feat(ci): FIPS base image for FIPS Docker builds + Go 1.25 (#963)

* feat(ci): FIPS base image for FIPS Docker builds + Go 1.25

Regenerated CI files from gromit policy (gromit#444).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(ci): FIPS base image for FIPS Docker builds + Go 1.25

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: buger

.github/workflows/release.yml

@@ -22,10 +22,6 @@ on:
       - release-**
     tags:
       - 'v*'
-
-permissions:
-  contents: read
-
 env:
   GOPRIVATE: github.com/TykTechnologies
   VARIATION: prod-variation
@@ -34,10 +30,17 @@ env:
   # startsWith covers pull_request_target too
   BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}
 jobs:
+  dep-guard:
+    if: github.event_name == 'pull_request'
+    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@d3fa20888fa2878e877e22bb7702141217290e7c # main
+    permissions:
+      contents: read
   goreleaser:
+    needs:
+      - dep-guard
     if: github.event.pull_request.draft == false
     name: '${{ matrix.golang_cross }}'
-    runs-on: warp-ubuntu-latest-x64-4x
+    runs-on: ${{ vars.DEFAULT_RUNNER }}
     permissions:
       id-token: write # AWS OIDC JWT
       contents: read # actions/checkout
@@ -71,8 +74,8 @@ jobs:
           echo "branch=${HEAD_REF##*/}" >> $GITHUB_OUTPUT
       - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
       - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+      - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3
       - name: Login to DockerHub
-        if: startsWith(github.ref, 'refs/tags')
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -84,6 +87,18 @@ jobs:
           registry: docker.tyk.io
           username: ${{ secrets.CLOUDSMITH_USERNAME }}
           password: ${{ secrets.CLOUDSMITH_API_KEY }}
+      - uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
+        with:
+          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
+          role-session-name: cipush
+          aws-region: eu-central-1
+          # Don't mask to pass it across job boundaries
+          mask-aws-account-id: false
+      - uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2
+        id: ecr
+        if: ${{ matrix.golang_cross == '1.25-bookworm' }}
+        with:
+          mask-password: 'true'
       - uses: WarpBuilds/cache@f643a1ba29942d56621d07fc2d4284c7219868ad # v1
         with:
           path: |
@@ -104,7 +119,6 @@ jobs:
           git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk-pump
           goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh
           chmod +x /tmp/build.sh
-          mkdir -p ~/.docker && echo "{}" > ~/.docker/config.json
           docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
           -e GOPRIVATE=github.com/TykTechnologies                                \
           -e DEBVERS='${{ matrix.debvers }}'                               \
@@ -124,18 +138,6 @@ jobs:
           -v /tmp/build.sh:/tmp/build.sh                                         \
           -w /go/src/github.com/TykTechnologies/tyk-pump                      \
           tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh
-      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
-        with:
-          role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
-          role-session-name: cipush
-          aws-region: eu-central-1
-          # Don't mask to pass it across job boundaries
-          mask-aws-account-id: false
-      - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
-        id: ecr
-        if: ${{ matrix.golang_cross == '1.25-bookworm' }}
-        with:
-          mask-password: 'true'
       - name: Docker metadata for fips CI
         id: ci_metadata_fips
         if: ${{ matrix.golang_cross == '1.25-bookworm' }}
@@ -168,6 +170,7 @@ jobs:
           labels: ${{ steps.ci_metadata_fips.outputs.labels }}
           build-args: |
             BUILD_PACKAGE_NAME=tyk-pump-fips
+            BASE_IMAGE=tykio/dhi-busybox:1.37-fips
       - name: Docker metadata for fips tag push
         id: tag_metadata_fips
         uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
@@ -182,7 +185,7 @@ jobs:
             type=semver,pattern={{version}}
           labels: |
             org.opencontainers.image.title=Tyk Analytics Pump FIPS
-            org.opencontainers.image.description=Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). This version is compiled with boringssl.
+            org.opencontainers.image.description=Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). Built with FIPS 140-3 compliant cryptography.
             org.opencontainers.image.vendor=tyk.io
             org.opencontainers.image.version=${{ github.ref_name }}
       - name: push fips image to prod
@@ -201,6 +204,19 @@ jobs:
           labels: ${{ steps.tag_metadata_fips.outputs.labels }}
           build-args: |
             BUILD_PACKAGE_NAME=tyk-pump-fips
+            BASE_IMAGE=tykio/dhi-busybox:1.37-fips
+      - name: Attach base image VEX to fips
+        if: ${{ matrix.golang_cross == '1.25-bookworm' && startsWith(github.ref, 'refs/tags') }}
+        run: |
+          # Install Docker Scout CLI
+          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/v1.20.4/install.sh -o /tmp/scout-install.sh && sh /tmp/scout-install.sh 2>/dev/null
+          # Extract VEX from the DHI base image
+          docker scout vex get --org tykio -o /tmp/fips-vex.json tykio/dhi-busybox:1.37-fips || true
+          if [ -f /tmp/fips-vex.json ]; then
+            cosign attest --yes --type openvex \
