ci: install Go in CI builder for aws-lc-fips-sys #35849

Closed
jasonhernandez wants to merge 1 commit into MaterializeInc:main from jasonhernandez:jason/ci-install-go

@jasonhernandez
Contributor

Summary

Install Go 1.24.2 in the CI builder image (ci/builder/Dockerfile). Required by aws-lc-fips-sys, which builds BoringSSL's FIPS module from source and needs Go for integrity verification.

This is needed because cargo-test runs with --all-features, which enables the mz-ore fips feature → aws-lc-rs/fips → aws-lc-fips-sys → cmake → requires Go.

Without this, rust-cargo-test-2 fails with:

CMake Error at aws-lc/cmake/go.cmake:6 (message):
  Could not find Go

Change

# +4 lines in ci/builder/Dockerfile
RUN curl -fsSL https://go.dev/dl/go1.24.2.linux-$ARCH_GO.tar.gz | tar -C /usr/local -xzf -
ENV PATH="/usr/local/go/bin:${PATH}"
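
Review bot: The RUN line pipes the curl download of go1.24.2.linux-$ARCH_GO.tar.gz straight into `tar -C /usr/local -xzf -`, so the toolchain is unpacked into the builder image without being checked against a pinned digest. Since this Go install is what the FIPS module build relies on, download the tarball to a file, verify it with `sha256sum -c` against a per-architecture SHA-256 recorded in the Dockerfile, and only then extract it. `$ARCH_GO` is also not defined in the two lines shown; the header says +4 lines, so please confirm the remaining lines set it for every architecture the builder image is built for.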

Fixes SEC-232.

Test plan

  • CI builder image builds successfully
  • rust-cargo-test-2 passes with --all-features (no more "Could not find Go")

🤖 Generated with Claude Code

The upcoming FIPS 140-3 compliance work adds a `fips` feature to mz-ore
that enables `aws-lc-rs/fips`, pulling in `aws-lc-fips-sys`. That crate
builds BoringSSL's FIPS module from source via cmake, which requires Go
for integrity verification.

Since `cargo-test` runs with `--all-features`, this feature is activated
in CI and the build fails with "Could not find Go". Install Go 1.24.2 in
the CI builder image to unblock FIPS feature builds.

Fixes SEC-232.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@github-actions
Contributor

github-actions bot commented Apr 2, 2026

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: `compute:`, `storage:`, `adapter:`, `sql:`

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@jasonhernandez
Contributor Author

Folded into PR #35843 (part of the FIPS PR chain where the fips feature is introduced).
