This PR introduces support for building FIPS-compliant Go plugins and corrects the build tag configuration for all plugin types.

Files Changed Analysis

• .github/workflows/plugin-compiler-build.yml: Adds a new workflow step to build and publish a tykio/tyk-plugin-compiler-fips Docker image. This is the main change, enabling FIPS builds by setting GOFIPS140=v1.0.0 and BUILD_TAG=ee,fips.
• ci/images/plugin-compiler/data/build.sh: Simplifies and corrects the build command. It now ensures the goplugin build tag is always included, fixing a bug where it was omitted in EE/FIPS builds. The logic is now a single command: go build ... -tags=goplugin${BUILD_TAG:+,$BUILD_TAG}.
• ci/images/plugin-compiler/Dockerfile: The embedded Tyk Gateway test binary is now built with the correct build tags (goplugin plus any provided BUILD_TAG). This ensures the test binary can correctly load the plugins it's intended to validate. It also adds support for the GOFIPS140 build argument.
• Taskfile.yml: The version of the tykio/golang-cross base image is updated from 1.22 to 1.24 for local testing tasks.

Architecture & Impact Assessment

This PR enhances the Go plugin development toolchain for Tyk Gateway, with no direct changes to the gateway's core runtime. Its primary accomplishments are:

1. Introducing FIPS Support: Provides a dedicated Docker image for compiling Go plugins in a FIPS-compliant environment.
2. Fixing Build Tags: Corrects a flaw where the essential goplugin tag was missing from EE and FIPS plugin builds, which would cause them to fail to load.
3. Ensuring Consistency: The embedded test binary within the compiler image is now built with the same tags as the plugins, ensuring reliable local testing.

The main affected component is the CI/CD pipeline for the plugin compiler and the development environment for users creating custom Go plugins, particularly for Enterprise and FIPS deployments.

graph TD
    subgraph "Plugin Compiler Build Matrix"
        A[Build Trigger] --> B{Edition};
        B -- Standard --> C[Image: tyk-plugin-compiler<br/>Tags: goplugin];
        B -- Enterprise --> D[Image: tyk-plugin-compiler-ee<br/>Tags: goplugin,ee];
        B -- FIPS --> E[Image: tyk-plugin-compiler-fips<br/>Tags: goplugin,ee,fips<br/>Env: GOFIPS140=v1.0.0];
    end

Scope Discovery & Context Expansion

The changes are scoped to the plugin compilation tooling. The goplugin tag is critical for the Go toolchain to produce a shared object (.so) file that the Tyk Gateway can recognize and load. By fixing its omission in certain build configurations, this PR ensures that plugins built for any edition (Standard, EE, or FIPS) are correctly structured. The update to the embedded test binary is a necessary follow-up to ensure that the testing environment within the compiler image accurately reflects the target runtime environment.

Powered by Visor from Probelabs

Last updated: 2026-04-15T09:46:43.929Z | Triggered by: pr_opened | Commit: ec21214

💡 TIP: You can chat with Visor using /visor ask <your question>

API Changes

no api changes detected

Security Issues (2)

    GOBIN=/usr/local/bin go install -tags="goplugin${BUILD_TAG:+,$BUILD_TAG}" -trimpath .

CC=$CC CGO_ENABLED=1 GOOS=$GOOS GOARCH=$GOARCH go build -buildmode=plugin -trimpath -tags="goplugin${BUILD_TAG:+,$BUILD_TAG}" -o $plugin_name

Architecture Issues (1)

✅ Performance Check Passed

No performance issues found – changes LGTM.

Powered by Visor from Probelabs

Last updated: 2026-04-15T09:46:34.743Z | Triggered by: pr_opened | Commit: ec21214

💡 TIP: You can chat with Visor using /visor ask <your question>

🚨 Jira Linter Failed

Commit: ec21214
Failed at: 2026-04-21 10:11:29 UTC

The Jira linter failed to validate your PR. Please check the error details below:

failed to get Jira issue: failed to fetch Jira issue TT-16951: Issue does not exist or you do not have permission to see it.: request failed. Please analyze the request body for more details. Status code: 404

Next Steps

• Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
• Verify your PR title matches the branch's Jira ticket ID
• Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.