Refactor Github action, OpenSSL 3.4.0, njs 0.8.7, configuration synta…

…x update
robvanoostenrijk · Oct 23, 2024 · 9ca176e · 9ca176e
1 parent 5069f2c
commit 9ca176e
Show file tree

Hide file tree

Showing 5 changed files with 92 additions and 23 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,13 +1,14 @@
-name: Build container(s) & Upload Artifacts
+name: Build release containers and create binary release
 
 on:
   push:
     tags:
       - '*'
 
 jobs:
-  build-container-and-deploy:
+  build-linux-containers:
     runs-on: ubuntu-latest
+    name: Build Linux Containers
     if: github.event_name == 'push'
     strategy:
       matrix:
@@ -29,6 +30,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Determine Image Version
+        shell: bash
         run: |
           # Strip git ref prefix from version
           VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
@@ -38,39 +40,102 @@ jobs:
           [ "$VERSION" == "main" ] && VERSION=latest
           echo "VERSION=${VERSION}-${{ matrix.library }}" >> $GITHUB_ENV
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           build-args: SSL_LIBRARY=${{ matrix.library }}
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ghcr.io/${{ github.repository }}:${{ matrix.library }},ghcr.io/${{ github.repository }}:${{ env.VERSION }}
       - name: Extract docker build artifacts
+        shell: bash
         run: |
           ./extract-artifacts.sh ghcr.io/${{ github.repository }} ${{ env.VERSION }} ${{ matrix.library }}
-      - name: Release
-        uses: softprops/action-gh-release@v1
+      - name: Upload artifacts 
+        uses: actions/upload-artifact@v4
         with:
-          files: |
+          name: nginx-${{ matrix.library }}
+          path: |
             dist/nginx-http3-${{ matrix.library }}-linux-amd64.tar.xz
             dist/nginx-http3-${{ matrix.library }}-linux-arm64.tar.xz
+            dist/version.txt
+          retention-days: 1
 
-  freebsd:
+  build-freebsd:
     runs-on: ubuntu-latest
     name: Build FreeBSD version
     steps:
       - name: Checkout from GitHub
         uses: actions/checkout@v4
-      - uses: vmactions/freebsd-vm@v1
+      - name: Build on FreeBSD VM
+        uses: vmactions/freebsd-vm@v1
         with:
           release: "13.2"
           usesh: true
           prepare: |
             pkg install -y cmake git go gtar libxml2 libxslt pcre2 rust samurai
           run: |
             ./build-freebsd.sh
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: nginx-freebsd
+          path: |
+            nginx-http3-aws-lc-freebsd-amd64.tar.xz
+            version.txt
+          retention-days: 1
+
+  release:
+    needs:
+      - build-freebsd
+      - build-linux-containers
+    runs-on: ubuntu-latest
+    name: Create Release
+    steps:
+      - name: Checkout from GitHub
+        uses: actions/checkout@v4
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: nginx-*
+      - name: Release Text
+        shell: bash
+        run: |
+          platforms=("linux-amd64" "linux-arm64")
+          libraries=("aws-lc" "libressl" "openssl")
+
+          git log -1 --no-merges --pretty=%B > ./release.txt
+
+          echo "#### Versions:" >> ./release.txt
+
+          for library in ${libraries[@]}; do
+            echo " - nginx-${library}" >> ./release.txt
+            echo "    \`$(cat ./nginx-${library}/version.txt)\`" >> ./release.txt
+          done
+
+          echo " - nginx-freebsd" >> ./release.txt
+          echo "    \`$(cat ./nginx-freebsd/version.txt)\`" >> ./release.txt
+
+          echo "#### SHA256 Checksums:" >> ./release.txt
+
+          for library in ${libraries[@]}; do
+            for platform in ${platforms[@]}; do
+              echo "    nginx-${library}-${platform}.tar.xz: $(sha256sum ./nginx-${library}/nginx-http3-${library}-${platform}.tar.xz | cut -d ' ' -f 1)" >> ./release.txt
+            done
+
+            echo "" >> ./release.txt
+          done
+
+          echo "    nginx-aws-lc-freebsd-amd64.tar.xz: $(sha256sum ./nginx-freebsd/nginx-http3-aws-lc-freebsd-amd64.tar.xz | cut -d ' ' -f 1)" >> ./release.txt
       - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
+          body_path: ./release.txt
           files: |
-            nginx-http3-aws-lc-freebsd-amd64.tar.xz
+            ./nginx-aws-lc/nginx-http3-aws-lc-linux-amd64.tar.xz
+            ./nginx-aws-lc/nginx-http3-aws-lc-linux-arm64.tar.xz
+            ./nginx-libressl/nginx-http3-libressl-linux-amd64.tar.xz
+            ./nginx-libressl/nginx-http3-libressl-linux-arm64.tar.xz
+            ./nginx-openssl/nginx-http3-openssl-linux-amd64.tar.xz
+            ./nginx-openssl/nginx-http3-openssl-linux-arm64.tar.xz
+            ./nginx-freebsd/nginx-http3-aws-lc-freebsd-amd64.tar.xz
diff --git a/Dockerfile b/Dockerfile
@@ -6,15 +6,15 @@ FROM alpine:latest AS builder
 
