249 changes: 145 additions & 104 deletions .github/scripts/update-nginx-checksums.sh
@@ -1,9 +1,10 @@
#!/usr/bin/env bash
#
# Helper script to calculate and update SHA256 checksums for NGINX dependencies
# This script downloads the dependencies and updates the checksums in installer files
# Recalculate and optionally apply SHA256 checksums for nginx installer dependencies.
#
# Usage: ./update-nginx-checksums.sh [nginx_version] [openssl_version] [pcre2_version] [zlib_version]
# Usage:
# .github/scripts/update-nginx-checksums.sh
# .github/scripts/update-nginx-checksums.sh --apply
#

set -euo pipefail
Expand All @@ -19,121 +20,161 @@ log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1" >&2; }
log_warn() { echo -e "${YELLOW}[!]${NC} $1"; }

# Get versions from arguments or read from installer files
NGINX_VERSION="${1:-$(grep -oP 'NGINX_VERSION="\K[^"]+' nginx/nginx_installer.sh)}"
OPENSSL_VERSION="${2:-$(grep -oP 'OPENSSL_VERSION="\K[^"]+' nginx/nginx_installer.sh)}"
PCRE2_VERSION="${3:-$(grep -oP 'PCRE2_VERSION="\K[^"]+' nginx/nginx_installer.sh)}"
ZLIB_VERSION="${4:-$(grep -oP 'ZLIB_VERSION="\K[^"]+' nginx/nginx_installer.sh)}"

log_info "Versions to check:"
echo " NGINX: $NGINX_VERSION"
echo " OpenSSL: $OPENSSL_VERSION"
echo " PCRE2: $PCRE2_VERSION"
echo " Zlib: $ZLIB_VERSION"
usage() {
cat <<'EOF'
Usage: update-nginx-checksums.sh [--apply]

Options:
--apply Apply calculated checksums to nginx/nginx_installer.sh and nginx/nginx_installer.ps1 without prompting
-h, --help Show this help
EOF
}

APPLY=false
while [[ $# -gt 0 ]]; do
case "$1" in
--apply)
APPLY=true
shift
;;
-h|--help)
usage
exit 0
;;
*)
log_error "Unknown argument: $1"
usage
exit 1
;;
esac
done

REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
readonly REPO_ROOT
readonly BASH_INSTALLER="$REPO_ROOT/nginx/nginx_installer.sh"
readonly PS_INSTALLER="$REPO_ROOT/nginx/nginx_installer.ps1"

cd "$REPO_ROOT"

read_sh_var() {
local key=$1
sed -n "s/^${key}=\"\\([^\"]*\\)\"$/\\1/p" "$BASH_INSTALLER" | head -n1
}

update_bash_var() {
local key=$1
local value=$2
sed -i "s/^${key}=\"[^\"]*\"$/${key}=\"${value}\"/" "$BASH_INSTALLER"
}

update_ps_var() {
local key=$1
local value=$2
sed -i "s#^\\(\\\$Script:${key}[[:space:]]*=[[:space:]]*'\\)[^']*'#\\1${value}'#" "$PS_INSTALLER"
}

download_and_hash() {
local url=$1
local file=$2
curl -fsSL "$url" -o "$file"
sha256sum "$file" | awk '{print $1}'
}

NGINX_VERSION="$(read_sh_var NGINX_VERSION)"
OPENSSL_VERSION="$(read_sh_var OPENSSL_VERSION)"
PCRE2_VERSION="$(read_sh_var PCRE2_VERSION)"
ZLIB_VERSION="$(read_sh_var ZLIB_VERSION)"
HEADERS_MORE_VERSION="$(read_sh_var HEADERS_MORE_VERSION)"
ZSTD_MODULE_VERSION="$(read_sh_var ZSTD_MODULE_VERSION)"
ACME_MODULE_VERSION="$(read_sh_var ACME_MODULE_VERSION)"

required_values=(
"$NGINX_VERSION"
"$OPENSSL_VERSION"
"$PCRE2_VERSION"
"$ZLIB_VERSION"
"$HEADERS_MORE_VERSION"
"$ZSTD_MODULE_VERSION"
"$ACME_MODULE_VERSION"
)
for value in "${required_values[@]}"; do
[[ -n "$value" ]] || { log_error "Failed to read one or more versions from $BASH_INSTALLER"; exit 1; }
done

log_info "Versions to recalculate:"
echo " NGINX: $NGINX_VERSION"
echo " OpenSSL: $OPENSSL_VERSION"
echo " PCRE2: $PCRE2_VERSION"
echo " Zlib: $ZLIB_VERSION"
echo " headers-more: $HEADERS_MORE_VERSION"
echo " zstd-module: $ZSTD_MODULE_VERSION"
echo " nginx-acme: $ACME_MODULE_VERSION"
echo

