Skip to content

[ci] Run Go unit tests with GODEBUG=fips140=only #13926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mx-psi merged 10 commits into from
Jan 26, 2026
Merged

[ci] Run Go unit tests with GODEBUG=fips140=only #13926

mx-psi merged 10 commits into from
Jan 26, 2026

Conversation

@ycombinator
Copy link
Contributor

@ycombinator ycombinator commented Oct 3, 2025
edited
Loading

Description

This PR runs all Golang unit tests in this repository with the GODEBUG=fips140=only environment set. This is useful to detect any FIPS-140 violations of code covered by these unit tests.

To achieve the above, this PR introduces a new gotest-fips140-only target in Makefile and a corresponding test-fips140-only target in Makefile.Common.

Link to tracking issue

Relates to #13925

Testing

Documentation

@codecov
Copy link

codecov bot commented Oct 3, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.12%. Comparing base (a9aaa99) to head (e32b4fe).
⚠️ Report is 94 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #13926      +/-   ##
==========================================
- Coverage   92.13%   92.12%   -0.02%     
==========================================
  Files         668      668              
  Lines       41529    41529              
==========================================
- Hits        38263    38258       -5     
- Misses       2230     2233       +3     
- Partials     1036     1038       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ycombinator ycombinator changed the title Add Makefile targets for running unit tests with GODEBUG=fips140=only [chore] Add Makefile targets for running unit tests with GODEBUG=fips140=only Oct 3, 2025
@ycombinator
Copy link
Contributor Author

ycombinator commented Oct 3, 2025
edited
Loading

Running make gotest-fips140-only fails fast, so instead I'm running make test-fips140-only in each module, with Golang 1.25.0, like so:

$ go version
go version go1.25.0 linux/arm64

$ for m in $(find . -iname go.mod); do d=$(dirname $m); cd $d; make test-fips140-only; cd -; done

Ignoring passing and skipped tests, here are the failures:

=== Failed
=== FAIL: internal/builder TestVersioning/defaults (0.16s)
2025-10-09T23:03:01.172-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/otelcol-distribution2818115018"}
    main_test.go:220:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
        	Error:      	Target error should be in err chain:
        	            	expected: ""
        	            	in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"exit status 1"
        	Test:       	TestVersioning/defaults

=== FAIL: internal/builder TestVersioning/old_component_version (0.16s)
2025-10-09T23:03:01.341-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/otelcol-distribution2842198807"}
    main_test.go:220:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
        	Error:      	Target error should be in err chain:
        	            	expected: ""
        	            	in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"exit status 1"
        	Test:       	TestVersioning/old_component_version

=== FAIL: internal/builder TestVersioning/old_component_version_without_strict_mode (0.17s)
2025-10-09T23:03:01.503-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/otelcol-distribution1917550671"}
    main_test.go:220:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
        	Error:      	Target error should be in err chain:
        	            	expected: ""
        	            	in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"exit status 1"
        	Test:       	TestVersioning/old_component_version_without_strict_mode

=== FAIL: internal/builder TestVersioning (0.50s)

=== FAIL: internal/builder TestGenerateAndCompile/Default_Configuration_Compilation (0.19s)
2025-10-09T23:03:01.676-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:01.679-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileDefault_Configuration_Compilation252918051/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/Default_Configuration_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/LDFlags_Compilation (0.18s)
2025-10-09T23:03:01.863-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:01.867-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileLDFlags_Compilation3165267322/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/LDFlags_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/GCFlags_Compilation (0.18s)
2025-10-09T23:03:02.048-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.050-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileGCFlags_Compilation937123693/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/GCFlags_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/Build_Tags_Compilation (0.19s)
2025-10-09T23:03:02.226-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.230-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileBuild_Tags_Compilation452952742/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/Build_Tags_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/Debug_Compilation (0.19s)
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/Debug_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/No_providers (0.18s)
2025-10-09T23:03:02.604-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.607-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileNo_providers3344910177/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/No_providers

