Configure CI to use Docker to build the FIPS binaries

tetrateio · Mar 5, 2024 · 4a6d368 · 4a6d368
1 parent cf035a9
commit 4a6d368
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 6 deletions.
diff --git a/.github/workflows/fips.yaml b/.github/workflows/fips.yaml
@@ -26,12 +26,17 @@ env:
   GOPROXY: https://proxy.golang.org
 
 jobs:
-  fips:
+  fips-build:
     runs-on: ubuntu-latest
+    env:
+      BUILD_FIPS_IN_DOCKER: true
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+      - uses: docker/setup-qemu-action@v3
+        with:
+          platforms: amd64,arm64
       - run: make fips
       - run: make docker-fips
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -25,6 +25,8 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    env:
+      BUILD_FIPS_IN_DOCKER: true
     steps:
       - name: "Set release tag"
         if: ${{ github.ref_type == 'tag' }}
@@ -37,15 +39,16 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
-      - run: make check
-
       - uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@v3
+        with:
+          platforms: amd64,arm64
 
+      - run: make check
       - run: make docker-push
       - run: make docker-push-fips
 

diff --git a/Makefile b/Makefile
@@ -55,7 +55,7 @@ $(OUTDIR)/$(NAME)-static-%: $(OUTDIR)
 $(OUTDIR)/$(NAME)-fips-%: GOOS=$(word 1,$(subst -, ,$(subst $(NAME)-fips-,,$(@F))))
 $(OUTDIR)/$(NAME)-fips-%: GOARCH=$(word 2,$(subst -, ,$(subst $(NAME)-fips-,,$(@F))))
 $(OUTDIR)/$(NAME)-fips-%: $(OUTDIR)
-ifneq ($(OS),Darwin)
+ifneq ($(BUILD_FIPS_IN_DOCKER),true)
 	@echo "Build $(@F)"
 	@GOEXPERIMENT=boringcrypto CGO_ENABLED=1 GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_OPTS) \
 		-ldflags '-linkmode=external -s -w -extldflags "-static"' -tags "netgo" \

diff --git a/env.mk b/env.mk
@@ -39,7 +39,12 @@ else
 DOCKER_TAG ?= $(shell git rev-parse HEAD)
 endif
 
+# In non-Linux systems, use Docker to build FIPS-compliant binaries.
 OS := $(shell uname)
+ifeq ($(OS),Darwin)
+BUILD_FIPS_IN_DOCKER ?= true
+endif
+
 export ARCH := $(shell uname -m)
 ifeq ($(ARCH),x86_64)
 export ARCH := amd64

diff --git a/run-in-docker.sh b/run-in-docker.sh
@@ -37,4 +37,4 @@ docker run \
     -e GOPRIVATE="$(go env GOPRIVATE)" \
     -w /source \
     "${BUILD_IMAGE}" \
-    /bin/bash -c "${*:2}"
+    /bin/bash -c "git config --global --add safe.directory /source ; ${*:2}"