# Create temp directory
TEMP_DIR=$(mktemp -d)
trap 'rm -rf -- "$TEMP_DIR"' EXIT

cd "$TEMP_DIR"

# Download and calculate checksums
log_info "Downloading NGINX $NGINX_VERSION..."
if wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"; then
NGINX_SHA256=$(sha256sum "nginx-${NGINX_VERSION}.tar.gz" | awk '{print $1}')
log_success "NGINX SHA256: $NGINX_SHA256"
else
log_error "Failed to download NGINX $NGINX_VERSION"
NGINX_SHA256=""
fi

log_info "Downloading OpenSSL $OPENSSL_VERSION..."
if wget -q "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"; then
OPENSSL_SHA256=$(sha256sum "openssl-${OPENSSL_VERSION}.tar.gz" | awk '{print $1}')
log_success "OpenSSL SHA256: $OPENSSL_SHA256"
else
log_error "Failed to download OpenSSL $OPENSSL_VERSION"
OPENSSL_SHA256=""
fi

log_info "Downloading PCRE2 $PCRE2_VERSION..."
if wget -q "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VERSION}/pcre2-${PCRE2_VERSION}.tar.gz"; then
PCRE2_SHA256=$(sha256sum "pcre2-${PCRE2_VERSION}.tar.gz" | awk '{print $1}')
log_success "PCRE2 SHA256: $PCRE2_SHA256"
else
log_error "Failed to download PCRE2 $PCRE2_VERSION"
PCRE2_SHA256=""
fi

log_info "Downloading Zlib $ZLIB_VERSION..."
if wget -q "https://github.com/madler/zlib/releases/download/v${ZLIB_VERSION}/zlib-${ZLIB_VERSION}.tar.gz"; then
ZLIB_SHA256=$(sha256sum "zlib-${ZLIB_VERSION}.tar.gz" | awk '{print $1}')
log_success "Zlib SHA256: $ZLIB_SHA256"
else
log_error "Failed to download Zlib $ZLIB_VERSION"
ZLIB_SHA256=""
fi

echo
log_info "SHA256 Checksums:"
echo "===================="
[ -n "$NGINX_SHA256" ] && echo "NGINX: $NGINX_SHA256"
[ -n "$OPENSSL_SHA256" ] && echo "OpenSSL: $OPENSSL_SHA256"
[ -n "$PCRE2_SHA256" ] && echo "PCRE2: $PCRE2_SHA256"
[ -n "$ZLIB_SHA256" ] && echo "Zlib: $ZLIB_SHA256"
echo
log_info "Downloading and hashing release tarballs..."

# Ask if user wants to update the files
read -rp "Update installer files with these checksums? [y/N] " response
if [[ "$response" =~ ^[Yy]$ ]]; then
cd "$OLDPWD"
NGINX_SHA256="$(download_and_hash "https://github.com/nginx/nginx/releases/download/release-${NGINX_VERSION}/nginx-${NGINX_VERSION}.tar.gz" "nginx.tar.gz")"
log_success "NGINX_SHA256: $NGINX_SHA256"

# Update Bash installer
if [ -n "$NGINX_SHA256" ]; then
sed -i "s/NGINX_SHA256=\"[^\"]*\"/NGINX_SHA256=\"$NGINX_SHA256\"/" nginx/nginx_installer.sh
log_success "Updated NGINX SHA256 in nginx_installer.sh"
fi
OPENSSL_SHA256="$(download_and_hash "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" "openssl.tar.gz")"
log_success "OPENSSL_SHA256: $OPENSSL_SHA256"

if [ -n "$OPENSSL_SHA256" ]; then
sed -i "s/OPENSSL_SHA256=\"[^\"]*\"/OPENSSL_SHA256=\"$OPENSSL_SHA256\"/" nginx/nginx_installer.sh
log_success "Updated OpenSSL SHA256 in nginx_installer.sh"
fi
PCRE2_SHA256="$(download_and_hash "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VERSION}/pcre2-${PCRE2_VERSION}.tar.gz" "pcre2.tar.gz")"
log_success "PCRE2_SHA256: $PCRE2_SHA256"

