Merge pull request #16 from Asana/add-build-node-packages-workflow #28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Node with options around OpenSSL dynamic linking and FIPS | ||
|
Check failure on line 1 in .github/workflows/build-node-openssl-fips.yml
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| enableFips: | ||
| description: 'Whether OpenSSL should be FIPS-enabled' | ||
| default: true | ||
| type: boolean | ||
| dynamicLink: | ||
| description: 'If OpenSSL should be dynamically linked with node (rather than statically linked)' | ||
| default: false | ||
| type: boolean | ||
| sharedOpenSSLIncludes: | ||
| description: 'dir containing header files for OpenSSL' | ||
| default: '' | ||
| type: string | ||
| sharedOpenSSLLibname: | ||
| description: 'libname for dynamically linking to OpenSSL' | ||
| default: '' | ||
| type: string | ||
| sharedOpenSSLLibpath: | ||
| description: 'dir for searching for shared OpenSSL dlls' | ||
| default: '' | ||
| type: string | ||
| BUILD_REF: | ||
| description: 'ref to build' | ||
| required: true | ||
| default: 'main' | ||
| type: string | ||
| jobs: | ||
| build-node: | ||
| name: Build ${{ matrix.platform }}-${{ matrix.arch }} with statically-linked FIPS OpenSSL | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - platform: linux | ||
| arch: x64 | ||
| runs_on: ubuntu-22.04 | ||
| - platform: linux | ||
| arch: arm64 | ||
| runs_on: ubuntu-22.04-arm | ||
| runs-on: ${{ matrix.runs_on }} | ||
| env: | ||
| S3_BUCKET: your-bucket-name | ||
| AWS_REGION: us-east-1 | ||
| steps: | ||
| - name: Checkout Node fork | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| repository: Asana/node | ||
| path: node | ||
| ref: ${{ BUILD_REF }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Extract Node Version | ||
| id: extract-node-version | ||
| run: | | ||
| NODE_MAJOR_VERSION=$(grep '#define NODE_MAJOR_VERSION' node/src/node_version.h | awk '{print $3}') | ||
| NODE_MINOR_VERSION=$(grep '#define NODE_MINOR_VERSION' node/src/node_version.h | awk '{print $3}') | ||
| NODE_PATCH_VERSION=$(grep '#define NODE_PATCH_VERSION' node/src/node_version.h | awk '{print $3}') | ||
| NODE_VERSION="v${NODE_MAJOR_VERSION}.${NODE_MINOR_VERSION}.${NODE_PATCH_VERSION}" | ||
| echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_ENV | ||
| - name: Set build metadata | ||
| id: meta | ||
| working-directory: node | ||
| run: | | ||
| TIMESTAMP=$(date -u +%Y-%m-%dT%H-%M) | ||
| SHORT_SHA=$(git rev-parse --short HEAD) | ||
| echo "BUILD_ID=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_ENV | ||
| echo "build_id=${TIMESTAMP}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| - name: Install dependencies (Linux) | ||
| if: matrix.platform == 'linux' | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y python3 g++ make curl tar xz-utils | ||
| - name: Configure OpenSSL for fips | ||
| id: openssl-is-fips | ||
| if: inputs.enableFips | ||
| run: | | ||
| ./configure --openssl-is-fips | ||
| - name: Dynamically link OpenSSL in Node.js | ||
| id: openssl-dynamic-link | ||
| if: inputs.dynamicLink | ||
| run: | | ||
| ./configure --shared-openssl | ||
| - name: Define headers for OpenSSL | ||
| id: openssl-dynamic-link-headers | ||
| if: ${{ !empty(inputs.sharedOpenSSLIncludes) }} | ||
| run: | | ||
| ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLIncludes}} | ||
| - name: alternative libname for openssl | ||
| id: openssl-dynamic-link-libname | ||
| if: ${{ !empty(inputs.sharedOpenSSLLibname) }} | ||
| run: | | ||
| ./configure --shared-openssl-libname ${{inputs.sharedOpenSSLLibname}} | ||
| - name: Define headers for OpenSSL | ||
| id: openssl-dynamic-link-libpath | ||
| if: ${{ !empty(inputs.sharedOpenSSLLibpath) }} | ||
| run: | | ||
| ./configure --shared-openssl-includes ${{inputs.sharedOpenSSLLibpath}} | ||
| - name: Build Node (linux) | ||
| working-directory: node | ||
| if: matrix.platform == 'linux' | ||
| run: | | ||
| ./configure --experimental-enable-pointer-compression | ||
| make -j4 install DESTDIR=$GITHUB_WORKSPACE/node-install | ||
| - name: Build Node (darwin) | ||
| working-directory: node | ||
| if: matrix.platform == 'darwin' | ||
| run: | | ||
| ./configure --experimental-enable-pointer-compression --without-snapshot | ||
| make -j2 install DESTDIR=$GITHUB_WORKSPACE/node-install | ||
| - name: Archive Node | ||
| run: | | ||
| mkdir -p artifacts | ||
| FILENAME=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }}.tar.xz | ||
| FILENAME_LATEST=node-${NODE_VERSION}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST.tar.xz | ||
| tar -C node-install -cJf artifacts/$FILENAME . | ||
| cp artifacts/$FILENAME artifacts/$FILENAME_LATEST | ||
| echo "NODE_ARCHIVE=$FILENAME" >> $GITHUB_ENV | ||
| echo "NODE_ARCHIVE_LATEST=$FILENAME_LATEST" >> $GITHUB_ENV | ||
| - name: Upload Node archive | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.meta.outputs.build_id }} | ||
| path: artifacts/${{ env.NODE_ARCHIVE }} | ||
| - name: Upload Node archive latest | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: node-${{ env.NODE_VERSION }}-fips-${{ matrix.platform }}-${{ matrix.arch }}-LATEST | ||
| path: artifacts/${{ env.NODE_ARCHIVE_LATEST }} | ||
| - name: Upload Node archive to release | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| name: node-${{ env.NODE_VERSION }}-fips-static-LATEST | ||
| tag_name: node-${{ env.NODE_VERSION }}-fips-static-release | ||
| files: ./artifacts/${{ env.NODE_ARCHIVE_LATEST }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
