chore(ci): add pipelines to test and build on Go+BoringCrypto

SumoLogic · May 27, 2022 · c56670b · c56670b
1 parent 956e103
commit c56670b
Show file tree

Hide file tree

Showing 5 changed files with 644 additions and 20 deletions.
diff --git a/.github/workflows/dev_builds.yml b/.github/workflows/dev_builds.yml
@@ -125,6 +125,150 @@ jobs:
           path: ./otelcolbuilder/cmd/otelcol-sumo-${{matrix.arch_os}}_modules.txt
           if-no-files-found: error
 
+  # pipeline to build FIPS compliance binary on Go+BoringCrypto
+  build-go-boringcrypto:
+    name: Build
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        go: [ '1.18.2b7' ]
+        arch_os: [ 'linux_amd64' , 'linux_arm64' ]
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Fetch current branch
+        run: ./ci/fetch_current_branch.sh
+
+      - name: Install Go+BoringCrypto
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+          curl -LJ "https://go-boringcrypto.storage.googleapis.com/go${{ matrix.go }}.linux-amd64.tar.gz" -o go.linux-amd64.tar.gz \
+            && sudo rm -rf /usr/local/go \
+            && sudo tar -C /usr/local -xzf go.linux-amd64.tar.gz \
+            && sudo rm go.linux-amd64.tar.gz \
+            && sudo ln -s /usr/local/go/bin/go /usr/local/bin
+
+      # As described in
+      # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
+      - uses: actions/cache@v3
+        with:
+          path: |
+            /home/runner/go/pkg/mod
+            /home/runner/.cache/go-build
+            /Users/runner/go/pkg/mod
+            /Users/runner/Library/Caches/go-build
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Add opentelemetry-collector-builder installation dir to PATH
+        run: echo "$HOME/bin" >> $GITHUB_PATH
+
+      - name: Install opentelemetry-collector-builder
+        run: make install-builder
+        working-directory: ./otelcolbuilder
+
+      - name: Build
+        run: make otelcol-sumo-${{matrix.arch_os}} BINARY_FIPS_SUFFIX="-fips"
+        working-directory: ./otelcolbuilder
+
+      - name: Show included modules
+        working-directory: ./otelcolbuilder/cmd
+        run: |
+          go version -m otelcol-sumo-${{matrix.arch_os}}-fips | \
+          grep -E "/(receiver|exporter|processor|extension)/" | \
+          tee otelcol-sumo-${{matrix.arch_os}}-fips_modules.txt
+
+      - name: Store binary as action artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: otelcol-sumo-${{matrix.arch_os}}-fips
+          path: ./otelcolbuilder/cmd/otelcol-sumo-${{matrix.arch_os}}-fips
+          if-no-files-found: error
+
+      - name: Store list of included modules as action artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: otelcol-sumo-${{matrix.arch_os}}-fips_modules.txt
+          path: ./otelcolbuilder/cmd/otelcol-sumo-${{matrix.arch_os}}-fips_modules.txt
+          if-no-files-found: error
+
+  # pipeline to build FIPS compliance binary on Go+BoringCrypto for darwin
+  build-go-boringcrypto-darwin:
+    name: Build
+    runs-on: macos-latest
+    strategy:
+      matrix:
+        go: [ '1.18.2b7' ]
+        arch_os: [ 'darwin_amd64' ]
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Fetch current branch
+        run: ./ci/fetch_current_branch.sh
+
+      - name: Build and install Go+BoringCrypto
+        run: |
+          wget https://go-boringcrypto.storage.googleapis.com/go${{ matrix.go }}.src.tar.gz \
+            && tar -xf go${{ matrix.go }}.src.tar.gz \
+            && cd go/src/ \
+            && GOROOT_BOOTSTRAP=/usr ./make.bash \
+            && cd .. \
+            && sudo rm -rf /usr/local/bin/go \
+            && sudo cp bin/go* /usr/local/bin/
+
+      - name: Check go version
+        run: go version
+
+      # As described in
+      # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
+      - uses: actions/cache@v3
+        with:
+          path: |
+            /home/runner/go/pkg/mod
+            /home/runner/.cache/go-build
+            /Users/runner/go/pkg/mod
+            /Users/runner/Library/Caches/go-build
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Add opentelemetry-collector-builder installation dir to PATH
+        run: echo "$HOME/bin" >> $GITHUB_PATH
+
+      - name: Install opentelemetry-collector-builder
+        run: make install-builder
+        working-directory: ./otelcolbuilder
+
+      - name: Build
+        run: make otelcol-sumo-${{matrix.arch_os}} BINARY_FIPS_SUFFIX="-fips"
+        working-directory: ./otelcolbuilder
+
+      - name: Test that binary can be run on ${{matrix.arch_os}}
+        working-directory: ./otelcolbuilder/cmd
+        run: ./otelcol-sumo-${{matrix.arch_os}}-fips --version
+
+      - name: Show included modules
+        working-directory: ./otelcolbuilder/cmd
+        run: |
+          go version -m otelcol-sumo-${{matrix.arch_os}}-fips | \
+          grep -E "/(receiver|exporter|processor|extension)/" | \
+          tee otelcol-sumo-${{matrix.arch_os}}-fips_modules.txt
+
+      - name: Store binary as action artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: otelcol-sumo-${{matrix.arch_os}}-fips
+          path: ./otelcolbuilder/cmd/otelcol-sumo-${{matrix.arch_os}}-fips
+          if-no-files-found: error
+
+      - name: Store list of included modules as action artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: otelcol-sumo-${{matrix.arch_os}}-fips_modules.txt
+          path: ./otelcolbuilder/cmd/otelcol-sumo-${{matrix.arch_os}}-fips_modules.txt
+          if-no-files-found: error
+
   build-container-images:
     name: Build container
     runs-on: ubuntu-20.04
@@ -153,24 +297,37 @@ jobs:
       - name: Show Buildx platforms
         run: echo ${{ steps.buildx.outputs.platforms }}
 
