feat: precompile nginx binary on release and download during builds

On release creation, a GitHub Actions workflow compiles a statically-linked
nginx binary and uploads it as a release asset. During builds, the compile
script now attempts to download the precompiled binary before falling back
to source compilation, significantly speeding up cold-cache deploys.

.github/dependabot.yaml

@@ -0,0 +1,8 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10

.github/workflows/deploy.yml

@@ -1,5 +1,5 @@
 ---
-name: 'review-app'
+name: 'deploy'
 
 # yamllint disable-line rule:truthy
 on:
@@ -9,11 +9,11 @@ on:
       - main
 
 jobs:
-  review_app:
+  deploy:
     runs-on: ubuntu-latest
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/release.yml

@@ -0,0 +1,81 @@
+---
+name: "release"
+
+# yamllint disable-line rule:truthy
+on:
+  release:
+    types: [created]
+
+jobs:
+  build-assets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Extract version variables
+        id: versions
+        run: |
+          NGINX_VERSION=$(grep '^NGINX_VERSION=' bin/compile | cut -d'"' -f2)
+          PCRE_VERSION=$(grep '^PCRE_VERSION=' bin/compile | cut -d'"' -f2)
+          ZLIB_VERSION=$(grep '^ZLIB_VERSION=' bin/compile | cut -d'"' -f2)
+          echo "NGINX_VERSION=$NGINX_VERSION" >> "$GITHUB_OUTPUT"
+          echo "PCRE_VERSION=$PCRE_VERSION" >> "$GITHUB_OUTPUT"
+          echo "ZLIB_VERSION=$ZLIB_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Download source tarballs
+        run: |
+          cd /tmp
+          curl -sSL "https://nginx.org/download/nginx-${{ steps.versions.outputs.NGINX_VERSION }}.tar.gz" | tar xz
+          curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${{ steps.versions.outputs.PCRE_VERSION }}/pcre2-${{ steps.versions.outputs.PCRE_VERSION }}.tar.gz" | tar xz
+          curl -sSL "https://github.com/madler/zlib/archive/v${{ steps.versions.outputs.ZLIB_VERSION }}.tar.gz" | tar xz
+
+      - name: Compile nginx
+        run: |
+          cd /tmp/nginx-${{ steps.versions.outputs.NGINX_VERSION }}
+          ./configure \
+            --with-cpu-opt=generic \
+            --prefix=/tmp/nginx-build \
+            --with-pcre=../pcre2-${{ steps.versions.outputs.PCRE_VERSION }} \
+            --sbin-path=. \
+            --pid-path=./nginx.pid \
+            --conf-path=./nginx.conf \
+            --with-ld-opt="-static" \
+            --with-http_stub_status_module \
+            --with-http_gzip_static_module \
+            --with-file-aio \
+            --with-zlib=../zlib-${{ steps.versions.outputs.ZLIB_VERSION }} \
+            --with-pcre \
+            --with-cc-opt="-O2 -static -static-libgcc" \
+            --without-http_ssi_module \
+            --without-http_userid_module \
+            --without-http_access_module \
+            --without-http_autoindex_module \
+            --without-http_geo_module \
+            --without-http_map_module \
+            --without-http_split_clients_module \
+            --without-http_referer_module \
+            --without-http_fastcgi_module \
+            --without-http_uwsgi_module \
+            --without-http_scgi_module \
+            --without-http_memcached_module \
+            --without-http_empty_gif_module \
+            --without-http_browser_module \
+            --without-http_upstream_ip_hash_module \
+            --without-http_upstream_least_conn_module \
+            --without-http_upstream_keepalive_module \
+            --without-mail_pop3_module \
+            --without-mail_imap_module \
+            --without-mail_smtp_module \
+            --with-http_realip_module
+          sed -i "/CFLAGS/s/ \-O //g" objs/Makefile
+          make -j"$(nproc)"
+          cp objs/nginx /tmp/nginx-linux-amd64
+          chmod +x /tmp/nginx-linux-amd64
+
+      - name: Upload release assets
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload "${{ github.event.release.tag_name }}" \
+            /tmp/nginx-linux-amd64

.github/workflows/review-app-cleanup.yml

@@ -12,6 +12,9 @@ jobs:
   destroy_review_app:
     runs-on: ubuntu-latest
     steps:
+      - name: Cloning repo
+        uses: actions/checkout@v6
+
       - name: Destroy the review app
         uses: dokku/github-action@master
         with:

.github/workflows/review-app.yml

@@ -1,5 +1,5 @@
 ---
-name: 'review-app'
+name: "review-app"
 
 # yamllint disable-line rule:truthy
 on:
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -20,9 +20,9 @@ jobs:
         with:
           # create a review app
           command: review-apps:create
-          git_remote_url: 'ssh://dokku@dokku.com/nginx-buildpack'
+          git_remote_url: "ssh://dokku@dokku.com/nginx-buildpack"
           # specify `--force` as a flag for git pushes
-          git_push_flags: '--force'
+          git_push_flags: "--force"
           # specify a name for the review app
           review_app_name: nginx-buildpack-${{ github.event.pull_request.number }}
           ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}

README.md

@@ -30,7 +30,7 @@ You can override the nginx root via setting the `NGINX_ROOT` environment variabl
 # where the app is named `static-app`
 # and the root dir is _site
 dokku config:set static-app NGINX_ROOT=_site
-````
+```
 
 ### Default to index for history routing
 
@@ -42,6 +42,23 @@ By default, this buildpack will 404 if a requested file is not found. For static
 dokku config:set static-app NGINX_DEFAULT_REQUEST=index.html
 ```
 
+### Custom nginx directives
+
+You can configure following nginx directives via environment variables.
+
+- `NGINX_WORKERS` : `worker_processes` directive
+- `NGINX_WORKER_CONNECTIONS` : `worker_connections` directive
+- `NGINX_CLIENT_BODY_TIMEOUT` : `client_body_timeout` directive
+- `NGINX_CLIENT_MAX_BODY_SIZE` : `client_max_body_size` directive (in MB)
+
+```shell
+# where the app is named `static-app`
+dokku config:set static-app NGINX_WORKERS=4 \
+                            NGINX_WORKER_CONNECTIONS=1024 \
+                            NGINX_CLIENT_BODY_TIMEOUT=5 \
+                            NGINX_CLIENT_MAX_BODY_SIZE=1
+```
+
 ### Custom nginx config file
 
 You may completely override the built-in nginx config by placing an `app-nginx.conf.sigil` file in the root, modeled after our own [`conf/app-nginx.conf.sigil`](https://github.com/dokku/buildpack-nginx/blob/master/conf/app-nginx.conf.sigil). This will be used inside of the container, and not by the host Dokku instance. See the [sigil project](https://github.com/gliderlabs/sigil) for more information concerning the sigil format.

bin/ci-post-review-app-destroy

@@ -0,0 +1,3 @@
+#!/bin/sh -l
+
+echo "Running ci-post-review-app-destroy"

bin/compile

@@ -3,14 +3,18 @@
 set -eo pipefail
 [[ $TRACE ]] && set -x
 
-NGINX_VERSION="1.25.2"
+# https://nginx.org/en/download.html
+NGINX_VERSION="1.29.8"
 NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz"
-PCRE_VERSION="10.42"
+# https://github.com/PCRE2Project/pcre2/releases
+PCRE_VERSION="10.47"
 PCRE_TARBALL="pcre2-${PCRE_VERSION}.tar.gz"
-SIGIL_VERSION="0.10.1"
-SIGIL_TARBALL="gliderlabs-sigil_${SIGIL_VERSION}_linux_amd64.tgz"
-ZLIB_VERSION="1.3"
+# https://github.com/gliderlabs/sigil/releases
+SIGIL_VERSION="0.11.5"
+# https://github.com/madler/zlib/releases
+ZLIB_VERSION="1.3.2"
 ZLIB_TARBALL="zlib-${ZLIB_VERSION}.tar.gz"
+BUILDPACK_REPO="dokku/heroku-buildpack-nginx"
 
 suppress() {
   /bin/rm --force /tmp/surpress.out 2>/dev/null
@@ -49,39 +53,53 @@ fi
 
 cd "$CACHE_DIR"
 
-if [[ ! -d "${NGINX_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip nginx ${NGINX_VERSION} via http"
-  curl -sSL "http://nginx.org/download/${NGINX_TARBALL}" -o "${NGINX_TARBALL}"
-  tar xzf "${NGINX_TARBALL}" && rm -f "${NGINX_TARBALL}"
-fi
-
-if [[ ! -d "${PCRE_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip pcre ${PCRE_VERSION} via http"
-  curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VERSION}/${PCRE_TARBALL}" -o "${PCRE_TARBALL}"
-  tar xzf "${PCRE_TARBALL}" && rm -f "${PCRE_TARBALL}"
-fi
-
-if [[ ! -d "${ZLIB_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip zlib ${ZLIB_VERSION} via http"
-  curl -sSL "https://github.com/madler/zlib/archive/v${ZLIB_VERSION}.tar.gz" -o "${ZLIB_TARBALL}"
-  tar xzf "${ZLIB_TARBALL}" && rm -rf "${ZLIB_TARBALL}"
-fi
-
-if [[ ! -f "gliderlabs-sigil-amd64" ]]; then
-  echo "-----> Download and unzip sigil ${SIGIL_VERSION} via http"
-  curl -sSL "https://github.com/gliderlabs/sigil/releases/download/v${SIGIL_VERSION}/gliderlabs-sigil_${SIGIL_VERSION}_linux_amd64.tgz" -o "${SIGIL_TARBALL}"
-  tar xzf "${SIGIL_TARBALL}" && rm -rf "${SIGIL_TARBALL}"
-fi
-
 mkdir -p "$BUILD_DIR/sigil"
-if [[ ! -f "gliderlabs-sigil-amd64" ]]; then
-  echo " !     Missing gliderlabs-sigil-amd64 binary"
+if [[ ! -f "$BUILD_DIR/sigil/sigil-${SIGIL_VERSION}" ]]; then
+  echo "-----> Download and unzip sigil ${SIGIL_VERSION} via http"
+  curl -fsSL "https://github.com/gliderlabs/sigil/releases/download/v${SIGIL_VERSION}/sigil-linux-amd64" -o "$BUILD_DIR/sigil/sigil-${SIGIL_VERSION}"
+  cp "$BUILD_DIR/sigil/sigil-${SIGIL_VERSION}" "$BUILD_DIR/sigil/sigil"
+  chmod +x "$BUILD_DIR/sigil/sigil"
+fi
+
+if [[ ! -f "$BUILD_DIR/sigil/sigil" ]]; then
+  echo " !     Missing sigil binary"
   exit 1
 fi
-cp -r gliderlabs-sigil-amd64 "$BUILD_DIR/sigil/sigil"
 
-cd "nginx-${NGINX_VERSION}"
-if [[ ! -f "${CACHE_DIR}/bin/nginx" ]]; then
+if [[ -f "${CACHE_DIR}/bin/nginx" ]]; then
+  echo "-----> Reusing nginx binary from cache"
+  mkdir -p "$BUILD_DIR/nginx"
+  # shellcheck disable=SC2086
+  cp -r $CACHE_DIR/bin/* "$BUILD_DIR/nginx/"
+
+elif curl -fsSL "https://github.com/${BUILDPACK_REPO}/releases/latest/download/nginx-linux-amd64" -o /tmp/nginx-linux-amd64 2>/dev/null; then
+  echo "-----> Using precompiled nginx binary"
+  mkdir -p "$BUILD_DIR/nginx" "${CACHE_DIR}/bin"
+  chmod +x /tmp/nginx-linux-amd64
+  cp /tmp/nginx-linux-amd64 "$BUILD_DIR/nginx/nginx"
+  cp /tmp/nginx-linux-amd64 "${CACHE_DIR}/bin/nginx"
+  rm -f /tmp/nginx-linux-amd64
+
+else
+  if [[ ! -d "${NGINX_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip nginx ${NGINX_VERSION} via http"
+    curl -sSL "https://nginx.org/download/${NGINX_TARBALL}" -o "${NGINX_TARBALL}"
+    tar xzf "${NGINX_TARBALL}" && rm -f "${NGINX_TARBALL}"
+  fi
+
+  if [[ ! -d "${PCRE_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip pcre ${PCRE_VERSION} via http"
+    curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VERSION}/${PCRE_TARBALL}" -o "${PCRE_TARBALL}"
+    tar xzf "${PCRE_TARBALL}" && rm -f "${PCRE_TARBALL}"
+  fi
+
+  if [[ ! -d "${ZLIB_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip zlib ${ZLIB_VERSION} via http"
+    curl -sSL "https://github.com/madler/zlib/archive/v${ZLIB_VERSION}.tar.gz" -o "${ZLIB_TARBALL}"
+    tar xzf "${ZLIB_TARBALL}" && rm -rf "${ZLIB_TARBALL}"
+  fi
+
+  cd "nginx-${NGINX_VERSION}"
   echo "-----> Compiling static nginx binary"
   mkdir "$BUILD_DIR/nginx"
   suppress ./configure \
@@ -127,12 +145,6 @@ if [[ ! -f "${CACHE_DIR}/bin/nginx" ]]; then
   rm -rf "${CACHE_DIR:?}/bin" && mkdir -p "$CACHE_DIR/bin/"
   # shellcheck disable=SC2086
   cp -r $BUILD_DIR/nginx/* "$CACHE_DIR/bin/"
-
-else
-  echo "-----> Reusing nginx binary from cache"
-  mkdir -p "$BUILD_DIR/nginx"
-  # shellcheck disable=SC2086
-  cp -r $CACHE_DIR/bin/* "$BUILD_DIR/nginx/"
 fi
 
 # Update the PATH
@@ -174,7 +186,7 @@ cat <<EOF >"$BUILD_DIR/start_nginx"
 #!/usr/bin/env bash
 rm -f /app/nginx/nginx.conf
 if [[ -f /app/nginx/app-nginx.conf.sigil ]]; then
-  /app/sigil/sigil -f /app/nginx/app-nginx.conf.sigil NGINX_ROOT="\$NGINX_ROOT" NGINX_DEFAULT_REQUEST="\$NGINX_DEFAULT_REQUEST" PORT="\$PORT" | cat -s > /app/nginx/nginx.conf
+  /app/sigil/sigil -f /app/nginx/app-nginx.conf.sigil NGINX_ROOT="\$NGINX_ROOT" NGINX_DEFAULT_REQUEST="\$NGINX_DEFAULT_REQUEST" NGINX_WORKERS="\$NGINX_WORKERS" NGINX_WORKER_CONNECTIONS="\$NGINX_WORKER_CONNECTIONS" NGINX_CLIENT_BODY_TIMEOUT="\$NGINX_CLIENT_BODY_TIMEOUT" NGINX_CLIENT_MAX_BODY_SIZE="\$NGINX_CLIENT_MAX_BODY_SIZE" PORT="\$PORT" | cat -s > /app/nginx/nginx.conf
 else
   erb /app/nginx/nginx.conf.erb > /app/nginx/nginx.conf
 fi

conf/app-nginx.conf.sigil

@@ -1,19 +1,38 @@
-worker_processes 1;
+{{ if ne $.NGINX_WORKERS "" }}
+  worker_processes {{ $.NGINX_WORKERS }};
+{{ else }}
+  worker_processes 1;
+{{ end }}
 error_log stderr;
 pid nginx.pid;
 daemon off;
 
 events {
-  worker_connections 768;
+  {{ if ne $.NGINX_WORKER_CONNECTIONS "" }}
+    worker_connections {{ $.NGINX_WORKER_CONNECTIONS }};
+  {{ else }}
+    worker_connections 768;
+  {{ end }}
 }
 
 http {
+  {{ if ne $.NGINX_CLIENT_BODY_TIMEOUT "" }}
+    client_body_timeout {{ $.NGINX_CLIENT_BODY_TIMEOUT }};
+  {{ else }}
+    client_body_timeout 5;
+  {{ end }}
   types_hash_max_size 2048;
   include mime.types;
   charset UTF-8;
+
   server {
     listen {{ $.PORT }};
     server_name  _;
+    {{ if ne $.NGINX_CLIENT_MAX_BODY_SIZE "" }}
+      client_max_body_size {{ $.NGINX_CLIENT_MAX_BODY_SIZE }}M;
+    {{ else }}
+      client_max_body_size 1M;
+    {{ end }}
     {{ if ne $.NGINX_ROOT "" }}
       root /app/www/{{ $.NGINX_ROOT }};
     {{ else }}