feat: Publish FIPS versions (#21516)

murarustefaan · web-flow · commit e7e8b98980db · 2025-10-23T11:08:44.000Z
This pull request introduces support for FIPS-enabled builds for the BigQuery destination plugin, including workflow updates and code changes to differentiate between standard and FIPS builds. The changes ensure that FIPS-compliant binaries are built, tested, and published through the dedicated workflow.
diff --git a/.github/workflows/dest_bigquery.yml b/.github/workflows/dest_bigquery.yml
@@ -68,3 +68,41 @@ jobs:
           BIGQUERY_PROJECT_ID: ${{ secrets.BIGQUERY_TEST_PROJECT_ID }}
           BIGQUERY_DATASET_ID: ${{ secrets.BIGQUERY_TEST_DATASET_ID }}
           BIGQUERY_DATASET_LOCATION: us-west1
+
+  validate-fips:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./plugins/destination/bigquery
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-1.25.3-validate-plugin-fips-cache-${{ hashFiles('plugins/destination/bigquery/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-1.25.3-validate-plugin-fips-cache-destination-bigquery
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: plugins/destination/bigquery/go.mod
+          cache: false
+
+      - name: Run package command
+        env:
+          GOFLAGS: "-tags=fipsEnabled"
+        run: |
+          rm -rf docs/tables.md
+          go run main_fips.go package -m "chore: Test FIPS" "v1.0.0" .
+
+      - name: Unzip package artifacts
+        run: |
+          unzip -o dist/plugin-bigquery-v1.0.0-linux-amd64.zip
+          chmod +x plugin-bigquery-v1.0.0-linux-amd64
+          ./plugin-bigquery-v1.0.0-linux-amd64 --version 2>&1 | grep -E 'FIPS enabled: true'
diff --git a/.github/workflows/dest_kafka.yml b/.github/workflows/dest_kafka.yml
@@ -53,3 +53,41 @@ jobs:
         run: go build .
       - name: Test
         run: make test
+
+  validate-fips:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./plugins/destination/kafka
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-1.25.3-validate-plugin-fips-cache-${{ hashFiles('plugins/destination/kafka/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-1.25.3-validate-plugin-fips-cache-destination-kafka
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: plugins/destination/kafka/go.mod
+          cache: false
+
+      - name: Run package command
+        env:
+          GOFLAGS: "-tags=fipsEnabled"
+        run: |
+          rm -rf docs/tables.md
+          go run main_fips.go package -m "chore: Test FIPS" "v1.0.0" .
+
+      - name: Unzip package artifacts
+        run: |
+          unzip -o dist/plugin-kafka-v1.0.0-linux-amd64.zip
+          chmod +x plugin-kafka-v1.0.0-linux-amd64
+          ./plugin-kafka-v1.0.0-linux-amd64 --version 2>&1 | grep -E 'FIPS enabled: true'
diff --git a/.github/workflows/dest_postgresql.yml b/.github/workflows/dest_postgresql.yml
@@ -55,3 +55,41 @@ jobs:
         run: make test
       - name: Test CockroachDB
         run: make test-cockroachdb
+
+  validate-fips:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./plugins/destination/postgresql
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-1.25.3-validate-plugin-fips-cache-${{ hashFiles('plugins/destination/postgresql/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-1.25.3-validate-plugin-fips-cache-destination-postgresql
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: plugins/destination/postgresql/go.mod
+          cache: false
+
+      - name: Run package command
+        env:
+          GOFLAGS: "-tags=fipsEnabled"
+        run: |
+          rm -rf docs/tables.md
+          go run main_fips.go package -m "chore: Test FIPS" "v1.0.0" .
+
+      - name: Unzip package artifacts
+        run: |
+          unzip -o dist/plugin-postgresql-v1.0.0-linux-amd64.zip
+          chmod +x plugin-postgresql-v1.0.0-linux-amd64
+          ./plugin-postgresql-v1.0.0-linux-amd64 --version 2>&1 | grep -E 'FIPS enabled: true'
diff --git a/.github/workflows/publish_plugin_to_hub_fips.yml b/.github/workflows/publish_plugin_to_hub_fips.yml
@@ -3,6 +3,9 @@ on:
   push:
     tags:
       - "plugins-source-test-v*.*.*"
+      - "plugins-destination-bigquery-v*.*.*"
+      - "plugins-destination-kafka-v*.*.*"
+      - "plugins-destination-postgresql-v*.*.*"
 permissions:
   contents: read
 
