name: FIPS Build Test

on:
  pull_request:
    branches:
    - master
    - next

# This ensures that previous jobs for the PR are canceled when the PR is
# updated.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  build:
    name: Go BoringCrypto ${{ matrix.go-version }} on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        go-version: [1.21.x]
        os: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Setup dockerfile for build test
        run: |
          GO_VERSION=$(go version | cut -d ' ' -f 3 | sed 's/go//')
          echo Detected go version $GO_VERSION
          cat > Dockerfile.fips.test <<EOF
          FROM golang:${GO_VERSION}
          COPY . /minio
          WORKDIR /minio
          ENV GOEXPERIMENT=boringcrypto
          RUN make
          EOF

      - name: Build
        uses: docker/build-push-action@v3
        with:
          context: .
          file: Dockerfile.fips.test
          push: false
          load: true
          tags: minio/fips-test:latest

      # This should fail if grep returns non-zero exit
      - name: Test binary
        run: |
          docker run --rm minio/fips-test:latest ./minio --version
          docker run --rm -i minio/fips-test:latest /bin/bash -c 'go tool nm ./minio | grep FIPS | grep -q FIPS'