-      - name: Download binary action artifact from build phase
-        uses: actions/download-artifact@v3
-        with:
-          name: otelcol-sumo-${{ matrix.arch_os }}
-
       - name: Login to Open Source ECR
         run: make login
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}
 
+      - name: Download binary action artifact from build phase
+        uses: actions/download-artifact@v3
+        with:
+          name: otelcol-sumo-${{ matrix.arch_os }}
+
       - name: Build and push image to Open Source ECR
         run: |
           cp otelcol-sumo-${{ matrix.arch_os }} otelcol-sumo
           make build-push-container-multiplatform-dev \
             BUILD_TAG=${{ steps.extract_tag.outputs.tag }} \
             PLATFORM=${{ matrix.arch_os }}
 
+      - name: Download FIPS binary action artifact from build phase
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{matrix.arch_os}}-fips
+          path: artifacts/
+
+      - name: Build and push FIPS image to Open Source ECR
+        run: |
+          cp artifacts/${{ steps.set_filename.outputs.filename }}-fips otelcol-sumo
+          make build-push-container-multiplatform \
+            BUILD_TAG=${{ steps.extract_tag.outputs.tag }}-fips \
+            PLATFORM=${{ matrix.arch_os }}
+
   push-docker-manifest:
     name: Push joint container manifest
     runs-on: ubuntu-20.04
@@ -207,3 +364,9 @@ jobs:
           make push-container-manifest-dev \
             BUILD_TAG=${{ steps.extract_tag.outputs.tag }} \
             PLATFORMS="linux/amd64 linux/arm64"
+
+      - name: Push joint FIPS container manifest for all platforms to Open Source ECR
+        run: |
+          make push-container-manifest \
+            BUILD_TAG=${{ steps.extract_tag.outputs.tag }}-fips \
+            PLATFORMS="linux/amd64 linux/arm64"