install cross-compilation toolchain

Author: aneesh1

.github/workflows/dd-build.yaml

@@ -8,18 +8,67 @@ on:
     - "*-dd*"
 permissions: write-all
 jobs:
-  build:
-    runs-on: ubuntu-latest
+  build-arm64:
+    runs-on: ubuntu-24.04-arm
+    strategy:
+      matrix:
+        platform: ["linux/arm64"]
     steps:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - name: Set release version environment variable
-      run: echo RELEASE_VERSION=${GITHUB_REF#refs/tags/} >> $GITHUB_ENV
+    - name: Set environment variables
+      id: set_env
+      run: |
+        echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        echo "TARGET_OS=$(echo ${{ matrix.platform }} | cut -d'/' -f1)" >> $GITHUB_ENV
+        echo "TARGET_ARCH=$(echo ${{ matrix.platform }} | cut -d'/' -f2)" >> $GITHUB_ENV
+        export GOEXPERIMENT=boringcrypto
       env:
         GITHUB_REF: ${{ github.ref }}
     - name: Build etcd
-      run: REPOSITORY=https://github.com/${{ env.GITHUB_REPOSITORY}}.git CGO_ENABLED=1 GOEXPERIMENT=boringcrypto ./scripts/build-binary ${{ env.RELEASE_VERSION }}
+      run: |
+        REPOSITORY=https://github.com/${{ env.GITHUB_REPOSITORY}}.git \
+        CGO_ENABLED=1 \
+        GO_BUILD_FLAGS="-tags=fips" \
+        TARGET_OS=${TARGET_OS} \
+        TARGET_ARCH=${TARGET_ARCH} \
+        ./scripts/build-release-single-target ${{ env.RELEASE_VERSION }}
+      env:
+        GITHUB_REPOSITORY: ${{ github.repository }}
+    - name: Calculate checksums
+      id: calculate_checksums
+      shell: bash
+      working-directory: release/
+      run: ls . | grep -E '\.tar.gz$|\.zip$' | xargs shasum -a 256 > ./SHA256SUMS
+    - uses: actions/upload-artifact@v4
+      with:
+        name: etcd_output_arm64
+        path: release/
+  build-amd64:
+    strategy:
+      matrix:
+        platform: ["linux/amd64"]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Set environment variables
+      id: set_env
+      run: |
+        echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        echo "TARGET_OS=$(echo ${{ matrix.platform }} | cut -d'/' -f1)" >> $GITHUB_ENV
+        echo "TARGET_ARCH=$(echo ${{ matrix.platform }} | cut -d'/' -f2)" >> $GITHUB_ENV
+        export GOEXPERIMENT=boringcrypto
+    - name: Build etcd
+      run: |
+        REPOSITORY=https://github.com/${{ env.GITHUB_REPOSITORY}}.git \
+        CGO_ENABLED=1 \
+        GO_BUILD_FLAGS="-tags=fips" \
+        TARGET_OS=${TARGET_OS} \
+        TARGET_ARCH=${TARGET_ARCH} \
+        ./scripts/build-release-single-target ${{ env.RELEASE_VERSION }}
       env:
         GITHUB_REPOSITORY: ${{ github.repository }}
     - name: Calculate checksums
@@ -29,13 +78,13 @@ jobs:
       run: ls . | grep -E '\.tar.gz$|\.zip$' | xargs shasum -a 256 > ./SHA256SUMS
     - uses: actions/upload-artifact@v4
       with:
-        name: etcd_output
+        name: etcd_output_amd64
         path: release/
   release:
     permissions:
       contents: write
     runs-on: ubuntu-latest
-    needs: build
+    needs: [build-amd64, build-arm64]
     outputs:
       upload_url: ${{ steps.create_release_branch.outputs.upload_url }}${{ steps.create_release_tags.outputs.upload_url }}
     steps:
@@ -86,9 +135,18 @@ jobs:
         platform: ["linux-arm64","linux-amd64"]
         extension: ["tar.gz"]
     steps:
-    - uses: actions/download-artifact@v4
+    - name: Set artifact name
+      id: set_artifact
+      run: |
+        if [[ "${{ matrix.platform }}" == *"arm64"* ]]; then
+          echo "ARTIFACT_NAME=etcd_output_arm64" >> $GITHUB_ENV
+        else
+          echo "ARTIFACT_NAME=etcd_output_amd64" >> $GITHUB_ENV
+        fi
+    - name: Download artifacts
+      uses: actions/download-artifact@v4
       with:
-        name: etcd_output
+        name: ${{ env.ARTIFACT_NAME }}
         path: _output/release-tars
         github-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Set release version environment variable
@@ -112,11 +170,16 @@ jobs:
     runs-on: ubuntu-latest
     needs: release
     steps:
-    - uses: actions/download-artifact@v4
+    - name: Create output directory
+      run: mkdir -p _output/checksums
+    - name: Download all artifacts
+      uses: actions/download-artifact@v4
       with:
-        name: etcd_output
-        path: _output/checksums
+        path: _output/artifacts
         github-token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Combine checksums
+      run: |
+        find _output/artifacts -name "SHA256SUMS" -exec cat {} \; > _output/checksums/SHA256SUMS
     - name: Upload checksums
       id: upload-checksums
       uses: actions/upload-release-asset@v1

