ci: add fips check

Author: JasonPowr

.tekton/gitsign-pull-request.yaml

@@ -40,21 +40,30 @@ spec:
     value: "true"
   - name: go_test_command
     value: go test $(go list ./... | grep -v github.com/sigstore/gitsign/pkg/version)
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
-    podTemplate:
-      imagePullSecrets:
-      - name: brew-registry-pull-secret
-    serviceAccountName: appstudio-pipeline
+    stepSpecs:
+    - computeResources:
+        limits:
+          memory: 4Gi
+      name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-gitsign
   workspaces:

.tekton/gitsign-push.yaml

@@ -37,21 +37,30 @@ spec:
     value: "true"
   - name: go_test_command
     value: go test $(go list ./... | grep -v github.com/sigstore/gitsign/pkg/version)
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunSpecs:
   - pipelineTaskName: run-unit-test
-    podTemplate:
-      imagePullSecrets:
-      - name: brew-registry-pull-secret
-    serviceAccountName: appstudio-pipeline
+    stepSpecs:
+    - computeResources:
+        limits:
+          memory: 4Gi
+      name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-gitsign
   workspaces:

Build.mak

@@ -1,4 +1,3 @@
-
 GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 
 GIT_HASH ?= $(shell git rev-parse HEAD)
@@ -16,34 +15,19 @@ ifeq ($(DIFF), 1)
 endif
 
 LDFLAGS=-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion=$(GIT_VERSION)
+FIPS_MODULE ?= latest
 
 .PHONY: 
-cross-platform: gitsign-cli-darwin-arm64 gitsign-cli-darwin-amd64 gitsign-cli-linux-amd64 gitsign-cli-linux-arm64 gitsign-cli-linux-ppc64le gitsign-cli-linux-s390x gitsign-cli-windows ## Build all distributable (cross-platform) binaries
+cross-platform: gitsign-cli-darwin-arm64 gitsign-cli-darwin-amd64 gitsign-cli-windows ## Build all distributable (cross-platform) binaries
 
 .PHONY:	gitsign-cli-darwin-arm64
 gitsign-cli-darwin-arm64: ## Build for mac M1
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -mod=readonly -o gitsign_cli_darwin_arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" .
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=arm64 go build -mod=readonly -o gitsign_cli_darwin_arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" .
 
 .PHONY: gitsign-cli-darwin-amd64
 gitsign-cli-darwin-amd64:  ## Build for Darwin (macOS)
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -mod=readonly -o gitsign_cli_darwin_amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" .
-
-.PHONY: gitsign-cli-linux-amd64 
-gitsign-cli-linux-amd64: ## Build for Linux amd64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod=readonly -o gitsign_cli_linux_amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" .
-
-.PHONY: gitsign-cli-linux-arm64
-gitsign-cli-linux-arm64: ## Build for Linux arm64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -mod=readonly -o gitsign_cli_linux_arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" .
-
-.PHONY: gitsign-cli-linux-ppc64le
-gitsign-cli-linux-ppc64le: ## Build for Linux ppc64le
-	env CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -mod=readonly -o gitsign_cli_linux_ppc64le -trimpath -ldflags "$(LDFLAGS) -w -s" .
-
-.PHONY: gitsign-cli-linux-s390x
-gitsign-cli-linux-s390x:  ## Build for Linux s390x
-	env CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -mod=readonly -o gitsign_cli_linux_s390x -trimpath -ldflags "$(LDFLAGS) -w -s" .
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=darwin GOARCH=amd64 go build -mod=readonly -o gitsign_cli_darwin_amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" .
 
 .PHONY: gitsign-cli-windows
 gitsign-cli-windows: ## Build for Windows
-	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -mod=readonly -o gitsign_cli_windows_amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" .
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE) GOOS=windows GOARCH=amd64 go build -mod=readonly -o gitsign_cli_windows_amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" .