=== FAIL: internal/builder TestGenerateAndCompile/With_confmap_factories (0.18s)
2025-10-09T23:03:02.783-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.785-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileWith_confmap_factories465256339/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/With_confmap_factories

=== FAIL: internal/builder TestGenerateAndCompile/ConfResolverDefaultURIScheme_set (0.19s)
2025-10-09T23:03:02.967-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.971-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileConfResolverDefaultURIScheme_set2737885439/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/ConfResolverDefaultURIScheme_set

=== FAIL: internal/builder TestGenerateAndCompile (1.48s)

=== FAIL: internal/builder TestReplaceStatementsAreComplete (0.29s)
2025-10-09T23:03:03.275-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestReplaceStatementsAreComplete182791686/001"}
    main_test.go:420:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:420
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/maps@v0.1.2: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestReplaceStatementsAreComplete

DONE 39 tests, 14 failures in 2.484s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestHttpReception/TLS (2.01s)
    configgrpc_test.go:754:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
        	Error:      	Received unexpected error:
        	            	rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
        	Test:       	TestHttpReception/TLS

=== FAIL: . TestHttpReception/mTLS (2.03s)
    configgrpc_test.go:754:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
        	Error:      	Received unexpected error:
        	            	rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
        	Test:       	TestHttpReception/mTLS

=== FAIL: . TestHttpReception (10.08s)

DONE 73 tests, 3 failures in 10.121s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestHttpReception/TLS (0.00s)
    server_test.go:267:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:39113": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS

=== FAIL: . TestHttpReception/TLS_(HTTP/1.1) (0.00s)
    server_test.go:267:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:34695": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS_(HTTP/1.1)

=== FAIL: . TestHttpReception/mTLS (0.01s)
    server_test.go:267:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:42475": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/mTLS

=== FAIL: . TestHttpReception (0.02s)

DONE 159 tests, 4 failures in 0.160s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestTPM_loadCertificate (0.00s)
panic: crypto/cipher: use of CFB is not allowed in FIPS 140-only mode [recovered, repanicked]