+              --predicate /tmp/fips-vex.json \
+              tykio/tyk-pump-fips:${{ github.ref_name }} || true
+          fi
       - name: Docker metadata for std CI
         id: ci_metadata_std
         if: ${{ matrix.golang_cross == '1.25-bookworm' }}
@@ -222,7 +238,7 @@ jobs:
         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: "dist"
-          platforms: linux/amd64,linux/arm64,linux/s390x
+          platforms: linux/amd64,linux/arm64
           file: ci/Dockerfile.distroless
           provenance: mode=max
           sbom: true
@@ -256,7 +272,7 @@ jobs:
         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: "dist"
-          platforms: linux/amd64,linux/arm64,linux/s390x
+          platforms: linux/amd64,linux/arm64
           file: ci/Dockerfile.distroless
           provenance: mode=max
           sbom: true
@@ -291,14 +307,14 @@ jobs:
     if: github.event.pull_request.draft == false
     needs:
       - goreleaser
-    runs-on: warp-ubuntu-latest-x64-2x
+    runs-on: ${{ vars.DEFAULT_RUNNER }}
     outputs:
       envfiles: ${{ steps.params.outputs.envfiles }}
       pump: ${{ steps.params.outputs.pump }}
       sink: ${{ steps.params.outputs.sink }}
     steps:
       - name: Set test parameters
-        uses: TykTechnologies/github-actions/.github/actions/tests/test-controller@d3fa20888fa2878e877e22bb7702141217290e7c # main
+        uses: TykTechnologies/github-actions/.github/actions/tests/test-controller@42304edda365365e0a887cf018d8edc34b960b82 # main
         id: params
         with:
           variation: ${{ env.VARIATION }}
@@ -308,7 +324,7 @@ jobs:
     needs:
       - test-controller-api
       - goreleaser
-    runs-on: warp-ubuntu-latest-x64-4x
+    runs-on: ${{ vars.DEFAULT_RUNNER }}
     env:
       XUNIT_REPORT_PATH: ${{ github.workspace}}/test-results.xml
     permissions:
@@ -320,13 +336,13 @@ jobs:
         envfiles: ${{ fromJson(needs.test-controller-api.outputs.envfiles) }}
         sink: ${{ fromJson(needs.test-controller-api.outputs.sink) }}
     steps:
-      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
+      - uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
         with:
           role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
           role-session-name: cipush
           aws-region: eu-central-1
       - id: ecr
-        uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
+        uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2
         with:
           mask-password: 'true'
       - name: Setup tmate session only in debug mode
@@ -338,11 +354,11 @@ jobs:
           # Only ${{ github.actor }} has access
           # See https://github.com/mxschmitt/action-tmate#use-registered-public-ssh-keys
       - name: Fetch environment from tyk-pro
-        uses: TykTechnologies/github-actions/.github/actions/tests/checkout-tyk-pro@d3fa20888fa2878e877e22bb7702141217290e7c # main
+        uses: TykTechnologies/github-actions/.github/actions/tests/checkout-tyk-pro@42304edda365365e0a887cf018d8edc34b960b82 # main
         with:
           org_gh_token: ${{ github.token }}
       - name: Set up test environment
-        uses: TykTechnologies/github-actions/.github/actions/tests/env-up@d3fa20888fa2878e877e22bb7702141217290e7c # main
+        uses: TykTechnologies/github-actions/.github/actions/tests/env-up@42304edda365365e0a887cf018d8edc34b960b82 # main
         timeout-minutes: 5
         id: env_up
         with:
@@ -352,25 +368,25 @@ jobs:
           TYK_DB_LICENSEKEY: ${{ secrets.DASH_LICENSE }}
           TYK_MDCB_LICENSE: ${{ secrets.MDCB_LICENSE }}
       - name: Choose test code branch
-        uses: TykTechnologies/github-actions/.github/actions/tests/choose-test-branch@d3fa20888fa2878e877e22bb7702141217290e7c # main
+        uses: TykTechnologies/github-actions/.github/actions/tests/choose-test-branch@42304edda365365e0a887cf018d8edc34b960b82 # main
         with:
           test_folder: api
           org_gh_token: ${{ secrets.ORG_GH_TOKEN }}
       - name: Run API tests
-        uses: TykTechnologies/github-actions/.github/actions/tests/api-tests@d3fa20888fa2878e877e22bb7702141217290e7c # main
+        uses: TykTechnologies/github-actions/.github/actions/tests/api-tests@42304edda365365e0a887cf018d8edc34b960b82 # main
         timeout-minutes: 30
         id: test_execution
         with:
           user_api_secret: ${{ steps.env_up.outputs.USER_API_SECRET }}
       - name: Generate test reports and collect logs
-        uses: TykTechnologies/github-actions/.github/actions/tests/reporting@d3fa20888fa2878e877e22bb7702141217290e7c # main
+        uses: TykTechnologies/github-actions/.github/actions/tests/reporting@42304edda365365e0a887cf018d8edc34b960b82 # main
         if: always() && (steps.test_execution.conclusion != 'skipped')
         with:
           report_xml: 'true'
           execution_status: ${{ steps.test_execution.outcome }}
   aggregator-ci-test:
     name: Aggregated CI Status
-    runs-on: warp-ubuntu-latest-x64-2x
+    runs-on: ${{ vars.DEFAULT_RUNNER }}
     # Dynamically determine which jobs to depend on based on repository configuration
     needs: [goreleaser, api-tests]
     if: ${{ always() && github.event_name == 'pull_request' }}
@@ -393,16 +409,16 @@ jobs:
           if (( ${#failed[@]} )); then
             # Join the failed job names with commas
             failed_jobs=$(IFS=", "; echo "${failed[*]}")
-            echo "Failed jobs ----- : $failed_jobs"
+            echo "❌ Failed jobs ----- : $failed_jobs"
             exit 1
           fi
 
