From 688b995caf0a031ec66dffbd208e7bb775b03d26 Mon Sep 17 00:00:00 2001 From: kruskal <99559985+kruskall@users.noreply.github.com> Date: Wed, 13 Aug 2025 08:11:07 +0200 Subject: [PATCH 01/11] feat: bump go to 1.25.0 bump to latest stable version --- .go-version | 2 +- cmd/intake-receiver/go.mod | 2 +- go.mod | 2 +- integrationservertest/go.mod | 2 +- systemtest/go.mod | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.go-version b/.go-version index 7a429d68a36..ad2191947f7 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.6 +1.25.0 diff --git a/cmd/intake-receiver/go.mod b/cmd/intake-receiver/go.mod index 02e9330101e..747fc0f3e16 100644 --- a/cmd/intake-receiver/go.mod +++ b/cmd/intake-receiver/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server/cmd/intake-receiver -go 1.24.6 +go 1.25.0 require ( github.com/stretchr/testify v1.6.1 diff --git a/go.mod b/go.mod index c6431bd4830..0be0d8e0605 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server -go 1.24.6 +go 1.25.0 require ( github.com/KimMachineGun/automemlimit v0.7.4 diff --git a/integrationservertest/go.mod b/integrationservertest/go.mod index e5d6b0ad569..2dce02a880c 100644 --- a/integrationservertest/go.mod +++ b/integrationservertest/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server/integrationservertest -go 1.24.6 +go 1.25.0 require ( github.com/dnaeon/go-vcr v1.2.0 diff --git a/systemtest/go.mod b/systemtest/go.mod index 33c3a864005..6e58f16a6df 100644 --- a/systemtest/go.mod +++ b/systemtest/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server/systemtest -go 1.24.6 +go 1.25.0 require ( github.com/docker/docker v28.3.3+incompatible From 2cb30d30c3621db27dd45715e0f1713cb16922e2 Mon Sep 17 00:00:00 2001 
From: kruskal <99559985+kruskall@users.noreply.github.com> Date: Wed, 13 Aug 2025 08:15:01 +0200 Subject: [PATCH 02/11] feat: remove unused automaxprocs dependency and related tests go 1.25 adds native auto maxprocs so we don't need the automaxprocs lib anymore. remove dependency and related tests --- go.mod | 1 - go.sum | 4 -- internal/beatcmd/beat.go | 4 -- internal/beatcmd/beat_test.go | 36 -------------- internal/beatcmd/maxprocs.go | 72 ---------------------------- internal/beatcmd/maxprocs_test.go | 79 ------------------------------- 6 files changed, 196 deletions(-) delete mode 100644 internal/beatcmd/maxprocs.go delete mode 100644 internal/beatcmd/maxprocs_test.go diff --git a/go.mod b/go.mod index 0be0d8e0605..4e5642b67bb 100644 --- a/go.mod +++ b/go.mod @@ -40,7 +40,6 @@ require ( go.opentelemetry.io/otel/sdk v1.37.0 go.opentelemetry.io/otel/sdk/metric v1.37.0 go.opentelemetry.io/otel/trace v1.37.0 - go.uber.org/automaxprocs v1.6.0 go.uber.org/zap v1.27.0 go.uber.org/zap/exp v0.3.0 golang.org/x/net v0.43.0 diff --git a/go.sum b/go.sum index 0a278ba8afc..df76ed6532e 100644 --- a/go.sum +++ b/go.sum 
@@ -487,8 +487,6 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c h1:NRoLoZvkBTKvR5gQLgA3e0hqjkY9u1wm+iOL45VN/qI= github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= -github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= -github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= @@ -649,8 +647,6 @@ go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFh go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps= go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= diff --git a/internal/beatcmd/beat.go b/internal/beatcmd/beat.go index d529569b275..abb5d42dacf 100644 --- a/internal/beatcmd/beat.go +++ b/internal/beatcmd/beat.go 
@@ -368,10 +368,6 @@ func (b *Beat) Run(ctx context.Context) error { } } - g.Go(func() error { - return adjustMaxProcs(ctx, 30*time.Second, b.Info.Logger) - }) - slogger := slog.New(zapslog.NewHandler(b.Info.Logger.Core())) g.Go(func() error { return adjustMemlimit(ctx, 30*time.Second, slogger) diff --git a/internal/beatcmd/beat_test.go b/internal/beatcmd/beat_test.go index 005838f5b5b..09bc15ff46a 100644 --- a/internal/beatcmd/beat_test.go +++ b/internal/beatcmd/beat_test.go @@ -24,7 +24,6 @@ import ( "fmt" "net/http" "os" - "strconv" "strings" "sync/atomic" "testing" @@ -54,41 +53,6 @@ import ( "github.com/elastic/go-docappender/v2/docappendertest" ) -// TestRunMaxProcs ensures Beat.Run calls the GOMAXPROCS adjustment code by looking for log messages. -func TestRunMaxProcs(t *testing.T) { - for _, n := range []int{1, 2, 4} { - t.Run(fmt.Sprintf("%d_GOMAXPROCS", n), func(t *testing.T) { - t.Setenv("GOMAXPROCS", strconv.Itoa(n)) - beat := newNopBeat(t, "output.console.enabled: true") - logs := logp.ObserverLogs() - - stop := runBeat(t, beat) - timeout := time.NewTimer(10 * time.Second) - defer timeout.Stop() - for { - select { - case <-timeout.C: - t.Error("timed out waiting for log message, total logs observed:", logs.Len()) - for _, log := range logs.All() { - t.Log(log.LoggerName, log.Message) - } - return - case <-time.After(10 * time.Millisecond): - } - - logs := logs.FilterMessageSnippet(fmt.Sprintf( - `maxprocs: Honoring GOMAXPROCS="%d" as set in environment`, n, - )) - if logs.Len() > 0 { - break - } - } - - assert.NoError(t, stop()) - }) - } -} - func TestRunnerParams(t *testing.T) { calls := make(chan RunnerParams, 1) b := newBeat(t, "output.console.enabled: true\nname: my-custom-name", func(args RunnerParams) (Runner, error) { diff --git a/internal/beatcmd/maxprocs.go b/internal/beatcmd/maxprocs.go deleted file mode 100644 index 4a5b6d30c67..00000000000 --- a/internal/beatcmd/maxprocs.go +++ /dev/null 
@@ -1,72 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package beatcmd - -import ( - "context" - "fmt" - "time" - - "go.uber.org/automaxprocs/maxprocs" - - "github.com/elastic/elastic-agent-libs/logp" -) - -// adjustMaxProcs uses `maxprocs` to change the GOMAXPROCS respecting any -// CFS quotas, if set. -// -// This is necessary since the Go runtime will default to the number of CPUs -// available in the machine it's running in, however, when running in a -// container or in a cgroup with resource limits, the disparity can be extreme. -// -// Having a significantly greater GOMAXPROCS set than the granted CFS quota -// results in a significant amount of time spent "throttling", essentially -// pausing the the running OS threads for the throttled period. -// Since the quotas may be updated without restarting the process, the -// GOMAXPROCS are adjusted every 30s. -func adjustMaxProcs(ctx context.Context, d time.Duration, logger *logp.Logger) error { - infof := diffInfof(logger) - setMaxProcs := func() { - if _, err := maxprocs.Set(maxprocs.Logger(infof)); err != nil { - logger.Errorf("failed to set GOMAXPROCS: %v", err) - } - } - // set the gomaxprocs immediately. 
- setMaxProcs() - ticker := time.NewTicker(d) - defer ticker.Stop() - for { - select { - case <-ctx.Done(): - return ctx.Err() - case <-ticker.C: - setMaxProcs() - } - } -} - -func diffInfof(logger *logp.Logger) func(string, ...interface{}) { - var last string - return func(format string, args ...interface{}) { - msg := fmt.Sprintf(format, args...) - if msg != last { - logger.Info(msg) - last = msg - } - } -} diff --git a/internal/beatcmd/maxprocs_test.go b/internal/beatcmd/maxprocs_test.go deleted file mode 100644 index 7bd2fd65c35..00000000000 --- a/internal/beatcmd/maxprocs_test.go +++ /dev/null 
@@ -1,79 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package beatcmd - -import ( - "context" - "fmt" - "testing" - "time" - - "github.com/stretchr/testify/assert" - "go.uber.org/zap" - "go.uber.org/zap/zapcore" - "go.uber.org/zap/zaptest/observer" - "golang.org/x/sync/errgroup" - - "github.com/elastic/elastic-agent-libs/logp/logptest" -) - -func TestAdjustMaxProcs(t *testing.T) { - ctx, cancel := context.WithCancel(context.Background()) - g, ctx := errgroup.WithContext(ctx) - defer g.Wait() - defer cancel() - - core, observedLogs := observer.New(zapcore.DebugLevel) - logger := logptest.NewTestingLogger(t, "", zap.WrapCore(func(in zapcore.Core) zapcore.Core { - return zapcore.NewTee(in, core) - })) - - expectAdjustment := func(n int) { - // Wait for GOMAXPROCS to be updated, and ensure only a single log message is logged. 
- filterMsg := fmt.Sprintf(`maxprocs: Honoring GOMAXPROCS="%d"`, n) - deadline := time.Now().Add(10 * time.Second) - for { - if time.Now().After(deadline) { - t.Error("timed out waiting for GOMAXPROCS to be set") - return - } - logs := observedLogs.FilterMessageSnippet(filterMsg) - if logs.Len() >= 1 { - assert.Len(t, observedLogs.TakeAll(), 1) - break - } - } - - // Duplicate logs should be suppressed. - time.Sleep(50 * time.Millisecond) - logs := observedLogs.FilterMessageSnippet(filterMsg) - assert.Zero(t, logs.Len(), logs) - } - - // Adjust maxprocs every 1ms. We set GOMAXPROCS up front - // to handle the initial adjustment which runs before the - // loop kicks in. - t.Setenv("GOMAXPROCS", "3") // Set before calling - refreshDuration := time.Millisecond - g.Go(func() error { - return adjustMaxProcs(ctx, refreshDuration, logger) - }) - expectAdjustment(3) - t.Setenv("GOMAXPROCS", "7") - expectAdjustment(7) -} From 7ebc44ee8512cb3c1b9562eb56e22d00b89fb720 Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Mon, 8 Sep 2025 09:01:40 +0200 Subject: [PATCH 03/11] Update .go-version --- .go-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.go-version b/.go-version index ad2191947f7..d905a6d1d61 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.25.0 +1.25.1 From ff2c2363641f125709fcb8b6708f3833c6fe1b61 Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Mon, 8 Sep 2025 09:01:51 +0200 Subject: [PATCH 04/11] Update go.mod --- cmd/intake-receiver/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/intake-receiver/go.mod b/cmd/intake-receiver/go.mod index 747fc0f3e16..5330ecd1817 100644 --- a/cmd/intake-receiver/go.mod +++ b/cmd/intake-receiver/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server/cmd/intake-receiver -go 1.25.0 +go 1.25.1 require ( github.com/stretchr/testify v1.6.1 
From aef4f996f76bda0f270f7ec3d3e4738ae43f6298 Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Mon, 8 Sep 2025 09:02:02 +0200 Subject: [PATCH 05/11] Update go.mod --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 4e5642b67bb..937bf1c7049 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server -go 1.25.0 +go 1.25.1 require ( github.com/KimMachineGun/automemlimit v0.7.4 From b0a8f8077a98a7c1d88b14233460906ccfad88e6 Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Mon, 8 Sep 2025 09:02:17 +0200 Subject: [PATCH 06/11] Update go.mod --- integrationservertest/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrationservertest/go.mod b/integrationservertest/go.mod index 2dce02a880c..092a480e664 100644 --- a/integrationservertest/go.mod +++ b/integrationservertest/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server/integrationservertest -go 1.25.0 +go 1.25.1 require ( github.com/dnaeon/go-vcr v1.2.0 From 3856b571a3093acaaa6e199f3b04b27b5ee1babb Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Mon, 8 Sep 2025 09:02:29 +0200 Subject: [PATCH 07/11] Update go.mod --- systemtest/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemtest/go.mod b/systemtest/go.mod index 6e58f16a6df..77f365e18f0 100644 --- a/systemtest/go.mod +++ b/systemtest/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/apm-server/systemtest -go 1.25.0 +go 1.25.1 require ( github.com/docker/docker v28.3.3+incompatible From 3a54fc4cb2d9ded0ad72e76b77e7dac0f5e6a6d5 Mon Sep 17 00:00:00 2001 
From: kruskal <99559985+kruskall@users.noreply.github.com> Date: Mon, 8 Sep 2025 09:05:52 +0200 Subject: [PATCH 08/11] lint: regenerate notice files --- NOTICE-fips.txt | 28 ---------------------------- NOTICE.txt | 28 ---------------------------- 2 files changed, 56 deletions(-) diff --git a/NOTICE-fips.txt b/NOTICE-fips.txt index 3ae7bb22474..5c6a698d2f4 100644 --- a/NOTICE-fips.txt +++ b/NOTICE-fips.txt 
@@ -5110,34 +5110,6 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --------------------------------------------------------------------------------- -Dependency : go.uber.org/automaxprocs -Version: v1.6.0 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/go.uber.org/automaxprocs@v1.6.0/LICENSE: - -Copyright (c) 2017 Uber Technologies, Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -------------------------------------------------------------------------------- Dependency : go.uber.org/zap Version: v1.27.0 diff --git a/NOTICE.txt b/NOTICE.txt index 8cd6068e6a4..cb563ffab94 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -5110,34 +5110,6 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --------------------------------------------------------------------------------- -Dependency : go.uber.org/automaxprocs -Version: v1.6.0 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/go.uber.org/automaxprocs@v1.6.0/LICENSE: - -Copyright (c) 2017 Uber Technologies, Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -------------------------------------------------------------------------------- Dependency : go.uber.org/zap Version: v1.27.0 From 44f89d7f6d77e5466bf93ffc8f311a6b717e36a8 Mon Sep 17 00:00:00 2001 
From: kruskal <99559985+kruskall@users.noreply.github.com> Date: Tue, 9 Sep 2025 15:10:56 +0200 Subject: [PATCH 09/11] test: remove subjectkeyid fips workaround go 1.25 switched to SHA-256 to fill in missing SubjectKeyId in crypto/x509.CreateCertificate. Remove the manual key generation to avoid sha1 --- systemtest/apmservertest/server.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/systemtest/apmservertest/server.go b/systemtest/apmservertest/server.go index 2e021f5f9e9..0483fcfe5b4 100644 --- a/systemtest/apmservertest/server.go +++ b/systemtest/apmservertest/server.go @@ -23,7 +23,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha256" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -343,9 +342,6 @@ func generateCerts(dir string, ca bool, keyUsage x509.ExtKeyUsage, hosts ...stri return "", "", fmt.Errorf("unable to marshal private key: %w", err) } - h := sha256.Sum256(privBytes) - template.SubjectKeyId = h[:] - derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, clientKey.Public(), clientKey) if err != nil { return "", "", fmt.Errorf("failed to create certificate: %w", err) From 3af7347f5fb9e69e584353eefd7ba3fd42132f86 Mon Sep 17 00:00:00 2001 From: kruskal <99559985+kruskall@users.noreply.github.com> Date: Tue, 9 Sep 2025 16:59:06 +0200 Subject: [PATCH 10/11] ci: disable X25519MLKEM768 in fips tests pass GODEBUG=tlsmlkem=0 to remove X25519MLKEM768 from enabled by default curve list. Go 1.25 allowed X25519MLKEM768 in fips mode but this might fail if X25519 is used in fipsonly mode because X25519 is not allowed. remove the curve from the default list until this is fixed upstream --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c482ae11b0..ef0b63e1df7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -106,7 +106,7 @@ jobs: go- - env: GOFIPS140: "latest" - GODEBUG: "fips140=only" + GODEBUG: "fips140=only,tlsmlkem=0" run: go test -v -race -tags=requirefips ./... system-test: @@ -149,7 +149,7 @@ jobs: - env: GOTESTFLAGS: "-v -tags=requirefips" GOFIPS140: "latest" - GODEBUG: "fips140=only" + GODEBUG: "fips140=only,tlsmlkem=0" GH_TOKEN: ${{ github.token }} run: make system-test From 82724ce3d8812fe91933d87778a08a7850ba909d Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Wed, 10 Sep 2025 13:44:28 +0200 Subject: [PATCH 11/11] Update ci.yml --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ef0b63e1df7..c98ea1fc0e8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -106,6 +106,7 @@ jobs: go- - env: GOFIPS140: "latest" + # TODO: disable X25519MLKEM768 until upstream go issue is fixed https://github.com/golang/go/issues/74630#issuecomment-3224191006 GODEBUG: "fips140=only,tlsmlkem=0" run: go test -v -race -tags=requirefips ./... @@ -149,6 +150,7 @@ jobs: - env: GOTESTFLAGS: "-v -tags=requirefips" GOFIPS140: "latest" + # TODO: disable X25519MLKEM768 until upstream go issue is fixed https://github.com/golang/go/issues/74630#issuecomment-3224191006 GODEBUG: "fips140=only,tlsmlkem=0" GH_TOKEN: ${{ github.token }} run: make system-test
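Review bot: Adding `tlsmlkem=0` to `GODEBUG` in the `go test ... -tags=requirefips` step (and again in the `make system-test` step) changes only the test processes. The FIPS jobs therefore pass with a key-exchange list that a shipped FIPS binary would not have unless the same setting is supplied at run time. Whether the X25519MLKEM768 failure under `fips140=only` can also hit the server itself is not visible from this diff. If it can, the workaround probably belongs in the FIPS build or in the server's TLS configuration (for example an explicit `CurvePreferences`) rather than only in CI. At minimum I would state the scope next to the setting, e.g. `# test-only: shipped FIPS binaries still offer X25519MLKEM768 by default; the hybrid post-quantum group is not exercised by these jobs`.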