feat: Add optional FIPS support

.github/workflows/ci.yml

@@ -22,10 +22,17 @@ jobs:
         os: [ubuntu-latest, macos-latest]
         # Earliest and latest supported
         rubyVersion: ["3.3", "4.0"]
-
+        # Opt-in FIPS build (aws-lc-rs); Linux only, the aws-lc-rs FIPS toolchain is not exercised on macOS.
+        fips: [false, true]
+
+        exclude:
+          - os: macos-latest
+            fips: true
+
         include:
           - os: ubuntu-latest
             rubyVersion: "4.0"
+            fips: false
             checkTarget: true
             docsTarget: true
     runs-on: ${{ matrix.os }}
@@ -79,12 +86,25 @@ jobs:
         run: |
           bundle exec rake proto:check_generated
 
+      - name: Assert FIPS build is free of `ring`
+        if: ${{ matrix.fips }}
+        working-directory: ./temporalio
+        run: |
+          if cargo tree -p temporalio_bridge --no-default-features --features fips -i ring; then
+            echo "::error::ring is present in the FIPS dependency tree — TLS is not fully aws-lc-rs backed"
+            exit 1
+          fi
+          echo "ring is absent from the FIPS dependency tree"
+
       - name: Lint, compile, test Ruby
         working-directory: ./temporalio
         # Timeout just in case there's a hanging part in rake
         timeout-minutes: 20
         # Set env vars for cloud tests. If secrets aren't present, tests will be skipped.
         env:
+          # Selects the FIPS-mode aws-lc-rs crypto backend for the `fips: true` matrix legs.
+          TEMPORALIO_FIPS: ${{ matrix.fips && '1' || '' }}
+
           # For mTLS tests
           TEMPORAL_CLOUD_MTLS_TEST_TARGET_HOST: ${{ vars.TEMPORAL_CLIENT_NAMESPACE }}.tmprl.cloud:7233
           TEMPORAL_CLOUD_MTLS_TEST_NAMESPACE: ${{ vars.TEMPORAL_CLIENT_NAMESPACE }}

README.md

@@ -1348,6 +1348,35 @@ section for how to build a the repository.
 The SDK works on Ruby 3.2+, but due to [an issue](https://github.com/temporalio/sdk-ruby/issues/162), fibers (and
 `async` gem) are only supported on Ruby versions 3.3 and newer.
 
+### FIPS Compliance
+
+FIPS 140-3 compliant cryptography is available as an **opt-in source build**. The default published gems are **not**
+FIPS compliant: they use the `ring` crypto backend, which is not FIPS-validated. The opt-in build instead uses
+[`aws-lc-rs`](https://github.com/aws/aws-lc-rs) compiled in FIPS mode (wrapping AWS-LC's FIPS 140-3 validated module)
+for both the gRPC client and the OTLP metric exporter.
+
+Because the crypto backend is chosen at compile time, FIPS cannot be enabled on a precompiled platform gem. You must
+build the native extension yourself with the `TEMPORALIO_FIPS=1` environment variable set. Building requires a recursive
+clone (the published "source" gem cannot be built directly — see [Platform Support](#platform-support)), along with
+Rust, Go, and protoc (see the [Build](#build) section for prerequisites):
+
+    # From a recursive clone, in the temporalio/ directory:
+    TEMPORALIO_FIPS=1 bundle exec rake compile
+
+To produce an installable FIPS gem for your platform, pass the variable through `rb-sys-dock` (see
+[Build Platform-specific Gem](#build-platform-specific-gem)):
+
+    TEMPORALIO_FIPS=1 bundle exec rb-sys-dock --platform x86_64-linux --ruby-versions 3.4 --build
+
+Additional considerations for a fully FIPS-compliant deployment:
+
+* **Ruby's own crypto must be FIPS-capable.** The SDK uses `SecureRandom` (for request IDs) and `Digest::SHA256` (for
+  the default worker build id). Both are FIPS-approved, but rely on Ruby being built against a FIPS-enabled OpenSSL. The
+  default build id was changed from MD5 to SHA-256 so it does not fail under FIPS-mode OpenSSL.
+* **Toolchain.** The `aws-lc-rs` FIPS build compiles AWS-LC from C/assembly and requires Go and a compatible C compiler.
+  On some Linux toolchains you may need to pin `CC=gcc-10`/`CXX=g++-10` (the cross-compilation Docker image already does
+  this).
+
 ### Migration from Coinbase Ruby SDK
 
 The [Coinbase Ruby SDK](https://github.com/coinbase/temporal-ruby) predates this official Temporal SDK and has been a
@@ -1411,6 +1440,9 @@ not work for other Ruby versions or other OS/arch combinations. For that, see "B
 **NOTE**: This is not `compile:dev` because debug-mode in Rust has
 [an issue](https://github.com/rust-lang/rust/issues/34283) that causes runtime stack size problems.
 
+**NOTE**: Set `TEMPORALIO_FIPS=1` before compiling to build with the FIPS-mode `aws-lc-rs` crypto backend. See the
+[FIPS Compliance](#fips-compliance) section.
+
 To lint, build, and test:
 
     bundle exec rake