Backport FIPS dependency updates to release/v1.35#43275

Closed
Copilot wants to merge 2 commits into release/v1.35 from copilot/backport-fips-dependency-updates


Copilot AI commented Feb 2, 2026

Backports FIPS build dependency updates from main (PRs #43260, #43263) to ensure compatibility with latest BoringSSL FIPS module and build tooling.

Dependency Updates

Updated versions in bazel/repository_locations.bzl:

  • boringssl: 0.20250514.0 → 0.20251124.0
  • fips_ninja: 1.13.1 → 1.13.2
  • fips_cmake_linux_x86_64: 4.1.2 → 4.2.3
  • fips_cmake_linux_aarch64: 4.1.2 → 4.2.3

BoringSSL FIPS Build Changes

  • Removed boringssl_fips.patch and its references in bazel/repositories.bzl (patch no longer needed)
  • Added -DBUILD_TESTING=off to cmake configuration in bazel/external/boringssl_fips.genrule_cmd
  • Removed ninja run_tests from validation step (tests built but not run during FIPS validation)

Signed-off-by: phlax

Original prompt

Summary

Backport the FIPS-related dependency updates from main to the release/v1.35 branch.

Dependencies to Update

The following dependencies in bazel/repository_locations.bzl need to be updated:

1. boringssl

  • Current version (v1.35): 0.20250514.0
  • Target version: 0.20251124.0
  • New sha256: d47f89b894bf534c82071d7426c5abf1e5bd044fee242def53cd5d3d0f656c09
  • Update release_date to: 2025-11-25
  • Source PR: deps: Bump boringssl -> 0.20251124.0 #43260

Additionally for boringssl FIPS build:

  • In bazel/repositories.bzl, remove the patches and patch_args lines from the _boringssl_fips() function for boringssl_fips
  • Delete the file bazel/boringssl_fips.patch (it's no longer needed)
  • In bazel/external/boringssl_fips.genrule_cmd, add -DBUILD_TESTING=off to the cmake command and remove the ninja run_tests line

2. fips_ninja

  • Current version (v1.35): 1.13.1
  • Target version: 1.13.2
  • New sha256: 974d6b2f4eeefa25625d34da3cb36bdcebe7fbce40f4c16ac0835fd1c0cbae17
  • Update release_date to: 2025-11-20
  • Source PR: deps: Bump fips_ninja -> 1.13.2 #43263

3. fips_cmake_linux_x86_64

  • Current version (v1.35): 4.1.2
  • Target version: 4.2.3
  • New sha256: 5bb505d5e0cca0480a330f7f27ccf52c2b8b5214c5bba97df08899f5ef650c23
  • Update release_date to: 2026-01-27

4. fips_cmake_linux_aarch64

  • Current version (v1.35): 4.1.2
  • Target version: 4.2.3
  • New sha256: e529c75f18f27ba27c52b329efe7b1f98dc32ccc0c6d193c7ab343f888962672
  • Update release_date to: 2026-01-27

Files to Modify

  1. bazel/repository_locations.bzl - Update the version, sha256, and release_date for all four dependencies listed above

  2. bazel/repositories.bzl - In the _boringssl_fips() function, remove these two lines from the boringssl_fips external_http_archive call:

    patches = ["@envoy//bazel:boringssl_fips.patch"],
    patch_args = ["-p1"],
    
  3. bazel/boringssl_fips.patch - Delete this file entirely

  4. bazel/external/boringssl_fips.genrule_cmd - In the build_boringssl_fips() function:

    • Add -DBUILD_TESTING=off \ as a new line in the cmake configuration (before the .. line)
    • In the validate_fips() function, remove the line ninja run_tests

Important Notes

  • The release/v1.35 branch uses the old format where metadata is inline in repository_locations.bzl (not in a separate deps.yaml file)
  • Go versions (fips_go_linux_amd64 and fips_go_linux_arm64) are already at 1.24.4 on v1.35, so no update needed
  • These updates ensure FIPS builds work correctly with the latest dependency versions

Signed-off-by: phlax

This pull request was created from Copilot chat.
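
A check a reviewer could run against the backport branch, added here as an example and not part of the PR or of Envoy's tooling: it reads `version`, `sha256` and `release_date` from an inline-metadata file without executing it and compares them with the targets listed above. The `SAMPLE` excerpt, its `dict(...)` layout and the `REPOSITORY_LOCATIONS_SPEC` name are constructed assumptions.

```python
import ast

# Target pins from the PR description: (version, sha256, release_date).
EXPECTED = {
    "boringssl": ("0.20251124.0", "d47f89b894bf534c82071d7426c5abf1e5bd044fee242def53cd5d3d0f656c09", "2025-11-25"),
    "fips_ninja": ("1.13.2", "974d6b2f4eeefa25625d34da3cb36bdcebe7fbce40f4c16ac0835fd1c0cbae17", "2025-11-20"),
    "fips_cmake_linux_x86_64": ("4.2.3", "5bb505d5e0cca0480a330f7f27ccf52c2b8b5214c5bba97df08899f5ef650c23", "2026-01-27"),
    "fips_cmake_linux_aarch64": ("4.2.3", "e529c75f18f27ba27c52b329efe7b1f98dc32ccc0c6d193c7ab343f888962672", "2026-01-27"),
}
FIELDS = ("version", "sha256", "release_date")

GOOD = EXPECTED["boringssl"][1]
STALE = "0" * 64  # constructed stand-in for a sha256 left unchanged after a version bump

# Constructed excerpt; the nested dict(...) layout and variable name are assumptions.
SAMPLE = f"""
REPOSITORY_LOCATIONS_SPEC = dict(
    boringssl = dict(version = "0.20251124.0", sha256 = "{GOOD}", release_date = "2025-11-25"),
    fips_ninja = dict(version = "1.13.2", sha256 = "{STALE}", release_date = "2025-11-20"),
)
"""

def parse_pins(text):
    """Read string fields from nested dict(...) calls via the AST; nothing is executed."""
    outer = ast.parse(text).body[0].value
    pins = {}
    for dep in outer.keywords:
        if isinstance(dep.value, ast.Call):
            pins[dep.arg] = {kw.arg: kw.value.value for kw in dep.value.keywords
                             if isinstance(kw.value, ast.Constant)}
    return pins

def check_pins(text, expected=EXPECTED):
    """Return one message per pinned field that differs from the expected backport target."""
    pins = parse_pins(text)
    problems = []
    for dep, wanted in expected.items():
        entry = pins.get(dep)
        if entry is None:
            problems.append(f"{dep}: entry missing")
            continue
        for field, want in zip(FIELDS, wanted):
            if entry.get(field) != want:
                problems.append(f"{dep}: {field} is {entry.get(field)!r}, expected {want!r}")
    return problems

if __name__ == "__main__":
    for line in check_pins(SAMPLE):
        print(line)
```

On the constructed excerpt this reports the stale `fips_ninja` hash and the two cmake entries that the excerpt omits.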



@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #43275 was opened by Copilot.


- Update boringssl to 0.20251124.0
- Update fips_ninja to 1.13.2
- Update fips_cmake_linux_x86_64 to 4.2.3
- Update fips_cmake_linux_aarch64 to 4.2.3
- Remove boringssl_fips patch
- Add BUILD_TESTING=off to cmake config
- Remove ninja run_tests from validation

Co-authored-by: phlax <454682+phlax@users.noreply.github.com>

Copilot AI changed the title from "[WIP] Backport FIPS-related dependency updates to release/v1.35" to "Backport FIPS dependency updates to release/v1.35" Feb 2, 2026

Copilot AI requested a review from phlax February 2, 2026 15:38

phlax closed this Feb 2, 2026

@rahulrphadke21-dotcom

Could this be backported into the v1.34 train as well?
