Pass through OPENSSL_FORCE_FIPS_MODE env var to containers#1622

Merged
jeffwidman merged 1 commit into main from allow-injecting-OPENSSL_FORCE_FIPS_MODE-env-var
Feb 21, 2026
Conversation

@jeffwidman
Member

On FIPS-enabled self-hosted runners, OpenSSL inside the updater and proxy containers fails with "out of memory" errors when running update-ca-certificates because the FIPS provider is not installed in the container images (Ubuntu 24.04).

If the host has OPENSSL_FORCE_FIPS_MODE set (e.g. to "0"), propagate it into both the updater and proxy containers. When the variable is not set on the host, nothing changes — default behavior is preserved.

Fixes: dependabot/dependabot-core#13433

@jeffwidman jeffwidman requested a review from a team as a code owner February 19, 2026 22:55
Copilot AI review requested due to automatic review settings February 19, 2026 22:55
@jeffwidman
Member Author

I think this will allow OpenSSL to work based on user reports in dependabot/dependabot-core#13433 , but I didn't take the time to actually spin up a FIPS host to test.

Contributor

Copilot AI left a comment

Pull request overview

This PR addresses OpenSSL failures on FIPS-enabled self-hosted runners by propagating the OPENSSL_FORCE_FIPS_MODE environment variable from the host to both updater and proxy containers. The container images (Ubuntu 24.04) lack the OpenSSL FIPS provider, causing "out of memory" errors during update-ca-certificates execution. By passing through the host's OPENSSL_FORCE_FIPS_MODE setting (typically set to "0"), OpenSSL is explicitly prevented from attempting FIPS mode, allowing updates to proceed normally.

Changes:

  • Added conditional pass-through of OPENSSL_FORCE_FIPS_MODE environment variable to updater containers
  • Added conditional pass-through of OPENSSL_FORCE_FIPS_MODE environment variable to proxy containers
  • Both implementations only propagate the variable when explicitly set, preserving default behavior when unset

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
src/updater-builder.ts Adds OPENSSL_FORCE_FIPS_MODE pass-through to updater container environment using conditional block
src/proxy.ts Adds OPENSSL_FORCE_FIPS_MODE pass-through to proxy container environment using spread operator with conditional array


On FIPS-enabled self-hosted runners, OpenSSL inside the updater and
proxy containers fails with "out of memory" errors when running
update-ca-certificates because the FIPS provider is not installed in
the container images (Ubuntu 24.04).

If the host has OPENSSL_FORCE_FIPS_MODE set (e.g. to "0"), propagate
it into both the updater and proxy containers. When the variable is
not set on the host, nothing changes — default behavior is preserved.

Fixes: dependabot/dependabot-core#13433
@jeffwidman jeffwidman force-pushed the allow-injecting-OPENSSL_FORCE_FIPS_MODE-env-var branch from ae00abe to 714fa45 February 19, 2026 23:06
@jeffwidman jeffwidman changed the title Pass through OPENSSL_FORCE_FIPS_MODE env var to containers Pass through OPENSSL_FORCE_FIPS_MODE env var to containers Feb 19, 2026
@yeikel

yeikel commented Feb 20, 2026

I think this will allow OpenSSL to work based on user reports in dependabot/dependabot-core#13433 , but I didn't take the time to actually spin up a FIPS host to test.

@jeffwidman I tested this out

All of these tests were running from a self-hosted runner I set up (Machine name: 'yeikel-VirtualBox' in the logs)

  1. Without the flag (that is, running main: crashes as expected): https://github.com/yeikel/test-FIPS/actions/runs/22225864371/job/64292259611

Running with the allow-injecting-OPENSSL_FORCE_FIPS_MODE-env-var branch:

  1. With OPENSSL_FORCE_FIPS_MODE=0 = https://github.com/yeikel/test-FIPS/actions/runs/22227372955/job/64297446751

Ignore the first failure, it was because I had the wrong initial test setup (the part of the SSL setup did run, though)

  1. With OPENSSL_FORCE_FIPS_MODE=1 = Fails as expected

https://github.com/yeikel/test-FIPS/actions/runs/22227623749/job/64298338812


That said, I don’t think the action should proceed when OPENSSL_FORCE_FIPS_MODE=1, or when the host is FIPS-enabled and OPENSSL_FORCE_FIPS_MODE!=0, since it will eventually fail with an OOM error/similar errors. Instead, it would be better to detect this upfront and exit early with a clear, helpful message to explain that Dependabot does not support running without disabling FIPS mode. What do you think?
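The two pass-through shapes named in the review summary (an if-block in the updater builder, a spread over a conditional array in the proxy) and the up-front check suggested in the comment above, as an added TypeScript example. This is not the dependabot-action code itself; the function names, the env-map and `KEY=value` list shapes, and the `hostFipsEnabled` flag are assumptions made for illustration.

```typescript
// Added example (not project code): conditional pass-through of
// OPENSSL_FORCE_FIPS_MODE in the two shapes described in the PR review,
// plus a fail-fast preflight along the lines suggested in the thread.
// Function names and container-config shapes are assumptions.

const FIPS_VAR = 'OPENSSL_FORCE_FIPS_MODE';

type HostEnv = Record<string, string | undefined>;
type EnvMap = Record<string, string>;

// Updater style: an env map, extended by an if-block only when the host
// actually has the variable set, so unset on the host means unchanged in
// the container.
function updaterEnv(hostEnv: HostEnv, base: EnvMap = {}): EnvMap {
  const env: EnvMap = { ...base };
  const fips = hostEnv[FIPS_VAR];
  if (fips !== undefined) {
    env[FIPS_VAR] = fips;
  }
  return env;
}

// Proxy style: a Docker-style "KEY=value" list, extended by spreading a
// conditional array. An empty array spreads to nothing when unset.
function proxyEnv(hostEnv: HostEnv, base: string[] = []): string[] {
  const fips = hostEnv[FIPS_VAR];
  return [
    ...base,
    ...(fips !== undefined ? [`${FIPS_VAR}=${fips}`] : []),
  ];
}

// Preflight check in the spirit of the review suggestion: refuse to start
// when OpenSSL inside the container would still try to use the FIPS
// provider that the images do not ship. `hostFipsEnabled` is an assumed
// input (how it is detected is out of scope here).
function fipsPreflight(
  hostEnv: HostEnv,
  hostFipsEnabled: boolean,
): { ok: boolean; reason?: string } {
  const fips = hostEnv[FIPS_VAR];
  if (fips === '1') {
    return {
      ok: false,
      reason: `${FIPS_VAR}=1 forces FIPS mode, which the container images do not support; set ${FIPS_VAR}=0`,
    };
  }
  if (hostFipsEnabled && fips !== '0') {
    return {
      ok: false,
      reason: `host is FIPS-enabled; set ${FIPS_VAR}=0 so OpenSSL in the containers does not attempt FIPS mode`,
    };
  }
  return { ok: true };
}
```

`fipsPreflight` is the piece the thread leaves as future work: on a non-FIPS host with the variable unset it passes, on a FIPS host it only passes when the variable is explicitly `0`, which mirrors the cases yeikel tested above.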

@jeffwidman
Member Author

Thanks for testing it! Glad to see it working.

Instead, it would be better to detect this upfront and exit early with a clear, helpful message to explain that
Dependabot does not support running without disabling FIPS mode. What do you think?

That'd be a nice improvement. For now though, I'm planning to start with this.

I should add that once 26.04 lands, then OpenSSL will catch/return a very googlable error string that will lead folks to https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2066990 so that should provide a little context.

But yeah, it'd be nice to eventually surface to them "if you want to workaround this, you can disable FIPS on OpenSSL via setting this env var"

@yeikel

yeikel commented Feb 20, 2026

But yeah, it'd be nice to eventually surface to them "if you want to workaround this, you can disable FIPS on OpenSSL via setting this env var"

If I can secure a review from you (big if!), I'd be happy to send that over as a follow up after this is merged

Contributor

@kbukum1 kbukum1 left a comment

LGTM: Everything is clean and specs are covering it properly.

@jeffwidman jeffwidman merged commit 1a643ea into main Feb 21, 2026
9 checks passed
@jeffwidman jeffwidman deleted the allow-injecting-OPENSSL_FORCE_FIPS_MODE-env-var branch February 21, 2026 01:07
@jeffwidman
Member Author

If I can secure a review from you (big if!), I'd be happy to send that over as a follow up after this is merged

@yeikel if it's simple you're welcome to do it... I think there's a 50/50 chance it gets complicated since this code is happening in dockerfile invoking openssl rather than in ruby or Go... so if it gets complicated then not worth it IMO... eg if it needs a custom wrapper script etc.

This only affects users running self-hosted runners on FIPS. As long as we provide a solution and a clearly searchable answer (which is why I added the exact error string to the issue), then there are other more impactful problems to solve.

Development

Successfully merging this pull request may close these issues.

Out of memory issue when using dependabot-updater-maven on a FIPS-enabled host

3 participants