feat: Add additional EC key validation for FIPS #5640
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Compliance | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
merge_group: | |
types: [checks_requested] | |
branches: [main] | |
jobs: | |
duvet: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone s2n-tls | |
uses: actions/checkout@v3 | |
- name: Clone s2n-quic | |
uses: actions/checkout@v3 | |
with: | |
repository: aws/s2n-quic | |
path: ./s2n-quic | |
submodules: true | |
- name: Run duvet action | |
uses: ./s2n-quic/.github/actions/duvet | |
with: | |
s2n-quic-dir: ./s2n-quic | |
report-script: compliance/generate_report.sh | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-s3-bucket-name: s2n-tls-ci-artifacts | |
aws-s3-region: us-west-2 | |
cdn: https://d3fqnyekunr9xg.cloudfront.net | |
# The `duvet report` command generates some artifacts (specs folder) that | |
# interfere with detecting uncommitted files. This step cleans up those | |
# artifacts. Since the cleanup runs prior to the “Extract RFC spec data” | |
# phase, this is a safe operation. | |
- name: Cleanup intermediate artifacts | |
run: rm -r specs | |
shell: bash | |
- name: Extract RFC spec data | |
working-directory: ./compliance | |
run: ./initialize_duvet.sh | |
shell: bash | |
- name: Check if there are uncommitted changes | |
run: | | |
# If this fails you need to run `cd compliance && ./compliance/initialize_duvet.sh` | |
# | |
# FIXME: https://github.com/aws/s2n-tls/issues/4219 | |
# We generate and commit the spec files to avoid re-downloading them each time in | |
# the CI (avoid flaky network calls). However, this currently doesn't work in | |
# s2n-tls since duvet assumes that the specs folder live in the project's base | |
# folder. | |
# | |
# Use 'git status --porcelain' instead of 'git diff --exit-code' since git diff | |
# only detects diffs but fails to detect new files. Ignore the s2n-quic dir | |
# `(:!s2n-quic)` since we explicitly clone the repo as part of this job. | |
git_status=$(git status --porcelain -- ':!s2n-quic') | |
if [ -n "$git_status" ]; then | |
echo "Found uncommitted changes:" | |
echo "$git_status" | |
exit 1 | |
else | |
echo "Workspace is clean" | |
fi | |
shell: bash |