From 5a0eb8eec3e84204a43df44de94800bd21fa5173 Mon Sep 17 00:00:00 2001 From: Aleksei Bavshin Date: Fri, 14 Nov 2025 16:36:04 -0800 Subject: [PATCH 1/4] CI: cancel stale workflows. --- .github/workflows/ci.yaml | 4 ++++ .github/workflows/sanitizers.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e0c3088..4a22fcc 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -6,6 +6,10 @@ on: - main pull_request: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} + env: CARGO_TERM_COLOR: 'always' RUST_BACKTRACE: '1' diff --git a/.github/workflows/sanitizers.yaml b/.github/workflows/sanitizers.yaml index d3f9b7c..0509535 100644 --- a/.github/workflows/sanitizers.yaml +++ b/.github/workflows/sanitizers.yaml @@ -6,6 +6,10 @@ on: - main pull_request: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} + env: CARGO_TERM_COLOR: 'always' RUST_BACKTRACE: '1' From e1790d9fa9f69be93a00657ef14cb931843e6062 Mon Sep 17 00:00:00 2001 From: Aleksei Bavshin Date: Mon, 17 Nov 2025 08:40:55 -0800 Subject: [PATCH 2/4] CI: allow dependabot to update indirect dependencies. --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3e9e75e..f99fa8e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,6 +8,9 @@ updates: day: "monday" - package-ecosystem: "cargo" + allow: + # Allow both direct and indirect updates for all packages. + - dependency-type: "all" directory: "/" groups: all-dependencies: From 6a8a8d550da8a7ae4bd94cb6f14019758b9f5553 Mon Sep 17 00:00:00 2001 
From: Aleksei Bavshin Date: Wed, 5 Nov 2025 12:57:09 -0800 Subject: [PATCH 3/4] CI: support building pebble from source. Shell implementation of get-pebble started getting too unwieldy, so it's been rewritten in Perl. --- .github/workflows/ci.yaml | 4 +- .github/workflows/sanitizers.yaml | 7 +- build/get-pebble.pl | 180 ++++++++++++++++++++++++++++++ build/get-pebble.sh | 59 ---------- 4 files changed, 186 insertions(+), 64 deletions(-) create mode 100644 build/get-pebble.pl delete mode 100755 build/get-pebble.sh diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4a22fcc..4b36fdd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -152,8 +152,8 @@ jobs: - name: download pebble run: | - build/get-pebble.sh - echo TEST_NGINX_PEBBLE_BINARY="$PWD/bin/pebble" >> "$GITHUB_ENV" + TEST_NGINX_PEBBLE_BINARY=$(perl build/get-pebble.pl) + echo TEST_NGINX_PEBBLE_BINARY="$TEST_NGINX_PEBBLE_BINARY" >> "$GITHUB_ENV" - name: build id: build diff --git a/.github/workflows/sanitizers.yaml b/.github/workflows/sanitizers.yaml index 0509535..f728cc6 100644 --- a/.github/workflows/sanitizers.yaml +++ b/.github/workflows/sanitizers.yaml @@ -21,6 +21,7 @@ env: git-core make openssl patch which perl-Digest-SHA + perl-File-Copy perl-FindBin perl-IO-Socket-INET6 perl-IO-Socket-SSL @@ -70,10 +71,10 @@ jobs: key: ${{ runner.os }}-cargo-asan-${{ hashFiles('**/Cargo.lock') }} restore-keys: ${{ runner.os }}-cargo-asan- - - name: download pebble + - name: download pebble run: | - build/get-pebble.sh - echo TEST_NGINX_PEBBLE_BINARY="$PWD/bin/pebble" >> "$GITHUB_ENV" + TEST_NGINX_PEBBLE_BINARY=$(perl build/get-pebble.pl) + echo TEST_NGINX_PEBBLE_BINARY="$TEST_NGINX_PEBBLE_BINARY" >> "$GITHUB_ENV" - name: Configure and build nginx run: | diff --git a/build/get-pebble.pl b/build/get-pebble.pl new file mode 100644 index 0000000..fd3b4f8 --- /dev/null +++ b/build/get-pebble.pl 
@@ -0,0 +1,180 @@
+#!/usr/bin/perl
+
+# Copyright (c) F5, Inc.
+#
+# This source code is licensed under the Apache License, Version 2.0 license
+# found in the LICENSE file in the root directory of this source tree.
+
+# Find, download or build letsencrypt/pebble of at least the specified version.
+
+###############################################################################
+
+use strict;
+use warnings;
+use utf8;
+
+use Cwd qw/ realpath /;
+use Digest::SHA;
+use File::Copy qw/ copy /;
+use File::Path qw/ rmtree /;
+use File::Spec;
+use File::Temp;
+use IPC::Open3;
+use POSIX qw/ uname waitpid /;
+
+BEGIN { use FindBin; chdir($FindBin::Bin) }
+
+###############################################################################
+
+my $GO = $ENV{GO} // 'go';
+my $NAME = 'pebble';
+my $TARGET = File::Spec->join( realpath('..'), 'bin', $NAME );
+my $URL = 'https://github.com/letsencrypt/pebble';
+my $VERSION = '2.8.0';
+
+my %PREBUILT = (
+ linux => {
+ amd64 =>
+ '34595d915bbc2fc827affb3f58593034824df57e95353b031c8d5185724485ce',
+ arm64 =>
+ '0e70f2537353f61cbf06aa54740bf7f7bb5f963ba00e909f23af5f85bc13fd1a',
+ },
+ darwin => {
+ amd64 =>
+ '9b9625651f8ce47706235179503fec149f8f38bce2b2554efe8c0f2a021f877c',
+ arm64 =>
+ '39e07d63dc776521f2ffe0584e5f4f081c984ac02742c882b430891d89f0c866',
+ },
+);
+
+my %ARCH = (
+ aarch64 => 'arm64',
+ x86_64 => 'amd64',
+);
+
+###############################################################################
+
+my ( $bin, $version ) = do_check();
+if ( defined $version ) {
+ print STDERR "found pebble $version at $bin\n";
+ print $bin;
+ exit 0;
+}
+
+my $arch = ( uname() )[4];
+$arch = $ARCH{$arch} if defined $ARCH{$arch};
+
+my $tempdir = File::Temp->newdir( 'get-pebble-XXXXXXXXXX', TMPDIR => 1 )
+ or die "Can't create temp directory: $!\n";
+
+if ( my $hash = $PREBUILT{$^O}{$arch} ) {
+ print STDERR "downloading pebble $VERSION for $^O $arch\n";
+ print do_download( $^O, $arch, $hash );
+}
+else {
+ print STDERR "building pebble $VERSION\n";
+ print do_compile();
+}
+
+###############################################################################
+
+sub do_check {
+ my @names = which($NAME);
+ unshift @names, $TARGET;
+
+ BIN: foreach my $bin (@names) {
+ my $version;
+ $version = $1
+ if qx{ $bin -version 2>/dev/null } =~ /version:\s+v?(\d[\d\.]+)/;
+ next unless $version;
+
+ my @v = split /\./, $version;
+ foreach my $n ( split /\./, $VERSION ) {
+ my $v = shift @v || 0;
+ last if $v > $n;
+ next BIN if $v < $n;
+ }
+
+ return ( $bin, $version );
+ }
+}
+
+sub do_compile {
+ my @GO = which($GO) or die "Can't find Go toolchain: $!\n";
+
+ my $repo = $ENV{PEBBLE_SOURCE_DIR}
+ // File::Spec->join( $tempdir, 'pebble' );
+
+ run( 'git', 'clone', '--depth=1', '-b', "v${VERSION}", $URL, $repo )
+ unless -d File::Spec->join( $repo, '.git' );
+
+ chdir($repo) or die "chdir failed: $!\n";
+
+ run( 'git', 'fetch', '--depth=1', 'origin', 'tag', "v${VERSION}" );
+ run( 'git', 'checkout', "v${VERSION}" );
+
+ my $commit = run( 'git', 'rev-parse', 'HEAD' );
+ my $ldflags = "-X 'main.version=v${VERSION} ($commit)'";
+
+ run( $GO[0], 'build', '-ldflags=' . $ldflags, './cmd/pebble' );
+
+ chdir($FindBin::Bin);
+ return copy_binary( File::Spec->join( $repo, 'pebble' ) );
+}
+
+sub do_download {
+ my ( $os, $arch, $hash ) = @_;
+
+ chdir($tempdir) or die "chdir failed: $!\n";
+
+ my $archive = "pebble-$os-$arch.tar.gz";
+ run( 'curl', '--fail', '--silent', '-L', '-o', $archive,
+ "$URL/releases/download/v${VERSION}/${archive}" );
+ die "Checksum verification failed\n" if sha256sum($archive) ne $hash;
+
+ run( 'tar', 'xzf', $archive );
+
+ chdir($FindBin::Bin);
+ return copy_binary(
+ File::Spec->join( $tempdir, "pebble-$os-$arch", $os, $arch, 'pebble' )
+ );
+}
+
+sub copy_binary {
+ my ($src) = @_;
+ mkdir dirname($TARGET);
+ copy $src, $TARGET or die "copy $src, $TARGET: $!\n";
+ chmod 0755, $TARGET or die "chmod $TARGET: $!\n";
+ return $TARGET;
+}
+
+sub dirname {
+ my ($filename) = @_;
+ my ( $vol, $dir ) = File::Spec->splitpath($filename);
+ return File::Spec->catpath( $vol, $dir, '' );
+}
+
+sub run {
+ my $pid = open3( undef, my $fh, '>&STDERR', @_ );
+ waitpid( $pid, 0 );
+ die "$_[0] failed: $! $?\n" unless $? == 0;
+
+ $fh->read( my $out, 32768 );
+ chomp($out);
+ return $out;
+}
+
+sub sha256sum {
+ my ($filename) = @_;
+ my $sha = Digest::SHA->new('SHA-256');
+ $sha->addfile( $filename, 'b' );
+ return lc( $sha->hexdigest() );
+}
+
+sub which {
+ my ($name) = @_;
+ my @paths = File::Spec->path();
+ return grep { -x } map { File::Spec->join( $_, $name ) } @paths;
+}
+
+###############################################################################
diff --git a/build/get-pebble.sh b/build/get-pebble.sh
deleted file mode 100755
index aef2b3c..0000000
--- a/build/get-pebble.sh
+++ /dev/null
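Review bot: The build-from-source path in `do_compile` has no integrity pin comparable to the SHA-256 table that guards `do_download`: whatever `v${VERSION}` resolves to at fetch time is built and installed, and `$commit` is only embedded in the version string. Because a tag can be moved upstream, consider pinning the expected commit next to `$VERSION`, e.g. `my $COMMIT = '<expected-commit-sha-for-this-tag>';`, and adding `die "Unexpected commit $commit\n" if $commit ne $COMMIT;` right after the `git rev-parse` call. Separately, `do_check` interpolates `$bin` into `qx{ ... }`, so a checkout path or PATH entry containing spaces or shell metacharacters is parsed by the shell; quoting the path or invoking the binary without a shell (list-form `open`/`open3`) would avoid that. A short comment on `$ENV{PEBBLE_SOURCE_DIR}` stating that the directory is trusted and gets a `git checkout` of the release tag would also help the next reader.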
@@ -1,59 +0,0 @@ -#!/bin/sh - -# Copyright (c) F5, Inc. -# -# This source code is licensed under the Apache License, Version 2.0 license -# found in the LICENSE file in the root directory of this source tree. - -set -e - -VERSION="${1:-2.8.0}" -SHA256SUM="$2" -TARGET=${3:-$PWD/bin/pebble} - -SHA256SUM_darwin_amd64=9b9625651f8ce47706235179503fec149f8f38bce2b2554efe8c0f2a021f877c -SHA256SUM_darwin_arm64=39e07d63dc776521f2ffe0584e5f4f081c984ac02742c882b430891d89f0c866 -SHA256SUM_linux_amd64=34595d915bbc2fc827affb3f58593034824df57e95353b031c8d5185724485ce -SHA256SUM_linux_arm64=0e70f2537353f61cbf06aa54740bf7f7bb5f963ba00e909f23af5f85bc13fd1a - -if "$TARGET" -version | grep "$VERSION"; then - exit 0 -fi - -SYSTEM=$(uname -s | tr "[:upper:]" "[:lower:]") -MACHINE=$(uname -m) -case "$MACHINE" in - aarch64) - MACHINE=arm64;; - x86_64) - MACHINE=amd64;; -esac - -if [ -z "$SHA256SUM" ]; then - eval "SHA256SUM=\$SHA256SUM_${SYSTEM}_${MACHINE}" -fi - -if echo "$SHA256SUM $TARGET" | shasum -a 256 -c; then - exit 0; -fi - -PREFIX="pebble-${SYSTEM}-${MACHINE}" - -WORKDIR=$(mktemp -d) -trap 'rm -rf "$WORKDIR"' EXIT - -cd "$WORKDIR" - -curl -L -o "$PREFIX.tar.gz" \ - "https://github.com/letsencrypt/pebble/releases/download/v${VERSION}/${PREFIX}.tar.gz" - -if ! echo "$SHA256SUM $PREFIX.tar.gz" | shasum -a 256 -c; then - echo "checksum mismatch" - exit 1; -fi - -tar -xzf "$PREFIX.tar.gz" - -mkdir -p "$(dirname "$TARGET")" -mv "$PREFIX/$SYSTEM/$MACHINE/pebble" "$TARGET" -chmod +x "$TARGET" From efdbc9fa9214907c1930c7b99e68e19bb7352cbb Mon Sep 17 00:00:00 2001 From: Aleksei Bavshin Date: Fri, 14 Nov 2025 16:58:14 -0800 Subject: [PATCH 4/4] CI: add FreeBSD and NetBSD VM workflows. --- .github/workflows/vmactions.yaml | 96 ++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 .github/workflows/vmactions.yaml diff --git a/.github/workflows/vmactions.yaml b/.github/workflows/vmactions.yaml new file mode 100644 index 0000000..da8b4e8 --- /dev/null 
+++ b/.github/workflows/vmactions.yaml 
@@ -0,0 +1,96 @@
+name: VM
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+env:
+ CARGO_TERM_COLOR: 'always'
+ NGINX_SOURCE_DIR: nginx
+ TEST_NGINX_GLOBALS: 'user root nobody;'
+
+jobs:
+ freebsd:
+ name: FreeBSD
+ runs-on: ubuntu-latest
+ env:
+ BUILDREQUIRES: >-
+ git
+ go
+ llvm
+ p5-Digest-SHA
+ p5-IO-Socket-INET6
+ p5-IO-Socket-SSL
+ p5-JSON-PP
+ p5-TimeDate
+ pcre2
+ pkgconf
+ rust
+
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ ref: ${{ matrix.nginx-ref }}
+ repository: 'nginx/nginx'
+ path: 'nginx'
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ repository: 'nginx/nginx-tests'
+ path: 'nginx/tests'
+
+ - uses: vmactions/freebsd-vm@783ae15c0393f8a2582a139f76cc55f2d887b4a6 # v1.2.6
+ with:
+ copyback: false
+ envs: 'CARGO_TERM_COLOR NGINX_SOURCE_DIR TEST_NGINX_GLOBALS'
+ prepare: |
+ pkg install -y ${{ env.BUILDREQUIRES }}
+ run: |
+ TEST_NGINX_PEBBLE_BINARY=$(perl build/get-pebble.pl)
+ export TEST_NGINX_PEBBLE_BINARY
+ make
+
+ netbsd:
+ name: NetBSD
+ runs-on: ubuntu-latest
+ env:
+ GO: go124
+ BUILDREQUIRES: >-
+ clang
+ git
+ go124
+ p5-IO-Socket-INET6
+ p5-IO-Socket-SSL
+ p5-TimeDate
+ pcre2
+ pkgconf
+ rust
+
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ ref: ${{ matrix.nginx-ref }}
+ repository: 'nginx/nginx'
+ path: 'nginx'
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ repository: 'nginx/nginx-tests'
+ path: 'nginx/tests'
+
+ - uses: vmactions/netbsd-vm@495b430eb9f48e0c42f3e0e23294ba00d2df22a7 # v1.2.1
+ with:
+ copyback: false
+ envs: 'CARGO_TERM_COLOR NGINX_SOURCE_DIR TEST_NGINX_GLOBALS GO'
+ prepare: |
+ /usr/sbin/pkg_add ${{ env.BUILDREQUIRES }}
+ run: |
+ TEST_NGINX_PEBBLE_BINARY=$(perl build/get-pebble.pl)
+ export TEST_NGINX_PEBBLE_BINARY
+ make
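Review bot: The new workflow declares no `permissions:` key and none of its `actions/checkout` steps turns off credential persistence, yet on `pull_request` events the checked-out workspace is handed to a VM action that then runs `make`. Adding a top-level `permissions:` block with `contents: read`, and `persist-credentials: false` under `with:` on each checkout step, would keep the job token scoped and out of the guest; whether the repository already restricts default token permissions is not visible here. Also, both jobs pass `ref: ${{ matrix.nginx-ref }}` but neither defines a `strategy.matrix`, so the expression evaluates to empty and the default branch of nginx/nginx is checked out. Either drop the `ref:` line or add the matrix so the tested nginx revision is explicit.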