Build full package in Dockerfile to include all commands (#1844)

* Pin go-licenses to v2.0.1 for reproducible builds

Fixes code scanning alerts #10 and #11 by removing the @latest
version for local development and using the pinned v2.0.1 version
consistently across all environments.

This ensures deterministic builds and addresses the CWE-494
'Download of Code Without Integrity Check' security concern.

* Build full package in Dockerfile to include all commands

Author: SamMorrowDrums

Dockerfile

@@ -14,7 +14,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=bind,target=. \
     CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION} -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
-    -o /bin/github-mcp-server cmd/github-mcp-server/main.go
+    -o /bin/github-mcp-server ./cmd/github-mcp-server
 
 # Make a stage to run the app
 FROM gcr.io/distroless/base-debian12

script/licenses

@@ -18,13 +18,9 @@
 #       depending on the license.
 set -e
 
-# Pinned version for CI reproducibility, latest for local development
+# Pinned version for reproducibility
 # See: https://github.com/cli/cli/pull/11161
-if [ "$CI" = "true" ]; then
-    go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1
-else
-    go install github.com/google/go-licenses@latest
-fi
+go install github.com/google/go-licenses/v2@v2.0.1
 
 # actions/setup-go does not setup the installed toolchain to be preferred over the system install,
 # which causes go-licenses to raise "Package ... does not have module info" errors in CI.