diff --git a/.github/workflows/fips.yaml b/.github/workflows/fips.yaml index 75d5756..7e448d2 100644 --- a/.github/workflows/fips.yaml +++ b/.github/workflows/fips.yaml @@ -26,12 +26,17 @@ env: GOPROXY: https://proxy.golang.org jobs: - fips: + fips-build: runs-on: ubuntu-latest + env: + BUILD_FIPS_IN_DOCKER: true steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: go-version-file: go.mod + - uses: docker/setup-qemu-action@v3 + with: + platforms: amd64,arm64 - run: make fips - run: make docker-fips diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 5c81478..a9d683c 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -25,6 +25,8 @@ env: jobs: publish: runs-on: ubuntu-latest + env: + BUILD_FIPS_IN_DOCKER: true steps: - name: "Set release tag" if: ${{ github.ref_type == 'tag' }} @@ -37,15 +39,16 @@ jobs: - uses: actions/setup-go@v5 with: go-version-file: go.mod - - - run: make check - - uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - uses: docker/setup-qemu-action@v3 + with: + platforms: amd64,arm64 + - run: make check - run: make docker-push - run: make docker-push-fips diff --git a/Makefile b/Makefile index 953f91b..e6f73f7 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,7 @@ $(OUTDIR)/$(NAME)-static-%: $(OUTDIR) $(OUTDIR)/$(NAME)-fips-%: GOOS=$(word 1,$(subst -, ,$(subst $(NAME)-fips-,,$(@F)))) $(OUTDIR)/$(NAME)-fips-%: GOARCH=$(word 2,$(subst -, ,$(subst $(NAME)-fips-,,$(@F)))) $(OUTDIR)/$(NAME)-fips-%: $(OUTDIR) -ifneq ($(OS),Darwin) +ifneq ($(BUILD_FIPS_IN_DOCKER),true) @echo "Build $(@F)" @GOEXPERIMENT=boringcrypto CGO_ENABLED=1 GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_OPTS) \ -ldflags '-linkmode=external -s -w -extldflags "-static"' -tags "netgo" \ diff --git a/env.mk b/env.mk index 667c6ea..d3dbeea 100644 --- a/env.mk +++ b/env.mk @@ -39,7 +39,12 @@ else DOCKER_TAG ?= $(shell git rev-parse HEAD) endif +# In non-Linux systems, use Docker to build FIPS-compliant binaries. OS := $(shell uname) +ifeq ($(OS),Darwin) +BUILD_FIPS_IN_DOCKER ?= true +endif + export ARCH := $(shell uname -m) ifeq ($(ARCH),x86_64) export ARCH := amd64 diff --git a/run-in-docker.sh b/run-in-docker.sh index 9d79f8c..dd781c2 100755 --- a/run-in-docker.sh +++ b/run-in-docker.sh @@ -37,4 +37,4 @@ docker run \ -e GOPRIVATE="$(go env GOPRIVATE)" \ -w /source \ "${BUILD_IMAGE}" \ - /bin/bash -c "${*:2}" + /bin/bash -c "git config --global --add safe.directory /source ; ${*:2}"