Skip to content
test-fips

test: test FIPS 140 compliance #24

Sign in to view logs

test: test FIPS 140 compliance

test: test FIPS 140 compliance #24

Workflow file for this run

.github/workflows/test-fips.yml at daa76e8
name: test-fips
# Test FIPS 140 compliance by running tests inside a FIPS-140-configured
# Docker container (the Chainguard base FIPS container).
on:
workflow_dispatch:
#XXX
# schedule:
# # Every Tuesday at 6:00 AM
# - cron: '0 6 * * 2'
# XXX
push:
branches:
- main
paths-ignore:
- '**/*.md'
- '**/*.asciidoc'
- 'docs/**'
- 'examples/**'
pull_request:
branches:
- main
paths-ignore:
- '**/*.md'
- '**/*.asciidoc'
- 'docs/**'
- 'examples/**'
# Limit the access of the generated GITHUB_TOKEN.
permissions:
contents: read
jobs:
test-fips:
runs-on: ubuntu-24.04
# https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
# docker run -it --rm --name fipsy docker.elastic.co/wolfi/chainguard-base-fips:latest
container:
image: docker.elastic.co/wolfi/chainguard-base-fips:latest
credentials:
username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
timeout-minutes: 30
steps:
- run: false #XXX force failure for now
- run: |
apk update
apk add nodejs npm
- uses: actions/checkout@v4
- name: Is Node.js running in FIPS mode?
run: |
node -e 'const isFips = require("node:crypto").getFips(); console.log("isFips:", isFips); assert(isFips)'
- run: npm ci
- run: node test/test.js
env:
# TEST_WITHOUT_SERVICES skips instrumentation tests that rely on a
# running service, like a database. This var was added because I
# don't know how to get GH Action `services:` to be available to this
# test suite running in the `container:`. This shouldn't matter for
# FIPS-related testing because no instrumentations use crypto.
TEST_WITHOUT_SERVICES: 'true'
# - name: Notify in Slack
# if: ${{ failure() }}
# uses: elastic/oblt-actions/slack/[email protected]
# with:
# bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
# channel-id: "#apm-agent-node"
# # message: |
# # :warning: `test-fips` workflow run ${{ github.run_id }} failed'
# # https://github.com/elastic/apm-agent-nodejs/actions/runs/${{ github.run_id }}
# message: ':warning: test-fips workflow run ${{ github.run_id }} failed XXX'
# - name: Post Slack message if failed
# if: ${{ failure() }}
# uses: slackapi/[email protected]
# with:
# method: chat.postMessage
# token: ${{ secrets.SLACK_BOT_TOKEN }}
# payload: |
# {
# "channel": "#apm-agent-nodejs",
# "text": ":warning: test-fips workflow run ${{ github.run_id }} failed XXX"
# }
notify-on-failure:
if: always()
runs-on: ubuntu-24.04
needs: test-fips
steps:
- id: check
uses: elastic/oblt-actions/check-dependent-jobs@v1
with:
jobs: ${{ toJSON(needs) }}
- name: Notify in Slack
if: steps.check.outputs.status == 'failure'
uses: elastic/oblt-actions/slack/[email protected]
with:
bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
# channel-id: "#apm-agent-node"
channel-id: "@trentm"
# message: |
# :warning: `test-fips` workflow run ${{ github.run_id }} failed'
# https://github.com/elastic/apm-agent-nodejs/actions/runs/${{ github.run_id }}
message: ':warning: test-fips workflow run ${{ github.run_id }} failed XXX'
# - name: Post Slack message if failed
# if: ${{ failure() }}
# uses: slackapi/[email protected]
# with:
# method: chat.postMessage
# token: ${{ secrets.SLACK_BOT_TOKEN }}
# payload: |
# {
# "channel": "#apm-agent-nodejs",
# "text": ":warning: test-fips workflow run ${{ github.run_id }} failed XXX"
# }