currently checks out only by tag, which can drift if the tag is moved.
Update the git clone flow to accept a commit SHA input alongside the existing
TAG, then verify the checked-out revision in the same RUN sequence after
checkout before running go build in tools/mdm/migration/mdmproxy. Use the
existing git clone command block as the fix point and ensure the HEAD SHA
matches the expected commit SHA.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 979f0d44-8aa3-4fab-9691-e917b4ba4841

📥 Commits

Reviewing files that changed from the base of the PR and between c041c6c and 6b61881.

📒 Files selected for processing (1)

• tools/mdm/migration/mdmproxy/Dockerfile