forked from nodejs/node
-
Notifications
You must be signed in to change notification settings - Fork 1
173 lines (152 loc) Β· 6.23 KB
/
build-node-openssl-fips.yml
File metadata and controls
173 lines (152 loc) Β· 6.23 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
name: Build Node with options around OpenSSL dynamic linking and FIPS
on:
workflow_dispatch:
inputs:
enableFips:
description: 'Whether OpenSSL should be FIPS-enabled'
default: true
type: boolean
dynamicLink:
description: 'If OpenSSL should be dynamically linked with node (rather than statically linked)'
default: false
type: boolean
sharedOpenSSLIncludes:
description: 'dir containing header files for OpenSSL'
default: ''
type: string
sharedOpenSSLLibname:
description: 'libname for dynamically linking to OpenSSL'
default: ''
type: string
sharedOpenSSLLibpath:
description: 'dir for searching for shared OpenSSL dlls'
default: ''
type: string
BUILD_REF:
description: 'ref to build'
required: true
default: 'main'
type: string
DOCKER_FILE:
description: 'Dockerfile to use for building Node.js'
required: true
default: 'Dockerfile.Node20fips'
type: string
jobs:
build-node:
name: Build ${{ matrix.platform }}-${{ matrix.arch }} with statically-linked FIPS OpenSSL
strategy:
matrix:
include:
- platform: linux
arch: x64
runs_on: ubuntu-22.04
- platform: linux
arch: arm64
runs_on: ubuntu-22.04-arm
runs-on: ${{ matrix.runs_on }}
env:
S3_BUCKET: your-bucket-name
AWS_REGION: us-east-1
steps:
- name: Checkout Node fork
uses: actions/checkout@v3
with:
repository: Asana/node
path: node
ref: ${{ inputs.BUILD_REF }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Node Version
id: extract-node-version
run: |
NODE_MAJOR_VERSION=$(grep '#define NODE_MAJOR_VERSION' node/src/node_version.h | awk '{print $3}')
NODE_MINOR_VERSION=$(grep '#define NODE_MINOR_VERSION' node/src/node_version.h | awk '{print $3}')
NODE_PATCH_VERSION=$(grep '#define NODE_PATCH_VERSION' node/src/node_version.h | awk '{print $3}')
NODE_VERSION="v${NODE_MAJOR_VERSION}.${NODE_MINOR_VERSION}.${NODE_PATCH_VERSION}"
echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_ENV
- name: Set build metadata
id: meta
working-directory: node
run: |
TIMESTAMP=$(date -u +%Y-%m-%dT%H-%M)
SHORT_SHA=$(git rev-parse --short HEAD)
echo "BUILD_ID=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_ENV
echo "build_id=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_OUTPUT
- name: Install dependencies (Linux)
if: matrix.platform == 'linux'
run: |
sudo apt-get update
sudo apt-get install -y python3 g++ make curl tar xz-utils
# - name: Configure OpenSSL for fips
# id: openssl-is-fips
# if: inputs.enableFips
# run: |
# ./configure --openssl-is-fips
# - name: Dynamically link OpenSSL in Node.js
# id: openssl-dynamic-link
# if: inputs.dynamicLink
# run: |
# ./configure --shared-openssl
# - name: Define headers for OpenSSL
# id: openssl-dynamic-link-headers
# if: ${{ !empty(inputs.sharedOpenSSLIncludes) }}
# run: |
# ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLIncludes}}
# - name: alternative libname for openssl
# id: openssl-dynamic-link-libname
# if: ${{ !empty(inputs.sharedOpenSSLLibname) }}
# run: |
# ./configure --shared-openssl-libname ${{inputs.sharedOpenSSLLibname}}
# - name: Define headers for OpenSSL
# id: openssl-dynamic-link-libpath
# if: ${{ !empty(inputs.sharedOpenSSLLibpath) }}
# run: |
# ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLLibpath}}
# - name: Build Node (linux)
# working-directory: node
# if: matrix.platform == 'linux'
# run: |
# ./configure --experimental-enable-pointer-compression
# make -j4 install DESTDIR=$GITHUB_WORKSPACE/node-install
# - name: Build Node (darwin)
# working-directory: node
# if: matrix.platform == 'darwin'
# run: |
# ./configure --experimental-enable-pointer-compression --without-snapshot
# make -j2 install DESTDIR=$GITHUB_WORKSPACE/node-install
- name: Execute the Dockerfile
working-directory: node
run: |
docker build -t node20_build -f ./${{inputs.DOCKER_FILE}} . --build-arg ENABLE_FIPS=true --build-arg DYNAMIC_LINK=true
- name: Extract resources
run: |
docker create --name temp_node_extract node20_build
docker cp temp_node_extract:/usr/src/node/node-install $GITHUB_WORKSPACE/node-install
docker rm temp_node_extract
- name: Archive Node
run: |
mkdir -p artifacts
FILENAME=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }}.tar.xz
FILENAME_LATEST=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST.tar.xz
tar -C node-install -cJf artifacts/$FILENAME .
cp artifacts/$FILENAME artifacts/$FILENAME_LATEST
echo "NODE_ARCHIVE=$FILENAME" >> $GITHUB_ENV
echo "NODE_ARCHIVE_LATEST=$FILENAME_LATEST" >> $GITHUB_ENV
- name: Upload Node archive
uses: actions/upload-artifact@v4
with:
name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }}
path: artifacts/${{ env.NODE_ARCHIVE }}
- name: Upload Node archive latest
uses: actions/upload-artifact@v4
with:
name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST
path: artifacts/${{ env.NODE_ARCHIVE_LATEST }}
- name: Upload Node archive to release
uses: softprops/action-gh-release@v1
with:
name: node-${{ env.NODE_VERSION }}-fips-static-LATEST
tag_name: node-${{ env.NODE_VERSION }}-fips-static-release
files: ./artifacts/${{ env.NODE_ARCHIVE_LATEST }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}