diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml index ca5ed322..dfe86707 100644 --- a/.github/workflows/alpine-mainline.yml +++ b/.github/workflows/alpine-mainline.yml @@ -8,7 +8,7 @@ on: jobs: version: name: Fetch NGINX mainline version - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: major: ${{ steps.nginx_version.outputs.major }} minor: ${{ steps.nginx_version.outputs.minor }} @@ -16,7 +16,7 @@ jobs: distro: ${{ steps.distro_version.outputs.release }} steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Parse NGINX mainline version id: nginx_version 
@@ -28,27 +28,27 @@ jobs: - name: Parse Alpine version id: distro_version run: | - echo "release=$(cat update.sh | grep -m5 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" + echo "release=$(cat update.sh | grep -m7 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" slim: name: Build Alpine NGINX mainline slim Docker image - runs-on: ubuntu-22.04 + needs: version + runs-on: ubuntu-24.04 strategy: fail-fast: false - needs: version steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
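Review bot: The new `grep -m7 '\[mainline\]=' ... | tail -n1` in the Parse Alpine version step still selects the release by occurrence count inside update.sh, so any reordering or extra entry in that file silently shifts the parsed value, which is exactly why this commit has to move the count from 5 to 7 (the stable and Debian hunks carry the same change as `-m7` and `-m6`). The step also forwards whatever the pipeline yields, including an empty string, into `$GITHUB_OUTPUT`, and an empty `distro` output later collapses tags like `alpine${{ needs.version.outputs.distro }}-slim` onto the plain `alpine-slim` tag. I would capture the value and fail the job when it is empty: `release="$(grep -m7 '\[mainline\]=' update.sh | tail -n1 | cut -d"'" -f2)"`, `[ -n "$release" ] || { echo "could not parse Alpine release from update.sh" >&2; exit 1; }`, `echo "release=$release" >> "$GITHUB_OUTPUT"`; matching on the distro's own array name in update.sh rather than the occurrence count would be more robust still, if that file's layout allows it. Separately, the bumped Configure AWS credentials step keeps authenticating with a stored access key pair, while aws-actions/configure-aws-credentials v4 supports OIDC via `role-to-assume`, which would let the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets be retired.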
@@ -56,20 +56,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -77,15 +77,15 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | docker.io/nginxinc/nginx-unprivileged 
@@ -103,15 +103,18 @@ jobs: type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-slim type=raw,value=alpine-slim type=raw,value=alpine${{ needs.version.outputs.distro }}-slim + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push NGINX mainline slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-slim" - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=alpine-slim # cache-to: type=gha,mode=min,scope=alpine-slim 
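Review bot: The jump from docker/build-push-action v5.1.0 to v6.13.0 is a major-version bump whose new defaults the hunk does not pin: v6 writes a build summary to the job and uploads a build record artifact on every run unless `DOCKER_BUILD_SUMMARY` / `DOCKER_BUILD_RECORD_UPLOAD` are set, and for a public repository pushing to four registries that is worth an explicit decision rather than an inherited default. I would set them deliberately under the step's `env:` (for example `DOCKER_BUILD_RECORD_UPLOAD: false` if the artifact is not wanted) with a comment recording the choice, so the behaviour does not change again on the next bump. The same bump appears in every other build step of this commit. The new `linux/riscv64` platform entry is also added without saying which Alpine release introduced riscv64 for the base image; a one-line comment naming it would help the next reader judge whether all three variants can build for it.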
@@ -147,23 +150,23 @@ jobs: core: name: Build Alpine NGINX mainline Docker image - runs-on: ubuntu-22.04 + needs: [version, slim] + runs-on: ubuntu-24.04 strategy: fail-fast: false - needs: [version, slim] steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -171,20 +174,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -192,15 +195,15 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | docker.io/nginxinc/nginx-unprivileged 
@@ -218,15 +221,18 @@ jobs: type=raw,value=mainline-alpine${{ needs.version.outputs.distro }} type=raw,value=alpine type=raw,value=alpine${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push NGINX mainline Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine" - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=debian-perl # cache-to: type=gha,mode=min,scope=debian-perl 
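Review bot: The commented `cache-from`/`cache-to` lines in this Alpine core build step still carry `scope=debian-perl`, which matches neither the job (Alpine core) nor the naming the slim and perl jobs use (`alpine-slim`, `alpine-perl`); if the cache were re-enabled as written, the Alpine core image would share a cache scope with the Debian perl build. I would correct them to `# cache-from: type=gha,scope=alpine` and `# cache-to: type=gha,mode=min,scope=alpine`, or drop the dead lines altogether. This is pre-existing context, but the hunk rewrites the surrounding step and is the natural place to fix it.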
@@ -262,23 +268,23 @@ jobs: perl: name: Build Alpine NGINX mainline perl Docker image - runs-on: ubuntu-22.04 + needs: [version, core] + runs-on: ubuntu-24.04 strategy: fail-fast: false - needs: [version, core] steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -286,20 +292,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -307,15 +313,15 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | docker.io/nginxinc/nginx-unprivileged 
@@ -333,15 +339,18 @@ jobs: type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-perl type=raw,value=alpine-perl type=raw,value=alpine${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push NGINX mainline perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-perl" - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=alpine-perl # cache-to: type=gha,mode=min,scope=alpine-perl 
@@ -374,25 +383,3 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - - cleanup: - name: Delete untagged Alpine NGINX mainline Docker images on the Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - runs-on: ubuntu-22.04 - strategy: - fail-fast: false - needs: [slim, core, perl] - steps: - - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Delete untagged Alpine NGINX mainline Docker images on the Amazon ECR Public Gallery - run: | - .github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml index 1be0651d..bb6d0a2e 100644 --- a/.github/workflows/alpine-stable.yml +++ b/.github/workflows/alpine-stable.yml @@ -8,7 +8,7 @@ on: jobs: version: name: Fetch NGINX stable version - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: major: ${{ steps.nginx_version.outputs.major }} minor: ${{ steps.nginx_version.outputs.minor }} @@ -16,7 +16,7 @@ jobs: distro: ${{ steps.distro_version.outputs.release }} steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Parse NGINX stable version id: nginx_version 
@@ -28,27 +28,27 @@ jobs: - name: Parse Alpine version id: distro_version run: | - echo "release=$(cat update.sh | grep -m5 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" + echo "release=$(cat update.sh | grep -m7 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" slim: name: Build Alpine NGINX stable slim Docker image - runs-on: ubuntu-22.04 + needs: version + runs-on: ubuntu-24.04 strategy: fail-fast: false - needs: version steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -56,20 +56,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -77,15 +77,15 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | docker.io/nginxinc/nginx-unprivileged 
@@ -99,15 +99,18 @@ jobs: type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-slim type=raw,value=stable-alpine-slim type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-slim + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push NGINX stable slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine-slim" - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=stable-alpine-slim # cache-to: type=gha,mode=min,scope=stable-alpine-slim 
@@ -139,23 +142,23 @@ jobs: core: name: Build Alpine NGINX stable Docker image - runs-on: ubuntu-22.04 + needs: [version, slim] + runs-on: ubuntu-24.04 strategy: fail-fast: false - needs: [version, slim] steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -163,20 +166,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -184,15 +187,15 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | docker.io/nginxinc/nginx-unprivileged 
@@ -206,15 +209,18 @@ jobs: type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }} type=raw,value=stable-alpine type=raw,value=stable-alpine${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push NGINX stable Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine" - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=stable-alpine # cache-to: type=gha,mode=min,scope=stable-alpine 
@@ -246,23 +252,23 @@ jobs: perl: name: Build Alpine NGINX stable perl Docker image - runs-on: ubuntu-22.04 + needs: [version, core] + runs-on: ubuntu-24.04 strategy: fail-fast: false - needs: [version, core] steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -270,20 +276,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -291,15 +297,15 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | docker.io/nginxinc/nginx-unprivileged 
@@ -313,15 +319,18 @@ jobs: type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-perl type=raw,value=stable-alpine-perl type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-perl + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push NGINX stable perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine-perl" - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=stable-alpine-perl # cache-to: type=gha,mode=min,scope=stable-alpine-perl 
@@ -350,25 +359,3 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - - cleanup: - name: Delete untagged Alpine NGINX stable Docker images on the Amazon ECR Public Gallery - if: ${{ github.event_name != 'pull_request' }} - runs-on: ubuntu-22.04 - strategy: - fail-fast: false - needs: [slim, core, perl] - steps: - - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - aws-region: ${{ secrets.AWS_REGION }} - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Delete untagged Alpine NGINX stable Docker images on the Amazon ECR Public Gallery - run: | - .github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml index fa571119..469f4666 100644 --- a/.github/workflows/debian-mainline.yml +++ b/.github/workflows/debian-mainline.yml @@ -8,7 +8,7 @@ on: jobs: version: name: Fetch NGINX mainline version - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: major: ${{ steps.nginx_version.outputs.major }} minor: ${{ steps.nginx_version.outputs.minor }} @@ -16,7 +16,7 @@ jobs: distro: ${{ steps.distro_version.outputs.release }} steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Parse NGINX mainline version id: nginx_version 
@@ -28,27 +28,27 @@ jobs: - name: Parse Debian version id: distro_version run: | - echo "release=$(cat update.sh | grep -m4 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" + echo "release=$(cat update.sh | grep -m6 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" core: name: Build Debian NGINX mainline Docker image - runs-on: ubuntu-22.04 + needs: version + runs-on: ubuntu-24.04 strategy: fail-fast: false - needs: version steps: - name: Check out the codebase - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -56,20 +56,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -77,15 +77,15 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} - - name: Extract metadata (tags, labels) for Docker + - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 with: images: | docker.io/nginxinc/nginx-unprivileged 
@@ -103,15 +103,19 @@ jobs: type=raw,value=mainline-${{ needs.version.outputs.distro }} type=raw,value=latest type=raw,value=${{ needs.version.outputs.distro }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push NGINX mainline Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 with: - platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x + # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x context: "{{ defaultContext }}:mainline/debian" - tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name != 'pull_request' }} # cache-from: type=gha,scope=debian-perl # cache-to: type=gha,mode=min,scope=debian-perl 
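Review bot: The new `# platforms: ... linux/arm/v5 ...` line in the Debian core build step keeps the old platform list as dead text without saying why `linux/arm/v5` was dropped, so the next reader cannot tell whether the removal is temporary or permanent. I would replace it with a why-comment such as `# linux/arm/v5 dropped: <reason or tracking issue>` or delete it outright, and do the same in any other Debian build step that carries the same line. In the same step the commented `cache-from`/`cache-to` lines name `scope=debian-perl` although this is the core image job, which looks like a stale copy from the perl job.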
@@ -147,23 +151,23 @@ jobs:
perl:
name: Build Debian NGINX mainline perl Docker image
- runs-on: ubuntu-22.04
+ needs: [version, core]
+ runs-on: ubuntu-24.04
strategy:
fail-fast: false
- needs: [version, core]
steps:
- name: Check out the codebase
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -171,20 +175,20 @@ jobs:
- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws
- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -192,15 +196,15 @@ jobs:
- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- - name: Extract metadata (tags, labels) for Docker
+ - name: Extract metadata (annotations, labels, tags) for Docker
id: meta
- uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
@@ -218,15 +222,19 @@ jobs:
type=raw,value=mainline-${{ needs.version.outputs.distro }}-perl
type=raw,value=perl
type=raw,value=${{ needs.version.outputs.distro }}-perl
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push NGINX mainline perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
- uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
- platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
+ platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
+ # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
context: "{{ defaultContext }}:mainline/debian-perl"
- tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=debian-perl
# cache-to: type=gha,mode=min,scope=debian-perl
@@ -259,25 +267,3 @@ jobs:
DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
-
- cleanup:
- name: Delete untagged Debian NGINX mainline Docker images on the Amazon ECR Public Gallery
- if: ${{ github.event_name != 'pull_request' }}
- runs-on: ubuntu-22.04
- strategy:
- fail-fast: false
- needs: [core, perl]
- steps:
- - name: Check out the codebase
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
- with:
- aws-region: ${{ secrets.AWS_REGION }}
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
- - name: Delete untagged Debian NGINX mainline Docker images on the Amazon ECR Public Gallery
- run: |
- .github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh
diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml
index 76567db2..a6b5d385 100644
--- a/.github/workflows/debian-stable.yml
+++ b/.github/workflows/debian-stable.yml
@@ -8,7 +8,7 @@ on:
jobs:
version:
name: Fetch NGINX stable version
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
outputs:
major: ${{ steps.nginx_version.outputs.major }}
minor: ${{ steps.nginx_version.outputs.minor }}
@@ -16,7 +16,7 @@ jobs:
distro: ${{ steps.distro_version.outputs.release }}
steps:
- name: Check out the codebase
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Parse NGINX stable version
id: nginx_version
@@ -28,27 +28,27 @@ jobs:
- name: Parse Alpine version
id: distro_version
run: |
- echo "release=$(cat update.sh | grep -m4 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
+ echo "release=$(cat update.sh | grep -m6 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
core:
name: Build Debian NGINX stable Docker image
- runs-on: ubuntu-22.04
+ needs: version
+ runs-on: ubuntu-24.04
strategy:
fail-fast: false
- needs: version
steps:
- name: Check out the codebase
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
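Review bot: The `grep -m6 '\[stable\]=' | tail -n1` change keeps the release extraction tied to how many `[stable]=` entries precede the wanted one in `update.sh`; the bump from `-m4` to `-m6` shows that adding arrays to `update.sh` silently moves the selected line, and a wrong count yields a plausible but wrong `release` value with no error. Selecting the line by the name of the array being declared instead of by position would remove that coupling — the array's name lives in `update.sh`, not in this diff, so confirm it there before changing the pattern. The step is also still titled `Parse Alpine version` inside the Debian stable workflow, which reads as a copy-paste leftover; `Parse Debian version` would match what `distro_version` is used for.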
@@ -56,20 +56,20 @@ jobs:
- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws
- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -77,15 +77,15 @@ jobs:
- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- - name: Extract metadata (tags, labels) for Docker
+ - name: Extract metadata (annotations, labels, tags) for Docker
id: meta
- uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
@@ -99,15 +99,19 @@ jobs:
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}
type=raw,value=stable
type=raw,value=stable-${{ needs.version.outputs.distro }}
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push NGINX stable Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
- uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
- platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
+ platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
+ # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
context: "{{ defaultContext }}:stable/debian"
- tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=stable-debian
# cache-to: type=gha,mode=min,scope=stable-debian
@@ -139,23 +143,23 @@ jobs:
perl:
name: Build Debian NGINX stable perl Docker image
- runs-on: ubuntu-22.04
+ needs: [version, core]
+ runs-on: ubuntu-24.04
strategy:
fail-fast: false
- needs: [version, core]
steps:
- name: Check out the codebase
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+ uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
- name: Configure AWS credentials
if: ${{ github.event_name != 'pull_request' }}
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: ${{ secrets.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -163,20 +167,20 @@ jobs:
- name: Login to Amazon ECR Public Gallery
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws
- name: Login to Docker Hub
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -184,15 +188,15 @@ jobs:
- name: Login to Quay
if: ${{ github.event_name != 'pull_request' }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}
- - name: Extract metadata (tags, labels) for Docker
+ - name: Extract metadata (annotations, labels, tags) for Docker
id: meta
- uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
docker.io/nginxinc/nginx-unprivileged
@@ -206,15 +210,19 @@ jobs:
type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-perl
type=raw,value=stable-perl
type=raw,value=stable-${{ needs.version.outputs.distro }}-perl
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Build and push NGINX stable perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
id: build
- uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
- platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
+ platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
+ # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x
context: "{{ defaultContext }}:stable/debian-perl"
- tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ tags: ${{ steps.meta.outputs.tags }}
push: ${{ github.event_name != 'pull_request' }}
# cache-from: type=gha,scope=stable-debian-perl
# cache-to: type=gha,mode=min,scope=stable-debian-perl
@@ -243,25 +251,3 @@ jobs:
DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
-
- cleanup:
- name: Delete untagged Debian NGINX stable Docker images on the Amazon ECR Public Gallery
- if: ${{ github.event_name != 'pull_request' }}
- runs-on: ubuntu-22.04
- strategy:
- fail-fast: false
- needs: [core, perl]
- steps:
- - name: Check out the codebase
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
- with:
- aws-region: ${{ secrets.AWS_REGION }}
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
- - name: Delete untagged Debian NGINX stable Docker images on the Amazon ECR Public Gallery
- run: |
- .github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh
diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml
new file mode 100644
index 00000000..73941661
--- /dev/null
+++ b/.github/workflows/image-cleanup.yml
@@ -0,0 +1,37 @@
+---
+name: Image Cleanup
+on:
+ workflow_dispatch:
+ workflow_run:
+ workflows: [Alpine Mainline, Alpine Stable, Debian Mainline, Debian Stable]
+ types: [completed]
+jobs:
+ cleanup:
+ name: Delete untagged NGINX Unprivileged Docker images on the Amazon ECR Public Gallery and the GitHub Container Registry
+ if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-24.04
+ strategy:
+ fail-fast: false
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ - name: Delete untagged NGINX Unprivileged Docker images on the Amazon ECR Public Gallery
+ run: |
+ .github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh
+
+ - name: Delete untagged NGINX Unprivileged Docker images on the GitHub Container Registry
+ uses: stumpylog/image-cleaner-action/untagged@48f1aa2111ae929cea4a0e056045f7de0e1b2618 # v0.10.0
+ with:
+ is_org: true
+ owner: nginxinc
+ package_name: nginx-unprivileged
+ do_delete: true
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a3ae351a..8b4d720f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -6,7 +6,7 @@ The following is a set of guidelines for contributing to the Docker Unprivileged
[Ask a Question](#ask-a-question)
-[Getting Started](#getting-started)
+[Project Overview](#project-overview)
[Contributing](#contributing)
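Review bot: The new `image-cleanup.yml` hands `${{ secrets.GITHUB_TOKEN }}` to a step configured with `do_delete: true` but declares no `permissions:` block, so what the token may do depends on the repository's default token setting rather than on anything in the file. Declaring the permissions explicitly at the job level (`permissions:` with `contents: read` for the checkout and whatever the cleanup action documents as required for deletion, e.g. `packages: write`) both records that requirement and keeps the token least-privilege if the repository default is ever widened. The `workflow_run` trigger fires for completed runs of the listed workflows regardless of what started them, so this presumably also runs after successful pull-request builds, whereas the per-workflow cleanup jobs this replaces were gated by `github.event_name != 'pull_request'`; if that is unintended, add `github.event.workflow_run.event != 'pull_request'` to the `if:`. `strategy: fail-fast: false` has no effect without a `matrix:` and can be dropped.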
@@ -34,7 +34,7 @@ To report a bug, open an issue on GitHub with the label `bug` using the availabl
### Report a Security vulnerability
-To report a security vulnerability, open an issue on GitHub with the label `security` using the available security report issue template. Please ensure the security vulnerability directly impacts one of the NGINX dependencies listed in the [`SECURITY`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/.github/SECURITY.md) doc. Other security vulnerabilities should be addressed by the weekly Monday night build and as such will be promptly closed.
+To report a security vulnerability, open an issue on GitHub with the label `security` using the available security report issue template. Please ensure the security vulnerability directly impacts one of the NGINX dependencies listed in the [`SECURITY`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md) doc. Other security vulnerabilities should be addressed by the weekly Monday night build and as such will be promptly closed.
### Suggest a Feature or Enhancement
diff --git a/Dockerfile-alpine-perl.template b/Dockerfile-alpine-perl.template
index ccf4bbf5..ac2f023c 100644
--- a/Dockerfile-alpine-perl.template
+++ b/Dockerfile-alpine-perl.template
@@ -16,17 +16,7 @@ RUN set -x \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
- set -x \
- && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
- && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
- && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
- echo "key verification succeeded!"; \
- mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
- else \
- echo "key verification failed!"; \
- exit 1; \
- fi \
- && apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
+ apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
@@ -46,10 +36,11 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
+ curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
- && curl -f -O https://hg.nginx.org/pkg-oss/archive/%%REVISION%%.tar.gz \
+ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/%%REVISION%%.tar.gz \
&& PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \
&& if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
@@ -61,7 +52,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
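Review bot: After this hunk the `x86_64|aarch64` branch runs `apk add -X "%%PACKAGEREPO%%…"` without first installing `nginx_signing.rsa.pub`, so signature verification of the upstream packages now depends on that key already being present in the base image's `/etc/apk/keys`; the `Dockerfile-alpine-slim.template` cleanup hunk at L40 stops deleting that key, which suggests this is the intent, but nothing in this file says so. A comment above the `apk add` line would make the dependency explicit, e.g. `# nginx_signing.rsa.pub is inherited from the base image's /etc/apk/keys`. The same removal appears in the `Dockerfile-alpine.template` hunk at L41. The enclosing `RUN` continues outside the hunk.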
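Review bot: `apk index --allow-untrusted` in the locally-built-packages branch disables signature checking while the index is created, and nothing nearby records why that is acceptable. From the surrounding lines the `.apk` files were just built from the checksum-verified tarball and the index is signed with `abuild-sign` on the next line, with the public key copied into `/etc/apk/keys` only afterwards — presumably the flag is needed because the abuild key is not trusted yet at this point. A short comment saying so, e.g. `# --allow-untrusted: the abuild key is not yet in /etc/apk/keys; the index is signed below`, would stop the flag reading as a weakening of package verification. The same change appears in the hunks at L40 and L41.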
@@ -72,8 +63,7 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
- && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
- && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi
+ && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
+ && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi
USER $UID
diff --git a/Dockerfile-alpine-slim.template b/Dockerfile-alpine-slim.template
index 55dd5ecd..609c4ada 100644
--- a/Dockerfile-alpine-slim.template
+++ b/Dockerfile-alpine-slim.template
@@ -3,8 +3,9 @@ FROM $IMAGE
LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION %%NGINX_VERSION%%
-ENV PKG_RELEASE %%PKG_RELEASE%%
+ENV NGINX_VERSION=%%NGINX_VERSION%%
+ENV PKG_RELEASE=%%PKG_RELEASE%%
+ENV DYNPKG_RELEASE=%%DYNPKG_RELEASE%%
ARG UID=101
ARG GID=101
@@ -51,10 +52,11 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
+ curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
- && curl -f -O https://hg.nginx.org/pkg-oss/archive/%%REVISION%%.tar.gz \
+ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/%%REVISION%%.tar.gz \
&& PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \
&& if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
@@ -66,7 +68,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -77,9 +79,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
- && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
- && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
+ && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
+ && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 69e4bd92..b8140092 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -1,7 +1,8 @@
ARG IMAGE=nginxinc/nginx-unprivileged:%%NGINX_VERSION%%-alpine-slim
FROM $IMAGE
-ENV NJS_VERSION %%NJS_VERSION%%
+ENV NJS_VERSION=%%NJS_VERSION%%
+ENV NJS_RELEASE=%%NJS_RELEASE%%
ARG UID=101
ARG GID=101
@@ -18,17 +19,7 @@ RUN set -x \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
- set -x \
- && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \
- && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
- && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \
- echo "key verification succeeded!"; \
- mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
- else \
- echo "key verification failed!"; \
- exit 1; \
- fi \
- && apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
+ apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
@@ -51,10 +42,11 @@ RUN set -x \
bash \
alpine-sdk \
findutils \
+ curl \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
- && curl -f -O https://hg.nginx.org/pkg-oss/archive/%%REVISION%%.tar.gz \
+ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/%%REVISION%%.tar.gz \
&& PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \
&& if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
@@ -66,7 +58,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
@@ -77,9 +69,8 @@ RUN set -x \
# remove checksum deps
&& apk del --no-network .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \
- && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
- && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
+ && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
+ && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
# Bring in curl and ca-certificates to make registering on DNS SD easier
&& apk add --no-cache curl ca-certificates
diff --git a/Dockerfile-debian-perl.template b/Dockerfile-debian-perl.template
index b3683fba..764c208c 100644
--- a/Dockerfile-debian-perl.template
+++ b/Dockerfile-debian-perl.template
@@ -6,26 +6,9 @@ ARG GID=101
USER root
-RUN set -x \
- && apt-get update \
- && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
- && \
- NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
- NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
- export GNUPGHOME="$(mktemp -d)"; \
- found=''; \
- for server in \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu \
- ; do \
- echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
- gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
- done; \
- test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
- gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
- rm -rf "$GNUPGHOME"; \
- apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
- && dpkgArch="$(dpkg --print-architecture)" \
+RUN set -x; \
+ NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
+ dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages="%%PACKAGES%% " \
&& case "$dpkgArch" in \
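Review bot: The rewritten `RUN` sets `NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg` but no longer fetches or writes that keyring, so whatever references it further down (presumably a `signed-by=$NGINX_GPGKEY_PATH` entry in the official-architecture branch, which is outside this hunk) now depends on the keyring already existing in the base image. A comment next to the assignment, e.g. `# keyring is inherited from the base image; it is not created here`, would make that dependency visible, and a guard such as `test -f "$NGINX_GPGKEY_PATH" || { echo >&2 "missing $NGINX_GPGKEY_PATH"; exit 1; };` would fail the build with a clear message rather than a later apt signature error if the base image changes. The enclosing `RUN` continues outside the hunk.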
@@ -36,24 +19,46 @@ RUN set -x \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
-# let's build binaries from the published source packages
- echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \
- \
+# let's build binaries from the published packaging sources
# new directory for storing sources and .deb files
- && tempDir="$(mktemp -d)" \
+ tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
# (777 to ensure APT's "_apt" user can access it too)
\
# save list of currently-installed packages so build dependencies can be cleanly removed later
&& savedAptMark="$(apt-mark showmanual)" \
\
-# build .deb files from upstream's source packages (which are verified by apt-get)
+# build .deb files from upstream's packaging sources
&& apt-get update \
- && apt-get build-dep -y %%BUILDTARGET%% \
+ && apt-get install --no-install-recommends --no-install-suggests -y \
+ curl \
+ devscripts \
+ equivs \
+ git \
+ libxml2-utils \
+ lsb-release \
+ xsltproc \
&& ( \
cd "$tempDir" \
- && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
- apt-get source --compile %%BUILDTARGET%% \
+ && REVISION="%%REVISION%%" \
+ && REVISION=${REVISION%~*} \
+ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \
+ && PKGOSSCHECKSUM="%%PKGOSSCHECKSUM%% *${REVISION}.tar.gz" \
+ && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \
+ echo "pkg-oss tarball checksum verification succeeded!"; \
+ else \
+ echo "pkg-oss tarball checksum verification failed!"; \
+ exit 1; \
+ fi \
+ && tar xzvf ${REVISION}.tar.gz \
+ && cd pkg-oss-${REVISION} \
+ && cd debian \
+ && for target in %%BUILDTARGET%%; do \
+ make rules-$target; \
+ mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \
+ debuild-$target/nginx-$NGINX_VERSION/debian/control; \
+ done \
+ && make %%BUILDTARGET%% \
) \
# we don't remove APT lists here
because they get re-downloaded and removed later
\
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index 52cb331a..bc864472 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -3,9 +3,11 @@ FROM $IMAGE
LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION %%NGINX_VERSION%%
-ENV NJS_VERSION %%NJS_VERSION%%
-ENV PKG_RELEASE %%PKG_RELEASE%%
+ENV NGINX_VERSION=%%NGINX_VERSION%%
+ENV NJS_VERSION=%%NJS_VERSION%%
+ENV NJS_RELEASE=%%NJS_RELEASE%%
+ENV PKG_RELEASE=%%PKG_RELEASE%%
+ENV DYNPKG_RELEASE=%%DYNPKG_RELEASE%%
ARG UID=101
ARG GID=101
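Review bot: Inside the new `for target in %%BUILDTARGET%%; do … done` loop the two commands are joined with `;`, and the `RUN set -x;` at the top of this instruction does not enable `-e`, so a failing `make rules-$target` or `mk-build-deps` for any target but the last is ignored — the loop's exit status is only that of its final command — and the build proceeds to `make %%BUILDTARGET%%` with missing build-dependencies, failing later with a less useful error. Chaining them and failing the subshell on error keeps the `&&` chain honest: `make rules-$target && mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" debuild-$target/nginx-$NGINX_VERSION/debian/control || exit 1;`. The same loop appears in the `Dockerfile-debian.template` hunk ending at L48. The enclosing `RUN` starts and ends outside the hunk.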
@@ -17,19 +19,21 @@ RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
- NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
- NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
+ NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
+ NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
- for server in \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu \
- ; do \
- echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
- gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+ for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
+ for server in \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu \
+ ; do \
+ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+ gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+ done; \
+ test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
done; \
- test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
- gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+ gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
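Review bot: `found=''` is initialised once, on the context line before the new outer `for NGINX_GPGKEY in $NGINX_GPGKEYS` loop, so after the first key is fetched `found` stays `yes` and the `test -z "$found" … exit 1` check moved inside the loop can never fire for the second or third key; a keyserver failure for those keys is silently ignored and they end up missing from the keyring. Resetting it per iteration restores the intended check: `for NGINX_GPGKEY in $NGINX_GPGKEYS; do found=''; \`. Separately, `gpg1 --export "$NGINX_GPGKEYS"` passes the three fingerprints as a single quoted argument; it is worth confirming that the resulting keyring actually contains all three keys, since the unquoted form `gpg1 --export $NGINX_GPGKEYS` passes them as separate patterns without relying on how gpg parses a space-separated string. The enclosing `RUN` starts and ends outside the hunk.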
@@ -43,24 +47,46 @@ RUN set -x \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for -# let's build binaries from the published source packages - echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \ - \ +# let's build binaries from the published packaging sources # new directory for storing sources and .deb files - && tempDir="$(mktemp -d)" \ + tempDir="$(mktemp -d)" \ && chmod 777 "$tempDir" \ # (777 to ensure APT's "_apt" user can access it too) \ # save list of currently-installed packages so build dependencies can be cleanly removed later && savedAptMark="$(apt-mark showmanual)" \ \ -# build .deb files from upstream's source packages (which are verified by apt-get) +# build .deb files from upstream's packaging sources && apt-get update \ - && apt-get build-dep -y %%BUILDTARGET%% \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ && ( \ cd "$tempDir" \ - && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \ - apt-get source --compile %%BUILDTARGET%% \ + && REVISION="%%REVISION%%" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && PKGOSSCHECKSUM="%%PKGOSSCHECKSUM%% *${REVISION}.tar.gz" \ + && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in %%BUILDTARGET%%; do \ + make rules-$target; \ + mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make %%BUILDTARGET%% \ ) \ # we don't remove APT lists here 
because they get re-downloaded and removed later \ diff --git a/README.md b/README.md index 9524d430..8beb8989 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,12 @@ Most images are built for the `amd64`, `arm32v5` (for Debian), `arm32v6` (for Al ## Troubleshooting Tips +* If you wish to use a different user ID and/or group ID when running the Docker Unprivileged image, rebuild the image using the following Docker build arguments: + + ```bash + docker build --build-arg UID= --build-arg GID= -t nginx-unprivileged . + ``` + * If you override the default `nginx.conf` file you may encounter various types of error messages: * To fix `nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)`, you have to specify a valid `pid` location by adding the line `pid /tmp/nginx.pid;` at the top level of your config. * To fix `nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)`, you have to specify a valid location for the various NGINX temporary paths by adding these lines within the `http` context: diff --git a/entrypoint/15-local-resolvers.envsh b/entrypoint/15-local-resolvers.envsh index 450a999f..e830ddac 100755 --- a/entrypoint/15-local-resolvers.envsh +++ b/entrypoint/15-local-resolvers.envsh @@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0 NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf) + +NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }" + export NGINX_LOCAL_RESOLVERS diff --git a/mainline/alpine-perl/Dockerfile b/mainline/alpine-perl/Dockerfile index b28dea01..a4df0436 100644 --- a/mainline/alpine-perl/Dockerfile +++ b/mainline/alpine-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.25.4-alpine +ARG IMAGE=nginxinc/nginx-unprivileged:1.27.4-alpine FROM $IMAGE ARG UID=101 
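Review bot: The new unofficial-architecture path verifies only the packaging tarball — the sha512 pin in `PKGOSSCHECKSUM` covers `${REVISION}.tar.gz` and nothing else — whereas the removed `apt-get source --compile` path had apt check the source package signature against `$NGINX_GPGKEY_PATH`; whatever the pkg-oss Makefile downloads on its own during `make %%BUILDTARGET%%` (presumably the nginx and njs sources, not visible here) is therefore not checked by this Dockerfile, and that property should be confirmed in pkg-oss or pinned here. Separately, the extract and build (`tar xzvf`, `mk-build-deps --install`, `make`) now run as root inside the 777 `$tempDir`, while the Alpine variants in this same change do the equivalent under `su nobody`; dropping privileges for this stretch would limit what a bad tarball or packaging script could do, even though the checksum pin already makes that a narrow risk. A comment next to the checksum block such as `# only the pkg-oss tarball is verified here (sha512); sources fetched by its Makefile rely on pkg-oss's own checks` would make the trust boundary explicit for the next maintainer. The enclosing RUN starts before and ends after this hunk.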
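Review bot: The added `NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }"` line deserves a comment, because `% ` strips exactly one trailing space and only reads correctly once you know the awk line above emits one `ORS` after every nameserver: `# awk leaves one trailing ORS separator; drop it so the value substitutes cleanly`. If the awk separator ever changes this strip silently stops matching, so an alternative that avoids the coupling is to print the separator before every entry after the first and leave `ORS` empty; that is a style choice rather than a defect in the current pairing.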
@@ -15,11 +15,11 @@ RUN set -x \ && apkArch="$(cat /etc/apk/arch)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-perl=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ " \ # install prerequisites for public key and pkg-oss checks && apk add --no-cache --virtual .checksum-deps \ @@ -27,17 +27,7 @@ RUN set -x \ && case "$apkArch" in \ x86_64|aarch64) \ # arches officially built by upstream - set -x \ - && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ - && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ - && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ - echo "key verification succeeded!"; \ - mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ - else \ - echo "key verification failed!"; \ - exit 1; \ - fi \ - && apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for 
@@ -57,11 +47,12 @@ RUN set -x \ bash \ alpine-sdk \ findutils \ + curl \ && su nobody -s /bin/sh -c " \ export HOME=${tempDir} \ && cd ${tempDir} \ - && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ @@ -72,7 +63,7 @@ RUN set -x \ && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ && cd alpine \ && make module-perl \ - && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ " \ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ 
@@ -83,8 +74,7 @@ RUN set -x \ # remove checksum deps && apk del --no-network .checksum-deps \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) - && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \ - && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ - && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi USER $UID diff --git a/mainline/alpine-slim/15-local-resolvers.envsh b/mainline/alpine-slim/15-local-resolvers.envsh index 450a999f..e830ddac 100755 --- a/mainline/alpine-slim/15-local-resolvers.envsh +++ b/mainline/alpine-slim/15-local-resolvers.envsh @@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0 NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf) + +NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }" + export NGINX_LOCAL_RESOLVERS diff --git a/mainline/alpine-slim/Dockerfile b/mainline/alpine-slim/Dockerfile index b5481e41..ccf7acb2 100644 --- a/mainline/alpine-slim/Dockerfile +++ b/mainline/alpine-slim/Dockerfile @@ -3,13 +3,14 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=alpine:3.18 +ARG IMAGE=alpine:3.21 FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION 1.25.4 -ENV PKG_RELEASE 1 +ENV NGINX_VERSION=1.27.4 +ENV PKG_RELEASE=1 +ENV DYNPKG_RELEASE=1 ARG UID=101 ARG GID=101 
@@ -57,11 +58,12 @@ RUN set -x \ bash \ alpine-sdk \ findutils \ + curl \ && su nobody -s /bin/sh -c " \ export HOME=${tempDir} \ && cd ${tempDir} \ - && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ @@ -72,7 +74,7 @@ RUN set -x \ && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ && cd alpine \ && make base \ - && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ " \ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ 
@@ -83,9 +85,8 @@ RUN set -x \ # remove checksum deps && apk del --no-network .checksum-deps \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) - && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \ - && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ - && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \ + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ # Bring in gettext so we can get `envsubst`, then throw # the rest away. To do this, we need to install `gettext` # then move `envsubst` out of the way so `gettext` can diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile index f500fcd3..e9914fe8 100644 --- a/mainline/alpine/Dockerfile +++ b/mainline/alpine/Dockerfile @@ -3,10 +3,11 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.25.4-alpine-slim +ARG IMAGE=nginxinc/nginx-unprivileged:1.27.4-alpine-slim FROM $IMAGE -ENV NJS_VERSION 0.8.3 +ENV NJS_VERSION=0.8.9 +ENV NJS_RELEASE=1 ARG UID=101 ARG GID=101 @@ -17,10 +18,10 @@ RUN set -x \ && apkArch="$(cat /etc/apk/arch)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ " \ # install prerequisites for public key and pkg-oss checks && apk add --no-cache --virtual .checksum-deps \ 
@@ -28,17 +29,7 @@ RUN set -x \ && case "$apkArch" in \ x86_64|aarch64) \ # arches officially built by upstream - set -x \ - && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ - && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ - && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ - echo "key verification succeeded!"; \ - mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ - else \ - echo "key verification failed!"; \ - exit 1; \ - fi \ - && apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for @@ -61,11 +52,12 @@ RUN set -x \ bash \ alpine-sdk \ findutils \ + curl \ && su nobody -s /bin/sh -c " \ export HOME=${tempDir} \ && cd ${tempDir} \ - && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ 
@@ -76,7 +68,7 @@ RUN set -x \ && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ && cd alpine \ && make module-geoip module-image-filter module-njs module-xslt \ - && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ " \ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ @@ -87,9 +79,8 @@ RUN set -x \ # remove checksum deps && apk del --no-network .checksum-deps \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) - && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \ - && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ - && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \ + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ # Bring in curl and ca-certificates to make registering on DNS SD easier && apk add --no-cache curl ca-certificates diff --git a/mainline/debian-perl/Dockerfile b/mainline/debian-perl/Dockerfile index b46d92f1..dba8a658 100644 --- a/mainline/debian-perl/Dockerfile +++ b/mainline/debian-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.25.4 +ARG IMAGE=nginxinc/nginx-unprivileged:1.27.4 FROM $IMAGE ARG UID=101 
@@ -11,33 +11,16 @@ ARG GID=101 USER root -RUN set -x \ - && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ - && \ - NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ - NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ - export GNUPGHOME="$(mktemp -d)"; \ - found=''; \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ - done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ - gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ - rm -rf "$GNUPGHOME"; \ - apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ - && dpkgArch="$(dpkg --print-architecture)" \ +RUN set -x; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ + dpkgArch="$(dpkg --print-architecture)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-perl=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ " \ && case "$dpkgArch" in \ amd64|arm64) \ 
@@ -47,24 +30,46 @@ RUN set -x \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for -# let's build binaries from the published source packages - echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ - \ +# let's build binaries from the published packaging sources # new directory for storing sources and .deb files - && tempDir="$(mktemp -d)" \ + tempDir="$(mktemp -d)" \ && chmod 777 "$tempDir" \ # (777 to ensure APT's "_apt" user can access it too) \ # save list of currently-installed packages so build dependencies can be cleanly removed later && savedAptMark="$(apt-mark showmanual)" \ \ -# build .deb files from upstream's source packages (which are verified by apt-get) +# build .deb files from upstream's packaging sources && apt-get update \ - && apt-get build-dep -y nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ && ( \ cd "$tempDir" \ - && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \ - apt-get source --compile nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \ + && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && PKGOSSCHECKSUM="973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${REVISION}.tar.gz" \ + && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in module-perl; do \ + make rules-$target; \ + mk-build-deps --install 
--tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make module-perl \ ) \ # we don't remove APT lists here because they get re-downloaded and removed later \ diff --git a/mainline/debian/15-local-resolvers.envsh b/mainline/debian/15-local-resolvers.envsh index 450a999f..e830ddac 100755 --- a/mainline/debian/15-local-resolvers.envsh +++ b/mainline/debian/15-local-resolvers.envsh @@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0 NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf) + +NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }" + export NGINX_LOCAL_RESOLVERS diff --git a/mainline/debian/Dockerfile b/mainline/debian/Dockerfile index d55d6f18..9b4f3252 100644 --- a/mainline/debian/Dockerfile +++ b/mainline/debian/Dockerfile @@ -8,9 +8,11 @@ FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION 1.25.4 -ENV NJS_VERSION 0.8.3 -ENV PKG_RELEASE 1~bookworm +ENV NGINX_VERSION=1.27.4 +ENV NJS_VERSION=0.8.9 +ENV NJS_RELEASE=1~bookworm +ENV PKG_RELEASE=1~bookworm +ENV DYNPKG_RELEASE=1~bookworm ARG UID=101 ARG GID=101 
@@ -22,28 +24,30 @@ RUN set -x \ && apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ && \ - NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ - NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ + NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ export GNUPGHOME="$(mktemp -d)"; \ found=''; \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ - gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ + gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ rm -rf "$GNUPGHOME"; \ apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ && dpkgArch="$(dpkg --print-architecture)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + 
nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ " \ && case "$dpkgArch" in \ amd64|arm64) \ 
@@ -53,24 +57,46 @@ RUN set -x \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for -# let's build binaries from the published source packages - echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ - \ +# let's build binaries from the published packaging sources # new directory for storing sources and .deb files - && tempDir="$(mktemp -d)" \ + tempDir="$(mktemp -d)" \ && chmod 777 "$tempDir" \ # (777 to ensure APT's "_apt" user can access it too) \ # save list of currently-installed packages so build dependencies can be cleanly removed later && savedAptMark="$(apt-mark showmanual)" \ \ -# build .deb files from upstream's source packages (which are verified by apt-get) +# build .deb files from upstream's packaging sources && apt-get update \ - && apt-get build-dep -y $nginxPackages \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ && ( \ cd "$tempDir" \ - && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \ - apt-get source --compile $nginxPackages \ + && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && PKGOSSCHECKSUM="973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845 *${REVISION}.tar.gz" \ + && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in base module-geoip module-image-filter module-njs module-xslt; do \ + make rules-$target; \ + mk-build-deps --install --tool="apt-get -o 
Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make base module-geoip module-image-filter module-njs module-xslt \ ) \ # we don't remove APT lists here because they get re-downloaded and removed later \ diff --git a/stable/alpine-perl/Dockerfile b/stable/alpine-perl/Dockerfile index db21bacf..6394b321 100644 --- a/stable/alpine-perl/Dockerfile +++ b/stable/alpine-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.24.0-alpine +ARG IMAGE=nginxinc/nginx-unprivileged:1.26.3-alpine FROM $IMAGE ARG UID=101 @@ -15,11 +15,11 @@ RUN set -x \ && apkArch="$(cat /etc/apk/arch)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-perl=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-perl=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ " \ # install prerequisites for public key and pkg-oss checks && apk add --no-cache --virtual .checksum-deps \ 
@@ -27,17 +27,7 @@ RUN set -x \ && case "$apkArch" in \ x86_64|aarch64) \ # arches officially built by upstream - set -x \ - && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ - && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ - && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ - echo "key verification succeeded!"; \ - mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ - else \ - echo "key verification failed!"; \ - exit 1; \ - fi \ - && apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for 
@@ -57,22 +47,23 @@ RUN set -x \ bash \ alpine-sdk \ findutils \ + curl \ && su nobody -s /bin/sh -c " \ export HOME=${tempDir} \ && cd ${tempDir} \ - && curl -f -O https://hg.nginx.org/pkg-oss/archive/e5d85b3424bb.tar.gz \ - && PKGOSSCHECKSUM=\"4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b *e5d85b3424bb.tar.gz\" \ - && if [ \"\$(openssl sha512 -r e5d85b3424bb.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ echo \"pkg-oss tarball checksum verification failed!\"; \ exit 1; \ fi \ - && tar xzvf e5d85b3424bb.tar.gz \ - && cd pkg-oss-e5d85b3424bb \ + && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ && cd alpine \ && make module-perl \ - && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ " \ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ 
@@ -83,8 +74,7 @@ RUN set -x \ # remove checksum deps && apk del --no-network .checksum-deps \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) - && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \ - && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ - && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi USER $UID diff --git a/stable/alpine-slim/15-local-resolvers.envsh b/stable/alpine-slim/15-local-resolvers.envsh index 450a999f..e830ddac 100755 --- a/stable/alpine-slim/15-local-resolvers.envsh +++ b/stable/alpine-slim/15-local-resolvers.envsh @@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0 NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf) + +NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }" + export NGINX_LOCAL_RESOLVERS diff --git a/stable/alpine-slim/Dockerfile b/stable/alpine-slim/Dockerfile index fc721592..e1a8c976 100644 --- a/stable/alpine-slim/Dockerfile +++ b/stable/alpine-slim/Dockerfile @@ -3,13 +3,14 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=alpine:3.18 +ARG IMAGE=alpine:3.20 FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION 1.24.0 -ENV PKG_RELEASE 1 +ENV NGINX_VERSION=1.26.3 +ENV PKG_RELEASE=1 +ENV DYNPKG_RELEASE=2 ARG UID=101 ARG GID=101 
@@ -57,22 +58,23 @@ RUN set -x \ bash \ alpine-sdk \ findutils \ + curl \ && su nobody -s /bin/sh -c " \ export HOME=${tempDir} \ && cd ${tempDir} \ - && curl -f -O https://hg.nginx.org/pkg-oss/archive/e5d85b3424bb.tar.gz \ - && PKGOSSCHECKSUM=\"4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b *e5d85b3424bb.tar.gz\" \ - && if [ \"\$(openssl sha512 -r e5d85b3424bb.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ echo \"pkg-oss tarball checksum verification failed!\"; \ exit 1; \ fi \ - && tar xzvf e5d85b3424bb.tar.gz \ - && cd pkg-oss-e5d85b3424bb \ + && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ && cd alpine \ && make base \ - && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ " \ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ 
@@ -83,9 +85,8 @@ RUN set -x \ # remove checksum deps && apk del --no-network .checksum-deps \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) - && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \ - && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ - && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \ + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ # Bring in gettext so we can get `envsubst`, then throw # the rest away. To do this, we need to install `gettext` # then move `envsubst` out of the way so `gettext` can diff --git a/stable/alpine/Dockerfile b/stable/alpine/Dockerfile index 27c61d75..724df6c0 100644 --- a/stable/alpine/Dockerfile +++ b/stable/alpine/Dockerfile @@ -3,10 +3,11 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.24.0-alpine-slim +ARG IMAGE=nginxinc/nginx-unprivileged:1.26.3-alpine-slim FROM $IMAGE -ENV NJS_VERSION 0.8.0 +ENV NJS_VERSION=0.8.9 +ENV NJS_RELEASE=1 ARG UID=101 ARG GID=101 @@ -17,10 +18,10 @@ RUN set -x \ && apkArch="$(cat /etc/apk/arch)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ " \ # install prerequisites for public key and pkg-oss checks && apk add --no-cache --virtual .checksum-deps \ 
@@ -28,17 +29,7 @@ RUN set -x \ && case "$apkArch" in \ x86_64|aarch64) \ # arches officially built by upstream - set -x \ - && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" \ - && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \ - && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then \ - echo "key verification succeeded!"; \ - mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \ - else \ - echo "key verification failed!"; \ - exit 1; \ - fi \ - && apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for 
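Review bot: With the download and sha512 verification of nginx_signing.rsa.pub removed, the `apk add -X https://nginx.org/packages/alpine/...` line in the x86_64/aarch64 branch now depends on that key already being present in /etc/apk/keys of the base image; the alpine-slim cleanup hunks in this diff stop deleting `/etc/apk/keys/nginx_signing.rsa.pub`, which suggests the slim image is meant to provide it, but nothing in this file records that. A one-line comment above the `apk add` makes the dependency explicit: `# packages are verified against the nginx.org signing key that the alpine-slim base image leaves in /etc/apk/keys`. If the key were absent apk should refuse the untrusted packages rather than install them, so the failure would be loud, but the assumption is worth stating where it is made.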
@@ -61,22 +52,23 @@ RUN set -x \ bash \ alpine-sdk \ findutils \ + curl \ && su nobody -s /bin/sh -c " \ export HOME=${tempDir} \ && cd ${tempDir} \ - && curl -f -O https://hg.nginx.org/pkg-oss/archive/e5d85b3424bb.tar.gz \ - && PKGOSSCHECKSUM=\"4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b *e5d85b3424bb.tar.gz\" \ - && if [ \"\$(openssl sha512 -r e5d85b3424bb.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ echo \"pkg-oss tarball checksum verification failed!\"; \ exit 1; \ fi \ - && tar xzvf e5d85b3424bb.tar.gz \ - && cd pkg-oss-e5d85b3424bb \ + && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ && cd alpine \ && make module-geoip module-image-filter module-njs module-xslt \ - && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ " \ && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ 
@@ -87,9 +79,8 @@ RUN set -x \ # remove checksum deps && apk del --no-network .checksum-deps \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) - && if [ -f "$tempDir" ]; then rm -rf "$tempDir"; fi \ - && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ - && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \ + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ # Bring in curl and ca-certificates to make registering on DNS SD easier && apk add --no-cache curl ca-certificates diff --git a/stable/debian-perl/Dockerfile b/stable/debian-perl/Dockerfile index 62b37e8e..5973b2b2 100644 --- a/stable/debian-perl/Dockerfile +++ b/stable/debian-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.24.0 +ARG IMAGE=nginxinc/nginx-unprivileged:1.26.3 FROM $IMAGE ARG UID=101 
@@ -11,60 +11,65 @@ ARG GID=101 USER root -RUN set -x \ - && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ - && \ - NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ - NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ - export GNUPGHOME="$(mktemp -d)"; \ - found=''; \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ - done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ - gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ - rm -rf "$GNUPGHOME"; \ - apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ - && dpkgArch="$(dpkg --print-architecture)" \ +RUN set -x; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ + dpkgArch="$(dpkg --print-architecture)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-perl=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ " \ && case "$dpkgArch" in \ amd64|arm64) \ # arches officialy built by upstream - echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \ + echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ 
bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for -# let's build binaries from the published source packages - echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \ - \ +# let's build binaries from the published packaging sources # new directory for storing sources and .deb files - && tempDir="$(mktemp -d)" \ + tempDir="$(mktemp -d)" \ && chmod 777 "$tempDir" \ # (777 to ensure APT's "_apt" user can access it too) \ # save list of currently-installed packages so build dependencies can be cleanly removed later && savedAptMark="$(apt-mark showmanual)" \ \ -# build .deb files from upstream's source packages (which are verified by apt-get) +# build .deb files from upstream's packaging sources && apt-get update \ - && apt-get build-dep -y nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ && ( \ cd "$tempDir" \ - && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \ - apt-get source --compile nginx-module-perl=${NGINX_VERSION}-${PKG_RELEASE} \ + && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && PKGOSSCHECKSUM="3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${REVISION}.tar.gz" \ + && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in module-perl; do \ + make 
rules-$target; \ + mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make module-perl \ ) \ # we don't remove APT lists here because they get re-downloaded and removed later \ diff --git a/stable/debian/15-local-resolvers.envsh b/stable/debian/15-local-resolvers.envsh index 450a999f..e830ddac 100755 --- a/stable/debian/15-local-resolvers.envsh +++ b/stable/debian/15-local-resolvers.envsh @@ -9,4 +9,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [ "${NGINX_ENTRYPOINT_LOCAL_RESOLVERS:-}" ] || return 0 NGINX_LOCAL_RESOLVERS=$(awk 'BEGIN{ORS=" "} $1=="nameserver" {if ($2 ~ ":") {print "["$2"]"} else {print $2}}' /etc/resolv.conf) + +NGINX_LOCAL_RESOLVERS="${NGINX_LOCAL_RESOLVERS% }" + export NGINX_LOCAL_RESOLVERS diff --git a/stable/debian/Dockerfile b/stable/debian/Dockerfile index e0d70d03..9f9aad0c 100644 --- a/stable/debian/Dockerfile +++ b/stable/debian/Dockerfile @@ -3,14 +3,16 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=debian:bullseye-slim +ARG IMAGE=debian:bookworm-slim FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION 1.24.0 -ENV NJS_VERSION 0.8.0 -ENV PKG_RELEASE 1~bullseye +ENV NGINX_VERSION=1.26.3 +ENV NJS_VERSION=0.8.9 +ENV NJS_RELEASE=1~bookworm +ENV PKG_RELEASE=1~bookworm +ENV DYNPKG_RELEASE=2~bookworm ARG UID=101 ARG GID=101 
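Review bot: In the non-upstream-architecture branch the `deb-src ... [signed-by=...]` line was dropped, so the packaging sources are no longer obtained through apt's signature check; the only integrity anchor for what gets built is the pinned `PKGOSSCHECKSUM` compared against a tarball fetched with `curl -f -L -O`, redirects included. The comment `# build .deb files from upstream's packaging sources` should say so, e.g. `# build .deb files from upstream's packaging sources; the tarball is not apt-verified, its sha512 must match PKGOSSCHECKSUM (bump both together)`. `NGINX_GPGKEY_PATH` is still assigned and used in the `signed-by=` stanza although this file no longer fetches any key, so a comment that the keyring is expected from the base image would help; if the file is missing, `apt-get update` is expected to fail rather than fall back to unsigned metadata, which is the safe direction. The stable/debian hunk has the same tarball-verification change. The RUN instruction continues outside the hunk.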
@@ -22,55 +24,79 @@ RUN set -x \ && apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \ && \ - NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ - NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \ + NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ export GNUPGHOME="$(mktemp -d)"; \ found=''; \ - for server in \ - hkp://keyserver.ubuntu.com:80 \ - pgp.mit.edu \ - ; do \ - echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + for NGINX_GPGKEY in $NGINX_GPGKEYS; do \ + for server in \ + hkp://keyserver.ubuntu.com:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ + gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + done; \ + test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ done; \ - test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ - gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \ + gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ rm -rf "$GNUPGHOME"; \ apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ && dpkgArch="$(dpkg --print-architecture)" \ && nginxPackages=" \ nginx=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \ - nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + 
nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ " \ && case "$dpkgArch" in \ amd64|arm64) \ # arches officialy built by upstream - echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \ + echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ *) \ # we're on an architecture upstream doesn't officially build for -# let's build binaries from the published source packages - echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bullseye nginx" >> /etc/apt/sources.list.d/nginx.list \ - \ +# let's build binaries from the published packaging sources # new directory for storing sources and .deb files - && tempDir="$(mktemp -d)" \ + tempDir="$(mktemp -d)" \ && chmod 777 "$tempDir" \ # (777 to ensure APT's "_apt" user can access it too) \ # save list of currently-installed packages so build dependencies can be cleanly removed later && savedAptMark="$(apt-mark showmanual)" \ \ -# build .deb files from upstream's source packages (which are verified by apt-get) +# build .deb files from upstream's packaging sources && apt-get update \ - && apt-get build-dep -y $nginxPackages \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ && ( \ cd "$tempDir" \ - && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \ - apt-get source --compile $nginxPackages \ + && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && PKGOSSCHECKSUM="3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea *${REVISION}.tar.gz" \ + && if [ 
"$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in base module-geoip module-image-filter module-njs module-xslt; do \ + make rules-$target; \ + mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make base module-geoip module-image-filter module-njs module-xslt \ ) \ # we don't remove APT lists here because they get re-downloaded and removed later \ diff --git a/update.sh b/update.sh index 311330b4..243d9152 100755 --- a/update.sh +++ b/update.sh @@ -2,7 +2,7 @@ set -Eeuo pipefail shopt -s nullglob -cd "$(dirname "$(readlink -f "$BASH_SOURCE")")" +cd "$(dirname "$(greadlink -f "$BASH_SOURCE")")" declare branches=( "stable" 
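Review bot: `found=''` is initialised once before the new outer `for NGINX_GPGKEY in $NGINX_GPGKEYS` loop and never reset, so once the first fingerprint has been fetched the `test -z "$found" && ... exit 1` check can no longer fire for the second and third keys, and a keyserver failure for those is silently ignored. Move the reset inside the loop: `for NGINX_GPGKEY in $NGINX_GPGKEYS; do found=''; \`. The export that follows, `gpg1 --export "$NGINX_GPGKEYS"`, passes all three fingerprints as a single space-separated argument; how gpg matches a pattern containing spaces is not something this hunk shows, and it may export only the first key or none, so drop the quotes, `gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \`, so that each fingerprint is its own argument. The tarball-build part of this hunk has the same documentation points as the stable/debian-perl hunk. The RUN instruction starts and continues outside the hunk.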
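Review bot: `readlink -f` was replaced by `greadlink -f`, which is the name GNU coreutils gets when installed next to a BSD userland (Homebrew on macOS) and does not exist on a stock Linux host, so update.sh now fails on its first command for anyone running it on Linux; the later hunk that turns `sed -i` into `gsed -i` has the same problem. Pick the GNU tool at runtime instead, e.g. `READLINK=$(command -v greadlink || command -v readlink)` and `SED=$(command -v gsed || command -v sed)` near the top of the script, and call `"$READLINK"` and `"$SED"` in the two places.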
@@ -12,48 +12,62 @@ declare branches=( # Current nginx versions # Remember to update pkgosschecksum when changing this. declare -A nginx=( - [mainline]='1.25.4' - [stable]='1.24.0' + [mainline]='1.27.4' + [stable]='1.26.3' ) # Current njs versions declare -A njs=( - [mainline]='0.8.3' - [stable]='0.8.0' + [mainline]='0.8.9' + [stable]='0.8.9' ) -# Current package patchlevel version +# Current njs patchlevel version +# Remember to update pkgosschecksum when changing this. +declare -A njspkg=( + [mainline]='1' + [stable]='1' +) + +# Current nginx package patchlevel version # Remember to update pkgosschecksum when changing this. declare -A pkg=( [mainline]=1 [stable]=1 ) +# Current built-in dynamic modules package patchlevel version +# Remember to update pkgosschecksum when changing this +declare -A dynpkg=( + [mainline]=1 + [stable]=2 +) + declare -A debian=( [mainline]='bookworm' - [stable]='bullseye' + [stable]='bookworm' ) declare -A alpine=( - [mainline]='3.18' - [stable]='3.18' + [mainline]='3.21' + [stable]='3.20' ) # When we bump njs version in a stable release we don't move the tag in the -# mercurial repo. This setting allows us to specify a revision to check out -# when building alpine packages on architectures not supported by nginx.org +# pkg-oss repo. This setting allows us to specify a revision to check out +# when building packages on architectures not supported by nginx.org # Remember to update pkgosschecksum when changing this. 
declare -A rev=( [mainline]='${NGINX_VERSION}-${PKG_RELEASE}' - [stable]='e5d85b3424bb' + [stable]='${NGINX_VERSION}-${PKG_RELEASE}' ) # Holds SHA512 checksum for the pkg-oss tarball produced by source code # revision/tag in the previous block -# Used in alpine builds for architectures not packaged by nginx.org +# Used in builds for architectures not packaged by nginx.org declare -A pkgosschecksum=( - [mainline]='79bf214256bf55700c776a87abfc3cf542323a267d879e89110aa44b551d12f6df7d56676a68f255ebbb54275185980d1fa37075f000d98e0ecac28db9e89fe3' - [stable]='4f33347bf05e7d7dd42a52b6e7af7ec21e3ed71df05a8ec16dd1228425f04e4318d88b1340370ccb6ad02cde590fc102094ddffbb1fc86d2085295a43f02f67b' + [mainline]='973690e64fa47e3704e817a3b08205b9e3f8c0cbe31825d9d62a81c11eb3aa186df015f27fdfd48c8799ffc528e38a9168c592ae665e4835c2d28638ec5f7845' + [stable]='3a4e869eded0c71e92f522e94edffea7fbfb5e78886ea7e484342fa2e028c62099a67d08860c249bf93776da97b924225e0d849dbb4697b298afe5421d7d6fea' ) get_packages() { @@ -89,11 +103,14 @@ get_packages() { done ;; *) - for p in nginx nginx-module-xslt nginx-module-geoip nginx-module-image-filter $perl; do + for p in nginx; do echo -n ' '"$p"'=${NGINX_VERSION}-'"$r"'${PKG_RELEASE} \\\n' done + for p in nginx-module-xslt nginx-module-geoip nginx-module-image-filter $perl; do + echo -n ' '"$p"'=${NGINX_VERSION}-'"$r"'${DYNPKG_RELEASE} \\\n' + done for p in nginx-module-njs; do - echo -n ' '"$p"'=${NGINX_VERSION}'"$sep"'${NJS_VERSION}-'"$r"'${PKG_RELEASE} \\' + echo -n ' '"$p"'=${NGINX_VERSION}'"$sep"'${NJS_VERSION}-'"$r"'${NJS_RELEASE} \\' done ;; esac @@ -116,11 +133,23 @@ get_packagever() { shift local branch="$1" shift + local package="$1" + shift local suffix= [ "${distro}" = "debian" ] && suffix="~${debianver}" - echo ${pkg[$branch]}${suffix} + case "${package}" in + "njs") + echo ${njspkg[$branch]}${suffix} + ;; + "dyn") + echo ${dynpkg[$branch]}${suffix} + ;; + *) + echo ${pkg[$branch]}${suffix} + ;; + esac } get_buildtarget() { 
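Review bot: The new `case` in get_packagever repeats `${suffix}` in every branch and hides the difference between the explicit `"any"` the callers pass and an unrecognised package name, since both land in `*)`. Selecting the table in the case and echoing once keeps the three arrays side by side and makes the default visible; the rewritten tail of the function follows. The rest of the function is unchanged.
```shell
  local rel
  case "${package}" in
    "njs") rel="${njspkg[$branch]}" ;;
    "dyn") rel="${dynpkg[$branch]}" ;;
    *)     rel="${pkg[$branch]}" ;;   # "any" (what callers pass) and anything else: nginx patchlevel
  esac
  echo "${rel}${suffix}"
```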
@@ -129,17 +158,14 @@ get_buildtarget() { alpine-slim) echo base ;; - alpine-perl) - echo module-perl - ;; alpine) echo module-geoip module-image-filter module-njs module-xslt ;; debian) - echo "\$nginxPackages" + echo base module-geoip module-image-filter module-njs module-xslt ;; - debian-perl) - echo "nginx-module-perl=\${NGINX_VERSION}-\${PKG_RELEASE}" + *-perl) + echo module-perl ;; esac } @@ -179,14 +205,18 @@ for branch in "${branches[@]}"; do packagerepo=$(get_packagerepo "$variant" "$branch") packages=$(get_packages "$variant" "$branch") - packagever=$(get_packagever "$variant" "$branch") + packagever=$(get_packagever "$variant" "$branch" "any") + njspkgver=$(get_packagever "$variant" "$branch" "njs") + dynpkgver=$(get_packagever "$variant" "$branch" "dyn") buildtarget=$(get_buildtarget "$variant") - sed -i \ + gsed -i \ -e 's,%%ALPINE_VERSION%%,'"$alpinever"',' \ -e 's,%%DEBIAN_VERSION%%,'"$debianver"',' \ + -e 's,%%DYNPKG_RELEASE%%,'"$dynpkgver"',' \ -e 's,%%NGINX_VERSION%%,'"$nginxver"',' \ -e 's,%%NJS_VERSION%%,'"$njsver"',' \ + -e 's,%%NJS_RELEASE%%,'"$njspkgver"',' \ -e 's,%%PKG_RELEASE%%,'"$packagever"',' \ -e 's,%%PACKAGES%%,'"$packages"',' \ -e 's,%%PACKAGEREPO%%,'"$packagerepo"',' \