-          echo "All required jobs succeeded"
+          echo "✅ All required jobs succeeded"
   test-controller-distros:
     if: github.event.pull_request.draft == false
     needs:
       - goreleaser
-    runs-on: warp-ubuntu-latest-x64-2x
+    runs-on: ${{ vars.DEFAULT_RUNNER }}
     outputs:
       deb: ${{ steps.params.outputs.deb }}
       rpm: ${{ steps.params.outputs.rpm }}
@@ -415,7 +431,6 @@ jobs:
           BASE_REF: ${{startsWith(github.event_name, 'pull_request') && github.base_ref || github.ref_name}}
         run: |
           set -eo pipefail
-          # WARNING: curl piped to shell - consider downloading and verifying before executing
           curl -s --retry 5 --retry-delay 10 --fail-with-body "http://tui.internal.dev.tyk.technology/v2/$VARIATION/tyk-pump/$BASE_REF/${{ github.event_name}}/api/Distros.gho" | tee -a "$GITHUB_OUTPUT"
           if ! [[ $VARIATION =~ prod ]];then
             echo "::warning file=.github/workflows/release.yml,line=24,col=1,endColumn=8::Using test variation"
@@ -424,7 +439,7 @@ jobs:
     services:
       httpbin.org:
         image: kennethreitz/httpbin
-    runs-on: warp-ubuntu-latest-x64-2x
+    runs-on: ${{ vars.DEFAULT_RUNNER }}
     needs:
       - test-controller-distros
     strategy:
@@ -450,7 +465,8 @@ jobs:
           ARG TARGETARCH
           COPY tyk-pump*_${TARGETARCH}.deb /tyk-pump.deb
           RUN apt-get update && apt-get install -y curl
-          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.deb.sh | bash || echo "Repository setup failed, but continuing" # WARNING: curl piped to shell - pinning not possible for packagecloud install script
+          # TODO(security): curl|bash - consider fetching script and verifying checksum before execution
+          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.deb.sh | bash || echo "Repository setup failed, but continuing" # SECURITY: accepted risk, see TODO above
           RUN apt-get install -y tyk-pump=1.6.0 || echo "Previous version not found, testing fresh install"
           RUN dpkg -i /tyk-pump.deb
 
