Update .github/workflows/build-node.yml #43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Node with options around OpenSSL dynamic linking and FIPS | ||
|
Check failure on line 1 in .github/workflows/build-node-openssl-fips.yml
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| enableFips: | ||
| description: 'Whether OpenSSL should be FIPS-enabled' | ||
| default: true | ||
| type: boolean | ||
| dynamicLink: | ||
| description: 'If OpenSSL should be dynamically linked with node (rather than statically linked)' | ||
| default: false | ||
| type: boolean | ||
| sharedOpenSSLIncludes: | ||
| description: 'dir containing header files for OpenSSL' | ||
| default: '' | ||
| type: string | ||
| sharedOpenSSLLibname: | ||
| description: 'libname for dynamically linking to OpenSSL' | ||
| default: '' | ||
| type: string | ||
| sharedOpenSSLLibpath: | ||
| description: 'dir for searching for shared OpenSSL dlls' | ||
| default: '' | ||
| type: string | ||
| BUILD_REF: | ||
| description: 'ref to build' | ||
| required: true | ||
| default: 'main' | ||
| type: string | ||
| jobs: | ||
| build-node: | ||
| name: Build ${{ matrix.platform }}-${{ matrix.arch }} with statically-linked FIPS OpenSSL | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - platform: linux | ||
| arch: x64 | ||
| runs_on: ubuntu-22.04 | ||
| - platform: linux | ||
| arch: arm64 | ||
| runs_on: ubuntu-22.04-arm | ||
| runs-on: ${{ matrix.runs_on }} | ||
| env: | ||
| S3_BUCKET: your-bucket-name | ||
| AWS_REGION: us-east-1 | ||
| REPO: ${{ github.repository }} | ||
| steps: | ||
| - name: Checkout Node fork | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| repository: Asana/node | ||
| path: node | ||
| ref: ${{ BUILD_REF }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Extract Node Version | ||
| id: extract-node-version | ||
| run: | | ||
| NODE_MAJOR_VERSION=$(grep '#define NODE_MAJOR_VERSION' node/src/node_version.h | awk '{print $3}') | ||
| NODE_MINOR_VERSION=$(grep '#define NODE_MINOR_VERSION' node/src/node_version.h | awk '{print $3}') | ||
| NODE_PATCH_VERSION=$(grep '#define NODE_PATCH_VERSION' node/src/node_version.h | awk '{print $3}') | ||
| NODE_VERSION="v${NODE_MAJOR_VERSION}.${NODE_MINOR_VERSION}.${NODE_PATCH_VERSION}" | ||
| echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_ENV | ||
| - name: Set build metadata | ||
| id: meta | ||
| working-directory: node | ||
| run: | | ||
| TIMESTAMP=$(date -u +%Y-%m-%dT%H-%M) | ||
| SHORT_SHA=$(git rev-parse --short HEAD) | ||
| echo "BUILD_ID=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_ENV | ||
| echo "build_id=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| - name: Install dependencies (Linux) | ||
| if: matrix.platform == 'linux' | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y python3 g++ make curl tar xz-utils | ||
| - name: Configure OpenSSL for fips | ||
| id: openssl-is-fips | ||
| if: inputs.enableFips | ||
| run: | | ||
| ./configure --openssl-is-fips | ||
| - name: Dynamically link OpenSSL in Node.js | ||
| id: openssl-dynamic-link | ||
| if: inputs.dynamicLink | ||
| run: | | ||
| ./configure --shared-openssl | ||
| - name: Define headers for OpenSSL | ||
| id: openssl-dynamic-link-headers | ||
| if: ${{ !empty(inputs.sharedOpenSSLIncludes) }} | ||
| run: | | ||
| ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLIncludes}} | ||
| - name: alternative libname for openssl | ||
| id: openssl-dynamic-link-libname | ||
| if: ${{ !empty(inputs.sharedOpenSSLLibname) }} | ||
| run: | | ||
| ./configure --shared-openssl-libname ${{inputs.sharedOpenSSLLibname}} | ||
| - name: Define headers for OpenSSL | ||
| id: openssl-dynamic-link-libpath | ||
| if: ${{ !empty(inputs.sharedOpenSSLLibpath) }} | ||
| run: | | ||
| ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLLibpath}} | ||
| - name: Build Node (linux) | ||
| working-directory: node | ||
| if: matrix.platform == 'linux' | ||
| run: | | ||
| ./configure --experimental-enable-pointer-compression | ||
| make -j4 install DESTDIR=$GITHUB_WORKSPACE/node-install | ||
| - name: Build Node (darwin) | ||
| working-directory: node | ||
| if: matrix.platform == 'darwin' | ||
| run: | | ||
| ./configure --experimental-enable-pointer-compression --without-snapshot | ||
| make -j2 install DESTDIR=$GITHUB_WORKSPACE/node-install | ||
| - name: Archive Node | ||
| run: | | ||
| mkdir -p artifacts | ||
| FILENAME=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }}.tar.xz | ||
| FILENAME_LATEST=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST.tar.xz | ||
| tar -C node-install -cJf artifacts/$FILENAME . | ||
| cp artifacts/$FILENAME artifacts/$FILENAME_LATEST | ||
| echo "NODE_ARCHIVE=$FILENAME" >> $GITHUB_ENV | ||
| echo "NODE_ARCHIVE_LATEST=$FILENAME_LATEST" >> $GITHUB_ENV | ||
| - name: Upload Node archive | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }} | ||
| path: artifacts/${{ env.NODE_ARCHIVE }} | ||
| - name: Upload Node archive latest | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST | ||
| path: artifacts/${{ env.NODE_ARCHIVE_LATEST }} | ||
| - name: Upload Node archive to release | ||
| # Publish the FIPS-static Node build to its own release tag | ||
| # (node-${NODE_VERSION}-fips-static-release), separate from the default | ||
| # Node release so consumers can select the FIPS variant explicitly rather | ||
| # than relying on filename conventions inside a shared release. | ||
| # | ||
| # This workflow is workflow_dispatch-only, and the matrix has two arms | ||
| # (linux-x64, linux-arm64) running in parallel β on the first invocation | ||
| # for a new NODE_VERSION both arms race to create the release. The | ||
| # view-or-create guard with the trailing `|| gh release view` tolerates | ||
| # "already exists" from the losing racer and propagates any other create | ||
| # failure through the final view. | ||
| # | ||
| # `--clobber` makes re-uploads idempotent on asset name collisions by | ||
| # deleting the existing asset before uploading. If the new upload fails | ||
| # after the delete, just re-run the job. | ||
| # | ||
| # `gh release edit --title` after upload keeps the release title | ||
| # deterministically derived from NODE_VERSION, overriding any manual | ||
| # rename in the GitHub UI. | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| set -euo pipefail | ||
| TAG="node-${NODE_VERSION}-fips-static-release" | ||
| RELEASE_NAME="node-${NODE_VERSION}-fips-static-LATEST" | ||
| FILE="./artifacts/${NODE_ARCHIVE_LATEST}" | ||
| if ! gh release view "$TAG" --repo "$REPO" >/dev/null 2>&1; then | ||
| gh release create "$TAG" --title "$RELEASE_NAME" --notes "" --repo "$REPO" \ | ||
| || gh release view "$TAG" --repo "$REPO" >/dev/null | ||
| fi | ||
| gh release upload "$TAG" "$FILE" --clobber --repo "$REPO" | ||
| gh release edit "$TAG" --title "$RELEASE_NAME" --repo "$REPO" | ||