diff --git a/plugins/destination/bigquery/main.go b/plugins/destination/bigquery/main.go
@@ -1,3 +1,5 @@
+//go:build !fipsEnabled
+
 package main
 
 import (
@@ -12,6 +14,7 @@ import (
 
 func main() {
 	p := plugin.NewPlugin(internalPlugin.Name, internalPlugin.Version, client.New,
+		plugin.WithBuildTargets(plugin.DefaultBuildTargets),
 		plugin.WithKind(internalPlugin.Kind),
 		plugin.WithTeam(internalPlugin.Team),
 		plugin.WithJSONSchema(client.JSONSchema),
diff --git a/plugins/destination/bigquery/main_fips.go b/plugins/destination/bigquery/main_fips.go
@@ -0,0 +1,42 @@
+//go:build fipsEnabled
+
+//go:debug fips140=on
+
+package main
+
+import (
+	"context"
+	"crypto/fips140"
+	"log"
+
+	"github.com/cloudquery/cloudquery/plugins/destination/bigquery/v4/client"
+	internalPlugin "github.com/cloudquery/cloudquery/plugins/destination/bigquery/v4/resources/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/serve"
+)
+
+func main() {
+	log.Printf("FIPS enabled: %t", fips140.Enabled())
+
+	p := plugin.NewPlugin(internalPlugin.Name, internalPlugin.Version, client.New,
+		plugin.WithBuildTargets(buildTargets()),
+		plugin.WithKind(internalPlugin.Kind),
+		plugin.WithTeam(internalPlugin.Team),
+		plugin.WithJSONSchema(client.JSONSchema),
+		plugin.WithConnectionTester(client.TestConnection),
+	)
+	if err := serve.Plugin(p, serve.WithDestinationV0V1Server()).Serve(context.Background()); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func buildTargets() []plugin.BuildTarget {
+	// default build targets for FIPS builds
+	// fipsEnabled is used to enable FIPS mode
+	targets := make([]plugin.BuildTarget, len(plugin.DefaultBuildTargets))
+	for i := range plugin.DefaultBuildTargets {
+		targets[i] = plugin.DefaultBuildTargets[i]
+		targets[i].Tags = append(targets[i].Tags, "fipsEnabled")
+	}
+	return targets
+}
diff --git a/plugins/destination/kafka/main.go b/plugins/destination/kafka/main.go
@@ -1,3 +1,5 @@
+//go:build !fipsEnabled
+
 package main
 
 import (
diff --git a/plugins/destination/kafka/main_fips.go b/plugins/destination/kafka/main_fips.go
@@ -0,0 +1,42 @@
+//go:build fipsEnabled
+
+//go:debug fips140=on
+
+package main
+
+import (
+	"context"
+	"crypto/fips140"
+	"log"
+
+	"github.com/cloudquery/cloudquery/plugins/destination/kafka/v5/client"
+	"github.com/cloudquery/cloudquery/plugins/destination/kafka/v5/client/spec"
+	internalPlugin "github.com/cloudquery/cloudquery/plugins/destination/kafka/v5/resources/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/serve"
+)
+
+func main() {
+	log.Printf("FIPS enabled: %t", fips140.Enabled())
+
+	p := plugin.NewPlugin(internalPlugin.Name, internalPlugin.Version, client.New,
+		plugin.WithBuildTargets(buildTargets()),
+		plugin.WithKind(internalPlugin.Kind),
+		plugin.WithTeam(internalPlugin.Team),
+		plugin.WithJSONSchema(spec.JSONSchema),
+	)
+	if err := serve.Plugin(p, serve.WithDestinationV0V1Server()).Serve(context.Background()); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func buildTargets() []plugin.BuildTarget {
+	// default build targets for FIPS builds
+	// fipsEnabled is used to enable FIPS mode
+	targets := make([]plugin.BuildTarget, len(plugin.DefaultBuildTargets))
+	for i := range plugin.DefaultBuildTargets {
+		targets[i] = plugin.DefaultBuildTargets[i]
+		targets[i].Tags = append(targets[i].Tags, "fipsEnabled")
+	}
+	return targets
+}
diff --git a/plugins/destination/postgresql/main.go b/plugins/destination/postgresql/main.go
@@ -1,3 +1,5 @@
+//go:build !fipsEnabled
+
 package main
 