 ARG SSL_LIBRARY=openssl
 
-ENV OPENSSL_TAG=openssl-3.3.2 \
+ENV OPENSSL_TAG=openssl-3.4.0 \
     LIBRESSL_TAG=v3.9.2 \
     AWS_LC_TAG=v1.37.0 \
     MODULE_NGINX_COOKIE_FLAG=v1.1.0 \
     MODULE_NGINX_DEVEL_KIT=v0.3.3 \
     MODULE_NGINX_ECHO=v0.63 \
     MODULE_NGINX_HEADERS_MORE=v0.37 \
     MODULE_NGINX_MISC=v0.33 \
-    MODULE_NGINX_NJS=0.8.6 \
+    MODULE_NGINX_NJS=0.8.7 \
     MODULE_NGINX_VTS=v0.2.2 \
     NGINX=1.27.2
 
@@ -140,7 +140,6 @@ curl --silent --location https://github.com/nginx/njs/archive/refs/tags/${MODULE
 #
 # nginx
 #
-#curl --silent --location https://hg.nginx.org/nginx-quic/archive/${NGINX_QUIC_COMMIT}.tar.gz | tar xz -C /usr/src --one-top-level=nginx-quic --strip-components=1 || exit 1
 curl --silent --location https://nginx.org/download/nginx-${NGINX}.tar.gz | tar xz -C /usr/src --one-top-level=nginx --strip-components=1 || exit 1
 curl --silent --location -o /usr/src/aws-lc-nginx.patch https://raw.githubusercontent.com/aws/aws-lc/main/tests/ci/integration/nginx_patch/aws-lc-nginx.patch || exit 1
 
@@ -224,7 +223,7 @@ patch -p1 < /usr/src/aws-lc-nginx.patch || exit 1
 CC=/usr/bin/clang \
 CXX=/usr/bin/clang++ \
 ./configure \
-   --build="${SSL_COMMIT} ngx_brotli-$(git --git-dir=/usr/src/ngx_brotli/.git rev-parse --short HEAD) ngx-devel-kit-${MODULE_NGINX_DEVEL_KIT} headers-more-nginx-module-${MODULE_NGINX_HEADERS_MORE} echo-nginx-module-${MODULE_NGINX_ECHO} nginx-module-vts-${MODULE_NGINX_VTS} nginx-cookie-flag-module-${MODULE_NGINX_COOKIE_FLAG} set-misc-nginx-module-${MODULE_NGINX_HEADERS_MORE} njs-${MODULE_NGINX_NJS} ngx-http-substitutions-filter-module-latest" \
+   --build="${SSL_COMMIT} ngx_brotli-$(git --git-dir=/usr/src/ngx_brotli/.git rev-parse --short HEAD) ngx-devel-kit-${MODULE_NGINX_DEVEL_KIT} headers-more-nginx-module-${MODULE_NGINX_HEADERS_MORE} echo-nginx-module-${MODULE_NGINX_ECHO} nginx-module-vts-${MODULE_NGINX_VTS} nginx-cookie-flag-module-${MODULE_NGINX_COOKIE_FLAG} set-misc-nginx-module-${MODULE_NGINX_MISC} njs-${MODULE_NGINX_NJS} ngx-http-substitutions-filter-module-latest" \
    --prefix=/var/lib/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
@@ -286,7 +285,7 @@ make -j$(getconf _NPROCESSORS_ONLN) install || exit 1
 
 ls -lh /usr/sbin/nginx
 file /usr/sbin/nginx
-/usr/sbin/nginx -vv
+/usr/sbin/nginx -v
 
 # Populate /scratchfs
 cp /etc/nginx/mime.types /scratchfs/etc/nginx/

diff --git a/build-freebsd.sh b/build-freebsd.sh
@@ -182,7 +182,8 @@ make -j$(getconf _NPROCESSORS_ONLN) || exit 1
 
 ls -lh /usr/src/nginx/objs/nginx
 file /usr/src/nginx/objs/nginx
-/usr/src/nginx/objs/nginx -vv
+/usr/src/nginx/objs/nginx -v
 
+# Generate artifacts
+/usr/src/nginx/objs/nginx -v 2> ${BASE_DIR}/version.txt
 tar -C /usr/src/nginx/objs -Jcvf ${BASE_DIR}/nginx-http3-aws-lc-freebsd-amd64.tar.xz nginx
-
diff --git a/extract-artifacts.sh b/extract-artifacts.sh
@@ -22,3 +22,7 @@ do
     echo "[i] Removing container ${CONTAINER:0:12}"
     docker rm $CONTAINER
 done
+
+echo "[i] Grab version information"
+docker pull --platform linux/amd64 "${IMAGE}:${VERSION}"
+docker run --platform linux/amd64 --rm -i --log-driver=none -a stdin -a stdout -a stderr --entrypoint "/usr/sbin/nginx" "${IMAGE}:${VERSION}" -v 2> ./dist/version.txt
diff --git a/scratchfs/etc/nginx/conf.d/http3.conf b/scratchfs/etc/nginx/conf.d/http3.conf
@@ -9,14 +9,14 @@ server {
 #
 server {
   # HTTP/1 & HTTP/2
-  listen 8443 ssl http2;
+  listen 8443 ssl;
 
   # HTTP/3 (QUIC)
-  listen 8443 http3 reuseport;
+  listen 8443 quic reuseport;
 
-  server_name localhost;
+  http2 on;
 
-  http2_push_preload on;
+  server_name localhost;
 
   gzip on;
   gzip_http_version 1.1;
@@ -51,9 +51,9 @@ server {
   ssl_prefer_server_ciphers on;
 
   # Add Alt-Svc header to negotiate HTTP/3.
-  add_header alt-svc 'h3=":443"; ma=86400' always;
+  add_header Alt-Svc 'h3=":443"; ma=86400' always;
 
-  add_header x-frame-options "deny";
+  add_header X-Frame-Options "deny";
   add_header Strict-Transport-Security "max-age=31536000" always;
 
   root /var/lib/nginx/html;