support GOFIPS140=latest

The previous version of the code did not correctly build with
`GOFIPS140=latest`, and namely did not link the binary such that FIPS
mode was on-by-default, which it should. This fixes that. We also revert
some misleading/incorrect changes from the prior in-progress commit
`7c5c55d859d1518f963a79abec87af34876cc2ee`.

See discussion [here](bazel-contrib#4449), and specifically
[this comment](bazel-contrib#4449 (comment)).

Author: rickystewart

docs/go/core/rules.bzl

@@ -11,7 +11,6 @@
   [config_setting]: https://docs.bazel.build/versions/master/be/general.html#config_setting
   [data dependencies]: https://bazel.build/concepts/dependencies#data-dependencies
   [goarch]: /go/modes.rst#goarch
-  [gofips140]: /go/modes.rst#gofips140
   [goos]: /go/modes.rst#goos
   [mode attributes]: /go/modes.rst#mode-attributes
   [nogo]: /go/nogo.rst#nogo
@@ -59,7 +58,6 @@ sufficient to match the capabilities of the normal go tools.
 - [config_setting]
 - [data dependencies]
 - [goarch]
-- [gofips140]
 - [goos]
 - [mode attributes]
 - [nogo]

go/core.rst

@@ -13,7 +13,6 @@ Core Go rules
 .. _config_setting: https://docs.bazel.build/versions/master/be/general.html#config_setting
 .. _data dependencies: https://bazel.build/concepts/dependencies#data-dependencies
 .. _goarch: modes.rst#goarch
-.. _gofips140: modes.rst#gofips140
 .. _goos: modes.rst#goos
 .. _mode attributes: modes.rst#mode-attributes
 .. _nogo: nogo.rst#nogo

go/modes.rst

@@ -69,13 +69,6 @@ or using `Bazel configuration transitions`_.
 | ``CGO_ENABLED=0``). Packages that contain cgo code may still be built, but   |
 | the cgo code will be filtered out, and the ``cgo`` build tag will be false.  |
 +------------------------+---------------------+-------------------------------+
-| :param:`gofips140`     | :type:`string`      | :value:`"off"`                |
-+------------------------+---------------------+-------------------------------+
-| Controls the ``GOFIPS140`` environment variable used by Go 1.24+ to select   |
-| the version of the Go Cryptographic Module. Can be set to ``"off"``          |
-| (default), ``"latest"``, or a specific version like ``"v1.0.0"``.            |
-| See the `Go 1.24 FIPS 140-3 documentation`_ for more details.                |
-+------------------------+---------------------+-------------------------------+
 | :param:`debug`         | :type:`bool`        | :value:`false`                |
 +------------------------+---------------------+-------------------------------+
 | Includes debugging information in compiled packages (using the ``-N`` and    |

go/private/BUILD.sdk.bazel

@@ -24,7 +24,10 @@ filegroup(
 filegroup(
     name = "srcs",
     srcs = glob(
-        ["src/**/*"],
+        [
+            "lib/fips140/**",
+            "src/**/*",
+        ],
         exclude = [
             "src/**/*_test.go",
             "src/**/testdata/**",

go/private/actions/link.bzl

@@ -167,6 +167,7 @@ def emit_link(
     builder_args.add("-o", executable)
     builder_args.add("-main", archive.data.file)
     builder_args.add("-p", archive.data.importmap)
+    builder_args.add("-work", "-v")
     tool_args.add_all(gc_linkopts)
     tool_args.add_all(go.toolchain.flags.link)
 

go/private/actions/stdlib.bzl

@@ -59,6 +59,7 @@ def _should_use_sdk_stdlib(go):
             not go.mode.race and  # TODO(jayconrod): use precompiled race
             not go.mode.msan and
             not go.mode.pure and
+            go.mode.gofips140 == "off" and
             not go.mode.gc_goopts and
             go.mode.linkmode == LINKMODE_NORMAL)
 
@@ -93,6 +94,9 @@ def _build_stdlib_list_json(go):
 def _build_env(go):
     env = go.env
 
+    if go.mode.gofips140 != "off":
+        env.update({"GOFIPS140": go.mode.gofips140})
+
     if go.mode.pure:
         env.update({"CGO_ENABLED": "0"})
         return env

go/private/context.bzl

@@ -564,6 +564,9 @@ def go_context(
     if mode.arm:
         env["GOARM"] = mode.arm
 
+    if mode.gofips140 != "off":
+        env["GOFIPS140"] = mode.gofips140
+
     if cgo_context_info:
         env.update(cgo_context_info.env)
         cc_toolchain_files = cgo_context_info.cc_toolchain_files

go/private/providers.bzl

@@ -35,6 +35,7 @@ GoSDK = provider(
     fields = {
         "goos": "The host OS the SDK was built for.",
         "goarch": "The host architecture the SDK was built for.",
+        "gofips140": "The value of GOFIPS140 to build with",
         "experiments": "Comma-separated Go experiments to enable via GOEXPERIMENT.",
         "root_file": "A file in the SDK root directory",
         "libs": ("Depset of pre-compiled .a files for the standard library " +

go/private/rules/binary.bzl

@@ -367,13 +367,6 @@ def _go_binary_kwargs(go_cc_aspects = []):
                 [pure].
                 """,
             ),
-            "gofips140": attr.string(
-                default = "off",
-                doc = """Controls the GOFIPS140 environment variable. May be any string value.
-                Common values include `"off"` (default), `"latest"`, and specific versions like `"v1.0.0"`.
-                See [mode attributes], specifically [gofips140].
-                """,
-            ),
             "static": attr.string(
                 default = "auto",
                 doc = """Controls whether a binary is statically linked. May be one of `on`,

go/private/rules/sdk.bzl

@@ -35,6 +35,7 @@ def _go_sdk_impl(ctx):
         GoSDK(
             goos = ctx.attr.goos,
             goarch = ctx.attr.goarch,
+            gofips140 = ctx.attr.gofips140,
             experiments = ",".join(ctx.attr.experiments),
             root_file = ctx.file.root_file,
             package_list = package_list,
@@ -58,6 +59,13 @@ go_sdk = rule(
             mandatory = True,
             doc = "The host architecture the SDK was built for",
         ),
+        "gofips140": attr.string(
+            default = "off",
+            doc = """Controls the GOFIPS140 environment variable. May be any string value.
+            Common values include `"off"` (default), `"latest"`, and specific versions like `"v1.0.0"`.
+            See [mode attributes], specifically [gofips140].
+            """,
+        ),
         "experiments": attr.string_list(
             mandatory = False,
             doc = "Go experiments to enable via GOEXPERIMENT",