
FIPS compliant v3.5.17-dd.3 build#10

Merged
aneesh1 merged 6 commits into release-3.5-dd-v3.5.17-dd.3 from release-3.5-dd-v3.5.17-dd.2-fips-test on Mar 28, 2025

Conversation


@aneesh1 aneesh1 commented Mar 11, 2025

What's changing in .github/workflows/dd-build.yaml

  • Original build job is split up into build-arm64 and build-amd64
    • Doing this b/c we're running with CGO_ENABLED=1 and I was having issues cross-compiling. The build-arm64 job runs on an arm64 machine and build-amd64 job runs on an amd64 machine. I use a matrix strategy for both rather than hardcoding environment variables.
  • Artifacts uploaded separately under different names etcd_output_arm64 and etcd_output_amd64
  • Release job depends on both build-amd64 and build-arm64
  • Artifact Download Adjustment
    • We introduced a job Set artifact name to set the name of the artifact to be downloaded properly in releaseassets.
  • Combine checksums and then upload (because we're running two separate jobs on two separate runners)
  • Renamed releaseassets --> releaseassetsarm

New script ./scripts/build-binary-single-target

  • Very similar to ./scripts/build-binary
  • Builds etcd and creates a .tar.gz release artifact.
  • Takes in variables TARGET_OS and TARGET_ARCH to build the binary

Modifications to build.sh

Added fips.go to etcd, etcdctl, etcdutl main packages

Details about cherry-picked commits:
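The "combine checksums and then upload" step described above has to merge the SHA256SUMS files produced by two independent runners. As an added example (not code from this PR or from the etcd repository), here is a merge that refuses a colliding artifact name with differing digests and re-verifies a manifest against downloaded artifact bytes; the file names and digests are constructed samples.

```python
"""Merge the per-runner SHA256SUMS files into one release manifest and verify it.
`shasum -a 256` writes "<64 hex>  <name>" (text mode) or "<64 hex> *<name>" (binary);
a differing digest for the same file name across runners must fail the release."""
import hashlib
import re

LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

# Constructed sample output of the two per-arch checksum steps (not real digests).
SUMS_ARM64 = "a" * 64 + "  etcd-v3.5.17-dd.3-linux-arm64.tar.gz\n"
SUMS_AMD64 = "b" * 64 + "  etcd-v3.5.17-dd.3-linux-amd64.tar.gz\n"


def parse_sums(text):
    """Return {filename: lowercase digest}; reject malformed lines instead of skipping them."""
    entries = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def merge_sums(*texts):
    """Merge several SHA256SUMS bodies into one sorted body in shasum text-mode format.
    Identical duplicates are tolerated; two digests for one name mean a collision."""
    merged = {}
    for text in texts:
        for name, digest in parse_sums(text).items():
            if merged.get(name, digest) != digest:
                raise ValueError(f"conflicting digests for {name}")
            merged[name] = digest
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(merged.items()))


def verify_artifacts(sums_text, contents):
    """Return the names listed in sums_text that are missing from `contents`
    (a {filename: bytes} mapping of the downloaded artifacts) or whose SHA-256 differs."""
    bad = []
    for name, digest in parse_sums(sums_text).items():
        data = contents.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return bad
```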

@aneesh1 aneesh1 changed the base branch from main to release-3.5-dd-v3.5.17-dd.2-fips March 11, 2025 20:59
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 11 times, most recently from f82296c to 08ab516 Compare March 14, 2025 02:49
- "windows/arm64"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4


🟠 Code Vulnerability

Workflow depends on a GitHub Action pinned by tag instead of a hash.

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

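The check the comment above performs can be reproduced locally before pushing. As an added example (not Datadog's scanner and not code from this repository), this script scans a workflow for `uses:` references that float on a tag or branch rather than a 40-hex commit SHA; the workflow fragment it scans is constructed for the example.

```python
"""Flag `uses:` references in a GitHub Actions workflow that are not pinned to a
full-length commit SHA, i.e. the condition the review comment above reports."""
import re

# Matches `- uses: owner/repo@ref` and `uses: owner/repo@ref`, with or without quotes.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow fragment modelled on the steps quoted in this PR (not the real file).
SAMPLE_WORKFLOW = """\
jobs:
  build-arm64:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/upload-artifact@main
      - uses: ./.github/actions/local-step
      - name: Download artifacts
        uses: actions/download-artifact@v4
"""


def classify_ref(ref):
    """'sha' for a 40-hex commit or an image digest, 'local' for an in-repo action,
    'unversioned' when no @ref is given, else 'tag' or 'branch' (both mutable)."""
    if ref.startswith("./"):
        return "local"
    if "@" not in ref:
        return "unversioned"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version) or version.startswith("sha256:"):
        return "sha"
    return "tag" if re.match(r"^v?\d", version) else "branch"


def find_unpinned(workflow_text):
    """Return [(line_no, ref, kind)] for every uses: that floats on a mutable ref."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_ref(ref)
        if kind not in ("sha", "local"):
            findings.append((line_no, ref, kind))
    return findings
```

Run it over `.github/workflows/dd-build.yaml` in CI and fail the job on a non-empty result; a `# vX.Y.Z` trailing comment, as in the suggested fix above, keeps the SHA readable.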

shell: bash
working-directory: release/
run: ls . | grep -E '\.tar.gz$|\.zip$' | xargs shasum -a 256 > ./SHA256SUMS
- uses: actions/upload-artifact@v4
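Review bot: the checksum pipeline in this hunk has two small robustness issues: the pattern `'\.tar.gz$|\.zip$'` leaves the dot between `tar` and `gz` unescaped (so it also matches e.g. `foo.tarXgz`), and piping `ls` output into `xargs` splits on whitespace. A shell glob avoids both and needs no pipeline, e.g. `run: shasum -a 256 *.tar.gz *.zip > ./SHA256SUMS`. The `actions/upload-artifact@v4` tag on the last line should also be pinned to a commit SHA, as the Datadog comment notes.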


🟠 Code Vulnerability

Workflow depends on a GitHub Action pinned by tag instead of a hash.

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2


@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 6 times, most recently from ef8ca58 to 3438b26 Compare March 14, 2025 15:04
- name: Create output directory
run: mkdir -p _output/checksums
- name: Download all artifacts
uses: actions/download-artifact@v4
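Review bot: the `Download all artifacts` step shows no `name` or `pattern` input, and `actions/download-artifact@v4` without a `name` places each artifact in its own subdirectory named after the artifact (`etcd_output_arm64/`, `etcd_output_amd64/`), unlike v3 which flattened them. Make sure the checksum-combining step that follows reads from those subdirectories, or set `merge-multiple: true` if it expects the files side by side; and pin the action to a commit SHA rather than `@v4`.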


🟠 Code Vulnerability

Workflow depends on a GitHub Action pinned by tag instead of a hash.

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2


@aneesh1 aneesh1 marked this pull request as ready for review March 14, 2025 17:44
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch from 3438b26 to 57dc0c7 Compare March 14, 2025 17:49
echo "ARTIFACT_NAME=etcd_output_amd64" >> $GITHUB_ENV
fi
- name: Download artifacts
uses: actions/download-artifact@v4
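Review bot: `$GITHUB_ENV` is unquoted in the redirection on the first line; write `>> "$GITHUB_ENV"` so the step cannot misbehave if the path ever contains whitespace. Since the `fi` closes the branch that selects between the arm64 and amd64 artifact names, confirm that an unrecognised architecture value makes the step fail rather than silently pick a default, otherwise the release job could download the wrong architecture's artifact. The `@v4` tag on the download step should be pinned to a commit SHA as well.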


🟠 Code Vulnerability

Workflow depends on a GitHub Action pinned by tag instead of a hash.

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2


@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 7 times, most recently from c84d409 to f10fa56 Compare March 14, 2025 19:27
joshjms and others added 2 commits March 27, 2025 16:13
Signed-off-by: joshjms <joshjms1607@gmail.com>

change go directive to 1.23

Signed-off-by: joshjms <joshjms1607@gmail.com>
Signed-off-by: Ivan Valdes <ivan@vald.es>
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch from 6603caf to f6f71cc Compare March 27, 2025 20:14
Member

@badouralix badouralix left a comment


Given we want to build one arch at a time, I don't think we have the choice but to fork scripts/build-binary into scripts/build-binary-single-target indeed

@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 2 times, most recently from 3947777 to be103d1 Compare March 27, 2025 20:44
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 2 times, most recently from 1277868 to 0ba05b0 Compare March 27, 2025 20:52
@aneesh1 aneesh1 changed the title FIPS compliant v3.5.17-dd.2 build FIPS compliant v3.5.17-dd.3 build Mar 27, 2025
@aneesh1 aneesh1 changed the base branch from release-3.5-dd-v3.5.17-dd.2-fips to release-3.5-dd-v3.5.17-dd.3 March 27, 2025 21:06
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch from 5528a4b to d89cb6a Compare March 27, 2025 21:21
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch 2 times, most recently from bbe15b8 to 32617d5 Compare March 28, 2025 13:31
aneesh1 added 2 commits March 28, 2025 10:19
command: DRY_RUN=false TARGET_VERSION="v3.5.17-dd.3" ./scripts/release_mod.sh update_versions
@aneesh1 aneesh1 force-pushed the release-3.5-dd-v3.5.17-dd.2-fips-test branch from 32617d5 to e2c2a0f Compare March 28, 2025 14:19
ahrtr added 2 commits March 28, 2025 10:34
Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
@aneesh1 aneesh1 merged commit 4217071 into release-3.5-dd-v3.5.17-dd.3 Mar 28, 2025
38 checks passed
@aneesh1 aneesh1 deleted the release-3.5-dd-v3.5.17-dd.2-fips-test branch March 28, 2025 17:01
badouralix pushed a commit that referenced this pull request Nov 24, 2025
badouralix pushed a commit that referenced this pull request Nov 24, 2025
badouralix pushed a commit that referenced this pull request Nov 27, 2025
badouralix pushed a commit that referenced this pull request Nov 27, 2025
badouralix pushed a commit that referenced this pull request Dec 10, 2025
badouralix pushed a commit that referenced this pull request Feb 4, 2026
Signed-off-by: Ayaz Badouraly <ayaz.badouraly@datadoghq.com>