@@ -470,7 +486,7 @@ jobs:
     services:
       httpbin.org:
         image: kennethreitz/httpbin
-    runs-on: warp-ubuntu-latest-x64-2x
+    runs-on: ${{ vars.DEFAULT_RUNNER }}
     needs:
       - test-controller-distros
     strategy:
@@ -497,7 +513,8 @@ jobs:
           COPY tyk-pump*.${RHELARCH}.rpm /tyk-pump.rpm
           RUN command -v curl || yum install -y curl
           RUN command -v useradd || yum install -y shadow-utils
-          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.rpm.sh | bash || echo "Repository setup failed, but continuing" # WARNING: curl piped to shell - pinning not possible for packagecloud install script
+          # TODO(security): curl|bash - consider fetching script and verifying checksum before execution
+          RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.rpm.sh | bash || echo "Repository setup failed, but continuing" # SECURITY: accepted risk, see TODO above
           RUN yum install -y tyk-pump-1.6.0-1 || echo "Previous version not found, testing fresh install"
           RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-pump.key && rpm --import tyk-pump.key
           RUN rpm --checksig /tyk-pump.rpm
@@ -514,4 +531,4 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           file: Dockerfile
-          push: false
+          push: false

ci/Dockerfile.distroless

@@ -1,5 +1,7 @@
 # Generated by: gromit policy
 
+ARG BASE_IMAGE=gcr.io/distroless/static-debian13:nonroot
+
 FROM debian:trixie-slim AS deb
 ARG TARGETARCH
 ARG BUILD_PACKAGE_NAME
@@ -10,7 +12,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
 RUN dpkg -i /${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb && rm /*.deb
 
-FROM gcr.io/distroless/static-debian12:nonroot
+FROM ${BASE_IMAGE}
 
 COPY --from=deb /opt/tyk-pump /opt/tyk-pump
 

ci/Dockerfile.std

@@ -1,6 +1,6 @@
 # Generated by: gromit policy
 
-FROM debian:trixie-slim@sha256:edc9450a9fe37d30b508808052f8d0564e3ed9eaf565e043c6f5632957f7381e
+FROM debian:trixie-slim
 ARG TARGETARCH
 ARG BUILD_PACKAGE_NAME
 

ci/goreleaser/goreleaser.yml

@@ -8,10 +8,10 @@ version: 2
 builds:
   - id: fips-amd64
     flags:
-      - -tags=fips,boringcrypto
+      - -tags=fips
     env:
       - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
-      - GOEXPERIMENT=boringcrypto
+      - GOFIPS140=v1.0.0
     ldflags:
       - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
       - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
@@ -24,10 +24,10 @@ builds:
     binary: tyk-pump
   - id: fips-arm64
     flags:
-      - -tags=fips,boringcrypto
+      - -tags=fips
     env:
       - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
-      - GOEXPERIMENT=boringcrypto
+      - GOFIPS140=v1.0.0
     ldflags:
       - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
       - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
@@ -38,6 +38,22 @@ builds:
     goarch:
       - arm64
     binary: tyk-pump
+  - id: fips-s390x
+    flags:
+      - -tags=fips
+    env:
+      - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
+      - GOFIPS140=v1.0.0
+    ldflags:
+      - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
+    goos:
+      - linux
+    goarch:
+      - s390x
+    binary: tyk-pump
   - id: std-amd64
     env:
       - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
@@ -82,12 +98,13 @@ nfpms:
     vendor: "Tyk Technologies Ltd"
     homepage: "https://tyk.io"
     maintainer: "Tyk <info@tyk.io>"
-    description: Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). This version is compiled with boringssl.
+    description: Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). Built with FIPS 140-3 compliant cryptography.
     package_name: tyk-pump-fips
     file_name_template: "{{ .ConventionalFileName }}"
     ids:
       - fips-amd64
       - fips-arm64
+      - fips-s390x
     formats:
       - deb
       - rpm