 import (
@@ -6,17 +8,17 @@ import (
 
 	"github.com/cloudquery/cloudquery/plugins/destination/postgresql/v8/client"
 	"github.com/cloudquery/cloudquery/plugins/destination/postgresql/v8/client/spec"
-	"github.com/cloudquery/cloudquery/plugins/destination/postgresql/v8/resources/plugin"
-	pluginSDK "github.com/cloudquery/plugin-sdk/v4/plugin"
+	internalPlugin "github.com/cloudquery/cloudquery/plugins/destination/postgresql/v8/resources/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/plugin"
 	"github.com/cloudquery/plugin-sdk/v4/serve"
 )
 
 func main() {
-	p := pluginSDK.NewPlugin(plugin.Name, plugin.Version, client.New,
-		pluginSDK.WithKind(plugin.Kind),
-		pluginSDK.WithTeam(plugin.Team),
-		pluginSDK.WithJSONSchema(spec.JSONSchema),
-		pluginSDK.WithConnectionTester(client.ConnectionTester),
+	p := plugin.NewPlugin(internalPlugin.Name, internalPlugin.Version, client.New,
+		plugin.WithKind(internalPlugin.Kind),
+		plugin.WithTeam(internalPlugin.Team),
+		plugin.WithJSONSchema(spec.JSONSchema),
+		plugin.WithConnectionTester(client.ConnectionTester),
 	)
 
 	if err := serve.Plugin(p, serve.WithDestinationV0V1Server()).Serve(context.Background()); err != nil {
diff --git a/plugins/destination/postgresql/main_fips.go b/plugins/destination/postgresql/main_fips.go
@@ -0,0 +1,43 @@
+//go:build fipsEnabled
+
+//go:debug fips140=on
+
+package main
+
+import (
+	"context"
+	"crypto/fips140"
+	"log"
+
+	"github.com/cloudquery/cloudquery/plugins/destination/postgresql/v8/client"
+	"github.com/cloudquery/cloudquery/plugins/destination/postgresql/v8/client/spec"
+	internalPlugin "github.com/cloudquery/cloudquery/plugins/destination/postgresql/v8/resources/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/serve"
+)
+
+func main() {
+	log.Printf("FIPS enabled: %t", fips140.Enabled())
+
+	p := plugin.NewPlugin(internalPlugin.Name, internalPlugin.Version, client.New,
+		plugin.WithBuildTargets(buildTargets()),
+		plugin.WithKind(internalPlugin.Kind),
+		plugin.WithTeam(internalPlugin.Team),
+		plugin.WithJSONSchema(spec.JSONSchema),
+		plugin.WithConnectionTester(client.ConnectionTester),
+	)
+	if err := serve.Plugin(p, serve.WithDestinationV0V1Server()).Serve(context.Background()); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func buildTargets() []plugin.BuildTarget {
+	// default build targets for FIPS builds
+	// fipsEnabled is used to enable FIPS mode
+	targets := make([]plugin.BuildTarget, len(plugin.DefaultBuildTargets))
+	for i := range plugin.DefaultBuildTargets {
+		targets[i] = plugin.DefaultBuildTargets[i]
+		targets[i].Tags = append(targets[i].Tags, "fipsEnabled")
+	}
+	return targets
+}
diff --git a/scripts/workflows/wait_for_required_workflows.js b/scripts/workflows/wait_for_required_workflows.js
@@ -62,7 +62,12 @@ module.exports = async ({github, context}) => {
         }
     }
 
-    const pluginsWithFipsVersion = ["plugins/source/test"]
+    const pluginsWithFipsVersion = [
+        "plugins/source/test",
+        "plugins/destination/bigquery",
+        "plugins/destination/kafka",
+        "plugins/destination/postgresql"
+    ]
     for (const action of actions) {
         if (pluginsWithFipsVersion.includes(action)) {
             console.log(`Adding validate-fips to the list of required workflows for plugin ${action}`)

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+//go:build !fipsEnabled`
	`2`	`+`
`1`	`3`	`package main`
`2`	`4`
`3`	`5`	`import (`