ci: add fips check

Author: JasonPowr

.tekton/client-server-pull-request.yaml

@@ -33,6 +33,8 @@ spec:
     value: "true"
   - name: build-source-image
     value: "true"
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url

.tekton/client-server-push.yaml

@@ -30,6 +30,8 @@ spec:
     value: "true"
   - name: build-source-image
     value: "true"
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url

.tekton/cosign-pull-request.yaml

@@ -41,14 +41,22 @@ spec:
     value: "true"
   - name: go_unit_test
     value: "true"
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunTemplate:
     serviceAccountName: build-pipeline-cosign

.tekton/cosign-push.yaml

@@ -38,14 +38,22 @@ spec:
     value: "true"
   - name: go_unit_test
     value: "true"
+  - name: build-platforms
+    value:
+      - linux/x86_64
+      - linux/arm64
+      - linux/ppc64le
+      - linux/s390x
+  - name: fips-check
+    value: "true"
   pipelineRef:
     params:
     - name: url
       value: https://github.com/securesign/pipelines.git
     - name: revision
       value: main
     - name: pathInRepo
-      value: pipelines/docker-build-oci-ta.yaml
+      value: pipelines/docker-build-multi-platform-oci-ta.yaml
     resolver: git
   taskRunTemplate:
     serviceAccountName: build-pipeline-cosign

Build.mak

@@ -1,4 +1,3 @@
-
 GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_HASH ?= $(shell git rev-parse HEAD)
 DATE_FMT = +%Y-%m-%dT%H:%M:%SZ
@@ -18,34 +17,19 @@ LDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION)
         -X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \
         -X sigs.k8s.io/release-utils/version.gitTreeState=$(GIT_TREESTATE) \
         -X sigs.k8s.io/release-utils/version.buildDate=$(BUILD_DATE)
+FIPS_MODULE ?= latest
 
 .PHONY:
-cross-platform: cosign-darwin-arm64 cosign-darwin-amd64 cosign-linux-amd64 cosign-linux-arm64 cosign-linux-ppc64le cosign-linux-s390x cosign-windows-amd64 ## Build all distributable (cross-platform) binaries
+cross-platform: cosign-darwin-arm64 cosign-darwin-amd64 cosign-windows-amd64 ## Build all distributable (cross-platform) binaries
 
 .PHONY:	cosign-darwin-arm64
 cosign-darwin-arm64: ## Build for mac M1
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE)  GOOS=darwin GOARCH=arm64 go build -o cosign-darwin-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
 
 .PHONY: cosign-darwin-amd64
 cosign-darwin-amd64:  ## Build for Darwin (macOS)
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o cosign-darwin-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-amd64
-cosign-linux-amd64: ## Build for Linux amd64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o cosign-linux-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-arm64
-cosign-linux-arm64: ## Build for Linux arm64
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o cosign-linux-arm64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-ppc64le
-cosign-linux-ppc64le: ## Build for Linux ppc64le
-	env CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -o cosign-linux-ppc64le -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
-
-.PHONY: cosign-linux-s390x
-cosign-linux-s390x:  ## Build for Linux s390x
-	env CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -o cosign-linux-s390x -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE)  GOOS=darwin GOARCH=amd64 go build -o cosign-darwin-amd64 -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
 
 .PHONY: cosign-windows-amd64
 cosign-windows-amd64: ## Build for Windows
-	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o cosign-windows-amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign
+	env CGO_ENABLED=0 GOFIPS140=$(FIPS_MODULE)  GOOS=windows GOARCH=amd64 go build -o cosign-windows-amd64.exe -trimpath -ldflags "$(LDFLAGS) -w -s" ./cmd/cosign