
FIPS compliant v3.5.17-dd.2 build #10

Open. Wants to merge 6 commits into base branch release-3.5-dd-v3.5.17-dd.2-fips from release-3.5-dd-v3.5.17-dd.2-fips-test.
Conversation
@aneesh1 aneesh1 commented Mar 11, 2025

What's changing in .github/workflows/dd-build.yaml

  • Original build job is split up into build-arm64 and build-amd64
    • Doing this because we're running with CGO_ENABLED=1 and I was having issues cross-compiling. The build-arm64 job runs on an arm64 machine and the build-amd64 job runs on an amd64 machine. I use a matrix strategy for both rather than hardcoding environment variables.
  • Artifacts uploaded separately under different names etcd_output_arm64 and etcd_output_amd64
  • Release job depends on both build-amd64 and build-arm64
  • Artifact Download Adjustment
    • We introduced a job Set artifact name to set the name of the artifact to be downloaded properly in releaseassets.
  • Combine checksums and then upload (because we're running two separate jobs on two separate runners)
  • Renamed releaseassets --> releaseassetsarm

New script ./scripts/build-release-single-target

  • Very similar to ./scripts/build-binary
  • Builds etcd and creates a .tar.gz release artifact.
  • Takes in variables TARGET_OS and TARGET_ARCH to build the binary

Modifications to build.sh

Added fips.go to etcd, etcdctl, etcdutl main packages
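The description above has each architecture job emit its own checksum file and the release job combine the two before upload. The following is an added example, not code from this PR or from etcd, showing what that combine step should enforce: it parses the sha256sum/shasum manifest format strictly, refuses an artifact name that two runners reported with different hashes (the failure mode that two independent jobs writing into one manifest makes possible), rejects manifest entries that carry path components, and verifies a release directory against the merged manifest. The command name combine-sums and its argument layout are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

type Entry struct{ Hash, Name string } // one SHA256SUMS line: 64 hex chars, "  " or " *", filename

// ParseSums parses that format strictly: a malformed line is an error (sha256sum -c would only warn), since an artifact dropped from the manifest can never be verified.
func ParseSums(text string) ([]Entry, error) {
	var out []Entry
	for n, line := range strings.Split(text, "\n") {
		if line = strings.TrimRight(line, "\r"); line == "" {
			continue
		}
		if len(line) < 67 || (line[64:66] != "  " && line[64:66] != " *") {
			return nil, fmt.Errorf("line %d: malformed entry %q", n+1, line)
		}
		hash, name := line[:64], line[66:]
		if _, err := hex.DecodeString(hash); err != nil || strings.ToLower(hash) != hash {
			return nil, fmt.Errorf("line %d: bad hash %q", n+1, hash)
		}
		// A path component here would let Verify read outside the release directory.
		if name == "." || name == ".." || name != filepath.Base(name) {
			return nil, fmt.Errorf("line %d: filename %q must be a bare name", n+1, name)
		}
		out = append(out, Entry{hash, name})
	}
	return out, nil
}

// Combine merges per-runner manifests in first-seen order, dropping exact duplicates. One name
// reported with two different hashes is refused: two jobs produced different outputs under one name.
func Combine(lists ...[]Entry) ([]Entry, error) {
	seen := map[string]string{}
	var out []Entry
	for _, list := range lists {
		for _, e := range list {
			prev, ok := seen[e.Name]
			if ok && prev != e.Hash {
				return nil, fmt.Errorf("conflicting checksums for %s: %s vs %s", e.Name, prev, e.Hash)
			}
			if !ok {
				seen[e.Name] = e.Hash
				out = append(out, e)
			}
		}
	}
	return out, nil
}

// Format renders entries in exactly the form sha256sum -c accepts.
func Format(entries []Entry) string {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "%s  %s\n", e.Hash, e.Name)
	}
	return b.String()
}

// Verify hashes every listed file under dir and returns the missing or mismatched names.
func Verify(dir string, entries []Entry) []string {
	var bad []string
	for _, e := range entries {
		data, err := os.ReadFile(filepath.Join(dir, e.Name))
		if sum := sha256.Sum256(data); err != nil || hex.EncodeToString(sum[:]) != e.Hash {
			bad = append(bad, e.Name)
		}
	}
	return bad
}

// Usage: combine-sums OUT IN...  (merge the IN manifests into OUT; any error exits 1).
func main() {
	check := func(err error) {
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	if len(os.Args) < 3 {
		check(fmt.Errorf("usage: combine-sums OUT IN..."))
	}
	var lists [][]Entry
	for _, path := range os.Args[2:] {
		data, err := os.ReadFile(path)
		check(err)
		entries, err := ParseSums(string(data))
		check(err)
		lists = append(lists, entries)
	}
	merged, err := Combine(lists...)
	check(err)
	check(os.WriteFile(os.Args[1], []byte(Format(merged)), 0o644))
}
```

In the workflow this would run as `combine-sums _output/checksums/SHA256SUMS etcd_output_amd64/SHA256SUMS etcd_output_arm64/SHA256SUMS` after the two artifact downloads; a non-zero exit on a conflicting or malformed entry is the point, since a manifest that quietly lost or mis-stated an artifact is worse than no manifest.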

@aneesh1 aneesh1 changed the base branch from main to release-3.5-dd-v3.5.17-dd.2-fips March 11, 2025 20:59
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch from 9522d28 to ecdf7ca Compare March 11, 2025 21:03
ahrtr and others added 4 commits March 11, 2025 21:22
Signed-off-by: joshjms <[email protected]>

change go directive to 1.23

Signed-off-by: joshjms <[email protected]>
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 10 times, most recently from f82296c to 08ab516 Compare March 14, 2025 02:49
- "windows/arm64"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
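Review bot: `windows/arm64` is listed as a build target for a job on `ubuntu-latest`, but Go's BoringCrypto integration only exists for linux/amd64 and linux/arm64 with cgo; on every other GOOS/GOARCH a GOEXPERIMENT=boringcrypto build compiles without complaint and silently uses the pure-Go crypto, with `boring.Enabled()` returning false. If this list feeds the FIPS release, drop the non-Linux targets (the `go tool nm` check later in this PR covers only the Linux binaries) or label those artifacts as non-FIPS. `actions/checkout@v4` should also be pinned to a full commit SHA.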


🟠 Code Vulnerability

Workflow depends on a GitHub action pinned by tag instead of a hash.

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

shell: bash
working-directory: release/
run: ls . | grep -E '\.tar.gz$|\.zip$' | xargs shasum -a 256 > ./SHA256SUMS
- uses: actions/upload-artifact@v4
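Review bot: `ls . | grep -E '\.tar.gz$|\.zip$' | xargs shasum -a 256` does not fail when nothing matches: GNU xargs still runs `shasum -a 256` once with no file arguments, shasum then hashes its empty stdin, and SHA256SUMS ends up holding one line for `-` instead of the step erroring out. Use `xargs -r`, or better `find . -maxdepth 1 \( -name '*.tar.gz' -o -name '*.zip' \) -exec shasum -a 256 {} +`, and add `test -s SHA256SUMS` before the upload; note too that the unescaped `.` in `tar.gz` matches any character. `actions/upload-artifact@v4` should be pinned to a full commit SHA as well.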


🟠 Code Vulnerability: workflow depends on a GitHub action pinned by tag instead of a hash (actions/upload-artifact@v4); same finding and remediation as above.

@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 6 times, most recently from ef8ca58 to 3438b26 Compare March 14, 2025 15:04
- name: Create output directory
run: mkdir -p _output/checksums
- name: Download all artifacts
uses: actions/download-artifact@v4
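Review bot: with `actions/download-artifact@v4` and no `name`, this 'Download all artifacts' step places each artifact in its own subdirectory named after the artifact (so `etcd_output_amd64/` and `etcd_output_arm64/` here) unless `merge-multiple: true` is set; the step that combines the two SHA256SUMS files must read them from those subdirectories, so make that explicit, and pin the action to a full commit SHA.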


🟠 Code Vulnerability: workflow depends on a GitHub action pinned by tag instead of a hash (actions/download-artifact@v4); same finding and remediation as above.

@aneesh1 aneesh1 marked this pull request as ready for review March 14, 2025 17:44
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch from 3438b26 to 57dc0c7 Compare March 14, 2025 17:49
echo "ARTIFACT_NAME=etcd_output_amd64" >> $GITHUB_ENV
fi
- name: Download artifacts
uses: actions/download-artifact@v4
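Review bot: `>> $GITHUB_ENV` leaves the redirection target unquoted; write `>> "$GITHUB_ENV"` so a runner path containing whitespace cannot split it. Because `ARTIFACT_NAME` decides which build output `download-artifact` fetches, the conditional closed by this `fi` should also fail the step when neither architecture matched rather than fall through with an empty name. `actions/download-artifact@v4` should be pinned to a full commit SHA.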


🟠 Code Vulnerability: workflow depends on a GitHub action pinned by tag instead of a hash (actions/download-artifact@v4); same finding and remediation as above.

@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 2 times, most recently from 3036440 to b22336f Compare March 14, 2025 18:54
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 6 times, most recently from f10fa56 to d92b212 Compare March 14, 2025 20:04
@aneesh1 (Author) commented Mar 14, 2025

% go tool nm etcd-v3.5.17-dd.2-fips-test-linux-arm64/etcd | grep -i 'crypto/internal/boring/sig.FIPSOnly'
  17b500 T crypto/internal/boring/sig.FIPSOnly.abi0
% go tool nm etcd-v3.5.17-dd.2-fips-test-linux-arm64/etcdctl | grep -i 'crypto/internal/boring/sig.FIPSOnly'
  176eb0 T crypto/internal/boring/sig.FIPSOnly.abi0
% go tool nm etcd-v3.5.17-dd.2-fips-test-linux-arm64/etcdutl | grep -i 'crypto/internal/boring/sig.FIPSOnly'
  42c2c0 T crypto/internal/boring/sig.FIPSOnly.abi0
% go tool nm etcd-v3.5.17-dd.2-fips-test-linux-amd64/etcd | grep -i 'crypto/internal/boring/sig.FIPSOnly'
  5fde80 T crypto/internal/boring/sig.FIPSOnly.abi0
% go tool nm etcd-v3.5.17-dd.2-fips-test-linux-amd64/etcdctl | grep -i 'crypto/internal/boring/sig.FIPSOnly'
  5f9c20 T crypto/internal/boring/sig.FIPSOnly.abi0
% go tool nm etcd-v3.5.17-dd.2-fips-test-linux-amd64/etcdutl | grep -i 'crypto/internal/boring/sig.FIPSOnly'
  8cdcc0 T crypto/internal/boring/sig.FIPSOnly.abi0

@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch from d92b212 to be893a6 Compare March 14, 2025 20:51

4 participants