Skip to content

feat: Add additional EC key validation for FIPS #5640

feat: Add additional EC key validation for FIPS

feat: Add additional EC key validation for FIPS #5640

Workflow file for this run

---
name: Compliance
on:
push:
branches: [main]
pull_request:
branches: [main]
merge_group:
types: [checks_requested]
branches: [main]
jobs:
duvet:
runs-on: ubuntu-latest
steps:
- name: Clone s2n-tls
uses: actions/checkout@v3
- name: Clone s2n-quic
uses: actions/checkout@v3
with:
repository: aws/s2n-quic
path: ./s2n-quic
submodules: true
- name: Run duvet action
uses: ./s2n-quic/.github/actions/duvet
with:
s2n-quic-dir: ./s2n-quic
report-script: compliance/generate_report.sh
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-s3-bucket-name: s2n-tls-ci-artifacts
aws-s3-region: us-west-2
cdn: https://d3fqnyekunr9xg.cloudfront.net
# The `duvet report` command generates some artifacts (specs folder) that
# interfere with detecting uncommitted files. This step cleans up those
# artifacts. Since the cleanup runs prior to the “Extract RFC spec data”
# phase, this is a safe operation.
- name: Cleanup intermediate artifacts
run: rm -r specs
shell: bash
- name: Extract RFC spec data
working-directory: ./compliance
run: ./initialize_duvet.sh
shell: bash
- name: Check if there are uncommitted changes
run: |
# If this fails you need to run `cd compliance && ./compliance/initialize_duvet.sh`
#
# FIXME: https://github.com/aws/s2n-tls/issues/4219
# We generate and commit the spec files to avoid re-downloading them each time in
# the CI (avoid flaky network calls). However, this currently doesn't work in
# s2n-tls since duvet assumes that the specs folder live in the project's base
# folder.
#
# Use 'git status --porcelain' instead of 'git diff --exit-code' since git diff
# only detects diffs but fails to detect new files. Ignore the s2n-quic dir
# `(:!s2n-quic)` since we explicitly clone the repo as part of this job.
git_status=$(git status --porcelain -- ':!s2n-quic')
if [ -n "$git_status" ]; then
echo "Found uncommitted changes:"
echo "$git_status"
exit 1
else
echo "Workspace is clean"
fi
shell: bash