ci: Install FIPS prerequisites when testing 'pavex' with the 'fips' feature enabled

Author: LukeMathWalker

.github/workflows/docs.yml

@@ -795,6 +795,17 @@ jobs:
         rustflags: ""
         cache-workspaces: "./libs -> ./target"
     - uses: taiki-e/install-action@cargo-hack
+    - name: Install NASM for aws-lc-rs on Windows
+      if: runner.os == 'Windows'
+      uses: ilammy/setup-nasm@v1
+    - name: Install ninja-build tool for aws-lc-fips-sys on Windows
+      if: runner.os == 'Windows'
+      uses: seanmiddleditch/gha-setup-ninja@v6
+    - name: Install golang for aws-lc-fips-sys on macos
+      if: runner.os == 'MacOS'
+      uses: actions/setup-go@v6
+      with:
+        go-version: "1.25.0"
     - name: Download pavex CLI artifact
       uses: actions/download-artifact@v4
       with:
@@ -820,8 +831,16 @@ jobs:
         pavexc self setup
     - name: Run Pavex tests with multiple feature combinations
       working-directory: libs
+      if: runner.os != 'Windows'
       run: |
         cargo hack -p pavex --feature-powerset --depth 2 test --tests
+    - name: Run Pavex tests with multiple feature combinations
+      working-directory: libs
+      if: runner.os == 'Windows'
+      run: |
+        # FIPS only builds in `release` mode on Windows
+        cargo hack -p pavex --feature-powerset --exclude-features="fips" --depth 2 test --tests
+        cargo test -p pavex --release --tests --features fips,tls_crypto_provider_aws_lc_rs
     - uses: ./.github/actions/finalize-check
       if: ${{ always() && github.event_name != 'push' }}
       with:
@@ -1114,6 +1133,17 @@ jobs:
         rustflags: ""
         cache-workspaces: "./libs -> ./target"
     - uses: taiki-e/install-action@cargo-hack
+    - name: Install NASM for aws-lc-rs on Windows
+      if: runner.os == 'Windows'
+      uses: ilammy/setup-nasm@v1
+    - name: Install ninja-build tool for aws-lc-fips-sys on Windows
+      if: runner.os == 'Windows'
+      uses: seanmiddleditch/gha-setup-ninja@v6
+    - name: Install golang for aws-lc-fips-sys on macos
+      if: runner.os == 'MacOS'
+      uses: actions/setup-go@v6
+      with:
+        go-version: "1.25.0"
     - name: Download pavex CLI artifact
       uses: actions/download-artifact@v4
       with:
@@ -1139,8 +1169,16 @@ jobs:
         pavexc self setup
     - name: Run Pavex tests with multiple feature combinations
       working-directory: libs
+      if: runner.os != 'Windows'
       run: |
         cargo hack -p pavex --feature-powerset --depth 2 test --tests
+    - name: Run Pavex tests with multiple feature combinations
+      working-directory: libs
+      if: runner.os == 'Windows'
+      run: |
+        # FIPS only builds in `release` mode on Windows
+        cargo hack -p pavex --feature-powerset --exclude-features="fips" --depth 2 test --tests
+        cargo test -p pavex --release --tests --features fips,tls_crypto_provider_aws_lc_rs
     - uses: ./.github/actions/finalize-check
       if: ${{ always() && github.event_name != 'push' }}
       with:
@@ -1427,6 +1465,17 @@ jobs:
         rustflags: ""
         cache-workspaces: "./libs -> ./target"
     - uses: taiki-e/install-action@cargo-hack
+    - name: Install NASM for aws-lc-rs on Windows
+      if: runner.os == 'Windows'
+      uses: ilammy/setup-nasm@v1
+    - name: Install ninja-build tool for aws-lc-fips-sys on Windows
+      if: runner.os == 'Windows'
+      uses: seanmiddleditch/gha-setup-ninja@v6
+    - name: Install golang for aws-lc-fips-sys on macos
+      if: runner.os == 'MacOS'
+      uses: actions/setup-go@v6
+      with:
+        go-version: "1.25.0"
     - name: Download pavex CLI artifact
       uses: actions/download-artifact@v4
       with:
@@ -1446,8 +1495,16 @@ jobs:
         pavexc self setup
     - name: Run Pavex tests with multiple feature combinations
       working-directory: libs
+      if: runner.os != 'Windows'
       run: |
         cargo hack -p pavex --feature-powerset --depth 2 test --tests
+    - name: Run Pavex tests with multiple feature combinations
+      working-directory: libs
+      if: runner.os == 'Windows'
+      run: |
+        # FIPS only builds in `release` mode on Windows
+        cargo hack -p pavex --feature-powerset --exclude-features="fips" --depth 2 test --tests
+        cargo test -p pavex --release --tests --features fips,tls_crypto_provider_aws_lc_rs
     - uses: ./.github/actions/finalize-check
       if: ${{ always() && github.event_name != 'push' }}
       with:

ci_utils/templates/job_steps/pavex_tests.jinja

@@ -7,9 +7,28 @@
     rustflags: ""
     cache-workspaces: "./libs -> ./target"
 - uses: taiki-e/install-action@cargo-hack
+- name: Install NASM for aws-lc-rs on Windows
+  if: runner.os == 'Windows'
+  uses: ilammy/setup-nasm@v1
+- name: Install ninja-build tool for aws-lc-fips-sys on Windows
+  if: runner.os == 'Windows'
+  uses: seanmiddleditch/gha-setup-ninja@v6
+- name: Install golang for aws-lc-fips-sys on macos
+  if: runner.os == 'MacOS'
+  uses: actions/setup-go@v6
+  with:
+    go-version: "1.25.0"
 <% include 'setup_pavex' %>
 - name: Run Pavex tests with multiple feature combinations
   working-directory: libs
+  if: runner.os != 'Windows'
   run: |
     cargo hack -p pavex --feature-powerset --depth 2 test --tests
+- name: Run Pavex tests with multiple feature combinations
+  working-directory: libs
+  if: runner.os == 'Windows'
+  run: |
+    # FIPS only builds in `release` mode on Windows
+    cargo hack -p pavex --feature-powerset --exclude-features="fips" --depth 2 test --tests
+    cargo test -p pavex --release --tests --features fips,tls_crypto_provider_aws_lc_rs
 <%- endblock %>