test: test FIPS 140 compliance #14
name: test-fips

# Run the test suite inside a FIPS-140-configured Docker container (the
# Chainguard base FIPS image) to check FIPS 140 compliance.

on:
  workflow_dispatch:
  # XXX
  # schedule:
  #   # Every Tuesday at 6:00 AM
  #   - cron: '0 6 * * 2'
  # XXX
  push:
    branches:
      - main
    paths-ignore:
      - "**/*.md"
      - "**/*.asciidoc"
      - "docs/**"
      - "examples/**"
  # NOTE(review): the job below pulls its container with repository secrets;
  # pull requests from forks presumably do not receive those secrets, so the
  # image pull may fail there — verify before relying on this trigger.
  pull_request:
    branches:
      - main
    paths-ignore:
      - "**/*.md"
      - "**/*.asciidoc"
      - "docs/**"
      - "examples/**"

# Restrict the generated GITHUB_TOKEN to read-only repository access.
permissions:
  contents: read

jobs:
  test-fips:
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
    # Local equivalent for debugging:
    #   docker run -it --rm --name fipsy docker.elastic.co/wolfi/chainguard-base-fips:latest
    container:
      # NOTE(review): `:latest` is a moving tag, so the FIPS configuration under
      # test can change between runs without any change to this file; pinning to
      # an image digest would make results reproducible — TODO confirm whether a
      # pinned digest is available for this image.
      image: docker.elastic.co/wolfi/chainguard-base-fips:latest
      credentials:
        username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
        password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
      volumes:
        # presumably mounted so the runner's home directory is visible inside
        # the container — verify against the runner documentation.
        - /home/runner
    steps:
      # Install Node.js and npm from the container image's package repository.
      - run: |
          apk update
          apk add nodejs npm
      # NOTE(review): a tag reference such as `v4` is mutable; pinning actions
      # to a full commit SHA hardens against upstream tampering — TODO confirm
      # the project's policy on action pinning.
      - uses: actions/checkout@v4
      # Fail fast if the Node.js in this container is not in FIPS mode, since
      # every later step assumes it is.
      - name: Is Node.js running in FIPS mode?
        run: |
          node -e 'const isFips = require("node:crypto").getFips(); console.log("isFips:", isFips); assert(isFips)'
      # XXX https://github.com/elastic/apm-agent-nodejs/actions/runs/13001086210/job/36259730139?pr=4441
      #     node_modules/https-pem
      - run: npm ci --ignore-scripts
      # XXX
      # - run: node test/instrumentation/modules/express/basic.test.js
      # - run: npm test
      - run: node test/test.js
        env:
          # TEST_WITHOUT_SERVICES skips the instrumentation tests that need a
          # running service (e.g. a database). It exists because it is not
          # clear how to expose GH Actions `services:` to a suite running
          # inside `container:`. This should not affect FIPS coverage, as
          # no instrumentation uses crypto.
          TEST_WITHOUT_SERVICES: "true"
          # TEST_SKIP_HTTPS_PEM was added for this FIPS run. Some tests depend
          # on an old `https-pem` module that builds a client certificate with
          # legacy crypto that FIPS mode rejects. Updating those tests to an
          # alternative is not currently worth the effort; none of that legacy
          # crypto is used at runtime.
          TEST_SKIP_HTTPS_PEM: "true"
      # - name: Notify in Slack
      #   if: ${{ failure() }}
      #   uses: elastic/oblt-actions/slack/[email protected]
      #   with:
      #     bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
      #     channel-id: "#apm-agent-node"
      #     message: 'test-fips failed XXX'