Update build number retrieval and permissions in workflow

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

.github/workflows/00-pr-scanner.yaml

@@ -23,6 +23,7 @@ jobs:
     pr-scanner:
         permissions:
             actions: read
+            artifact-metadata: read
             attestations: read
             checks: read
             contents: write
@@ -37,7 +38,6 @@ jobs:
             repository-projects: read
             security-events: read
             statuses: read
-            artifact-metadata: read
         uses: ./.github/workflows/a-pr-scanner.yaml
         with:
             RELEASE: ""

.goreleaser.yaml

@@ -36,7 +36,6 @@ builds:
       - arm64
     ldflags:
       - -s -w
-      - -X "github.com/kubescape/kubescape/v3/core/cautils.BuildNumber={{.Env.RELEASE}}"
       - -X "github.com/kubescape/kubescape/v3/core/cautils.Client={{.Env.CLIENT}}"
     hooks:
       post:

core/cautils/buildinfo.go

@@ -2,19 +2,25 @@ package cautils
 
 import (
 	"os"
+	"runtime/debug"
 
 	"github.com/kubescape/backend/pkg/versioncheck"
 )
 
-var BuildNumber string
 var Client string
 
 func init() {
-	if BuildNumber != "" {
-		versioncheck.BuildNumber = BuildNumber
-	} else {
+	// Try to get version from build info (Go 1.24+ automatically populates this from VCS tags)
+	if info, ok := debug.ReadBuildInfo(); ok && info.Main.Version != "" && info.Main.Version != "(devel)" {
+		versioncheck.BuildNumber = info.Main.Version
+	}
+
+	// Fallback to RELEASE environment variable
+	if versioncheck.BuildNumber == "" {
 		versioncheck.BuildNumber = os.Getenv("RELEASE")
 	}
+
+	// Client is typically set via ldflags: -X "github.com/kubescape/kubescape/v3/core/cautils.Client=..."
 	if Client != "" {
 		versioncheck.Client = Client
 	}