name: FIPS Build Test

on:
  pull_request:
    branches:
    - master

# This ensures that previous jobs for the PR are canceled when the PR is
# updated.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  build:
    name: Go BoringCrypto ${{ matrix.go-version }} on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        go-version: [1.17.11b7, 1.18.3b7]
        os: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Setup dockerfile for build test
        run: |
          echo "FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:${{ matrix.go-version }}" > Dockerfile.fips.test
          echo "COPY . /minio" >> Dockerfile.fips.test
          echo "WORKDIR /minio" >> Dockerfile.fips.test
          echo "RUN make" >> Dockerfile.fips.test

      - name: Build
        uses: docker/build-push-action@v3
        with:
          context: .
          file: Dockerfile.fips.test
          push: false
          load: true
          tags: minio/fips-test:latest

      # This should fail if grep returns non-zero exit
      - name: Test binary
        run: |
          docker run --rm minio/fips-test:latest ./minio --version
          docker run --rm -i minio/fips-test:latest /bin/bash -c 'go tool nm ./minio' | grep -q FIPS