From d9cdaf8e92f5d471ed998537b0beaed1891fbcfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ramon=20R=C3=BCttimann?=
Date: Mon, 27 Nov 2023 12:49:28 +0100
Subject: [PATCH] wip
---
 .github/workflows/release.yml | 32 +++++++++++++++++++++++++++-
 Dockerfile | 39 +++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 Dockerfile
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 331eccff7b4..43c4d12aa62 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,31 @@ name: Build TF Provider
 on: [push]
 jobs:
+ static-build:
+ runs-on: ubuntu-latest
+ container:
+ image: golang:1.21.3-bullseye
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install GCC
+ run: |
+ apt update && apt install -y gcc-x86-64-linux-gnu
+ - name: go mod download
+ run: go mod download
+ - name: Build
+ run: |
+ CC=x86_64-linux-gnu-gcc \
+ GOARCH=amd64 \
+ CGO_ENABLED=1 \
+ GOEXPERIMENT=boringcrypto \
+ go build -v -o /go/bin/app .
+ - name: LDD check
+ run: |
+ ldd /go/bin/app
+ - name: Verify Boringcrypto
+ run: |
+ go run rsc.io/goversion@master -crypto /go/bin/app | grep -q '(boring crypto)'
+
 build:
 runs-on: ubuntu-latest
 steps:
@@ -27,7 +52,12 @@ jobs:
 - name: Build Linux binary with Boringcrypto
 run: |
 CC=x86_64-linux-gnu-gcc CGO_ENABLED=1 GOARCH=amd64 GOOS=linux GOEXPERIMENT=boringcrypto \
- go build -o bin/terraform-provider-google.linux.amd64 .
+ go build \
+ -ldflags "-linkmode external -extldflags -static"
+ -o bin/terraform-provider-google.linux.amd64 .
+ - name: Verify statically linked
+ run: |
+ ldd bin/terraform-provider-google.linux.amd64
 - name: Verify Boringcrypto
 run: |
 go run rsc.io/goversion@master -crypto bin/terraform-provider-google.linux.amd64 | grep -q '(boring crypto)'
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000000..ad7be58928b
--- /dev/null
+++ b/Dockerfile
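Review bot: The new `static-build` job's `Verify Boringcrypto` step runs `go run rsc.io/goversion@master`, so the tool that gates the FIPS claim is whatever that module's master branch resolves to at run time — unpinned third-party code executed on every push; pin it to a released tag or a full commit hash (`go run rsc.io/goversion@<tag-or-commit> -crypto /go/bin/app | grep -q '(boring crypto)'`). The `LDD check` step only prints `ldd /go/bin/app` and asserts nothing, and because this job's `go build` passes none of the `-linkmode external -extldflags -static` flags that the same patch adds to the `build` job, the output will show a dynamic link against the golang:1.21.3-bullseye glibc, which looks unintended next to the job's name. The `apt update && apt install -y gcc-x86-64-linux-gnu` step is also unpinned; if the point of this job is a reproducible FIPS artifact, the toolchain inputs should be pinned as well.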
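Review bot: The added `-ldflags "-linkmode external -extldflags -static"` line of the `go build` invocation has no trailing backslash, so the shell runs `go build \ -ldflags …` as one command and then `-o bin/terraform-provider-google.linux.amd64 .` as a second command, which fails and leaves no binary at the path the next two steps read; it should be `-ldflags "-linkmode external -extldflags -static" \`. The new `Verify statically linked` step is also inverted: glibc's `ldd` prints `not a dynamic executable` and exits 1 for a static binary, so the step fails exactly when the link is correct and passes when it is not. A check that asserts the intended property is `file bin/terraform-provider-google.linux.amd64 | grep -q 'statically linked'` (assuming `file` is present on the runner) or `if ldd bin/terraform-provider-google.linux.amd64; then echo "not static"; exit 1; fi`. The unchanged `go run rsc.io/goversion@master` verifier in the context lines is unpinned and should reference a tag or commit.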
@@ -0,0 +1,39 @@
+# syntax=docker/dockerfile:1
+ARG GO_VERSION=1.21.3
+
+###############
+# Build stage #
+###############
+FROM golang:${GO_VERSION}-bullseye as builder
+
+# Our base image is AMD64 only, so we need to compile for that. Because we use
+# CGO (for boringcrypto), we either need to cross-compile or run the builder in
+# an AMD64-emulated environment. That emulated environment gets slow (build
+# times >3mins), so we opted for cross-compilation instead.
+RUN apt update && apt install -y gcc-x86-64-linux-gnu
+
+ARG APP
+WORKDIR /go/src/${APP}
+
+# Add go module files
+COPY go.mod go.sum ./
+
+# Download and cache dependencies in a dedicated layer.
+RUN go mod download
+
+# Add source code
+COPY . .
+
+# Build
+RUN --mount=type=cache,target=/root/.cache/go-build \
+ # use the C toolchain that the *target image* requires, and compile for \
+ # that arch. Our images are ubuntu-based, so GCC. \
+ CC=x86_64-linux-gnu-gcc \
+ GOARCH=amd64 \
+ # CGO is required for boringcrypto. \
+ CGO_ENABLED=1 \
+ # BoringCrypto is a FIPS-compliant Crypto library. \
+ GOEXPERIMENT=boringcrypto \
+ go build -v -o /go/bin/app .
+ # ensure the binary uses BoringCrypto and not StandardCrypto. \
+ #go run rsc.io/goversion@master -crypto /go/bin/app | grep -q '(boring crypto) +crypto/tls/fipsonly'
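Review bot: The Dockerfile has only the `builder` stage, so the image it produces is the full golang:1.21.3-bullseye toolchain plus the copied source tree and apt lists, running as root with no `USER`, no `ENTRYPOINT` and no `COPY --from=builder /go/bin/app`; the comments talk about a "target image" that is ubuntu-based, but no such runtime stage exists in this patch, and one should be added before this ships. The line that would enforce the FIPS property the build exists for is commented out (`#go run rsc.io/goversion@master -crypto /go/bin/app | grep -q '(boring crypto) +crypto/tls/fipsonly'`), so nothing verifies that `/go/bin/app` links BoringCrypto; note too that this pattern only matches if the program imports `crypto/tls/fipsonly`, while the workflow in the same patch greps only for `(boring crypto)`, so enabling it as written may disagree with CI unless that import is present (not visible here), and the tool should be pinned to a tag or commit rather than `@master`. Unlike the `build` job in release.yml, this `go build` passes no `-ldflags "-linkmode external -extldflags -static"`, so `/go/bin/app` is dynamically linked against bullseye's glibc and will only run on a runtime base with a compatible glibc — the two build paths should use one set of flags. The package step should be `apt-get update && apt-get install -y --no-install-recommends gcc-x86-64-linux-gnu && rm -rf /var/lib/apt/lists/*` in a single layer so the apt cache does not persist into the image.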