From 480b965362a6478f8805d72c2be57a6b424604d5 Mon Sep 17 00:00:00 2001
From: Gerard Ryan
Date: Mon, 20 Apr 2026 23:40:55 +0100
Subject: [PATCH] Build binaries in FIPS compliant manner

JIRA: https://redhat.atlassian.net/browse/RHOAIENG-58628
---
 Dockerfile.konflux | 2 +-
 Makefile | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Dockerfile.konflux b/Dockerfile.konflux
index 254b6d75..671c9caa 100644
--- a/Dockerfile.konflux
+++ b/Dockerfile.konflux
@@ -45,7 +45,7 @@ USER root
 COPY ./yq .
-RUN CGO_ENABLED=0 go build -ldflags "-s -w" .
+RUN CGO_ENABLED=1 GOEXPERIMENT=strictfipsruntime go build -tags strictfipsruntime -ldflags "-s -w" .
 # Runtime stage
 FROM registry.redhat.io/openshift4/ose-cli-rhel9:v4.21.0
diff --git a/Makefile b/Makefile
index 0c899f08..be299c14 100644
--- a/Makefile
+++ b/Makefile
@@ -40,8 +40,8 @@ SHELL = /usr/bin/env bash -o pipefail
 # Build the binary
 .PHONY: build
 build:
- CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) \
- go build -ldflags "$(LDFLAGS)" -o $(BINARY_NAME) cmd/main.go
+ CGO_ENABLED=1 GOEXPERIMENT=strictfipsruntime GOOS=$(GOOS) GOARCH=$(GOARCH) \
+ go build -tags strictfipsruntime -ldflags "$(LDFLAGS)" -o $(BINARY_NAME) cmd/main.go
 # Run the doctor command
 .PHONY: run
@@ -134,4 +134,4 @@ help:
 @echo " vulncheck - Run vulnerability scanner"
 @echo " check - Run all checks (lint)"
 @echo " test - Run tests"
- @echo " help - Show this help message"
\ No newline at end of file
+ @echo " help - Show this help message"
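Review bot: In Dockerfile.konflux, nothing after the new `RUN CGO_ENABLED=1 GOEXPERIMENT=strictfipsruntime go build ...` line verifies that the produced binary really carries the FIPS build settings, so a later edit to the flags or to the builder image could ship a non-FIPS binary unnoticed. The build stage's base image is outside this hunk, so I cannot confirm that it provides the Red Hat Go toolset and a C compiler. I would follow the build with a step that runs `go version -m` on the built binary and fails unless it reports `CGO_ENABLED=1` and `-tags=strictfipsruntime`. Because the binary is now cgo-linked rather than static, also confirm that the `ose-cli-rhel9` runtime stage ships the OpenSSL libcrypto it is expected to load. The Makefile `build` target has the same verification gap.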
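Review bot: The Makefile `build` recipe now combines `CGO_ENABLED=1` with `GOOS=$(GOOS) GOARCH=$(GOARCH)`, and neither the toolchain requirement nor the cross-compilation consequence is documented next to it. With cgo on, building for a GOOS/GOARCH other than the host needs a matching C cross-compiler, and upstream Go rejects `GOEXPERIMENT=strictfipsruntime` as an unknown experiment, so the target presumably only works with the Red Hat (golang-fips) Go toolset. I would extend the comment above the target to `# Build the binary (FIPS: requires the Red Hat Go toolset and a C toolchain for $(GOOS)/$(GOARCH))`. If the `help` text further down describes `build`, it should say the same; that part is outside this hunk.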