goroutine 173 [running]:
testing.tRunner.func1.2({0x813860, 0x91ee50})
	/usr/local/go/src/testing/testing.go:1872 +0x2b4
testing.tRunner.func1()
	/usr/local/go/src/testing/testing.go:1875 +0x460
panic({0x813860?, 0x91ee50?})
	/usr/local/go/src/runtime/panic.go:783 +0x120
crypto/cipher.NewCFBEncrypter(...)
	/usr/local/go/src/crypto/cipher/cfb.go:65
github.com/google/go-tpm/tpm2.(*hmacSession).Encrypt(0xc000170300, {0xc00001a982, 0x4, 0x3e})
	/home/shaunak/go/pkg/mod/github.com/google/go-tpm@v0.9.6/tpm2/sessions.go:634 +0x36c
github.com/google/go-tpm/tpm2.cmdParameters[...]({0x922b28, 0xc0001b8380}, {0xc0002261a0, 0x2, 0x10})
	/home/shaunak/go/pkg/mod/github.com/google/go-tpm@v0.9.6/tpm2/reflect.go:882 +0x288
github.com/google/go-tpm/tpm2.execute[...]({0xffff95968420, 0xc00022c540}, {0x922b28, 0xc0001b8380}, 0xc0002f4120, {0xc00039eb38, 0x1, 0xc00039e801})
	/home/shaunak/go/pkg/mod/github.com/google/go-tpm@v0.9.6/tpm2/reflect.go:49 +0x318
github.com/google/go-tpm/tpm2.Create.Execute({{0x922790, 0xc00038a930}, {0x0}, {0xc000590fc0, {0x0, 0x0, 0x0}}, {{}, {0x0, 0x0, ...}}, ...}, ...)
	/home/shaunak/go/pkg/mod/github.com/google/go-tpm@v0.9.6/tpm2/tpm2.go:193 +0xd0
github.com/foxboron/go-tpm-keyfiles.createKeyWithHandle(0xc00039ec40, {0x80000000, {{}, {0xc00051e7e0, 0x22, 0x22}}, {0x925a58, 0xc0000d73c8}}, 0x23, 0x100, ...)
	/home/shaunak/go/pkg/mod/github.com/foxboron/go-tpm-keyfiles@v0.0.0-20250903184740-5d135037bd4d/tpm.go:575 +0xa3c
github.com/foxboron/go-tpm-keyfiles.NewLoadableKeyWithResponse({0x922ba0, 0xc00022c540}, 0x23, 0x100, {0x1b55ea0, 0x0, 0x0}, {0x0, 0x0, 0x0})
	/home/shaunak/go/pkg/mod/github.com/foxboron/go-tpm-keyfiles@v0.0.0-20250903184740-5d135037bd4d/loadablekey.go:31 +0x19c
github.com/foxboron/go-tpm-keyfiles.NewLoadableKey(...)
	/home/shaunak/go/pkg/mod/github.com/foxboron/go-tpm-keyfiles@v0.0.0-20250903184740-5d135037bd4d/loadablekey.go:15
go.opentelemetry.io/collector/config/configtls.createTPMKeyCert(0xc0002fb880, {0x922ba0, 0xc00022c540})
	/home/shaunak/development/github/opentelemetry-collector/config/configtls/tpm_test.go:191 +0x68
go.opentelemetry.io/collector/config/configtls.TestTPM_loadCertificate(0xc0002fb880)
	/home/shaunak/development/github/opentelemetry-collector/config/configtls/tpm_test.go:41 +0xf4
testing.tRunner(0xc0002fb880, 0x8ae980)
	/usr/local/go/src/testing/testing.go:1934 +0x168
created by testing.(*T).Run in goroutine 1
	/usr/local/go/src/testing/testing.go:1997 +0x6e4

DONE 119 tests, 1 failure in 0.135s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== FAIL: provider/internal/configurablehttpprovider TestFunctionalityDownloadFileHTTPS (0.02s)
panic: crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode [recovered, repanicked]

goroutine 4 [running]:
testing.tRunner.func1.2({0x1048c0a20, 0x1049564c0})
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1872 +0x2b4
testing.tRunner.func1()
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1875 +0x460
panic({0x1048c0a20?, 0x1049564c0?})
	/Users/shaunak/.gvm/gos/go1.25.1/src/runtime/panic.go:783 +0x120
crypto/sha1.Sum({0xc0002d0240, 0x10e, 0x10e})
	/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/sha1/sha1.go:278 +0x154
crypto/x509.CreateCertificate({0x104958b20, 0xc00011c250}, 0xc0002c2e58, 0xc0002c2e58, {0x1048e2160, 0xc000280230}, {0x104925f00, 0xc000280230})
	/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/x509/x509.go:1738 +0x5a4
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.generateCertificate(0xc000005180, {0x1047c868d, 0x9})
	/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:81 +0x510
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.TestFunctionalityDownloadFileHTTPS(0xc000005180)
	/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:126 +0x40
testing.tRunner(0xc000005180, 0x1049535d0)
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1934 +0x168
created by testing.(*T).Run in goroutine 1
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1997 +0x6e4

DONE 243 tests, 1 skipped, 1 failure in 3.058s
...
=== Failed
=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
    otlp_test.go:461:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:461
        	Error:      	Condition never satisfied
        	Test:       	TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme

=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme (10.02s)

=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
    otlp_test.go:1034:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:1034
        	Error:      	Condition never satisfied
        	Test:       	TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme

=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme (10.03s)

DONE 62 tests, 4 failures in 28.041s
...

@atoulme
Copy link
Contributor

atoulme commented Oct 3, 2025

I think you can just set GODEBUG as an env var before running make.

