Unverified Commit 96c31fe3 authored by Igor Drozdov's avatar Igor Drozdov

Run CI with FIPS_MODE enabled

parent 3ab6db35
@@ -23,6 +23,9 @@ variables:
BUNDLE_PATH: vendor/ruby
POLICY: pull
CI_DEBUG_SERVICES: 'true'
RUST_VERSION: "rust-1.73"
UBI_VERSION: "8.6"
IMAGE_TAG: "rubygems-3.4-git-2.36-exiftool-12.60"
workflow:
rules: &workflow_rules
@@ -34,7 +37,7 @@ workflow:
- if: '$CI_COMMIT_TAG'
default:
image: registry.gitlab.com/gitlab-org/gitlab-build-images/debian-${DEBIAN_VERSION}-${RUBY_VERSION}-${GO_VERSION}-rust-1.65:rubygems-3.4-git-2.36-exiftool-12.60
image: registry.gitlab.com/gitlab-org/gitlab-build-images/debian-${DEBIAN_VERSION}-${RUBY_VERSION}-${GO_VERSION}-${RUST_VERSION}:${IMAGE_TAG}
tags:
- gitlab-org
@@ -154,6 +157,16 @@ tests_without_cgo:
script:
- make verify test_fancy
tests:fips:
image: registry.gitlab.com/gitlab-org/gitlab-build-images/ubi-${UBI_VERSION}-${RUBY_VERSION}-${GO_VERSION}-${RUST_VERSION}:${IMAGE_TAG}
extends:
- .cached-job
- .test-job
variables:
FIPS_MODE: 1
script:
- make test_fancy
race:
extends:
- .cached-go-job
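Review bot: Nothing in the new `tests:fips` job checks that the tests really ran against FIPS crypto. It only sets `FIPS_MODE: 1` and runs `make test_fancy`, and the Makefile skips the boringcrypto experiment without any output when its probe fails, so the job would stay green on a toolchain that rejects the experiment. A cheap guard is two extra script steps, `- make compile` and `- go tool nm bin/gitlab-sshd | grep -q goboringcrypto`; the symbol name depends on the toolchain, so confirm it against the golang-fips build in the UBI image. As a style point, `FIPS_MODE: "1"` would match the quoting used for `RUST_VERSION` and `UBI_VERSION`.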
@@ -20,17 +20,18 @@ GOLANGCI_LINT_FILE := support/bin/golangci-lint-${GOLANGCI_LINT_VERSION}
export GOFLAGS := -mod=readonly
ifeq (${FIPS_MODE}, 1)
GO_TAGS += fips
# If the golang-fips compiler is built with CGO_ENABLED=0, this needs to be
# explicitly switched on.
export CGO_ENABLED=1
# Go 1.19 now requires GOEXPERIMENT=boringcrypto for FIPS compilation.
# See https://github.com/golang/go/issues/51940 for more details.
BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version > /dev/null 2>&1; echo $$?)
ifeq ($(BORINGCRYPTO_SUPPORT), 0)
GOBUILD_ENV=GOEXPERIMENT=boringcrypto
export GOEXPERIMENT=boringcrypto
endif
GO_TAGS += fips
# If the golang-fips compiler is built with CGO_ENABLED=0, this needs to be
# explicitly switched on.
export CGO_ENABLED=1
endif
ifneq (${CGO_ENABLED}, 0)
@@ -100,10 +101,10 @@ _script_install:
compile: bin/gitlab-shell bin/gitlab-sshd
bin/gitlab-shell: $(GO_SOURCES)
GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/...
GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/...
bin/gitlab-sshd: $(GO_SOURCES)
GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd
GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd
check:
bin/check
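Review bot: When the `GOEXPERIMENT=boringcrypto go version` probe fails, the `ifeq ($(BORINGCRYPTO_SUPPORT), 0)` block is skipped with no output, so a `FIPS_MODE=1` build continues with the `fips` tag and `CGO_ENABLED=1` but without the experiment. Now that the setting is exported to every recipe rather than passed only to `go install`, the same silent fallback also decides what the test targets run against. Older golang-fips toolchains presumably do not need the experiment, so a hard `$(error ...)` may be too strict. An `else` branch with `$(warning FIPS_MODE=1: go toolchain rejected GOEXPERIMENT=boringcrypto, building without it)` would at least show in the build log which path was taken. The page has lost its +/- markers, so which copy of the `GO_TAGS += fips` block is the new one is inferred from print order.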