Configure CI to use Docker to build the FIPS binaries (#74)

.github/workflows/fips.yaml

@@ -26,12 +26,17 @@ env:
   GOPROXY: https://proxy.golang.org
 
 jobs:
-  fips:
+  fips-build:
     runs-on: ubuntu-latest
+    env:
+      BUILD_FIPS_IN_DOCKER: true
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+      - uses: docker/setup-qemu-action@v3
+        with:
+          platforms: amd64,arm64
       - run: make fips
       - run: make docker-fips

.github/workflows/publish.yaml

@@ -25,6 +25,8 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    env:
+      BUILD_FIPS_IN_DOCKER: true
     steps:
       - name: "Set release tag"
         if: ${{ github.ref_type == 'tag' }}
@@ -37,15 +39,18 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
-      - run: make check
-
       - uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@v3
+        with:
+          platforms: amd64,arm64
 
+      - run: make check
+      - run: make static
+      - run: make fips
       - run: make docker-push
       - run: make docker-push-fips
 

Makefile

@@ -35,27 +35,24 @@ static: $(TARGETS:%=$(OUTDIR)/$(NAME)-static-%)  ## Build all the static binarie
 .PHONY: fips
 fips: $(FIPS_TARGETS:%=$(OUTDIR)/$(NAME)-fips-%)  ## Build all the FIPS static binaries
 
-$(OUTDIR):
-	@mkdir -p $@
-
 $(OUTDIR)/$(NAME)-%: GOOS=$(word 1,$(subst -, ,$(subst $(NAME)-,,$(@F))))
 $(OUTDIR)/$(NAME)-%: GOARCH=$(word 2,$(subst -, ,$(subst $(NAME)-,,$(@F))))
-$(OUTDIR)/$(NAME)-%: $(OUTDIR)
+$(OUTDIR)/$(NAME)-%:
 	@echo "Build $(@F)"
 	@GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_OPTS) -o $@ $(PKG)
 
 $(OUTDIR)/$(NAME)-static-%: GOOS=$(word 1,$(subst -, ,$(subst $(NAME)-static-,,$(@F))))
 $(OUTDIR)/$(NAME)-static-%: GOARCH=$(word 2,$(subst -, ,$(subst $(NAME)-static-,,$(@F))))
-$(OUTDIR)/$(NAME)-static-%: $(OUTDIR)
+$(OUTDIR)/$(NAME)-static-%:
 	@echo "Build $(@F)"
 	@CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_OPTS) \
 		-ldflags '-s -w -extldflags "-static"' -tags "netgo" \
 		-o $@ $(PKG)
 
 $(OUTDIR)/$(NAME)-fips-%: GOOS=$(word 1,$(subst -, ,$(subst $(NAME)-fips-,,$(@F))))
 $(OUTDIR)/$(NAME)-fips-%: GOARCH=$(word 2,$(subst -, ,$(subst $(NAME)-fips-,,$(@F))))
-$(OUTDIR)/$(NAME)-fips-%: $(OUTDIR)
-ifneq ($(OS),Darwin)
+$(OUTDIR)/$(NAME)-fips-%:
+ifneq ($(BUILD_FIPS_IN_DOCKER),true)
 	@echo "Build $(@F)"
 	@GOEXPERIMENT=boringcrypto CGO_ENABLED=1 GOOS=$(GOOS) GOARCH=$(GOARCH) go build $(BUILD_OPTS) \
 		-ldflags '-linkmode=external -s -w -extldflags "-static"' -tags "netgo" \
@@ -152,11 +149,11 @@ docker-fips: docker-pre $(DOCKER_TARGETS:%=docker/fips/%)  ## Build the FIPS Doc
 
 .SECONDEXPANSION:
 docker/%: PLATFORM=$(subst -,/,$(notdir $(*)))
-docker/%: ARCH=$(notdir $(subst -,/,$(PLATFORM)))
+docker/%: DOCKER_ARCH=$(notdir $(subst -,/,$(PLATFORM)))
 docker/%: FLAVOR=$(subst /,,$(dir $(*)))
 docker/%: TAG_SUFFIX=$(if $(subst static,,${FLAVOR}),-fips)
 docker/%: $(OUTDIR)/$(NAME)-$$(FLAVOR)-$$(notdir %)
-	@echo "Building Docker image $(DOCKER_HUB)/$(NAME):$(DOCKER_TAG)-$(ARCH)$(TAG_SUFFIX)"
+	@echo "Building Docker image $(DOCKER_HUB)/$(NAME):$(DOCKER_TAG)-$(DOCKER_ARCH)$(TAG_SUFFIX)"
 	@docker buildx build \
 		$(DOCKER_BUILD_ARGS) \
 		--builder $(DOCKER_BUILDER_NAME) \
@@ -165,8 +162,8 @@ docker/%: $(OUTDIR)/$(NAME)-$$(FLAVOR)-$$(notdir %)
 		--platform $(PLATFORM) \
 		--build-arg REPO=https://$(GO_MODULE) \
 		--build-arg FLAVOR=$(FLAVOR) \
-		-t $(DOCKER_HUB)/$(NAME):latest-$(ARCH)$(TAG_SUFFIX) \
-		-t $(DOCKER_HUB)/$(NAME):$(DOCKER_TAG)-$(ARCH)$(TAG_SUFFIX) \
+		-t $(DOCKER_HUB)/$(NAME):latest-$(DOCKER_ARCH)$(TAG_SUFFIX) \
+		-t $(DOCKER_HUB)/$(NAME):$(DOCKER_TAG)-$(DOCKER_ARCH)$(TAG_SUFFIX) \
 		.
 
 .PHONY: docker-push

env.mk

@@ -39,7 +39,12 @@ else
 DOCKER_TAG ?= $(shell git rev-parse HEAD)
 endif
 
+# In non-Linux systems, use Docker to build FIPS-compliant binaries.
 OS := $(shell uname)
+ifeq ($(OS),Darwin)
+BUILD_FIPS_IN_DOCKER ?= true
+endif
+
 export ARCH := $(shell uname -m)
 ifeq ($(ARCH),x86_64)
 export ARCH := amd64

run-in-docker.sh

@@ -37,4 +37,4 @@ docker run \
     -e GOPRIVATE="$(go env GOPRIVATE)" \
     -w /source \
     "${BUILD_IMAGE}" \
-    /bin/bash -c "${*:2}"
+    /bin/bash -c "git config --global --add safe.directory /source ; ${*:2}"