GODEBUG=fips140=only make test

Please feel free to open issues for each test occurrence failing, and request fips140-3 be considered for support.

@ycombinator
Copy link
Contributor Author

ycombinator commented Oct 4, 2025
edited
Loading

Thanks @atoulme, I'll run the Go unit tests as you suggested.

The goal would be to eventually run these unit tests with GODEBUG=fips140=only in CI so we can detect any regressions once all the test failures are addressed. I'll amend this PR accordingly and file separate issues for each failing test. Once those issues are resolved, we can return to this PR, rebasing it on main, and making sure it passes CI.

@ycombinator ycombinator changed the title [chore] Add Makefile targets for running unit tests with GODEBUG=fips140=only [chore] Run Go unit tests with GODEBUG=fips140=only Oct 4, 2025
@ycombinator ycombinator changed the title [chore] Run Go unit tests with GODEBUG=fips140=only [ci] Run Go unit tests with GODEBUG=fips140=only Oct 4, 2025
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch 2 times, most recently from d9eb679 to b269e9d Compare October 10, 2025 05:57
This was referenced Oct 10, 2025
Open
Closed
Closed
Closed
Closed
Closed
@ycombinator
Copy link
Contributor Author

ycombinator commented Oct 10, 2025

Please feel free to open issues for each test occurrence failing, and request fips140-3 be considered for support.

This was referenced Oct 20, 2025
Merged
Merged
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from b269e9d to 063717e Compare October 24, 2025 18:24
@ycombinator ycombinator mentioned this pull request Oct 24, 2025
Merged
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from 4fbf367 to c4a20ca Compare October 24, 2025 23:08
github-merge-queue bot pushed a commit that referenced this pull request Nov 3, 2025
@ycombinator
[fips140][cmd/builder] Unit tests: Add GODEBUG=tlsmklem=0 if `GOD…
82f2534 
…EBUG=fips140=only` is set (#14068)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

When
#13926 is
merged, all unit tests in this repository will be run with
`GODEBUG=fips140=only` to help surface any FIPS-140 violations in all
the Go modules in this repository.

The `cmd/builder` module is not used when _running_ the OpenTelemetry
Collector. It is a tool used to _build_ OpenTelemetry Collector
distributions. As such, strictly speaking, we do not need to worry about
FIPS-140 violations in this module.

However, since unit tests for _all_ modules will be run with
`GODEBUG=fips140=only`, it is convenient to address any FIPS-140
violations in this module as well.

The module is responsible for building OpenTelemetry Collector
distributions from a configuration file. The configuration file lists Go
modules which are then downloaded in order to compile the distribution.
During the download, if `GODEBUG=fips140=only` is set, the following
error will be thrown:

```
crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
```

To suppress this error, we append `tlsmklem=0` to the `GODEBUG`
environment variable. This is OK to do because a) we are only doing this
from unit test code, not the module's code itself and b) as mentioned
above, this particular module is not involved in the running of the
OpenTelemetry Collector itself, i.e. we are not suppressing a legitimate
FIPS violation in OpenTelemetry Collector code.

<!-- Issue number if applicable -->
#### Link to tracking issue
Fixes #13997

<!--Describe what testing was performed and which tests were added.-->
#### Testing

Run the existing unit tests in the `cmd/builder` module with Go >=
1.24.6 and `GODEBUG=fips140=only`.

```
cd cmd/builder
GODEBUG=fips140=only go test -v ./... -count 1
```
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from c4a20ca to fd1a96e Compare November 3, 2025 22:41
github-merge-queue bot pushed a commit that referenced this pull request Nov 10, 2025
@ycombinator
[fips140][`configurablehttpprovider.TestFunctionalityDownloadFileHTTP…
c08dbf5 
…S`] Skip test if `GODEBUG=fips140=only` is set (#14076)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

When
#13926 is
merged, all unit tests in this repository will be run with
`GODEBUG=fips140=only` to help surface any FIPS-140 violations in all
the Go modules in this repository.

