From 27155d8eaf3213ab9174de73b2fe21ea69be222b Mon Sep 17 00:00:00 2001
From: Jose Diaz-Gonzalez <email@josediazgonzalez.com>
Date: Sun, 19 Apr 2026 19:16:11 -0400
Subject: [PATCH] feat: precompile nginx binary on release and download during
 builds

On release creation, a GitHub Actions workflow compiles a statically-linked
nginx binary and uploads it as a release asset. During builds, the compile
script now attempts to download the precompiled binary before falling back
to source compilation, significantly speeding up cold-cache deploys.
---
 .github/workflows/release.yml | 81 +++++++++++++++++++++++++++++++++++
 bin/compile                   | 61 +++++++++++++++-----------
 2 files changed, 116 insertions(+), 26 deletions(-)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..04b17e5
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,81 @@
+---
+name: "release"
+
+# yamllint disable-line rule:truthy
+on:
+  release:
+    types: [created]
+
+jobs:
+  build-assets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Extract version variables
+        id: versions
+        run: |
+          NGINX_VERSION=$(grep '^NGINX_VERSION=' bin/compile | cut -d'"' -f2)
+          PCRE_VERSION=$(grep '^PCRE_VERSION=' bin/compile | cut -d'"' -f2)
+          ZLIB_VERSION=$(grep '^ZLIB_VERSION=' bin/compile | cut -d'"' -f2)
+          echo "NGINX_VERSION=$NGINX_VERSION" >> "$GITHUB_OUTPUT"
+          echo "PCRE_VERSION=$PCRE_VERSION" >> "$GITHUB_OUTPUT"
+          echo "ZLIB_VERSION=$ZLIB_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Download source tarballs
+        run: |
+          cd /tmp
+          curl -sSL "https://nginx.org/download/nginx-${{ steps.versions.outputs.NGINX_VERSION }}.tar.gz" | tar xz
+          curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${{ steps.versions.outputs.PCRE_VERSION }}/pcre2-${{ steps.versions.outputs.PCRE_VERSION }}.tar.gz" | tar xz
+          curl -sSL "https://github.com/madler/zlib/archive/v${{ steps.versions.outputs.ZLIB_VERSION }}.tar.gz" | tar xz
+
+      - name: Compile nginx
+        run: |
+          cd /tmp/nginx-${{ steps.versions.outputs.NGINX_VERSION }}
+          ./configure \
+            --with-cpu-opt=generic \
+            --prefix=/tmp/nginx-build \
+            --with-pcre=../pcre2-${{ steps.versions.outputs.PCRE_VERSION }} \
+            --sbin-path=. \
+            --pid-path=./nginx.pid \
+            --conf-path=./nginx.conf \
+            --with-ld-opt="-static" \
+            --with-http_stub_status_module \
+            --with-http_gzip_static_module \
+            --with-file-aio \
+            --with-zlib=../zlib-${{ steps.versions.outputs.ZLIB_VERSION }} \
+            --with-pcre \
+            --with-cc-opt="-O2 -static -static-libgcc" \
+            --without-http_ssi_module \
+            --without-http_userid_module \
+            --without-http_access_module \
+            --without-http_autoindex_module \
+            --without-http_geo_module \
+            --without-http_map_module \
+            --without-http_split_clients_module \
+            --without-http_referer_module \
+            --without-http_fastcgi_module \
+            --without-http_uwsgi_module \
+            --without-http_scgi_module \
+            --without-http_memcached_module \
+            --without-http_empty_gif_module \
+            --without-http_browser_module \
+            --without-http_upstream_ip_hash_module \
+            --without-http_upstream_least_conn_module \
+            --without-http_upstream_keepalive_module \
+            --without-mail_pop3_module \
+            --without-mail_imap_module \
+            --without-mail_smtp_module \
+            --with-http_realip_module
+          sed -i "/CFLAGS/s/ \-O //g" objs/Makefile
+          make -j"$(nproc)"
+          cp objs/nginx /tmp/nginx-linux-amd64
+          chmod +x /tmp/nginx-linux-amd64
+
+      - name: Upload release assets
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload "${{ github.event.release.tag_name }}" \
+            /tmp/nginx-linux-amd64
diff --git a/bin/compile b/bin/compile
index eee3177..88a1c35 100755
--- a/bin/compile
+++ b/bin/compile
@@ -14,6 +14,7 @@ SIGIL_VERSION="0.11.5"
 # https://github.com/madler/zlib/releases
 ZLIB_VERSION="1.3.2"
 ZLIB_TARBALL="zlib-${ZLIB_VERSION}.tar.gz"
+BUILDPACK_REPO="dokku/heroku-buildpack-nginx"
 
 suppress() {
   /bin/rm --force /tmp/surpress.out 2>/dev/null
@@ -52,24 +53,6 @@ fi
 
 cd "$CACHE_DIR"
 
