
feat: add FIPS compatibility reusable workflow#4

Merged
williaby merged 2 commits into
mainfrom
feat/fips-compatibility-reusable-workflow
Dec 10, 2025

Conversation

@williaby
Collaborator

@williaby williaby commented Dec 7, 2025

Summary

Add org-level reusable workflow for FIPS 140-2/140-3 compliance checking in Python projects, converted from the homelab-infra repository workflow.

Changes

New Features

  • Reusable FIPS Workflow: Centralized workflow for FIPS compliance checking across all Python repositories
  • Configurable Inputs: 7 customizable parameters (strict mode, test inclusion, Python version, etc.)
  • PR Integration: Automatic comments with compliance summaries and fix hints
  • Runtime Testing: Optional simulated FIPS environment testing
  • Comprehensive Documentation: Complete usage guide with examples and troubleshooting

Files Added

  • .github/workflows/python-fips-compatibility.yml - Reusable workflow definition
  • workflow-templates/python-fips-compatibility.yml - Template for downstream repos
  • workflow-templates/python-fips-compatibility.properties.json - GitHub template metadata
  • docs/workflows/python-fips-compatibility.md - Complete documentation

Bug Fixes

  • python-reuse.yml: Updated fsfe/reuse-action from v4.0.0 (invalid commit hash) to v6.0.0 (latest stable)

Usage Example

Downstream repositories can now use:

```yaml
name: FIPS Compatibility

on:
  pull_request:
  schedule:
    - cron: '0 10 * * 1'

jobs:
  fips-check:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml@main
    with:
      strict-mode: false
      include-tests: true
    permissions:
      contents: read
      pull-requests: write
```

Benefits

  • ✅ Centralized FIPS compliance checking across org
  • ✅ Reduces workflow duplication in individual repositories
  • ✅ Easy to maintain and update in one location
  • ✅ Consistent FIPS validation standards
  • ✅ Comprehensive documentation for adoption

Test Plan

  • Workflow syntax validated
  • Documentation includes usage examples
  • Template metadata configured for GitHub UI
  • Test in downstream repository (post-merge)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added a reusable FIPS 140-2/140-3 compliance workflow for Python with PR comments, artifact reports, summarized status, and an optional runtime simulation test.
  • Documentation

    • Added a comprehensive guide describing workflow usage, inputs, outputs, troubleshooting, and remediation tips.
  • Chores

    • Added workflow template metadata for easier repo setup.
    • Updated REUSE compliance checker to v6.0.0.


Add org-level reusable workflow for FIPS 140-2/140-3 compliance checking
in Python projects.

Features:
- Configurable inputs (strict mode, test inclusion, Python version)
- Static analysis for non-FIPS cryptographic usage
- Dependency scanning for FIPS compatibility issues
- PR comment integration with summary tables
- Optional runtime FIPS testing
- Comprehensive documentation and examples

Also fixes python-reuse.yml to use latest fsfe/reuse-action v6.0.0
(updated from v4.0.0 with invalid commit hash).

Files added:
- .github/workflows/python-fips-compatibility.yml (reusable workflow)
- workflow-templates/python-fips-compatibility.yml (usage template)
- workflow-templates/python-fips-compatibility.properties.json (metadata)
- docs/workflows/python-fips-compatibility.md (documentation)

Files modified:
- .github/workflows/python-reuse.yml (update to v6.0.0)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Dec 7, 2025

Walkthrough

Adds a reusable GitHub Actions workflow for Python FIPS 140-2/140-3 compatibility checking, documentation and template files, and updates a REUSE action version in an existing workflow.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| FIPS Compatibility Workflow (Reusable)<br>`.github/workflows/python-fips-compatibility.yml` | New reusable workflow that validates Python cryptographic usage against FIPS standards. Introduces fips-check job (runner hardening, checkout, UV & Python setup, script verification, FIPS analysis, text/JSON report generation, artifact upload, PR comment creation/update) and optional fips-runtime-test job for simulated runtime checks. |
| Workflow Documentation<br>`docs/workflows/python-fips-compatibility.md` | New documentation detailing overview, inputs, usage examples, outputs (text/JSON reports, PR comments), runtime test behavior, troubleshooting, and example checker script interface. |
| Workflow Template Metadata<br>`workflow-templates/python-fips-compatibility.properties.json` | New metadata defining name, description, icon, categories, and file patterns for Python projects relevant to the workflow. |
| Workflow Template<br>`workflow-templates/python-fips-compatibility.yml` | New template workflow that invokes the reusable FIPS workflow with parameters (strict-mode, include-tests, fix-hints, artifact-retention-days, python-version, script-path, enable-runtime-test) and triggers (push/PR to main/master, weekly schedule, manual). |
| Dependency Update<br>`.github/workflows/python-reuse.yml` | Updated REUSE compliance action from fsfe/reuse-action@3ae3c6b... (v4.0.0) to fsfe/reuse-action@6ac5c823... (v6.0.0). |

Sequence Diagram

```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant Runner as Hardened Runner
    participant Checkout as Code Checkout
    participant Tools as Tool Setup (UV, Python)
    participant FIPS as FIPS Check Script
    participant Reports as Report Generation
    participant Artifacts as Artifact Upload
    participant PR as PR Commenter

    GH->>Runner: start job
    Runner->>Checkout: checkout repository
    Checkout-->>Runner: repo ready
    Runner->>Tools: install UV, setup Python
    Tools-->>Runner: tools ready
    Runner->>FIPS: verify script exists
    alt script present
        Runner->>FIPS: run FIPS check with inputs
        FIPS->>Reports: produce text + JSON reports
        Reports->>Artifacts: upload reports/artifacts
        Runner->>PR: create/update PR comment with summary
    else script missing
        FIPS-->>Runner: error -> fail job
    end
    alt enable-runtime-test == true
        Runner->>FIPS: run runtime import simulation (hashlib tests)
        FIPS-->>Runner: runtime test summary appended
    end
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Pay attention to PR comment creation/update logic and formatting conditions.
  • Verify conditional job execution and dependency (enable-runtime-test -> fips-runtime-test).
  • Check script existence check, exit-code handling, and propagation of non-zero results.
  • Validate JSON report schema, escaping, and artifact retention configuration.

Poem

🐰 I hopped through code with careful paws,

Seeking hashes, flags, and clause by clause.
Reports in paw, comments left on PR,
Secure the branches near and far.
🥕🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat: add FIPS compatibility reusable workflow' clearly and concisely summarizes the main change: adding a reusable GitHub Actions workflow for FIPS compliance checking. |
| Description check | ✅ Passed | The PR description provides a clear summary, lists all files added, documents new features, includes a usage example, and explains benefits. However, it lacks explicit coverage of some template sections like 'Related Issue' linking and doesn't comprehensively check all required checklist items. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d17e72 and 322ebb1.

📒 Files selected for processing (2)
  • docs/workflows/python-fips-compatibility.md (1 hunks)
  • workflow-templates/python-fips-compatibility.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • workflow-templates/python-fips-compatibility.yml
🧰 Additional context used
📓 Path-based instructions (1)
**/*

📄 CodeRabbit inference engine (.github/instructions/sonarqube_mcp.instructions.md)

After generating or modifying any code files, call the analyze_file_list tool to analyze the files you created or modified

Files:

  • docs/workflows/python-fips-compatibility.md
🪛 LanguageTool
docs/workflows/python-fips-compatibility.md

[uncategorized] ~25-~25: The official name of this software platform is spelled with a capital “H”.
Context: ...# Basic Usage Add to your repository's .github/workflows/fips-compatibility.yml: ```...

(GITHUB)


[uncategorized] ~385-~385: The official name of this software platform is spelled with a capital “H”.
Context: ... 1. Submit issues to [ByronWilliamsCPA/.github](https://github.com/ByronWilliamsCPA/.g...

(GITHUB)

🪛 markdownlint-cli2 (0.18.1)
docs/workflows/python-fips-compatibility.md

192-192: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


197-197: Fenced code blocks should have a language specified

(MD040, fenced-code-language)



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/python-fips-compatibility.yml (1)

119-170: Verify JSON parsing robustness when report generation fails.

The workflow attempts JSON report generation with || true (line 153) to suppress errors, but then parses the (potentially non-existent) file on line 159. If jq fails silently or the file is malformed, the summary extraction defaults to "0" values (lines 165-169). Confirm that this graceful degradation doesn't mask actual failures that should be reported.

The current implementation is defensive, but consider whether silently defaulting to zero counts might hide scenarios where JSON generation partially failed. Would you like me to suggest enhanced error handling that logs warnings when JSON parsing is skipped?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 000bb33 and 3d17e72.

📒 Files selected for processing (5)
  • .github/workflows/python-fips-compatibility.yml (1 hunks)
  • .github/workflows/python-reuse.yml (1 hunks)
  • docs/workflows/python-fips-compatibility.md (1 hunks)
  • workflow-templates/python-fips-compatibility.properties.json (1 hunks)
  • workflow-templates/python-fips-compatibility.yml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*

📄 CodeRabbit inference engine (.github/instructions/sonarqube_mcp.instructions.md)

After generating or modifying any code files, call the analyze_file_list tool to analyze the files you created or modified

Files:

  • workflow-templates/python-fips-compatibility.properties.json
  • workflow-templates/python-fips-compatibility.yml
  • docs/workflows/python-fips-compatibility.md
🔇 Additional comments (8)
workflow-templates/python-fips-compatibility.properties.json (1)

1-15: Metadata structure is well-formed.

The template metadata is correctly structured for GitHub's workflow template discovery system. File patterns appropriately trigger on Python, configuration, and dependency files.

workflow-templates/python-fips-compatibility.yml (1)

16-66: Template configuration is sound and well-structured.

The trigger conditions, input handling, and workflow job definition are correctly configured. Input mapping properly converts between naming conventions (underscores to hyphens), and conditional logic for enable-runtime-test appropriately defaults to true for scheduled runs.

docs/workflows/python-fips-compatibility.md (1)

1-390: Documentation is comprehensive and well-organized.

The guide effectively covers workflow purpose, features, usage patterns, inputs, outputs, common issues with fixes, and integration guidance. The example FIPS checker script and troubleshooting section add significant value for downstream users.

.github/workflows/python-fips-compatibility.yml (4)

86-180: FIPS check job logic is sound with appropriate error handling.

The workflow correctly verifies script existence before execution, gracefully degrades when the script is missing, and includes defensive fallbacks for JSON parsing (lines 165-169). Artifact uploads are conditional and properly configured with retention days.


182-268: PR commenting logic is well-implemented.

The script effectively finds and updates existing bot comments to prevent spam, constructs clear status summaries with metrics, and provides actionable FIPS information in collapsed details. The status determination logic (PASSED/NEEDS REVIEW/FAILED based on errors/warnings) is appropriate.


269-318: Step summary provides clear status reporting.

The summary correctly reflects the FIPS check outcome with conditional status messages based on errors/warnings counts, includes a metrics table, and provides helpful FIPS resources. The defensive check for missing script (line 275) prevents misleading summary output.


326-394: Runtime test job is appropriately scoped and documented.

The optional FIPS runtime test simulates basic cryptographic operations (MD5 with usedforsecurity, SHA-256) and correctly disclaims that it is not a true FIPS mode test (line 394 note). Condition on enable-runtime-test input and dependency on fips-check job are properly configured.

.github/workflows/python-reuse.yml (1)

78-78: Commit hash for v6.0.0 is valid; however, document the breaking changes for downstream users.

The commit hash 6ac5c823270d369f01e3c491c708f706f2bdc355 correctly corresponds to fsfe/reuse-action v6.0.0. The upgrade from v4.0.0 to v6.0.0 introduces significant behavioral changes: reuse-tool v6 now reads entire files, detects file encodings, and surfaces invalid SPDX expressions. This may expose previously hidden metadata and require downstream repositories using this workflow to add REUSE-IgnoreStart/REUSE-IgnoreEnd tags to avoid new false positives. Consider adding a comment in the workflow documenting these breaking changes for users.
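The checks this review walks through (static analysis of hashlib usage, a non-FIPS dependency pin, error/warning counts in a JSON report, and a PASSED / NEEDS REVIEW / FAILED summary that does not collapse a missing or malformed report into zero counts) as an added Python example. This is not the workflow's own checker script; the hash list, the package mapping, and the sample source and requirements are constructed here.

```python
"""Minimal FIPS compatibility checker (added example, not the workflow's own script)."""
import ast
import json

# Digest algorithms that are not FIPS-approved for security use (constructed list).
NON_FIPS_HASHES = {"md5", "sha1"}
# Dependency pins the page flags: bcrypt relies on Blowfish (constructed mapping).
NON_FIPS_PACKAGES = {"bcrypt": "uses Blowfish (not FIPS-approved)"}

# Constructed sample inputs; the source is only parsed, never executed.
SAMPLE_SOURCE = """import hashlib
digest = hashlib.md5(data).hexdigest()            # flagged: security use of MD5
etag = hashlib.md5(data, usedforsecurity=False)   # allowed: explicitly non-security
h = hashlib.sha256(data)                          # FIPS-approved
"""
SAMPLE_REQUIREMENTS = "bcrypt==4.1.2  # password hashing\ncryptography==42.0.0\n"


def _marked_non_security(call):
    """True when the call passes usedforsecurity=False as a literal keyword."""
    return any(kw.arg == "usedforsecurity" and isinstance(kw.value, ast.Constant)
               and kw.value.value is False for kw in call.keywords)

def scan_source(src, filename="app.py"):
    """Flag hashlib.md5()/sha1() calls that are not marked usedforsecurity=False."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        func = getattr(node, "func", None)
        if (isinstance(node, ast.Call) and isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name) and func.value.id == "hashlib"
                and func.attr in NON_FIPS_HASHES and not _marked_non_security(node)):
            findings.append({"severity": "error", "file": filename, "line": node.lineno,
                             "message": f"hashlib.{func.attr}() without usedforsecurity=False"})
    return findings

def scan_requirements(text, filename="requirements.txt"):
    """Flag pinned packages from NON_FIPS_PACKAGES; comments and blank lines are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        spec = raw.split("#", 1)[0].strip()
        name = spec.split("==")[0].split(">=")[0].strip().lower()
        if name in NON_FIPS_PACKAGES:
            findings.append({"severity": "warning", "file": filename, "line": lineno,
                             "message": f"{name}: {NON_FIPS_PACKAGES[name]}"})
    return findings

def build_report(findings):
    """JSON-serialisable report carrying the error/warning counts the PR comment consumes."""
    errors = sum(f["severity"] == "error" for f in findings)
    warnings = sum(f["severity"] == "warning" for f in findings)
    return {"summary": {"errors": errors, "warnings": warnings}, "findings": findings}

def summarize(report_json):
    """Derive PASSED / NEEDS REVIEW / FAILED; a missing or malformed report gets its own status."""
    if report_json is None:
        return {"status": "MISSING REPORT", "errors": 0, "warnings": 0}
    try:
        summary = json.loads(report_json)["summary"]
        errors, warnings = int(summary["errors"]), int(summary["warnings"])
    except (ValueError, KeyError, TypeError):
        return {"status": "MALFORMED REPORT", "errors": 0, "warnings": 0}
    status = "FAILED" if errors else ("NEEDS REVIEW" if warnings else "PASSED")
    return {"status": status, "errors": errors, "warnings": warnings}
```

Run `json.dumps(build_report(scan_source(SAMPLE_SOURCE) + scan_requirements(SAMPLE_REQUIREMENTS)), indent=2)` to produce the report, then pass that string to `summarize`; passing `None` or a truncated file models the case the review raises, where the workflow's jq fallback would instead report zero counts.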

Comment on lines +192 to +200
```
bcrypt==4.1.2 # ❌ Uses Blowfish (not FIPS-approved)
```

**Fix:**
```
argon2-cffi==23.1.0 # ✅ Argon2 can work in FIPS mode
# Or use passlib with bcrypt_sha256 for FIPS compliance
```

⚠️ Potential issue | 🟡 Minor

Add language specifications to code blocks.

Per markdown linting standards, fenced code blocks should specify a language. The "Problem:" and "Fix:" examples showing bcrypt==4.1.2 and argon2-cffi==23.1.0 should be marked as text or configuration format (e.g., ```text).

Apply this diff to add language specifications:

 **Problem:**
-```
+```text
 bcrypt==4.1.2  # ❌ Uses Blowfish (not FIPS-approved)

Fix:
- +text
argon2-cffi==23.1.0 # ✅ Argon2 can work in FIPS mode

Or use passlib with bcrypt_sha256 for FIPS compliance
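Review bot: the second half of this suggestion cannot be applied as rendered: after "Fix:" the removed/added fence pair has collapsed into the single line "- +text", and the "Or use passlib with bcrypt_sha256 for FIPS compliance" line has lost its leading "#", so taking the hunk literally would turn that comment into an unparseable requirements entry. Re-post the second block in the same shape as the first (a removed bare fence line, an added fence line tagged text, and the "# Or use passlib ..." comment left intact).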

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

192-192: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


197-197: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
docs/workflows/python-fips-compatibility.md around lines 192 to 200: the fenced
code blocks showing the "Problem" and "Fix" examples lack language annotations;
update the opening fences to "```text" for both blocks (the bcrypt example and
the argon2/passlib example) so they conform to markdown linting standards and
render as plain text, keeping the existing content and closing fences unchanged.

Fix incorrect workflow path references and simplify boolean expressions:
- Remove duplicate `.github/` in workflow uses paths
- Correct workflow filename reference in trigger paths
- Simplify boolean expressions (remove unnecessary == 'true' checks)

Changes:
- docs/workflows/python-fips-compatibility.md: Fix workflow path
- workflow-templates/python-fips-compatibility.yml: Fix paths and booleans

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
@williaby williaby merged commit 21c068c into main Dec 10, 2025
5 checks passed
@williaby williaby deleted the feat/fips-compatibility-reusable-workflow branch December 10, 2025 03:07
williaby added a commit that referenced this pull request Dec 16, 2025
## Changes

### python-sonarcloud.yml
- Change default `extra-dependencies` from 'dev' to 'all'
- Add support for 'all' keyword to use `--all-extras` flag
- Fixes ModuleNotFoundError for optional dependencies like FastAPI

### python-performance-regression.yml
- Fix NameError: move `regression_threshold` variable definition outside
  conditional block so it's always defined before use
- Add auto-detection of benchmark script capabilities (--output,
  --warmup, --iterations flags)
- Support minimal benchmark scripts that output JSON to stdout
- Document expected benchmark script interface in workflow header

### python-compatibility.yml
- Add `system-deps-ubuntu`, `system-deps-macos`, `system-deps-windows`
  inputs for installing system dependencies before tests
- Enables cross-platform testing for packages that require system
  libraries (e.g., python-magic requires libmagic)
- Document usage example in workflow header

Resolves issues from rag-processor PR #4 CI failures.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
williaby added a commit that referenced this pull request Dec 16, 2025
…11)
@williaby williaby mentioned this pull request May 16, 2026
3 tasks
@coderabbitai coderabbitai Bot mentioned this pull request May 22, 2026
3 tasks