enable fips140 builds

[motatoes]

Summary by CodeRabbit

• New Features

  • Introduced automated workflows to build and publish FIPS-compliant Docker images and CLI binaries for the enterprise edition on release events.
  • The CLI and backend now log whether FIPS 140 mode is enabled at runtime.
  • Added support in the release action to conditionally build and download FIPS-compliant enterprise CLI binaries.
  • Added documentation detailing how to enable and use FIPS 140 compliant binaries and workflows.

• Chores

  • Updated Docker image build process to support FIPS mode via new build arguments and environment variables.
  • Minor formatting and structural improvements to workflow and code files.

[coderabbitai]

Walkthrough

This update introduces two new GitHub Actions workflows for building and releasing FIPS-compliant Docker images and CLI binaries for the enterprise edition. The Dockerfile and CLI code are updated to support FIPS mode via build arguments and runtime logging. Minor formatting changes and blank lines are also added to existing files. The action.yml is enhanced to conditionally support FIPS builds and downloads. New documentation on FIPS 140 usage is added.

Changes

File(s)	Change Summary
.github/workflows/ee_backend_docker_release.yml, cli/cmd/digger/default.go	Added trailing blank lines to the workflow file and a blank line at the start of the initLogger() function. No functional changes.
.github/workflows/ee_backend_docker_release_fips.yml	Added a new workflow to automate building and publishing a FIPS-compliant EE backend Docker image on release events. Sets FIPS-related build arguments and tags/releases the image.
.github/workflows/ee_cli_release_fips.yml	Added a new workflow to automate building and releasing a FIPS-compliant Linux AMD64 CLI binary for the enterprise edition on release events from the go branch. Sets FIPS-related environment variables for the build.
Dockerfile_backend_ee	Introduced build arguments GODEBUG_VALUE and GOFIPS140_VALUE (default "off") to set FIPS-related environment variables in the container. Explicitly added ARG COMMIT_SHA in the runner stage. Reordered environment variable declarations. No other build logic changes.
ee/cli/cmd/digger/default.go	Imported crypto/fips140 and added a log statement in the defaultCmd's Run function to indicate whether FIPS 140 mode is enabled. No other logic changes.
ee/backend/main.go	Imported crypto/fips140 and added a log statement in the main function to indicate whether FIPS 140 mode is enabled. No other logic changes.
action.yml	Added a new input parameter fips to enable building or using FIPS 140 compliant versions. Conditional logic added to export FIPS environment variables when fips and ee are true, and to modify the CLI binary download URL accordingly.
docs/ee/fips-140.mdx	Added new documentation explaining FIPS 140 compliance for the digger backend and CLI, instructions for enabling FIPS in GitHub workflows, and usage notes for other version control systems.

Sequence Diagram(s)

Loading

sequenceDiagram
    participant GitHub Release Event
    participant GitHub Actions Workflow (FIPS)
    participant Docker Build
    participant Container Registry

    GitHub Release Event->>GitHub Actions Workflow (FIPS): Trigger on release (tag starts with 'v')
    GitHub Actions Workflow (FIPS)->>Docker Build: Build Docker image with FIPS args
    Docker Build->>Container Registry: Push image with FIPS tags

Loading

sequenceDiagram
    participant GitHub Release Event (go branch)
    participant GitHub Actions Workflow (CLI FIPS)
    participant Go Build
    participant GitHub Releases

    GitHub Release Event (go branch)->>GitHub Actions Workflow (CLI FIPS): Trigger on publish
    GitHub Actions Workflow (CLI FIPS)->>Go Build: Build CLI with FIPS env vars
    Go Build->>GitHub Releases: Publish FIPS-compliant CLI binary

Poem

🐇
In the land of FIPS and code so neat,
New workflows hop with nimble feet.
Docker and CLI now secure and strong,
With logs that tell where FIPS belongs.
Blank lines and logs, a gentle tune—
This rabbit’s work will launch soon!

✨ Finishing Touches

🧪 Generate Unit Tests

• Create PR with Unit Tests
• Commit Unit Tests in branch fips140
• Post Copyable Unit Tests in Comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[greptile-apps]

PR Summary

Added FIPS 140 compliance support across Digger's backend and CLI components, enabling secure cryptographic operations in regulated environments.

