From e36b900b20ca3988e4c8d8caafb88cb2df7e734e Mon Sep 17 00:00:00 2001 From: Dhi Aurrahman Date: Sun, 13 Nov 2022 19:50:31 +0700 Subject: [PATCH] Enable FIPS for Linux only (#231) * Enable FIPS for Linux only Signed-off-by: Dhi Aurrahman * Fix Signed-off-by: Dhi Aurrahman * Use include Signed-off-by: Dhi Aurrahman * No default for Linux Signed-off-by: Dhi Aurrahman Signed-off-by: Dhi Aurrahman --- .github/workflows/commit.yaml | 19 +++++++++---------- .github/workflows/release.yaml | 22 +++++++++------------- Makefile | 4 ++-- 3 files changed, 20 insertions(+), 25 deletions(-) diff --git a/.github/workflows/commit.yaml b/.github/workflows/commit.yaml index 8d162304..b3c6d2fe 100644 --- a/.github/workflows/commit.yaml +++ b/.github/workflows/commit.yaml @@ -55,14 +55,13 @@ jobs: strategy: fail-fast: false # don't fail fast as sometimes failures are operating system specific. matrix: - os: - - "macos-11" - - "ubuntu-18.04" - mode: - - "default" - # On CI, by default, we use libc++. - - "clang" - - "clang-fips" + include: + - os: macos-11 + mode: default + - os: ubuntu-18.04 + mode: clang + - os: ubuntu-18.04 + mode: clang-fips steps: - name: Cancel when duplicated uses: styfle/cancel-workflow-action@0.4.1 @@ -100,7 +99,7 @@ jobs: # Prepare clang tooling and config when it is required. - name: Setup clang - if: matrix.mode == 'clang' || matrix.mode == 'clang-fips' + if: runner.os == 'Linux' && (matrix.mode == 'clang' || matrix.mode == 'clang-fips') # This downloads the required clang tooling when it is not downloaded yet. run: | make clang.bazelrc @@ -108,7 +107,7 @@ jobs: # Set BAZEL_FLAGS to FIPS mode only when it is required. - name: Setup FIPS mode - if: matrix.mode == 'clang-fips' + if: runner.os == 'Linux' && matrix.mode == 'clang-fips' run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV - name: Run all tests diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b919fa8c..9d52a3e4 100644 
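Review bot: The step that follows the rewritten matrix, `uses: styfle/cancel-workflow-action@0.4.1`, references a third-party action by a mutable tag, so the code run with this job's token can change without any change to this file. Pinning it to a full commit SHA, `uses: styfle/cancel-workflow-action@<full-commit-sha> # 0.4.1`, would close that gap. The same line sits in the first hunk of release.yaml, where the job goes on to publish artifacts. Separately, the new `include:` list drops the comment saying `clang` uses libc++ by default; a one-line comment such as `# macOS builds only "default"; Linux builds only the clang modes (libc++).` would keep that intent visible. The job definition starts and continues outside the hunk.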
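Review bot: The added `runner.os == 'Linux' &&` guard on the "Setup FIPS mode" step fails open. If a non-Linux entry with `mode: clang-fips` is ever added to the matrix, the step is skipped silently and the job presumably still builds and labels its output `clang-fips` without `--define=boringssl=fips`. The `include:` list already ties `clang-fips` to `ubuntu-18.04`, so either drop the OS guard or add a step with `if: matrix.mode == 'clang-fips' && runner.os != 'Linux'` and `run: exit 1` so that a mismatch stops the job. The same condition is added in the matching hunk of release.yaml, where a mislabelled artifact would be published. Nothing visible in the hunk checks that the built binary actually contains the FIPS module, so a post-build assertion would be worth adding.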
--- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,14 +17,13 @@ jobs: strategy: fail-fast: false # don't fail fast as sometimes failures are operating system specific. matrix: - os: - - "macos-11" - - "ubuntu-18.04" - mode: - - "default" - # By default we use libc++. - - "clang" - - "clang-fips" + include: + - os: macos-11 + mode: default + - os: ubuntu-18.04 + mode: clang + - os: ubuntu-18.04 + mode: clang-fips steps: - name: Cancel when duplicated uses: styfle/cancel-workflow-action@0.4.1 @@ -62,7 +61,7 @@ jobs: # Prepare clang tooling and config when it is required. - name: Setup clang - if: matrix.mode == 'clang' || matrix.mode == 'clang-fips' + if: runner.os == 'Linux' && (matrix.mode == 'clang' || matrix.mode == 'clang-fips') # This downloads the required clang tooling when it is not downloaded yet. # GITHUB_REF: refs/tags/0.5.1-rc1, resulted VERSION: "0.5.1". run: | @@ -72,7 +71,7 @@ jobs: # Set BAZEL_FLAGS to FIPS mode only when it is required. - name: Setup FIPS mode - if: matrix.mode == 'clang-fips' + if: runner.os == 'Linux' && matrix.mode == 'clang-fips' run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV - name: Create artifacts @@ -120,9 +119,6 @@ jobs: uses: softprops/action-gh-release@v1 with: files: | - dist-Linux-default/**/*.tar.gz dist-Linux-clang/**/*.tar.gz dist-Linux-clang-fips/**/*.tar.gz dist-macOS-default/**/*.tar.gz - dist-macOS-clang/**/*.tar.gz - dist-macOS-clang-fips/**/*.tar.gz diff --git a/Makefile b/Makefile index 45fd4c3c..22b095de 100644 --- a/Makefile +++ b/Makefile 
@@ -51,7 +51,7 @@ main_target := //src/main:$(binary_name) # Always use amd64 for bazelisk for build and test rules below, since we don't support for macOS # arm64 (with --host_javabase=@local_jdk//:jdk) yet (especially the protoc-gen-validate project: # "no matching toolchains found for types @io_bazel_rules_go//go:toolchain"). -bazel := GOARCH=amd64 $(go) run $(bazelisk@v) --output_user_root=$(bazel_cache_dir) +bazel := GOARCH=amd64 $(go) run $(bazelisk@v) $(if $(CI),--output_user_root=$(bazel_cache_dir),) buildifier := $(go_tools_dir)/buildifier envsubst := $(go_tools_dir)/envsubst protodoc := $(go_tools_dir)/protodoc @@ -90,7 +90,7 @@ build-%: dist: dist/$(binary_name)_$(goos)_amd64_$(MODE)_$(VERSION).tar.gz # Since we don't do cross-compilation yet (probably we can do it later via `zig cc`), we can only -# build artifact for the current `os` and `mode` pair (e.g. {os: 'macOS', mode: 'clang-fips'}). +# build artifact for the current `os` and `mode` pair (e.g. {os: 'linux', mode: 'clang-fips'}). dist/$(binary_name)_$(goos)_amd64_$(MODE)_$(VERSION).tar.gz: $(stripped_binary) ## Create build artifacts @$(eval DIST_DIR := $(shell mktemp -d)) @cp -f LICENSE $(DIST_DIR)
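Review bot: The new `$(if $(CI),--output_user_root=$(bazel_cache_dir),)` in the `bazel :=` line is undocumented and tests only whether `CI` is non-empty, so `CI=false` or `CI=0` in a local shell still selects the CI cache root. The comment block above it covers only `GOARCH=amd64`. A line such as `# Override --output_user_root only on CI; local builds use Bazel's default output root.` would record the intent, which is inferred here and should be confirmed. If only a true value should count, `$(filter true,$(CI))` as the condition would make that explicit.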