github · jeffwidman · Feb 21, 2026 · Feb 19, 2026
@@ -235,4 +235,56 @@ integration('ProxyBuilder', () => {
 
     await proxy.shutdown()
   })
+
+  jest.setTimeout(20000)
+  it('forwards OPENSSL_FORCE_FIPS_MODE if configured', async () => {
+    process.env.OPENSSL_FORCE_FIPS_MODE = '0'
+
+    const proxy = await builder.run(
+      jobId,
+      jobToken,
+      dependabotApiUrl,
+      credentials
+    )
+    await proxy.container.start()
+
+    const id = proxy.container.id
+    const proc = spawnSync('docker', [
+      'exec',
+      id,
+      'printenv',
+      'OPENSSL_FORCE_FIPS_MODE'
+    ])
+    const output = proc.stdout.toString().trim()
+    expect(output).toEqual('0')
+
+    await proxy.shutdown()
+    delete process.env.OPENSSL_FORCE_FIPS_MODE
+  })
+
+  jest.setTimeout(20000)
+  it('does not set OPENSSL_FORCE_FIPS_MODE when not configured', async () => {
+    delete process.env.OPENSSL_FORCE_FIPS_MODE
+
+    const proxy = await builder.run(
+      jobId,
+      jobToken,
+      dependabotApiUrl,
+      credentials
+    )
+    await proxy.container.start()
+
+    const id = proxy.container.id
+    const proc = spawnSync('docker', [
+      'exec',
+      id,
+      'printenv',
+      'OPENSSL_FORCE_FIPS_MODE'
+    ])
+    // printenv exits with 1 when the variable is not set
+    expect(proc.status).toEqual(1)
+    expect(proc.stdout.toString().trim()).toEqual('')
+
+    await proxy.shutdown()
+  })
 })
@@ -75,4 +75,79 @@ integration('UpdaterBuilder', () => {
     await proxy.shutdown()
     await container.remove()
   }, 15000)
+
+  it('passes through OPENSSL_FORCE_FIPS_MODE when set on host', async () => {
+    process.env.OPENSSL_FORCE_FIPS_MODE = '0'
+
+    const cachedMode = true
+    const proxy = await new ProxyBuilder(
+      docker,
+      PROXY_IMAGE_NAME,
+      cachedMode
+    ).run(1, dependabotApiUrl, jobToken, credentials)
+    await proxy.container.start()
+    const input = {job: details}
+    const params = new JobParameters(
+      1,
+      'job-token',
+      'cred-token',
+      'https://example.com',
+      '172.17.0.1',
+      updaterImageName('bundler')
+    )
+    const container = await new UpdaterBuilder(
+      docker,
+      params,
+      input,
+      proxy,
+      updaterImageName('bundler')
+    ).run('updater-fips-test')
+
+    const containerInfo = await container.inspect()
+    expect(containerInfo.Config.Env).toEqual(
+      expect.arrayContaining(['OPENSSL_FORCE_FIPS_MODE=0'])
+    )
+
+    await proxy.shutdown()
+    await container.remove()
+    delete process.env.OPENSSL_FORCE_FIPS_MODE
+  }, 15000)
+
+  it('does not set OPENSSL_FORCE_FIPS_MODE when not set on host', async () => {
+    delete process.env.OPENSSL_FORCE_FIPS_MODE
+
+    const cachedMode = true
+    const proxy = await new ProxyBuilder(
+      docker,
+      PROXY_IMAGE_NAME,
+      cachedMode
+    ).run(1, dependabotApiUrl, jobToken, credentials)
+    await proxy.container.start()
+    const input = {job: details}
+    const params = new JobParameters(
+      1,
+      'job-token',
+      'cred-token',
+      'https://example.com',
+      '172.17.0.1',
+      updaterImageName('bundler')
+    )
+    const container = await new UpdaterBuilder(
+      docker,
+      params,
+      input,
+      proxy,
+      updaterImageName('bundler')
+    ).run('updater-no-fips-test')
+
+    const containerInfo = await container.inspect()
+    expect(containerInfo.Config.Env).not.toEqual(
+      expect.arrayContaining([
+        expect.stringMatching(/OPENSSL_FORCE_FIPS_MODE=/)
+      ])
+    )
+
+    await proxy.shutdown()
+    await container.remove()
+  }, 15000)
 })
@@ -236,7 +236,14 @@ export class ProxyBuilder {
         `PROXY_CACHE=${this.cachedMode ? 'true' : 'false'}`,
         `DEPENDABOT_API_URL=${dependabotApiUrl}`,
         `ACTIONS_ID_TOKEN_REQUEST_TOKEN=${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN || ''}`,
-        `ACTIONS_ID_TOKEN_REQUEST_URL=${process.env.ACTIONS_ID_TOKEN_REQUEST_URL || ''}`
+        `ACTIONS_ID_TOKEN_REQUEST_URL=${process.env.ACTIONS_ID_TOKEN_REQUEST_URL || ''}`,
+        // Pass through OPENSSL_FORCE_FIPS_MODE from the host if set.
+        // The container does not have the OpenSSL FIPS provider installed, so OpenSSL fails while running update-ca-certificates on FIPS-enabled self-hosted runners.
+        // Setting OPENSSL_FORCE_FIPS_MODE=0 on the host works around this by explicitly preventing OpenSSL from using FIPS.
+        // We only propagate the env variable when it is explicitly set so as not to alter default behavior.
+        ...(process.env.OPENSSL_FORCE_FIPS_MODE !== undefined
+          ? [`OPENSSL_FORCE_FIPS_MODE=${process.env.OPENSSL_FORCE_FIPS_MODE}`]
+          : [])
       ],
       Entrypoint: [
         'sh',

@@ -54,6 +54,16 @@ export class UpdaterBuilder {
       envVars.push(`DEPENDABOT_UPDATER_SHA=${updaterSha}`)
     }
 
+    // Pass through OPENSSL_FORCE_FIPS_MODE from the host if set.
+    // The container does not have the OpenSSL FIPS provider installed, so OpenSSL fails while running update-ca-certificates on FIPS-enabled self-hosted runners.
+    // Setting OPENSSL_FORCE_FIPS_MODE=0 on the host works around this by explicitly preventing OpenSSL from using FIPS.
+    // We only propagate the env variable when it is explicitly set so as not to alter default behavior.
+    if (process.env.OPENSSL_FORCE_FIPS_MODE !== undefined) {
+      envVars.push(
+        `OPENSSL_FORCE_FIPS_MODE=${process.env.OPENSSL_FORCE_FIPS_MODE}`
+      )
+    }
+
     const container = await this.docker.createContainer({
       Image: this.updaterImage,
       name: containerName,