• Added FIPS build configuration in Dockerfile_backend_ee with GODEBUG_VALUE and GOFIPS140_VALUE build args
• Added new workflow .github/workflows/ee_backend_docker_release_fips.yml for FIPS-compliant Docker image builds
• Added FIPS status logging in ee/cli/cmd/digger/default.go using crypto/fips140.Enabled()
• Added .github/workflows/ee_cli_release_fips.yml for FIPS-compliant CLI builds (note: Go 1.24.0 version needs correction)
• Potential issue: CGO_ENABLED=0 in CLI workflow may conflict with FIPS requirements

_{6 file(s) reviewed, 2 comment(s)
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

logic: matrix.ldflags is referenced but no matrix is defined in the workflow

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

.github/workflows/ee_backend_docker_release.yml (1)

48-49: Remove trailing spaces in YAML file.

The static analysis tools flagged trailing spaces on line 49, which violates YAML best practices.

-            
+

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 49-49: trailing spaces

(trailing-spaces)

.github/workflows/ee_backend_docker_release_fips.yml (2)

48-51: Remove trailing whitespace
YAMLLint flagged trailing spaces on the last two lines of build-args. Trim these to clean up the YAML.

Suggested diff:

-          build-args: |
-            GODEBUG_VALUE=fips140=only  
-            GOFIPS140_VALUE=v1.0.0            
+          build-args: |
+            GODEBUG_VALUE=fips140=only
+            GOFIPS140_VALUE=v1.0.0

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 50-50: trailing spaces

(trailing-spaces)

---

[error] 51-51: trailing spaces

(trailing-spaces)

---

40-48: Enhance Docker build performance with caching
Consider enabling layer caching to speed up future builds. You can leverage the actions/cache step and the cache-from/cache-to fields in the Docker action.

Example snippet:

      - uses: actions/cache@v3
        with:
          path: /tmp/.build-cache
          key: ${{ runner.os }}-docker-cache-${{ github.sha }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v5.3.0
        with:
          context: .
          file: Dockerfile_backend_ee
          push: true
          cache-from: type=local,src=/tmp/.build-cache
          cache-to: type=local,dest=/tmp/.build-cache
          tags: ...
          labels: ...
          build-args: |
            GODEBUG_VALUE=fips140=only
            GOFIPS140_VALUE=v1.0.0

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 20cefd9 and bd5d11a.

📒 Files selected for processing (6)

• .github/workflows/ee_backend_docker_release.yml (1 hunks)
• .github/workflows/ee_backend_docker_release_fips.yml (1 hunks)
• .github/workflows/ee_cli_release_fips.yml (1 hunks)
• Dockerfile_backend_ee (1 hunks)
• cli/cmd/digger/default.go (1 hunks)
• ee/cli/cmd/digger/default.go (2 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

.github/workflows/ee_backend_docker_release.yml

[error] 49-49: trailing spaces

(trailing-spaces)

.github/workflows/ee_backend_docker_release_fips.yml

[error] 50-50: trailing spaces

(trailing-spaces)

---

[error] 51-51: trailing spaces

(trailing-spaces)

🪛 actionlint (1.7.7)

.github/workflows/ee_cli_release_fips.yml

6-6: "branches" filter is not available for release event. it is only for merge_group, push, pull_request, pull_request_target, workflow_run events

(events)

---

36-36: property "ldflags" is not defined in object type {}

(expression)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build

🔇 Additional comments (5)

cli/cmd/digger/default.go (1)

21-22: LGTM! Minor formatting improvement.

The added blank line improves code readability by separating the function signature from its implementation.

Dockerfile_backend_ee (1)

24-31: Well-structured FIPS 140 support implementation.

The added build arguments and environment variables provide a clean way to enable FIPS 140 compliance at build time. Using default values of "off" maintains backward compatibility while allowing explicit activation when needed for FIPS-compliant builds.

ee/cli/cmd/digger/default.go (2)

4-4: LGTM! Appropriate import for FIPS 140 functionality.