-if [[ ! -d "${NGINX_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip nginx ${NGINX_VERSION} via http"
-  curl -sSL "https://nginx.org/download/${NGINX_TARBALL}" -o "${NGINX_TARBALL}"
-  tar xzf "${NGINX_TARBALL}" && rm -f "${NGINX_TARBALL}"
-fi
-
-if [[ ! -d "${PCRE_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip pcre ${PCRE_VERSION} via http"
-  curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VERSION}/${PCRE_TARBALL}" -o "${PCRE_TARBALL}"
-  tar xzf "${PCRE_TARBALL}" && rm -f "${PCRE_TARBALL}"
-fi
-
-if [[ ! -d "${ZLIB_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip zlib ${ZLIB_VERSION} via http"
-  curl -sSL "https://github.com/madler/zlib/archive/v${ZLIB_VERSION}.tar.gz" -o "${ZLIB_TARBALL}"
-  tar xzf "${ZLIB_TARBALL}" && rm -rf "${ZLIB_TARBALL}"
-fi
-
 mkdir -p "$BUILD_DIR/sigil"
 if [[ ! -f "$BUILD_DIR/sigil/sigil-${SIGIL_VERSION}" ]]; then
   echo "-----> Download and unzip sigil ${SIGIL_VERSION} via http"
@@ -83,8 +66,40 @@ if [[ ! -f "$BUILD_DIR/sigil/sigil" ]]; then
   exit 1
 fi
 
-cd "nginx-${NGINX_VERSION}"
-if [[ ! -f "${CACHE_DIR}/bin/nginx" ]]; then
+if [[ -f "${CACHE_DIR}/bin/nginx" ]]; then
+  echo "-----> Reusing nginx binary from cache"
+  mkdir -p "$BUILD_DIR/nginx"
+  # shellcheck disable=SC2086
+  cp -r $CACHE_DIR/bin/* "$BUILD_DIR/nginx/"
+
+elif curl -fsSL "https://github.com/${BUILDPACK_REPO}/releases/latest/download/nginx-linux-amd64" -o /tmp/nginx-linux-amd64 2>/dev/null; then
+  echo "-----> Using precompiled nginx binary"
+  mkdir -p "$BUILD_DIR/nginx" "${CACHE_DIR}/bin"
+  chmod +x /tmp/nginx-linux-amd64
+  cp /tmp/nginx-linux-amd64 "$BUILD_DIR/nginx/nginx"
+  cp /tmp/nginx-linux-amd64 "${CACHE_DIR}/bin/nginx"
+  rm -f /tmp/nginx-linux-amd64
+
+else
+  if [[ ! -d "${NGINX_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip nginx ${NGINX_VERSION} via http"
+    curl -sSL "https://nginx.org/download/${NGINX_TARBALL}" -o "${NGINX_TARBALL}"
+    tar xzf "${NGINX_TARBALL}" && rm -f "${NGINX_TARBALL}"
+  fi
+
+  if [[ ! -d "${PCRE_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip pcre ${PCRE_VERSION} via http"
+    curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VERSION}/${PCRE_TARBALL}" -o "${PCRE_TARBALL}"
+    tar xzf "${PCRE_TARBALL}" && rm -f "${PCRE_TARBALL}"
+  fi
+
+  if [[ ! -d "${ZLIB_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip zlib ${ZLIB_VERSION} via http"
+    curl -sSL "https://github.com/madler/zlib/archive/v${ZLIB_VERSION}.tar.gz" -o "${ZLIB_TARBALL}"
+    tar xzf "${ZLIB_TARBALL}" && rm -rf "${ZLIB_TARBALL}"
+  fi
+
+  cd "nginx-${NGINX_VERSION}"
   echo "-----> Compiling static nginx binary"
   mkdir "$BUILD_DIR/nginx"
   suppress ./configure \
@@ -130,12 +145,6 @@ if [[ ! -f "${CACHE_DIR}/bin/nginx" ]]; then
   rm -rf "${CACHE_DIR:?}/bin" && mkdir -p "$CACHE_DIR/bin/"
   # shellcheck disable=SC2086
   cp -r $BUILD_DIR/nginx/* "$CACHE_DIR/bin/"
-
-else
-  echo "-----> Reusing nginx binary from cache"
-  mkdir -p "$BUILD_DIR/nginx"
-  # shellcheck disable=SC2086
-  cp -r $CACHE_DIR/bin/* "$BUILD_DIR/nginx/"
 fi
 
 # Update the PATH