Dockerfile.gitsign.rh

@@ -1,5 +1,5 @@
 # Build stage
-FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:7b1828de52c3bac600a71b81996bf748776a456181a45e2b329b39702cf6486f AS build-env
+FROM registry.redhat.io/ubi9/go-toolset:9.6 AS build-env
 
 ENV GOEXPERIMENT=strictfipsruntime
 ENV CGO_ENABLED=1
@@ -14,15 +14,16 @@ RUN git stash && \
     export BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') && \
     git stash pop || true && \
     go mod download && \
+    LDFLAGS="-X sigs.k8s.io/release-utils/version.gitVersion=${GIT_VERSION} \
+                   -X sigs.k8s.io/release-utils/version.gitCommit=${GIT_HASH} \
+                   -X sigs.k8s.io/release-utils/version.gitTreeState="clean" \
+                   -X sigs.k8s.io/release-utils/version.buildDate=${BUILD_DATE}"; \
+    go build -mod=readonly -o gitsign_cli_linux -trimpath -ldflags "${LDFLAGS} -w -s" . && \
+    gzip -k gitsign_cli_linux && \
     make -f Build.mak cross-platform && \
     gzip gitsign_cli_darwin_amd64 && \
-    gzip gitsign_cli_linux_amd64 && \
     gzip gitsign_cli_windows_amd64.exe && \
-    gzip gitsign_cli_darwin_arm64 && \
-    gzip gitsign_cli_linux_arm64 && \
-    gzip gitsign_cli_linux_ppc64le && \
-    gzip gitsign_cli_linux_s390x && \
-    ls -la
+    gzip gitsign_cli_darwin_arm64
 
 # Install Gitsign
 FROM registry.access.redhat.com/ubi9-minimal@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
@@ -35,30 +36,22 @@ LABEL summary="Provides the gitsign CLI binary for signing and verifying contain
 LABEL com.redhat.component="gitsign"
 LABEL name="rhtas/gitsign-rhel9"
 
+COPY --from=build-env /gitsign/gitsign_cli_linux /usr/local/bin/gitsign_cli_linux
+COPY --from=build-env /gitsign/gitsign_cli_linux.gz /usr/local/bin/gitsign_cli_linux.gz
 COPY --from=build-env /gitsign/gitsign_cli_darwin_amd64.gz /usr/local/bin/gitsign_cli_darwin_amd64.gz
-COPY --from=build-env /gitsign/gitsign_cli_linux_amd64.gz /usr/local/bin/gitsign_cli_linux_amd64.gz
 COPY --from=build-env /gitsign/gitsign_cli_darwin_arm64.gz /usr/local/bin/gitsign_cli_darwin_arm64.gz
-COPY --from=build-env /gitsign/gitsign_cli_linux_arm64.gz /usr/local/bin/gitsign_cli_linux_arm64.gz
-COPY --from=build-env /gitsign/gitsign_cli_linux_ppc64le.gz /usr/local/bin/gitsign_cli_linux_ppc64le.gz
-COPY --from=build-env /gitsign/gitsign_cli_linux_s390x.gz /usr/local/bin/gitsign_cli_linux_s390x.gz
 COPY --from=build-env /gitsign/gitsign_cli_windows_amd64.exe.gz /usr/local/bin/gitsign_cli_windows_amd64.exe.gz
 COPY LICENSE /licenses/license.txt
 
-
 ENV HOME=/home
 WORKDIR ${HOME}
 
 RUN chown root:0 /usr/local/bin/gitsign_cli_darwin_amd64.gz && chmod g+wx /usr/local/bin/gitsign_cli_darwin_amd64.gz && \
-    chown root:0 /usr/local/bin/gitsign_cli_linux_amd64.gz && chmod g+wx /usr/local/bin/gitsign_cli_linux_amd64.gz && \
     chown root:0 /usr/local/bin/gitsign_cli_windows_amd64.exe.gz && chmod g+wx /usr/local/bin/gitsign_cli_windows_amd64.exe.gz && \
-    chown root:0 /usr/local/bin/gitsign_cli_linux_arm64.gz && chmod g+wx /usr/local/bin/gitsign_cli_linux_arm64.gz && \
     chown root:0 /usr/local/bin/gitsign_cli_darwin_arm64.gz && chmod g+wx /usr/local/bin/gitsign_cli_darwin_arm64.gz && \
-    chown root:0 /usr/local/bin/gitsign_cli_linux_ppc64le.gz && chmod g+wx /usr/local/bin/gitsign_cli_linux_ppc64le.gz && \
-    chown root:0 /usr/local/bin/gitsign_cli_linux_s390x.gz && chmod g+wx /usr/local/bin/gitsign_cli_linux_s390x.gz && \
+    chown root:0 /usr/local/bin/gitsign_cli_linux.gz && chmod g+wx /usr/local/bin/gitsign_cli_linux.gz && \
     chgrp -R 0 /${HOME} && chmod -R g=u /${HOME}
 
-LABEL com.redhat.component="gitsign"
-
 USER 65532:65532
 
 # Makes sure the container stays running