etcdctl/fips.go

@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"

etcdutl/fips.go

@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"

scripts/build-release-single-target

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source ./scripts/test_lib.sh
+
+VER=${1:-}
+REPOSITORY="${REPOSITORY:-git@github.com:etcd-io/etcd.git}"
+
+if [ -z "${VER}" ]; then
+  echo "Usage: ${0} VERSION" >> /dev/stderr
+  exit 255
+fi
+
+
+function setup_env {
+  local ver=${1}
+  local proj=${2}
+
+  if [ ! -d "${proj}" ]; then
+    run git clone "${REPOSITORY}"
+  fi
+
+  pushd "${proj}" >/dev/null
+    run git fetch --all
+    run git checkout "${ver}"
+  popd >/dev/null
+}
+
+
+function package {
+  local target=${1}
+  local srcdir="${2}/bin"
+
+  local ccdir="${srcdir}/${GOOS}_${GOARCH}"
+  if [ -d "${ccdir}" ]; then
+    srcdir="${ccdir}"
+  fi
+  local ext=""
+  if [ "${GOOS:-}" == "windows" ]; then
+    ext=".exe"
+  fi
+  for bin in etcd etcdctl etcdutl; do
+    cp "${srcdir}/${bin}" "${target}/${bin}${ext}"
+  done
+
+  cp etcd/README.md "${target}"/README.md
+  cp etcd/etcdctl/README.md "${target}"/README-etcdctl.md
+  cp etcd/etcdctl/READMEv2.md "${target}"/READMEv2-etcdctl.md
+  cp etcd/etcdutl/README.md "${target}"/README-etcdutl.md
+
+  cp -R etcd/Documentation "${target}"/Documentation
+}
+
+function main {
+  local proj="etcd"
+
+  mkdir -p release
+  cd release
+  setup_env "${VER}" "${proj}"
+
+  local tarcmd=tar
+  if [[ $(go env GOOS) == "darwin" ]]; then
+      echo "Please use linux machine for release builds."
+    exit 1
+  fi
+
+  # Check if TARGET_OS and TARGET_ARCH are set
+  if [ -z "${TARGET_OS:-}" ]; then
+    echo "Error: TARGET_OS environment variable is required" >&2
+    exit 1
+  fi
+
+  if [ -z "${TARGET_ARCH:-}" ]; then
+    echo "Error: TARGET_ARCH environment variable is required" >&2
+    exit 1
+  fi
+
+  export GOOS=${TARGET_OS}
+  export GOARCH=${TARGET_ARCH}
+  echo "Building etcd for ${GOOS}/${GOARCH}..."
+
+  pushd etcd >/dev/null
+  ./build.sh
+  popd >/dev/null
+
+  TARGET="etcd-${VER}-${GOOS}-${GOARCH}"
+  mkdir "${TARGET}"
+  package "${TARGET}" "${proj}"
+
+  if [ ${GOOS} == "linux" ]; then
+    ${tarcmd} cfz "${TARGET}.tar.gz" "${TARGET}"
+    echo "Wrote release/${TARGET}.tar.gz"
+  else
+    zip -qr "${TARGET}.zip" "${TARGET}"
+    echo "Wrote release/${TARGET}.zip"
+  fi
+}
+
+main

server/fips.go

@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"