split FIPS unit tests from fips140=only test (#4766)

michel-laterman · web-flow · commit 9f65d34cb434 · 2025-04-04T14:56:04.000-06:00
split FIPS unit tests from fips140=only test
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
@@ -98,6 +98,18 @@ steps:
           - build/*.xml
           - build/coverage*.out
 
+      - label: ":smartbear-testexecute: Run fips140=only unit tests"
+        key: unit-test-fips140-only
+        command: ".buildkite/scripts/unit_test.sh"
+        env:
+          FIPS: "true"
+          GODEBUG: "fips140=only"
+        agents:
+          provider: "gcp"
+        artifact_paths:
+          - build/*.xml
+          - build/coverage*.out
+
       - label: ":smartbear-testexecute: Run unit tests: MacOS 13"
         key: unit-test-macos-13
         command: ".buildkite/scripts/unit_test.sh"
diff --git a/.buildkite/scripts/unit_test.sh b/.buildkite/scripts/unit_test.sh
@@ -9,8 +9,4 @@ add_bin_path
 with_go
 
 echo "Starting the unit tests..."
-if [[ ${FIPS:-} == "true" ]]; then
-    make test-unit-fips junit-report
-else
-    make test-unit junit-report
-fi
+make test-unit junit-report
diff --git a/Makefile b/Makefile
@@ -221,16 +221,13 @@ test: prepare-test-context  ## - Run all tests
 test-release:  ## - Check that all release binaries are created
 	./.buildkite/scripts/test-release.sh $(DEFAULT_VERSION)
 
-# If FIPS=true unit tests need microsoft/go + OpenSSL with FIPS
 .PHONY: test-unit
 test-unit: prepare-test-context  ## - Run unit tests only
-	set -o pipefail; ${GOFIPSEXPERIMENT} go test ${GO_TEST_FLAG} -tags=$(GOBUILDTAGS) -v -race -coverprofile=build/coverage-${OS_NAME}.out ./... | tee build/test-unit-${OS_NAME}.out
+	set -o pipefail; go test ${GO_TEST_FLAG} -tags=$(GOBUILDTAGS) -v -race -coverprofile=build/coverage-${OS_NAME}.out ./... | tee build/test-unit-${OS_NAME}.out
 
-# FIPS unit tests are meant to use go v1.24 to check FIPS compliance.
-# This check is very strict, and should be thought of as a static-code analysis tool.
-.PHONY: test-unit-fips
-test-unit-fips: prepare-test-context  ## - Run unit tests with go 1.24's fips140=only for testing
-	set -o pipefail; GOFIPS140=latest GODEBUG=fips140=only go test ${GO_TEST_FLAG} -tags=$(GOBUILDTAGS) -v -race -coverprofile=build/coverage-${OS_NAME}.out ./... | tee build/test-unit-fips-${OS_NAME}.out
+.PHONY: test-fips-provider-unit
+test-fips-provider-unit: prepare-test-context  ## - Run unit tests with GOEXPERIMENT=systemcrypto to check that system FIPS provider works
+	set -o pipefail; GOEXPERIMENT=systemcrypto CGO_ENABLED=1 go test ${GO_TEST_FLAG} -tags=$(GOBUILDTAGS) -v -race -coverprofile=build/coverage-${OS_NAME}.out ./... | tee build/test-unit-${OS_NAME}.out
 
 .PHONY: benchmark
 benchmark: prepare-test-context ## - Run benchmark tests only