The addition of the crypto/fips140 package import is necessary for checking FIPS mode status.

---

29-29: Good addition of FIPS 140 status logging.

This log statement provides valuable runtime visibility into whether FIPS 140 mode is enabled, which is essential for validating that FIPS-compliant builds are working correctly.

.github/workflows/ee_cli_release_fips.yml (1)

36-36: Static analysis false positive: custom action input
actionlint flagged ldflags as undefined, but this is a valid input for wangyoucao577/go-release-action. You can safely ignore this warning.

🧰 Tools

🪛 actionlint (1.7.7)

36-36: property "ldflags" is not defined in object type {}

(expression)

[coderabbitai]

⚠️ Potential issue

Fix invalid branches filter on release event
GitHub Actions’ release event does not support a branches filter. This filter will be ignored, potentially causing unintended triggers. Remove the branches key and, if you need to scope to the go branch, use a job-level if condition on github.event.release.target_commitish.

Suggested diff:

-on:
-  release:
-    branches:
-      - 'go'
-    types:
-      - 'released'
+on:
+  release:
+    types:
+      - 'released'

And at the job level:

jobs:
  binary:
    if: github.event.release.target_commitish == 'go'
    runs-on: ubuntu-latest
    ...

🧰 Tools

🪛 actionlint (1.7.7)

6-6: "branches" filter is not available for release event. it is only for merge_group, push, pull_request, pull_request_target, workflow_run events

(events)

🤖 Prompt for AI Agents

In .github/workflows/ee_cli_release_fips.yml around lines 4 to 10, the release
event incorrectly uses a branches filter, which is unsupported and ignored by
GitHub Actions. Remove the branches key under the release event entirely. To
restrict the workflow to the 'go' branch, add an if condition at the job level
checking if github.event.release.target_commitish equals 'go'.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

action.yml (2)

11-14: Add input type for fips for stronger validation
To avoid misconfiguration and automatically coerce values, consider declaring the fips input as a boolean.

   fips:
     description: build with fips140 standard?
     required: false
     default: 'false'
+    type: boolean

---

478-482: Reduce duplication in the FIPS vs standard download block
You can consolidate the two curl calls by prepending the -fips suffix via a variable. This makes the logic easier to read and maintain:

-        if [[ ${{ inputs.fips }} == "true" ]]; then
-          curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips -o digger
-        else
-          curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }} -o digger
-        fi
+        suffix=${{ inputs.fips == 'true' && '-fips' || '' }}
+        curl -sL https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}${suffix} -o digger

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6326962 and 8d1f832.

📒 Files selected for processing (1)

• action.yml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build

[coderabbitai]

⚠️ Potential issue

Critical: FIPS env vars not persisted across steps
Using export inside this step only affects the local shell. Subsequent steps (e.g., the Go build) won’t see GODEBUG or GOFIPS140. You need to write to $GITHUB_ENV so the variables persist for later steps.

-         if [[ ${{ inputs.fips }} == "true" ]]; then
-           export GODEBUG=fips140=only
-           export GOFIPS140=v1.0.0
-         fi
+         if [[ ${{ inputs.fips }} == "true" ]]; then
+           echo "GODEBUG=fips140=only" >> "$GITHUB_ENV"
+           echo "GOFIPS140=v1.0.0" >> "$GITHUB_ENV"
+         fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [[ ${{ inputs.fips }} == "true" ]]; then
	export GODEBUG=fips140=only
	export GOFIPS140=v1.0.0
	fi
	if [[ ${{ inputs.fips }} == "true" ]]; then
	echo "GODEBUG=fips140=only" >> "$GITHUB_ENV"
	echo "GOFIPS140=v1.0.0" >> "$GITHUB_ENV"
	fi

🤖 Prompt for AI Agents

In action.yml around lines 365 to 368, the environment variables GODEBUG and
GOFIPS140 are set using export, which only affects the current shell and does
not persist across steps. To fix this, write these variables to the $GITHUB_ENV
file instead of using export, so they are available in subsequent steps like the
Go build.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

action.yml (3)

11-14: Clarify valid values for fips input
The new fips input is a string flag that drives FIPS‐mode builds, but the description doesn’t specify its accepted values. Consider updating it to something like:

description: 'Build with FIPS140 standard? Accepts "true" or "false"'

Or add an input‐validation step to catch invalid inputs.