One such unit test that fails in these circumstances is
`confmap/provider/internal/configurablehttpprovider.TestFunctionalityDownloadFileHTTPS`.
However, the FIPS violation surfaced by this test is from the test code
itself (as opposed to from OpenTelemetry Collector core code that the
test is exercising), specifically when this call is made:
https://github.com/open-telemetry/opentelemetry-collector/blob/0f3b0c974e235da85282c6d6ff5734e55e8f4fbc/confmap/provider/internal/configurablehttpprovider/provider_test.go#L81

As such, this is not a FIPS violation we need to worry about when
running the OpenTelemetry Collector. To prevent the unit test from
failing when it's run with `GODEBUG=fips140=only`, we skip it.

<!-- Issue number if applicable -->
#### Link to tracking issue
Fixes #13998

<!--Describe what testing was performed and which tests were added.-->
#### Testing

Run the `configurablehttpprovider.TestFunctionalityDownloadFileHTTPS`
unit test with `GODEBUG=fips140=only`.
   ```
   $ cd confmap/
$ GODEBUG=fips140=only go test
./provider/internal/configurablehttpprovider/... -test.v -test.run
TestFunctionalityDownloadFileHTTPS -count 1
   ```
@github-actions
Copy link
Contributor

github-actions bot commented Nov 18, 2025

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added Stale and removed Stale labels Nov 18, 2025
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from fd1a96e to 68db426 Compare November 25, 2025 22:30
@codspeed-hq
Copy link

codspeed-hq bot commented Nov 25, 2025
edited
Loading

CodSpeed Performance Report

Merging this PR will not alter performance

Comparing ycombinator:unit-tests-fips140-only (e32b4fe) with main (a9aaa99)

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

Summary

✅ 56 untouched benchmarks
⏩ 20 skipped benchmarks1

Footnotes

  1. 20 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@ycombinator ycombinator mentioned this pull request Nov 26, 2025
Merged
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from 39a20b3 to a72a473 Compare December 12, 2025 15:01
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from a72a473 to fe1fab2 Compare December 23, 2025 05:19
@ycombinator ycombinator marked this pull request as ready for review December 23, 2025 05:56
@ycombinator ycombinator requested a review from a team as a code owner December 23, 2025 05:56
@github-actions github-actions bot added the release:risky-change This change may affect the release label Dec 23, 2025
@TylerHelmuth TylerHelmuth added the Skip Changelog PRs that do not require a CHANGELOG.md entry label Dec 23, 2025
TylerHelmuth
TylerHelmuth reviewed Dec 23, 2025
View reviewed changes
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from fe1fab2 to e32b4fe Compare December 29, 2025 04:37
TylerHelmuth
TylerHelmuth reviewed Jan 5, 2026
View reviewed changes
@ycombinator
Copy link
Contributor Author

ycombinator commented Jan 21, 2026

Hi @TylerHelmuth, thanks for reviewing this PR. Do any additional labels need to be added for it to be considered for merging? Thanks again.

@dmathieu dmathieu added the ready-to-merge Code review completed; ready to merge by maintainers label Jan 22, 2026
@mx-psi mx-psi added this pull request to the merge queue Jan 26, 2026
Merged via the queue into open-telemetry:main with commit 5a205e5 Jan 26, 2026
81 checks passed
@ycombinator ycombinator deleted the unit-tests-fips140-only branch January 27, 2026 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmathieu dmathieu dmathieu approved these changes

@TylerHelmuth TylerHelmuth TylerHelmuth approved these changes

Assignees

No one assigned

Labels

ready-to-merge Code review completed; ready to merge by maintainers release:risky-change This change may affect the release Skip Changelog PRs that do not require a CHANGELOG.md entry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ycombinator @atoulme @dmathieu @TylerHelmuth @mx-psi