Add FIPS compliance to agents plugin
Summary
This PR adds Federal Information Processing Standards (FIPS) compliance support to the Mattermost Agents Plugin, enabling the plugin to be deployed in FIPS-compliant environments such as government agencies, financial institutions, and other regulated industries.
What's Changed
Core FIPS Support
- New FIPS Build Target: Added `make dist-fips` command to build FIPS-compliant plugin distributions
- Docker-based FIPS Builds: Uses official Mattermost FIPS-compliant Go image (`cgr.dev/mattermost.com/go-msft-fips:1.24.4`) for building
- Dual Distribution Support: Plugin now builds both standard and FIPS-compliant versions simultaneously
Build System Enhancements
- Updated Go Version: Upgraded from Go 1.23 to Go 1.24.0 for better FIPS compliance
- Enhanced Makefile: Added comprehensive FIPS build targets and helper functions
- Improved CI/CD: Updated GitHub Actions to build and distribute both plugin versions
CI/CD Improvements
- Dependabot Integration: Added automated dependency updates for GitHub Actions
- Enhanced Build Pipeline: CI now builds both normal and FIPS distributions
- Artifact Management: Improved artifact handling and retention policies
- Security Hardening: Pinned GitHub Actions to specific commit hashes for better security
Technical Details
FIPS Build Process
The FIPS build process:
- Uses the official Mattermost FIPS-compliant Go image
- Builds server binaries with FIPS-compliant cryptographic libraries
- Creates separate distribution packages with `-fips` suffix
- Maintains compatibility with existing plugin deployment workflows
New Make Targets
- `make dist-fips` - Builds FIPS-compliant plugin distribution
- `make dist-all` - Builds both standard and FIPS distributions
- `make server-fips` - Builds only the FIPS-compliant server binaries
File Structure
```
dist/        # Standard plugin distribution
dist-fips/   # FIPS-compliant plugin distribution
├── plugin-linux-amd64-fips
└── plugin.json
```
Usage
Building FIPS Plugin
```sh
# Build FIPS-compliant plugin
make dist-fips
# Build both versions
make dist-all
```
Deployment
Both plugin versions are automatically built in CI and available as release artifacts. The FIPS version can be deployed to FIPS-compliant environments while maintaining the standard version for regular deployments.
Testing
- [x] FIPS build process tested locally
- [x] CI pipeline updated and tested
- [x] Both distributions build successfully
- [x] Plugin functionality verified in both versions
Checklist
- [x] Add FIPS build support to Makefile
- [x] Update CI workflow for dual distribution builds
- [x] Pin GitHub Actions to specific versions
- [x] Add dependabot configuration
- [x] Update Go version to 1.24.0
- [x] Test FIPS build process
- [x] Verify plugin functionality in both distributions
Security & Compliance
This change enables the plugin to meet FIPS 140-2 compliance requirements by:
- Using FIPS-validated cryptographic modules
- Building with FIPS-compliant Go toolchain
- Maintaining separate build processes for compliance verification
Related
- Issues: CLD-9438, CLD-9440
- Type: Enhancement
- Breaking Changes: None
- Migration: No migration required - existing deployments continue to work unchanged
Impact
This enhancement significantly expands the plugin's deployment capabilities, making it suitable for:
- Government and military environments
- Financial services and healthcare organizations
- Any environment requiring FIPS compliance
- Enterprise customers with strict security requirements
The change maintains full backward compatibility while adding enterprise-grade compliance features.
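The description says the FIPS build is verified and shipped as a separate artifact, but the compliance argument rests on the `-fips` binary actually having been produced by the FIPS toolchain rather than by the standard one. The following is an added example, not code from the PR or the plugin, that shows a self-check a deployer or CI step can run: it reads the build settings Go embeds in every module-built binary (the same data `go version -m <binary>` prints) and looks for markers of a FIPS build. The marker strings are assumptions about what the toolchains record: `GOEXPERIMENT=systemcrypto` or `opensslcrypto` for a Microsoft-fork build that routes crypto through a system OpenSSL module, `DefaultGODEBUG` containing `fips140=on` for upstream Go 1.24 FIPS mode, and a `requirefips` build tag. Absence of all markers means the binary should be treated as the standard build, whatever its file name says.

```go
package main

import (
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// FIPSEvidence summarises what a binary's embedded build settings say about
// how it was built. The markers searched for are assumptions about what a
// FIPS-enabled Go toolchain records (not taken from the plugin's Makefile):
//   - GOEXPERIMENT containing "systemcrypto" or "opensslcrypto"
//   - DefaultGODEBUG containing "fips140=on" or "fips140=only" (Go 1.24)
//   - the "requirefips" build tag in -tags
type FIPSEvidence struct {
	Experiment string   // raw GOEXPERIMENT value, if recorded
	GoDebug    string   // raw DefaultGODEBUG value, if recorded
	Tags       string   // raw -tags value, if recorded
	Markers    []string // human-readable list of FIPS markers found
}

// Likely reports whether at least one recognised FIPS marker was found.
func (e FIPSEvidence) Likely() bool { return len(e.Markers) > 0 }

// InspectSettings classifies build settings (from debug.ReadBuildInfo, or
// constructed in tests) into FIPSEvidence. Values are comma-separated lists.
func InspectSettings(settings []debug.BuildSetting) FIPSEvidence {
	var ev FIPSEvidence
	for _, s := range settings {
		switch s.Key {
		case "GOEXPERIMENT":
			ev.Experiment = s.Value
			for _, exp := range strings.Split(s.Value, ",") {
				if exp == "systemcrypto" || exp == "opensslcrypto" {
					ev.Markers = append(ev.Markers, "GOEXPERIMENT="+exp)
				}
			}
		case "DefaultGODEBUG":
			ev.GoDebug = s.Value
			for _, kv := range strings.Split(s.Value, ",") {
				if kv == "fips140=on" || kv == "fips140=only" {
					ev.Markers = append(ev.Markers, "GODEBUG "+kv)
				}
			}
		case "-tags":
			ev.Tags = s.Value
			for _, tag := range strings.Split(s.Value, ",") {
				if tag == "requirefips" {
					ev.Markers = append(ev.Markers, "tag requirefips")
				}
			}
		}
	}
	return ev
}

// InspectSelf inspects the running binary. ok is false when no build info
// is embedded (for example a binary built outside module mode).
func InspectSelf() (ev FIPSEvidence, ok bool) {
	info, ok := debug.ReadBuildInfo()
	if !ok {
		return FIPSEvidence{}, false
	}
	return InspectSettings(info.Settings), true
}

func main() {
	ev, ok := InspectSelf()
	if !ok {
		fmt.Fprintln(os.Stderr, "no build info embedded in this binary")
		os.Exit(2)
	}
	fmt.Printf("GOEXPERIMENT=%q DefaultGODEBUG=%q tags=%q\n", ev.Experiment, ev.GoDebug, ev.Tags)
	if !ev.Likely() {
		// Exit non-zero so a CI gate on the dist-fips artifact fails loudly.
		fmt.Println("no FIPS markers found: treat this as the standard build")
		os.Exit(1)
	}
	fmt.Println("FIPS markers:", strings.Join(ev.Markers, "; "))
}
```

Run as its own program it reports on itself; the useful deployment is to compile `InspectSelf` into a `/healthz`-style endpoint or a start-up log line of the plugin so the FIPS artifact announces which toolchain produced it. For the authoritative runtime answer on an upstream Go 1.24 toolchain, `crypto/fips140.Enabled()` can be consulted alongside these build markers; it is left out above so the example also compiles on older toolchains.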
Rebased this branch on top of the v1.3.1 tag to build off the latest prepackaged version. Sorry for the force-push!
This PR has been automatically labelled "stale" because it hasn't had recent activity. A core team member will check in on the status of the PR to help with questions. Thank you for your contribution!
@crspeller, can we keep this open until we ship proper FIPS support in the plugin? We're using this PR to build FIPS-compliant versions with each release (a manual effort @agarciamontoro has been kind enough to juggle).
Merged up to the v1.4.0 tag for prepackaging for MM v11.1
Merged up to the v1.6.0 tag for prepackaging for MM v11.2
Aaaaand merged up to the v1.6.1 tag for prepackaging for MM v11.2.