---

434-437: Export within run block is correct, but trim trailing whitespace
Since the export GODEBUG and export GOFIPS140 lines live inside the same multi‐line run block as go build, the variables will be in scope for that build step. No persistence across steps is required here. However, line 437 (fi ) has trailing spaces—please remove them to satisfy YAML linting.

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 437-437: trailing spaces

(trailing-spaces)

---

478-482: DRY up the conditional download logic
The two curl invocations for enterprise CLI only differ by the -fips suffix. You can collapse them into a single command by computing a SUFFIX variable:

SUFFIX=${{ inputs.fips == 'true' && '-fips' || '' }}
curl -sL \
  https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}${SUFFIX} \
  -o digger

This reduces duplication and simplifies maintenance.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d1f832 and 86ad2da.

📒 Files selected for processing (1)

• action.yml (3 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

action.yml

[error] 437-437: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

docs/ee/fips-140.mdx (5)

5-6: Refine description and casing.
Use consistent casing for product name and standard, and merge sentences for brevity:

- You can use digger binary with FIPS140 standard. FIPS 140 (Federal Information Processing Standard Publication 140) is a U.S. government standard that specifies security requirements for cryptographic modules protecting sensitive information.
+ The Digger binary supports FIPS 140 compliance, a U.S. government standard that specifies security requirements for cryptographic modules protecting sensitive information.

---

7-7: Fix grammar and style.
Capitalize and correct spelling, add missing comma, and clarify context:

- as of version v0.6.101 digger backend and cli are both compiled seperately with FIPS140 enabled. In order to enable it for github follow these steps:
+ Since version v0.6.101, the Digger backend and CLI are compiled separately with FIPS 140 enabled. To enable FIPS 140 on GitHub Actions, follow these steps:

🧰 Tools

🪛 LanguageTool

[style] ~7-~7: Consider a more concise word here.
Context: ...mpiled seperately with FIPS140 enabled. In order to enable it for github follow these steps...

(IN_ORDER_TO_PREMIUM)

---

[uncategorized] ~7-~7: A comma might be missing here.
Context: ...S140 enabled. In order to enable it for github follow these steps: - For the backend ...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

---

9-10: Clarify bullet points and naming.
Use imperative voice, correct casing, and inline code formatting:

- - For the backend you need to ensure you use the right docker image: `_backend_ee_fips` during the pull
- - For the cli you need to add the following argument in addition to `ee: true` :
+ - Use the `_backend_ee_fips` Docker image for the enterprise backend.
+ - For the Digger CLI, add `fips: 'true'` alongside `ee: 'true`:

---

12-17: Enhance code snippet clarity.
Specify YAML keys for GitHub Actions syntax and correct indentation:

- ```
-     - diggerhq/digger@vLatest
-       with:
-          ee: 'true'
-          fips: 'true'
- ```
+ ```yaml
+ - uses: diggerhq/digger@vLatest
+   with:
+     ee: 'true'
+     fips: 'true'
+ ```

---

19-19: Improve VCS instructions.
Clarify and correct casing, add punctuation:

- If you are using gitlab or other VCS then just ensure that you are downloading the fips enabled binary which is suffixed with '_fips'
+ For GitLab or other VCS, download the FIPS-enabled binary, which is suffixed with `_fips`.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86ad2da and d290e28.

📒 Files selected for processing (1)

• docs/ee/fips-140.mdx (1 hunks)

🧰 Additional context used

🪛 LanguageTool

docs/ee/fips-140.mdx

[style] ~7-~7: Consider a more concise word here.
Context: ...mpiled seperately with FIPS140 enabled. In order to enable it for github follow these steps...

(IN_ORDER_TO_PREMIUM)

---

[uncategorized] ~7-~7: A comma might be missing here.
Context: ...S140 enabled. In order to enable it for github follow these steps: - For the backend ...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

⏰ Context from checks skipped due to timeout of 90000ms (10)

• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build
• GitHub Check: Build