From a9c1bc75bb59047aaa77e1b65ae33a6d2e8d9e21 Mon Sep 17 00:00:00 2001
From: Kris Buno <106196105+asana-kristoferbuno@users.noreply.github.com>
Date: Thu, 5 Jun 2025 16:13:06 -0700
Subject: [PATCH 1/6] inputs.BUILDREF
---
 .github/workflows/build-node-openssl-fips.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-node-openssl-fips.yml b/.github/workflows/build-node-openssl-fips.yml
index 524f20d42cb787..7c3803a27d5db6 100644
--- a/.github/workflows/build-node-openssl-fips.yml
+++ b/.github/workflows/build-node-openssl-fips.yml
@@ -53,7 +53,7 @@ jobs:
 with:
 repository: Asana/node
 path: node
- ref: ${{ BUILD_REF }}
+ ref: ${{ inputs.BUILD_REF }}
 token: ${{ secrets.GITHUB_TOKEN }}
 - name: Extract Node Version
From 83c8d869811d993dd72ed5e086d8edc95e27ebe3 Mon Sep 17 00:00:00 2001
From: Kris Buno
Date: Fri, 6 Jun 2025 16:01:41 -0700
Subject: [PATCH 2/6] dockerized node build with fips and dylink
---
 .github/workflows/Dockerfile.node20fips | 32 +++++
 .github/workflows/build-node-openssl-fips.yml | 111 +++++++++++------
 2 files changed, 102 insertions(+), 41 deletions(-)
 create mode 100644 .github/workflows/Dockerfile.node20fips
diff --git a/.github/workflows/Dockerfile.node20fips b/.github/workflows/Dockerfile.node20fips
new file mode 100644
index 00000000000000..42379ac2118595
--- /dev/null
+++ b/.github/workflows/Dockerfile.node20fips
@@ -0,0 +1,32 @@
+# Stage 1
+FROM ubuntu:20.04 AS base
+ARG ENABLE_FIPS
+ARG DYNAMIC_LINK
+ARG SHARED_OPENSSL_INCLUDES
+ARG SHARED_OPENSSL_LIBNAME
+ARG SHARED_OPENSSL_LIBPATH
+
+# Set non-interactive mode to avoid prompts during installation
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install necessary dependencies
+RUN apt-get update
+RUN apt-get install -y software-properties-common
+RUN add-apt-repository -y ppa:ubuntu-toolchain-r/test
+RUN apt-get update && apt-get install -y build-essential python3 python3-distutils g++-10 make curl git pkg-config libssl-dev libffi-dev libgmp-dev libtool autoconf automake cmake wget xz-utils unzip vim
+RUN rm -rf /var/lib/apt/lists/*
+
+# Set g++ 10 as the default
+RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 100
+
+# Copy local Node.js source into the image
+WORKDIR /usr/src/node
+COPY . .
+
+RUN ./configure --openssl-is-fips
+RUN ./configure --shared-openssl
+
+RUN ./configure --experimental-enable-pointer-compression
+RUN make -j4 install DESTDIR=./node-install
+
+CMD ["bash"]
diff --git a/.github/workflows/build-node-openssl-fips.yml b/.github/workflows/build-node-openssl-fips.yml
index 7c3803a27d5db6..f57ab14ec9c47b 100644
--- a/.github/workflows/build-node-openssl-fips.yml
+++ b/.github/workflows/build-node-openssl-fips.yml
@@ -28,6 +28,11 @@ on:
 required: true
 default: 'main'
 type: string
+ DOCKER_FILE:
+ description: 'Dockerfile to use for building Node.js'
+ required: true
+ default: 'Dockerfile.Node20'
+ type: string
 jobs:
 build-node:
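Review bot: The three separate `RUN ./configure …` lines near the end of Dockerfile.node20fips do not add up: Node's configure rewrites its generated configuration on every run, so `make` is driven only by the last one and the image is most likely built without `--openssl-is-fips` and `--shared-openssl`. For an artifact labelled FIPS that is a silent downgrade; pass the flags in one step, `RUN ./configure --openssl-is-fips --shared-openssl --experimental-enable-pointer-compression`. The five `ARG`s at the top are never referenced, so the `--build-arg ENABLE_FIPS=…` and `DYNAMIC_LINK=…` values the workflow passes (still present in patch 6/6) have no effect; either branch on them in that `RUN` or remove them. A cheap guard is to print `process.config.variables.openssl_is_fips` and `node_shared_openssl` from the built binary and fail the build when they differ from what was requested. `COPY . .` also copies the checked-out `.git` directory into a layer; if the checkout step persists its token in `.git/config`, exclude `.git` through a `.dockerignore`.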
@@ -79,51 +84,75 @@ jobs:
 run: |
 sudo apt-get update
 sudo apt-get install -y python3 g++ make curl tar xz-utils
-
- - name: Configure OpenSSL for fips
- id: openssl-is-fips
- if: inputs.enableFips
- run: |
- ./configure --openssl-is-fips
-
- - name: Dynamically link OpenSSL in Node.js
- id: openssl-dynamic-link
- if: inputs.dynamicLink
- run: |
- ./configure --shared-openssl
-
- - name: Define headers for OpenSSL
- id: openssl-dynamic-link-headers
- if: ${{ !empty(inputs.sharedOpenSSLIncludes) }}
- run: |
- ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLIncludes}}
- - name: alternative libname for openssl
- id: openssl-dynamic-link-libname
- if: ${{ !empty(inputs.sharedOpenSSLLibname) }}
- run: |
- ./configure --shared-openssl-libname ${{inputs.sharedOpenSSLLibname}}
-
- - name: Define headers for OpenSSL
- id: openssl-dynamic-link-libpath
- if: ${{ !empty(inputs.sharedOpenSSLLibpath) }}
- run: |
- ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLLibpath}}
-
-
- - name: Build Node (linux)
+ # - name: Configure OpenSSL for fips
+ # id: openssl-is-fips
+ # if: inputs.enableFips
+ # run: |
+ # ./configure --openssl-is-fips
+
+ # - name: Dynamically link OpenSSL in Node.js
+ # id: openssl-dynamic-link
+ # if: inputs.dynamicLink
+ # run: |
+ # ./configure --shared-openssl
+
+ # - name: Define headers for OpenSSL
+ # id: openssl-dynamic-link-headers
+ # if: ${{ !empty(inputs.sharedOpenSSLIncludes) }}
+ # run: |
+ # ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLIncludes}}
+
+ # - name: alternative libname for openssl
+ # id: openssl-dynamic-link-libname
+ # if: ${{ !empty(inputs.sharedOpenSSLLibname) }}
+ # run: |
+ # ./configure --shared-openssl-libname ${{inputs.sharedOpenSSLLibname}}
+
+ # - name: Define headers for OpenSSL
+ # id: openssl-dynamic-link-libpath
+ # if: ${{ !empty(inputs.sharedOpenSSLLibpath) }}
+ # run: |
+ # ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLLibpath}}
+
+
+ # - name: Build Node (linux)
+ # working-directory: node
+ # if: matrix.platform == 'linux'
+ # run: |
+ # ./configure --experimental-enable-pointer-compression
+ # make -j4 install DESTDIR=$GITHUB_WORKSPACE/node-install
+
+ # - name: Build Node (darwin)
+ # working-directory: node
+ # if: matrix.platform == 'darwin'
+ # run: |
+ # ./configure --experimental-enable-pointer-compression --without-snapshot
+ # make -j2 install DESTDIR=$GITHUB_WORKSPACE/node-install
+
+ - name: Execute the Dockerfile
 working-directory: node
- if: matrix.platform == 'linux'
 run: |
- ./configure --experimental-enable-pointer-compression
- make -j4 install DESTDIR=$GITHUB_WORKSPACE/node-install
-
- - name: Build Node (darwin)
- working-directory: node
- if: matrix.platform == 'darwin'
+ docker build -t node20_build -f ./Dockerfile.Node20fips . \
+ {{ if inputs.enableFips }} \
+ --build-arg ENABLE_FIPS=true \
+ {{ else }} \
+ --build-arg ENABLE_FIPS=false \
+ {{ end }} \
+ {{ if inputs.dynamicLink }} \
+ --build-arg DYNAMIC_LINK=true \
+ {{ else }} \
+ --build-arg DYNAMIC_LINK=false \
+ {{ end }} \
+ --build-arg SHARED_OPENSSL_INCLUDES=${{ inputs.sharedOpenSSLIncludes }} \
+ --build-arg SHARED_OPENSSL_LIBNAME=${{ inputs.sharedOpenSSLLibname }} \
+ --build-arg SHARED_OPENSSL_LIBPATH=${{ inputs.sharedOpenSSLLibpath }}
+
+ - name: Extract resources
 run: |
- ./configure --experimental-enable-pointer-compression --without-snapshot
- make -j2 install DESTDIR=$GITHUB_WORKSPACE/node-install
+ docker create --name temp_node_extract node20_build
+ docker cp temp_node_extract:/usr/src/node/node-install $GITHUB_WORKSPACE/node-install
+ docker rm temp_node_extract
 - name: Archive Node
 run: |
From 234d62fbf4f02e6afe4d21d00eb6b677a5f2a364 Mon Sep 17 00:00:00 2001
From: Kris Buno
Date: Mon, 9 Jun 2025 10:28:03 -0700
Subject: [PATCH 3/6] filename
---
 .github/workflows/build-node-openssl-fips.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
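Review bot: The new `Execute the Dockerfile` and `Extract resources` steps in patch 2/6 carry no `if:`, while the build steps they replace were gated on `matrix.platform == 'linux'` and `matrix.platform == 'darwin'`. If the matrix still has a darwin leg, it will now run `docker build` as well, which either fails where Docker is unavailable or ends up archiving a Linux build under the darwin name; add `if: matrix.platform == 'linux'` to both steps and keep a native darwin build. The roughly forty commented-out lines are better deleted than kept, since git history preserves them and they obscure which configure flags are actually live. The hunk begins inside an earlier step's `run:` block, so the matrix definition itself is not visible here.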
diff --git a/.github/workflows/build-node-openssl-fips.yml b/.github/workflows/build-node-openssl-fips.yml
index f57ab14ec9c47b..5dae2d0dca6deb 100644
--- a/.github/workflows/build-node-openssl-fips.yml
+++ b/.github/workflows/build-node-openssl-fips.yml
@@ -133,7 +133,7 @@ jobs:
 - name: Execute the Dockerfile
 working-directory: node
 run: |
- docker build -t node20_build -f ./Dockerfile.Node20fips . \
+ docker build -t node20_build -f ./Dockerfile.node20fips . \
 {{ if inputs.enableFips }} \
 --build-arg ENABLE_FIPS=true \
 {{ else }} \
From 3e5e40f5cccb0564bf4c196b5c37bc76e7d1c95e Mon Sep 17 00:00:00 2001
From: Kris Buno
Date: Mon, 9 Jun 2025 10:35:56 -0700
Subject: [PATCH 4/6] remove pipe symbol eol
---
 .github/workflows/build-node-openssl-fips.yml | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build-node-openssl-fips.yml b/.github/workflows/build-node-openssl-fips.yml
index 5dae2d0dca6deb..4e0ea1ed5ff23e 100644
--- a/.github/workflows/build-node-openssl-fips.yml
+++ b/.github/workflows/build-node-openssl-fips.yml
@@ -133,19 +133,19 @@ jobs:
 - name: Execute the Dockerfile
 working-directory: node
 run: |
- docker build -t node20_build -f ./Dockerfile.node20fips . \
- {{ if inputs.enableFips }} \
- --build-arg ENABLE_FIPS=true \
- {{ else }} \
- --build-arg ENABLE_FIPS=false \
- {{ end }} \
- {{ if inputs.dynamicLink }} \
- --build-arg DYNAMIC_LINK=true \
- {{ else }} \
- --build-arg DYNAMIC_LINK=false \
- {{ end }} \
- --build-arg SHARED_OPENSSL_INCLUDES=${{ inputs.sharedOpenSSLIncludes }} \
- --build-arg SHARED_OPENSSL_LIBNAME=${{ inputs.sharedOpenSSLLibname }} \
+ docker build -t node20_build -f ./Dockerfile.node20fips .
+ {{ if inputs.enableFips }}
+ --build-arg ENABLE_FIPS=true
+ {{ else }}
+ --build-arg ENABLE_FIPS=false
+ {{ end }}
+ {{ if inputs.dynamicLink }}
+ --build-arg DYNAMIC_LINK=true
+ {{ else }}
+ --build-arg DYNAMIC_LINK=false
+ {{ end }}
+ --build-arg SHARED_OPENSSL_INCLUDES=${{ inputs.sharedOpenSSLIncludes }}
+ --build-arg SHARED_OPENSSL_LIBNAME=${{ inputs.sharedOpenSSLLibname }}
 --build-arg SHARED_OPENSSL_LIBPATH=${{ inputs.sharedOpenSSLLibpath }}
 - name: Extract resources
From 2d589874803400330671f49c0d55d541529ffe7c Mon Sep 17 00:00:00 2001
From: Kris Buno
Date: Mon, 9 Jun 2025 10:48:04 -0700
Subject: [PATCH 5/6] var DOCKER_FILE in docker cmd
---
 .github/workflows/build-node-openssl-fips.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-node-openssl-fips.yml b/.github/workflows/build-node-openssl-fips.yml
index 4e0ea1ed5ff23e..c27dda3a8947df 100644
--- a/.github/workflows/build-node-openssl-fips.yml
+++ b/.github/workflows/build-node-openssl-fips.yml
@@ -31,7 +31,7 @@ on:
 DOCKER_FILE:
 description: 'Dockerfile to use for building Node.js'
 required: true
- default: 'Dockerfile.Node20'
+ default: 'Dockerfile.Node20fips'
 type: string
 jobs:
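Review bot: The new default `'Dockerfile.Node20fips'` for the `DOCKER_FILE` input (patch 5/6, hunk at line 31) does not match the file this series adds, `Dockerfile.node20fips` with a lower-case `n`, so on a case-sensitive runner a default dispatch will not find it; this is the same mismatch patch 3/6 corrected in the command line. The file is also created under `.github/workflows/`, while the build step resolves `-f ./…` from `working-directory: node`. Assuming the workflow lives in the repository it checks out and no copy exists at the repository root, the default should carry the full path, `default: '.github/workflows/Dockerfile.node20fips'`.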
@@ -133,7 +133,7 @@ jobs:
 - name: Execute the Dockerfile
 working-directory: node
 run: |
- docker build -t node20_build -f ./Dockerfile.node20fips .
+ docker build -t node20_build -f ./${{inputs.DOCKER_FILE}} .
 {{ if inputs.enableFips }}
 --build-arg ENABLE_FIPS=true
 {{ else }}
From 7365346f66567d9e408b1ce0470de1621c0aad8c Mon Sep 17 00:00:00 2001
From: Kris Buno
Date: Mon, 9 Jun 2025 10:51:10 -0700
Subject: [PATCH 6/6] hardcode build args
---
 .github/workflows/build-node-openssl-fips.yml | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/.github/workflows/build-node-openssl-fips.yml b/.github/workflows/build-node-openssl-fips.yml
index c27dda3a8947df..976e018bfb3268 100644
--- a/.github/workflows/build-node-openssl-fips.yml
+++ b/.github/workflows/build-node-openssl-fips.yml
@@ -133,20 +133,7 @@ jobs:
 - name: Execute the Dockerfile
 working-directory: node
 run: |
- docker build -t node20_build -f ./${{inputs.DOCKER_FILE}} .
- {{ if inputs.enableFips }}
- --build-arg ENABLE_FIPS=true
- {{ else }}
- --build-arg ENABLE_FIPS=false
- {{ end }}
- {{ if inputs.dynamicLink }}
- --build-arg DYNAMIC_LINK=true
- {{ else }}
- --build-arg DYNAMIC_LINK=false
- {{ end }}
- --build-arg SHARED_OPENSSL_INCLUDES=${{ inputs.sharedOpenSSLIncludes }}
- --build-arg SHARED_OPENSSL_LIBNAME=${{ inputs.sharedOpenSSLLibname }}
- --build-arg SHARED_OPENSSL_LIBPATH=${{ inputs.sharedOpenSSLLibpath }}
+ docker build -t node20_build -f ./${{inputs.DOCKER_FILE}} . --build-arg ENABLE_FIPS=true --build-arg DYNAMIC_LINK=true
 - name: Extract resources
 run: |
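Review bot: `-f ./${{inputs.DOCKER_FILE}}` (added in patch 5/6 and kept in the patch 6/6 command) expands a free-form string input directly into the `run:` script, so whitespace or shell metacharacters in the value are interpreted by the shell before `docker` sees them. Hand the value over through the step's environment and quote it: `env:` with `DOCKER_FILE: ${{ inputs.DOCKER_FILE }}`, then `docker build -t node20_build -f "./$DOCKER_FILE" .`. If this is a `workflow_dispatch` input, a `choice` type listing the known Dockerfiles would narrow it further. `$GITHUB_WORKSPACE` in the following `Extract resources` step is likewise unquoted, though that value is runner-controlled.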