77 changes: 14 additions & 63 deletions .github/workflows/build-node-openssl-fips.yml
Expand Up @@ -3,35 +3,20 @@ name: Build Node with options around OpenSSL dynamic linking and FIPS
on:
workflow_dispatch:
inputs:
enableFips:
description: 'Whether OpenSSL should be FIPS-enabled'
default: true
type: boolean
dynamicLink:
description: 'If OpenSSL should be dynamically linked with node (rather than statically linked)'
default: false
type: boolean
sharedOpenSSLIncludes:
description: 'dir containing header files for OpenSSL'
default: ''
type: string
sharedOpenSSLLibname:
description: 'libname for dynamically linking to OpenSSL'
default: ''
type: string
sharedOpenSSLLibpath:
description: 'dir for searching for shared OpenSSL dlls'
default: ''
type: string
BUILD_REF:
description: 'ref to build'
description: 'ref to build Node.js from'
required: true
default: 'main'


Your default ref is main but your default Dockerfile is for Node20? main isn't Node 20 (I don't think it is)

type: string
DOCKER_FILE:
description: 'Dockerfile to use for building Node.js'
required: true
default: 'Dockerfile.Node20fips'
type: string

jobs:
build-node:
name: Build ${{ matrix.platform }}-${{ matrix.arch }} with statically-linked FIPS OpenSSL
name: Build ${{ matrix.platform }}-${{ matrix.arch }} with dynamically-linked FIPS OpenSSL
strategy:
matrix:
include:
Expand All @@ -53,7 +38,7 @@ jobs:
with:
repository: Asana/node
path: node
ref: ${{ BUILD_REF }}
ref: ${{ inputs.BUILD_REF }}
token: ${{ secrets.GITHUB_TOKEN }}

- name: Extract Node Version
Expand All @@ -79,51 +64,17 @@ jobs:
run: |
sudo apt-get update
sudo apt-get install -y python3 g++ make curl tar xz-utils

- name: Configure OpenSSL for fips
id: openssl-is-fips
if: inputs.enableFips
run: |
./configure --openssl-is-fips

- name: Dynamically link OpenSSL in Node.js
id: openssl-dynamic-link
if: inputs.dynamicLink
run: |
./configure --shared-openssl

- name: Define headers for OpenSSL
id: openssl-dynamic-link-headers
if: ${{ !empty(inputs.sharedOpenSSLIncludes) }}
run: |
./configure --shared-openssl-includes ${{inputs.sharedOpenSSLIncludes}}

- name: alternative libname for openssl
id: openssl-dynamic-link-libname
if: ${{ !empty(inputs.sharedOpenSSLLibname) }}
run: |
./configure --shared-openssl-libname ${{inputs.sharedOpenSSLLibname}}

- name: Define headers for OpenSSL
id: openssl-dynamic-link-libpath
if: ${{ !empty(inputs.sharedOpenSSLLibpath) }}
run: |
./configure --shared-openssl-includes ${{inputs.sharedOpenSSLLibpath}}


- name: Build Node (linux)
- name: Execute the Dockerfile
working-directory: node
if: matrix.platform == 'linux'
run: |
./configure --experimental-enable-pointer-compression
make -j4 install DESTDIR=$GITHUB_WORKSPACE/node-install
docker build -t node20_build -f ./${{inputs.DOCKER_FILE}} .


Since your docker file is parameterized, maybe don't have the build tagged as node20_build, maybe just node_build?


- name: Build Node (darwin)
working-directory: node
if: matrix.platform == 'darwin'
- name: Extract resources
run: |
./configure --experimental-enable-pointer-compression --without-snapshot
make -j2 install DESTDIR=$GITHUB_WORKSPACE/node-install
docker create --name temp_node_extract node20_build
docker cp temp_node_extract:/usr/src/node/node-install $GITHUB_WORKSPACE/node-install
docker rm temp_node_extract

- name: Archive Node
run: |
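Review bot: The `docker build` step in the last hunk expands `${{inputs.DOCKER_FILE}}` directly inside the `run:` script, so the input's text is substituted into the shell script before it runs and any shell metacharacters in it are interpreted by the shell. Pass the value through the environment instead: add `env:` with `DOCKER_FILE: ${{ inputs.DOCKER_FILE }}` on the step and call `docker build -t node20_build -f "./$DOCKER_FILE" .`. `workflow_dispatch` inputs come only from users allowed to trigger the workflow, which limits exposure, but the quoting also keeps a path containing spaces from breaking the command. Separately, the "Extract resources" step appears to have no `if: matrix.platform == 'linux'` guard while the build step does, so on any non-linux matrix entry (the matrix is collapsed on this page) it would look for an image that was never built.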
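--- a/Dockerfile.Node20fips
+++ b/Dockerfile.Node20fips
@@ -0,0 +1,25 @@
+# Stage 1
+FROM ubuntu:22.04 AS base
+
+# Set non-interactive mode to avoid prompts during installation
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install necessary dependencies
+RUN apt-get update
+RUN apt-get install -y software-properties-common
+RUN add-apt-repository -y ppa:ubuntu-toolchain-r/test
+RUN apt-get update && apt-get install -y build-essential python3 python3-distutils g++-10 make curl git pkg-config libssl-dev libffi-dev libgmp-dev libtool autoconf automake cmake wget xz-utils unzip vim
+RUN rm -rf /var/lib/apt/lists/*
+
+# Set g++ 10 as the default
+RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 100
+
+# Copy local Node.js source into the image
+WORKDIR /usr/src/node
+COPY . .
+
+# Enable dynamic linking for OpenSSL, pointer compression, and using `openssl_conf` as the default OpenSSL configuration for Node.js
+RUN ./configure --shared-openssl --experimental-enable-pointer-compression --openssl-conf-name 'openssl_conf'
+RUN make -j4 install DESTDIR=./node-install
+
+CMD ["bash"]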
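Review bot: Nothing in this Dockerfile makes the build FIPS-enabled beyond its name: the `./configure` line passes `--shared-openssl` and `--openssl-conf-name 'openssl_conf'` but not the `--openssl-is-fips` option the old workflow used, and `libssl-dev` here is the stock Ubuntu 22.04 package. With dynamic linking, whether the extracted binary runs in FIPS mode presumably depends on the OpenSSL library and configuration file present on the host that runs it, so the comment above `./configure` should say so, e.g. `# FIPS is not enforced at build time; the runtime OpenSSL must load a FIPS provider via the openssl_conf section`. Since the output is shipped as a build artifact, it would also help reproducibility to pin `FROM ubuntu:22.04` to a digest and to note in a comment why the `ppa:ubuntu-toolchain-r/test` toolchain source is needed.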