From 7339a0fb29285e2a70bc96cfa287c96063984214 Mon Sep 17 00:00:00 2001
From: David Luna
Date: Wed, 27 Aug 2025 13:40:40 +0200
Subject: [PATCH 1/7] chore: update fips image sha

---
 .github/workflows/test-fips.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test-fips.yml b/.github/workflows/test-fips.yml
index b7ee35e68b..393f4ab277 100644
--- a/.github/workflows/test-fips.yml
+++ b/.github/workflows/test-fips.yml
@@ -21,7 +21,8 @@ jobs:
 # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
 # docker run -it --rm --name fipsy docker.elastic.co/wolfi/chainguard-base-fips:latest
 container:
- image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:60d2da332337ed2252d3ad06d0b51416adf72448e61215103e9e73657dff63a9
+ #image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:60d2da332337ed2252d3ad06d0b51416adf72448e61215103e9e73657dff63a9
+ image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:c2e3771ba212b95d41a1aed93b223eef1fe96c5a3a00e2e0cb34e18ad9c1e134
 credentials:
 username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
 password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}

From 1ec01152f7d45b8ae97417856becee5cb4562379 Mon Sep 17 00:00:00 2001
From: David Luna
Date: Wed, 27 Aug 2025 13:47:49 +0200
Subject: [PATCH 2/7] chore: update fips sha

---
 .github/workflows/test-fips.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-fips.yml b/.github/workflows/test-fips.yml
index 393f4ab277..a0a377c7e6 100644
--- a/.github/workflows/test-fips.yml
+++ b/.github/workflows/test-fips.yml
@@ -22,7 +22,7 @@ jobs:
 # docker run -it --rm --name fipsy docker.elastic.co/wolfi/chainguard-base-fips:latest
 container:
 #image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:60d2da332337ed2252d3ad06d0b51416adf72448e61215103e9e73657dff63a9
- image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:c2e3771ba212b95d41a1aed93b223eef1fe96c5a3a00e2e0cb34e18ad9c1e134
+ image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:9ae6bd36ec10db0cba0824065c4f4aa9e8d1d975eda3410e9e63ef3bd8015b7c
 credentials:
 username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
 password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}

From 0ce3cd627429060486a94d194c84381847a2726c Mon Sep 17 00:00:00 2001
From: David Luna
Date: Wed, 27 Aug 2025 13:51:03 +0200
Subject: [PATCH 3/7] chore: remove old sha

---
 .github/workflows/test-fips.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/test-fips.yml b/.github/workflows/test-fips.yml
index a0a377c7e6..f5801858b5 100644
--- a/.github/workflows/test-fips.yml
+++ b/.github/workflows/test-fips.yml
@@ -21,7 +21,6 @@ jobs:
 # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
 # docker run -it --rm --name fipsy docker.elastic.co/wolfi/chainguard-base-fips:latest
 container:
- #image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:60d2da332337ed2252d3ad06d0b51416adf72448e61215103e9e73657dff63a9
 image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:9ae6bd36ec10db0cba0824065c4f4aa9e8d1d975eda3410e9e63ef3bd8015b7c
 credentials:
 username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}

From 33b2c6b7e9742d1e10f3e23a64b338a2b1743e73 Mon Sep 17 00:00:00 2001
From: David Luna
Date: Wed, 27 Aug 2025 17:22:26 +0200
Subject: [PATCH 4/7] chore: update dependabot config for docker

---
 .github/dependabot.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8532840d62..96f4036f27 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -102,7 +102,9 @@ updates:
 # Docker
 - package-ecosystem: "docker"
- directory: "/"
+ directories:
+ - "/"
+ - ".github/workflows"
 registries: "*"
 schedule:
 interval: "weekly"

From 92159f7547fc972fb054f7b5a477f3a2fd76e6c0 Mon Sep 17 00:00:00 2001
From: David Luna
Date: Wed, 3 Sep 2025 08:42:37 +0200
Subject: [PATCH 5/7] chore: add script and update image sha

---
 .github/workflows/test-fips.yml | 2 +-
 dev-utils/update-fips-image.js | 72 +++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 dev-utils/update-fips-image.js

diff --git a/.github/workflows/test-fips.yml b/.github/workflows/test-fips.yml
index f5801858b5..f8e1c18d0b 100644
--- a/.github/workflows/test-fips.yml
+++ b/.github/workflows/test-fips.yml
@@ -21,7 +21,7 @@ jobs:
 # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
 # docker run -it --rm --name fipsy docker.elastic.co/wolfi/chainguard-base-fips:latest
 container:
- image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:9ae6bd36ec10db0cba0824065c4f4aa9e8d1d975eda3410e9e63ef3bd8015b7c
+ image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:091dcf0eab7fc666cc929adbb52c6e1d6692c4b52f7f0a15905a9ad48960dbd6
 credentials:
 username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
 password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
diff --git a/dev-utils/update-fips-image.js b/dev-utils/update-fips-image.js
new file mode 100644
index 0000000000..34997021e3
--- /dev/null
+++ b/dev-utils/update-fips-image.js
@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+
+/*
+ * Copyright Elasticsearch B.V. and other contributors where applicable.
+ * Licensed under the BSD 2-Clause License; you may not use this file except in
+ * compliance with the BSD 2-Clause License.
+ */
+
+'use strict';
+
+// Update the wolfi image for testing with FIPS in the `test-fips.yml` workflow file.
+// Assumes docker daemon is installed and running
+//
+// Usage:
+// node dev-utils/update-fips-image.js
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+const TOP = path.resolve(__dirname, '..');
+const file = path.resolve(TOP, '.github', 'workflows', 'test-fips.yml');
+
+// ---- mainline
+
+function main() {
+ // We should replace any reference to the fips image in the yml
+ // file. It's easy to detect since it has the form
+ // ```
+ // image: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:SHA_VALUE
+ // ```
+ // So checking for a substring maybe is enough. We will replace that line for a
+ // new one.
+ const imageRef = 'docker.elastic.co/wolfi/chainguard-base-fips:latest';
+
+ // Get the latest and extract the SHA
+ const out = execSync(`docker image pull ${imageRef}`, { encoding: 'utf-8' });
+ let sha256;
+ for (const line of out.split('\n')) {
+ if (line.startsWith('Digest: ')) {
+ sha256 = line.slice(8);
+ }
+ }
+ console.log('Latest FIPS image sha256 is', sha256);
+
+ // Read the file content and replace any reference to the FIPS image
+ const content = fs.readFileSync(file, { encoding: 'utf-8' }).split('\n');
+ const search = `image: ${imageRef}@sha256:`;
+ let shouldUpdate = false;
+
+ for (let i = 0; i < content.length; i++) {
+ const line = content[i];
+ const isImageLine = line.indexOf(search) !== -1;
+ const isShaOutdated = isImageLine && line.indexOf(sha256) === -1;
+
+ if (isImageLine && isShaOutdated) {
+ console.log('Found FIPS image with outdated sha256. 
Updating');
+ shouldUpdate = true;
+ content[i] = line.replace(/image:.+/, `image: ${imageRef}@${sha256}`);
+ }
+ }
+
+ if (shouldUpdate) {
+ fs.writeFileSync(file, content.join('\n'), { encoding: 'utf-8' });
+ } else {
+ console.log('No outdated FIPS images found.');
+ }
+}
+
+if (require.main === module) {
+ main();
+}

From e006d1e690e99b17eae128fc2bca7b1bb69496dd Mon Sep 17 00:00:00 2001
From: David Luna
Date: Wed, 3 Sep 2025 08:43:23 +0200
Subject: [PATCH 6/7] chore: revert dependabot change

---
 .github/dependabot.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 96f4036f27..ffa63baef2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -102,9 +102,7 @@ updates:
 # Docker
 - package-ecosystem: "docker"
- directories:
- - "/"
- - ".github/workflows"
+ directories: "/"
 registries: "*"
 schedule:
 interval: "weekly"

From 7e409b59613489191cf5e49158a757080b8dd1ec Mon Sep 17 00:00:00 2001
From: David Luna
Date: Wed, 3 Sep 2025 08:44:47 +0200
Subject: [PATCH 7/7] chore: fix dependabot syntax

---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ffa63baef2..8532840d62 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -102,7 +102,7 @@ updates:
 # Docker
 - package-ecosystem: "docker"
- directories: "/"
+ directory: "/"
 registries: "*"
 schedule:
 interval: "weekly"
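Review bot: `sha256` is never validated after the `Digest: ` scan in `main` of dev-utils/update-fips-image.js, so if `docker image pull` prints no such line (or its output format changes) the variable stays `undefined`, `line.indexOf(sha256)` then searches for the literal text "undefined", every image line is treated as outdated, and the workflow is rewritten to `image: ...@undefined`, silently destroying the digest pin this script exists to maintain. Guard the value before it reaches the file, e.g. right after the scan loop: `if (!/^sha256:[0-9a-f]{64}$/.test(String(sha256))) {` / `  throw new Error('could not parse image digest from docker pull output');` / `}`. Since `imageRef` is a constant the shell string passed to `execSync` is not an injection risk here, but `execFileSync('docker', ['image', 'pull', imageRef], { encoding: 'utf-8' })` would avoid shell interpretation entirely should the reference ever become configurable.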