.github/workflows/build-node-openssl-fips.yml #17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Node with options around OpenSSL dynamic linking and FIPS | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| enableFips: | |
| description: 'Whether OpenSSL should be FIPS-enabled' | |
| default: true | |
| type: boolean | |
| dynamicLink: | |
| description: 'If OpenSSL should be dynamically linked with node (rather than statically linked)' | |
| default: false | |
| type: boolean | |
| sharedOpenSSLIncludes: | |
| description: 'dir containing header files for OpenSSL' | |
| default: '' | |
| type: string | |
| sharedOpenSSLLibname: | |
| description: 'libname for dynamically linking to OpenSSL' | |
| default: '' | |
| type: string | |
| sharedOpenSSLLibpath: | |
| description: 'dir for searching for shared OpenSSL dlls' | |
| default: '' | |
| type: string | |
| BUILD_REF: | |
| description: 'ref to build' | |
| required: true | |
| default: 'main' | |
| type: string | |
| DOCKER_FILE: | |
| description: 'Dockerfile to use for building Node.js' | |
| required: true | |
| default: 'Dockerfile.Node20fips' | |
| type: string | |
| jobs: | |
| build-node: | |
| name: Build ${{ matrix.platform }}-${{ matrix.arch }} with statically-linked FIPS OpenSSL | |
| strategy: | |
| matrix: | |
| include: | |
| - platform: linux | |
| arch: x64 | |
| runs_on: ubuntu-22.04 | |
| - platform: linux | |
| arch: arm64 | |
| runs_on: ubuntu-22.04-arm | |
| runs-on: ${{ matrix.runs_on }} | |
| env: | |
| S3_BUCKET: your-bucket-name | |
| AWS_REGION: us-east-1 | |
| steps: | |
| - name: Checkout Node fork | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: Asana/node | |
| path: node | |
| ref: ${{ inputs.BUILD_REF }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract Node Version | |
| id: extract-node-version | |
| run: | | |
| NODE_MAJOR_VERSION=$(grep '#define NODE_MAJOR_VERSION' node/src/node_version.h | awk '{print $3}') | |
| NODE_MINOR_VERSION=$(grep '#define NODE_MINOR_VERSION' node/src/node_version.h | awk '{print $3}') | |
| NODE_PATCH_VERSION=$(grep '#define NODE_PATCH_VERSION' node/src/node_version.h | awk '{print $3}') | |
| NODE_VERSION="v${NODE_MAJOR_VERSION}.${NODE_MINOR_VERSION}.${NODE_PATCH_VERSION}" | |
| echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_ENV | |
| - name: Set build metadata | |
| id: meta | |
| working-directory: node | |
| run: | | |
| TIMESTAMP=$(date -u +%Y-%m-%dT%H-%M) | |
| SHORT_SHA=$(git rev-parse --short HEAD) | |
| echo "BUILD_ID=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_ENV | |
| echo "build_id=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_OUTPUT | |
| - name: Install dependencies (Linux) | |
| if: matrix.platform == 'linux' | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y python3 g++ make curl tar xz-utils | |
| # - name: Configure OpenSSL for fips | |
| # id: openssl-is-fips | |
| # if: inputs.enableFips | |
| # run: | | |
| # ./configure --openssl-is-fips | |
| # - name: Dynamically link OpenSSL in Node.js | |
| # id: openssl-dynamic-link | |
| # if: inputs.dynamicLink | |
| # run: | | |
| # ./configure --shared-openssl | |
| # - name: Define headers for OpenSSL | |
| # id: openssl-dynamic-link-headers | |
| # if: ${{ !empty(inputs.sharedOpenSSLIncludes) }} | |
| # run: | | |
| # ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLIncludes}} | |
| # - name: alternative libname for openssl | |
| # id: openssl-dynamic-link-libname | |
| # if: ${{ !empty(inputs.sharedOpenSSLLibname) }} | |
| # run: | | |
| # ./configure --shared-openssl-libname ${{inputs.sharedOpenSSLLibname}} | |
| # - name: Define headers for OpenSSL | |
| # id: openssl-dynamic-link-libpath | |
| # if: ${{ !empty(inputs.sharedOpenSSLLibpath) }} | |
| # run: | | |
| # ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLLibpath}} | |
| # - name: Build Node (linux) | |
| # working-directory: node | |
| # if: matrix.platform == 'linux' | |
| # run: | | |
| # ./configure --experimental-enable-pointer-compression | |
| # make -j4 install DESTDIR=$GITHUB_WORKSPACE/node-install | |
| # - name: Build Node (darwin) | |
| # working-directory: node | |
| # if: matrix.platform == 'darwin' | |
| # run: | | |
| # ./configure --experimental-enable-pointer-compression --without-snapshot | |
| # make -j2 install DESTDIR=$GITHUB_WORKSPACE/node-install | |
| - name: Execute the Dockerfile | |
| working-directory: node | |
| run: | | |
| docker build -t node20_build -f ./${{inputs.DOCKER_FILE}} . --build-arg ENABLE_FIPS=true --build-arg DYNAMIC_LINK=true | |
| - name: Extract resources | |
| run: | | |
| docker create --name temp_node_extract node20_build | |
| docker cp temp_node_extract:/usr/src/node/node-install $GITHUB_WORKSPACE/node-install | |
| docker rm temp_node_extract | |
| - name: Archive Node | |
| run: | | |
| mkdir -p artifacts | |
| FILENAME=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }}.tar.xz | |
| FILENAME_LATEST=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST.tar.xz | |
| tar -C node-install -cJf artifacts/$FILENAME . | |
| cp artifacts/$FILENAME artifacts/$FILENAME_LATEST | |
| echo "NODE_ARCHIVE=$FILENAME" >> $GITHUB_ENV | |
| echo "NODE_ARCHIVE_LATEST=$FILENAME_LATEST" >> $GITHUB_ENV | |
| - name: Upload Node archive | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }} | |
| path: artifacts/${{ env.NODE_ARCHIVE }} | |
| - name: Upload Node archive latest | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST | |
| path: artifacts/${{ env.NODE_ARCHIVE_LATEST }} | |
| - name: Upload Node archive to release | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| name: node-${{ env.NODE_VERSION }}-fips-static-LATEST | |
| tag_name: node-${{ env.NODE_VERSION }}-fips-static-release | |
| files: ./artifacts/${{ env.NODE_ARCHIVE_LATEST }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |