Merge pull request #101 from dokku/versioned-build

fix: version-aware nginx binary caching and prebuilt downloads
2026-04-23 17:17:36 +00:00 · 2026-04-23 03:39:51 -04:00 · 2026-04-23 03:36:20 -04:00 · 2026-04-23 03:16:46 -04:00 · 2026-04-23 03:16:18 -04:00 · 2026-04-23 01:45:30 -04:00
4 changed files with 169 additions and 66 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,68 @@
+---
+name: "ci"
+
+# yamllint disable-line rule:truthy
+on:
+  pull_request:
+    branches:
+      - master
+      - main
+  push:
+    branches:
+      - master
+      - main
+  release:
+    types: [created]
+
+jobs:
+  lint:
+    if: github.event_name != 'release'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Run shellcheck
+        run: make test
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Download source tarballs
+        run: |
+          source "$GITHUB_WORKSPACE/conf/nginx-configure-flags"
+          cd /tmp
+          curl -sSL "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" | tar xz
+          curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VERSION}/pcre2-${PCRE_VERSION}.tar.gz" | tar xz
+          curl -sSL "https://github.com/madler/zlib/archive/v${ZLIB_VERSION}.tar.gz" | tar xz
+
+      - name: Compile nginx
+        run: |
+          source "$GITHUB_WORKSPACE/conf/nginx-configure-flags"
+          cd /tmp/nginx-${NGINX_VERSION}
+          ./configure \
+            --prefix=/tmp/nginx-build \
+            --with-pcre=../pcre2-${PCRE_VERSION} \
+            --with-zlib=../zlib-${ZLIB_VERSION} \
+            "${NGINX_CONFIGURE_FLAGS[@]}"
+          sed -i "/CFLAGS/s/ \-O //g" objs/Makefile
+          make -j"$(nproc)"
+
+      - name: Verify nginx binary
+        run: |
+          source "$GITHUB_WORKSPACE/conf/nginx-configure-flags"
+          /tmp/nginx-${NGINX_VERSION}/objs/nginx -V
+
+      - name: Upload release assets
+        if: github.event_name == 'release'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          source "$GITHUB_WORKSPACE/conf/nginx-configure-flags"
+          cp /tmp/nginx-${NGINX_VERSION}/objs/nginx "/tmp/nginx-${NGINX_VERSION}-linux-amd64"
+          chmod +x "/tmp/nginx-${NGINX_VERSION}-linux-amd64"
+          gh release upload "${{ github.event.release.tag_name }}" \
+            "/tmp/nginx-${NGINX_VERSION}-linux-amd64"
--- a/bin/ci-pre-deploy
+++ b/bin/ci-pre-deploy
@ -20,9 +20,12 @@ if [ "$IS_REVIEW_APP" = "true" ]; then
  git commit -qm "feat: specify custom mime.types"

  echo "-----> Setting the buildpack to the current ref $GITHUB_HEAD_REF"
-  echo "https://github.com/${GITHUB_REPOSITORY}.git#$GITHUB_HEAD_REF" > .buildpacks
+  echo "https://github.com/${GITHUB_REPOSITORY}.git#$GITHUB_HEAD_REF" >.buildpacks
  git add .buildpacks
  git commit -qm "feat: specify $GITHUB_SHA as buildpack"

  git rev-parse HEAD >ci-commit-override
+else
+  echo "-----> Setting the buildpack to the current ref $GITHUB_REF_NAME"
+  ssh "$SSH_REMOTE" -- buildpacks:set "$APP_NAME" "https://github.com/${GITHUB_REPOSITORY}.git#${GITHUB_REF_NAME}"
 fi
--- a/bin/compile
+++ b/bin/compile
@ -3,17 +3,12 @@
 set -eo pipefail
 [[ $TRACE ]] && set -x

-# https://nginx.org/en/download.html
-NGINX_VERSION="1.29.5"
+# shellcheck source=conf/nginx-configure-flags
+source "$(cd "$(dirname "$0")" && cd .. && pwd)/conf/nginx-configure-flags"
 NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz"
-# https://github.com/PCRE2Project/pcre2/releases
-PCRE_VERSION="10.47"
 PCRE_TARBALL="pcre2-${PCRE_VERSION}.tar.gz"
-# https://github.com/gliderlabs/sigil/releases
-SIGIL_VERSION="0.11.5"
-# https://github.com/madler/zlib/releases
-ZLIB_VERSION="1.3.2"
 ZLIB_TARBALL="zlib-${ZLIB_VERSION}.tar.gz"
+BUILDPACK_REPO="dokku/heroku-buildpack-nginx"

 suppress() {
  /bin/rm --force /tmp/surpress.out 2>/dev/null
@ -52,24 +47,6 @@ fi

 cd "$CACHE_DIR"

-if [[ ! -d "${NGINX_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip nginx ${NGINX_VERSION} via http"
-  curl -sSL "https://nginx.org/download/${NGINX_TARBALL}" -o "${NGINX_TARBALL}"
-  tar xzf "${NGINX_TARBALL}" && rm -f "${NGINX_TARBALL}"
-fi
-
-if [[ ! -d "${PCRE_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip pcre ${PCRE_VERSION} via http"
-  curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VERSION}/${PCRE_TARBALL}" -o "${PCRE_TARBALL}"
-  tar xzf "${PCRE_TARBALL}" && rm -f "${PCRE_TARBALL}"
-fi
-
-if [[ ! -d "${ZLIB_TARBALL%.tar.gz}" ]]; then
-  echo "-----> Download and unzip zlib ${ZLIB_VERSION} via http"
-  curl -sSL "https://github.com/madler/zlib/archive/v${ZLIB_VERSION}.tar.gz" -o "${ZLIB_TARBALL}"
-  tar xzf "${ZLIB_TARBALL}" && rm -rf "${ZLIB_TARBALL}"
-fi
-
 mkdir -p "$BUILD_DIR/sigil"
 if [[ ! -f "$BUILD_DIR/sigil/sigil-${SIGIL_VERSION}" ]]; then
  echo "-----> Download and unzip sigil ${SIGIL_VERSION} via http"
@ -83,45 +60,58 @@ if [[ ! -f "$BUILD_DIR/sigil/sigil" ]]; then
  exit 1
 fi

-cd "nginx-${NGINX_VERSION}"
-if [[ ! -f "${CACHE_DIR}/bin/nginx" ]]; then
+# Invalidate cache if version doesn't match
+if [[ -f "${CACHE_DIR}/bin/nginx" ]] && [[ ! -f "${CACHE_DIR}/bin/.nginx-version" ]]; then
+  echo "-----> Cached nginx binary has no version marker, rebuilding"
+  rm -rf "${CACHE_DIR:?}/bin"
+elif [[ -f "${CACHE_DIR}/bin/nginx" ]] && [[ -f "${CACHE_DIR}/bin/.nginx-version" ]] && [[ "$(cat "${CACHE_DIR}/bin/.nginx-version")" != "$NGINX_VERSION" ]]; then
+  CACHED_VERSION="$(cat "${CACHE_DIR}/bin/.nginx-version")"
+  echo "-----> Cached nginx ${CACHED_VERSION} does not match required ${NGINX_VERSION}, rebuilding"
+  rm -rf "${CACHE_DIR:?}/bin"
+fi
+
+if [[ -f "${CACHE_DIR}/bin/nginx" ]]; then
+  echo "-----> Reusing nginx ${NGINX_VERSION} binary from cache"
+  mkdir -p "$BUILD_DIR/nginx"
+  # shellcheck disable=SC2086
+  cp -r $CACHE_DIR/bin/* "$BUILD_DIR/nginx/"
+
+elif curl -fsSL "https://github.com/${BUILDPACK_REPO}/releases/latest/download/nginx-${NGINX_VERSION}-linux-amd64" -o /tmp/nginx-linux-amd64 2>/dev/null; then
+  echo "-----> Using precompiled nginx ${NGINX_VERSION} binary"
+  mkdir -p "$BUILD_DIR/nginx" "${CACHE_DIR}/bin"
+  chmod +x /tmp/nginx-linux-amd64
+  cp /tmp/nginx-linux-amd64 "$BUILD_DIR/nginx/nginx"
+  cp /tmp/nginx-linux-amd64 "${CACHE_DIR}/bin/nginx"
+  echo "$NGINX_VERSION" >"${CACHE_DIR}/bin/.nginx-version"
+  rm -f /tmp/nginx-linux-amd64
+
+else
+  if [[ ! -d "${NGINX_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip nginx ${NGINX_VERSION} via http"
+    curl -sSL "https://nginx.org/download/${NGINX_TARBALL}" -o "${NGINX_TARBALL}"
+    tar xzf "${NGINX_TARBALL}" && rm -f "${NGINX_TARBALL}"
+  fi
+
+  if [[ ! -d "${PCRE_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip pcre ${PCRE_VERSION} via http"
+    curl -sSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE_VERSION}/${PCRE_TARBALL}" -o "${PCRE_TARBALL}"
+    tar xzf "${PCRE_TARBALL}" && rm -f "${PCRE_TARBALL}"
+  fi
+
+  if [[ ! -d "${ZLIB_TARBALL%.tar.gz}" ]]; then
+    echo "-----> Download and unzip zlib ${ZLIB_VERSION} via http"
+    curl -sSL "https://github.com/madler/zlib/archive/v${ZLIB_VERSION}.tar.gz" -o "${ZLIB_TARBALL}"
+    tar xzf "${ZLIB_TARBALL}" && rm -rf "${ZLIB_TARBALL}"
+  fi
+
+  cd "nginx-${NGINX_VERSION}"
  echo "-----> Compiling static nginx binary"
  mkdir "$BUILD_DIR/nginx"
  suppress ./configure \
-    --with-cpu-opt=generic \
    --prefix="$BUILD_DIR/nginx" \
    --with-pcre=../pcre2-${PCRE_VERSION} \
-    --sbin-path=. \
-    --pid-path=./nginx.pid \
-    --conf-path=./nginx.conf \
-    --with-ld-opt="-static" \
-    --with-http_stub_status_module \
-    --with-http_gzip_static_module \
-    --with-file-aio \
    --with-zlib=../zlib-${ZLIB_VERSION} \
-    --with-pcre \
-    --with-cc-opt="-O2 -static -static-libgcc" \
-    --without-http_ssi_module \
-    --without-http_userid_module \
-    --without-http_access_module \
-    --without-http_autoindex_module \
-    --without-http_geo_module \
-    --without-http_map_module \
-    --without-http_split_clients_module \
-    --without-http_referer_module \
-    --without-http_fastcgi_module \
-    --without-http_uwsgi_module \
-    --without-http_scgi_module \
-    --without-http_memcached_module \
-    --without-http_empty_gif_module \
-    --without-http_browser_module \
-    --without-http_upstream_ip_hash_module \
-    --without-http_upstream_least_conn_module \
-    --without-http_upstream_keepalive_module \
-    --without-mail_pop3_module \
-    --without-mail_imap_module \
-    --without-mail_smtp_module \
-    --with-http_realip_module
+    "${NGINX_CONFIGURE_FLAGS[@]}"

  sed -i "/CFLAGS/s/ \-O //g" objs/Makefile

@ -130,12 +120,7 @@ if [[ ! -f "${CACHE_DIR}/bin/nginx" ]]; then
  rm -rf "${CACHE_DIR:?}/bin" && mkdir -p "$CACHE_DIR/bin/"
  # shellcheck disable=SC2086
  cp -r $BUILD_DIR/nginx/* "$CACHE_DIR/bin/"
-
-else
-  echo "-----> Reusing nginx binary from cache"
-  mkdir -p "$BUILD_DIR/nginx"
-  # shellcheck disable=SC2086
-  cp -r $CACHE_DIR/bin/* "$BUILD_DIR/nginx/"
+  echo "$NGINX_VERSION" >"${CACHE_DIR}/bin/.nginx-version"
 fi

 # Update the PATH
--- a/conf/nginx-configure-flags
+++ b/conf/nginx-configure-flags
@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Shared nginx build configuration
+# Sourced by bin/compile and .github/workflows/release.yml
+# shellcheck disable=SC2034
+
+# https://nginx.org/en/download.html
+NGINX_VERSION="1.29.8"
+# https://github.com/PCRE2Project/pcre2/releases
+PCRE_VERSION="10.47"
+# https://github.com/gliderlabs/sigil/releases
+SIGIL_VERSION="0.11.5"
+# https://github.com/madler/zlib/releases
+ZLIB_VERSION="1.3.2"
+
+NGINX_CONFIGURE_FLAGS=(
+  --with-cpu-opt=generic
+  --sbin-path=.
+  --pid-path=./nginx.pid
+  --conf-path=./nginx.conf
+  "--with-ld-opt=-static"
+  --with-http_stub_status_module
+  --with-http_gzip_static_module
+  --with-file-aio
+  --with-pcre
+  "--with-cc-opt=-O2 -static -static-libgcc"
+  --without-http_ssi_module
+  --without-http_userid_module
+  --without-http_access_module
+  --without-http_autoindex_module
+  --without-http_geo_module
+  --without-http_map_module
+  --without-http_split_clients_module
+  --without-http_referer_module
+  --without-http_fastcgi_module
+  --without-http_uwsgi_module
+  --without-http_scgi_module
+  --without-http_memcached_module
+  --without-http_empty_gif_module
+  --without-http_browser_module
+  --without-http_upstream_ip_hash_module
+  --without-http_upstream_least_conn_module
+  --without-http_upstream_keepalive_module
+  --without-mail_pop3_module
+  --without-mail_imap_module
+  --without-mail_smtp_module
+  --with-http_realip_module
+)
Author	SHA1	Message	Date
Jose Diaz-Gonzalez	8d1b1afa9f	Merge pull request #101 from dokku/versioned-build fix: version-aware nginx binary caching and prebuilt downloads	2026-04-23 03:39:51 -04:00
Jose Diaz-Gonzalez	93f1162632	fix: version-aware nginx binary caching and prebuilt downloads Cached nginx binaries were reused regardless of NGINX_VERSION changes, and prebuilt releases always fetched the latest asset regardless of the configured version. Add a .nginx-version marker file to the cache and version the release asset filename so mismatched versions trigger a rebuild.	2026-04-23 03:36:20 -04:00
Jose Diaz-Gonzalez	73e762c693	Merge pull request #100 from dokku/deploy-head feat: set buildpack ref on main branch deploys	2026-04-23 03:16:46 -04:00
Jose Diaz-Gonzalez	e5f2625df2	feat: set buildpack ref on main branch deploys The ci-pre-deploy script already sets the buildpack ref for review apps via a .buildpacks file. For main/master branch deploys, use dokku buildpacks:set to pin the buildpack to the current branch ref.	2026-04-23 03:16:18 -04:00
Jose Diaz-Gonzalez	0fcbc35eed	Merge pull request #99 from dokku/add-ci-workflow feat: add CI workflow to lint and compile nginx on PRs	2026-04-23 01:45:30 -04:00
Jose Diaz-Gonzalez	cad1e54b14	refactor: merge release workflow into ci workflow The build job now handles both CI verification and release asset uploads, eliminating duplicated compilation logic between the two workflows.	2026-04-23 01:37:40 -04:00
Jose Diaz-Gonzalez	df8cba3582	fix: use correct path for nginx binary in CI verify step	2026-04-23 01:33:27 -04:00
Jose Diaz-Gonzalez	aaf995fd4e	feat: add CI workflow to lint and compile nginx on PRs	2026-04-23 01:22:23 -04:00
Jose Diaz-Gonzalez	ec95819e3d	Merge pull request #98 from dokku/precompile-release-assets feat: precompile nginx binary on release and download during builds	2026-04-23 01:18:54 -04:00
Jose Diaz-Gonzalez	11755954fe	chore: run shfmt	2026-04-23 01:10:31 -04:00
Jose Diaz-Gonzalez	d72ac92402	refactor: extract shared nginx build config to conf/nginx-configure-flags Moves version variables and configure flags to a single sourced file, eliminating duplication between bin/compile and the release workflow.	2026-04-23 01:08:52 -04:00
Jose Diaz-Gonzalez	27155d8eaf	feat: precompile nginx binary on release and download during builds On release creation, a GitHub Actions workflow compiles a statically-linked nginx binary and uploads it as a release asset. During builds, the compile script now attempts to download the precompiled binary before falling back to source compilation, significantly speeding up cold-cache deploys.	2026-04-19 19:16:11 -04:00
Jose Diaz-Gonzalez	d157f257ce	Merge pull request #97 from dokku/josegonzalez-patch-1 chore: upgrade to nginx 1.29.8	2026-04-19 18:47:12 -04:00
Jose Diaz-Gonzalez	a0f7d9e34f	chore: upgrade to nginx 1.29.8	2026-04-19 18:44:00 -04:00