if [ -n "$PCRE2_SHA256" ]; then
sed -i "s/PCRE2_SHA256=\"[^\"]*\"/PCRE2_SHA256=\"$PCRE2_SHA256\"/" nginx/nginx_installer.sh
log_success "Updated PCRE2 SHA256 in nginx_installer.sh"
fi
ZLIB_SHA256="$(download_and_hash "https://github.com/madler/zlib/releases/download/v${ZLIB_VERSION}/zlib-${ZLIB_VERSION}.tar.gz" "zlib.tar.gz")"
log_success "ZLIB_SHA256: $ZLIB_SHA256"

if [ -n "$ZLIB_SHA256" ]; then
sed -i "s/ZLIB_SHA256=\"[^\"]*\"/ZLIB_SHA256=\"$ZLIB_SHA256\"/" nginx/nginx_installer.sh
log_success "Updated Zlib SHA256 in nginx_installer.sh"
fi
HEADERS_MORE_SHA256="$(download_and_hash "https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${HEADERS_MORE_VERSION}.tar.gz" "headers-more.tar.gz")"
log_success "HEADERS_MORE_SHA256: $HEADERS_MORE_SHA256"

# Update PowerShell installer ($Script:VAR = '...' met single quotes)
if [ -n "$NGINX_SHA256" ]; then
sed -i "s/\(\\\$Script:NGINX_SHA256\s*=\s*'\)[^']*'/\1$NGINX_SHA256'/" nginx/nginx_installer.ps1
log_success "Updated NGINX SHA256 in nginx_installer.ps1"
fi
ZSTD_MODULE_SHA256="$(download_and_hash "https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${ZSTD_MODULE_VERSION}.tar.gz" "zstd-module.tar.gz")"
log_success "ZSTD_MODULE_SHA256: $ZSTD_MODULE_SHA256"

if [ -n "$OPENSSL_SHA256" ]; then
sed -i "s/\(\\\$Script:OPENSSL_SHA256\s*=\s*'\)[^']*'/\1$OPENSSL_SHA256'/" nginx/nginx_installer.ps1
log_success "Updated OpenSSL SHA256 in nginx_installer.ps1"
fi
ACME_MODULE_SHA256="$(download_and_hash "https://github.com/nginx/nginx-acme/releases/download/v${ACME_MODULE_VERSION}/nginx-acme-${ACME_MODULE_VERSION}.tar.gz" "nginx-acme.tar.gz")"
log_success "ACME_MODULE_SHA256: $ACME_MODULE_SHA256"

if [ -n "$PCRE2_SHA256" ]; then
sed -i "s/\(\\\$Script:PCRE2_SHA256\s*=\s*'\)[^']*'/\1$PCRE2_SHA256'/" nginx/nginx_installer.ps1
log_success "Updated PCRE2 SHA256 in nginx_installer.ps1"
fi
echo
log_info "Calculated checksums:"
echo " NGINX_SHA256: $NGINX_SHA256"
echo " OPENSSL_SHA256: $OPENSSL_SHA256"
echo " PCRE2_SHA256: $PCRE2_SHA256"
echo " ZLIB_SHA256: $ZLIB_SHA256"
echo " HEADERS_MORE_SHA256: $HEADERS_MORE_SHA256"
echo " ZSTD_MODULE_SHA256: $ZSTD_MODULE_SHA256"
echo " ACME_MODULE_SHA256: $ACME_MODULE_SHA256"
echo

if [ -n "$ZLIB_SHA256" ]; then
sed -i "s/\(\\\$Script:ZLIB_SHA256\s*=\s*'\)[^']*'/\1$ZLIB_SHA256'/" nginx/nginx_installer.ps1
log_success "Updated Zlib SHA256 in nginx_installer.ps1"
if [[ "$APPLY" != true ]]; then
read -rp "Apply these checksums to installer files? [y/N] " response
if [[ ! "$response" =~ ^[Yy]$ ]]; then
log_info "No changes made"
exit 0
fi

echo
log_success "All checksums updated in installer files!"
log_info "Review the changes with: git diff nginx/"
else
log_info "No changes made to installer files"
fi

cd "$REPO_ROOT"

update_bash_var NGINX_SHA256 "$NGINX_SHA256"
update_bash_var OPENSSL_SHA256 "$OPENSSL_SHA256"
update_bash_var PCRE2_SHA256 "$PCRE2_SHA256"
update_bash_var ZLIB_SHA256 "$ZLIB_SHA256"
update_bash_var HEADERS_MORE_SHA256 "$HEADERS_MORE_SHA256"
update_bash_var ZSTD_MODULE_SHA256 "$ZSTD_MODULE_SHA256"
update_bash_var ACME_MODULE_SHA256 "$ACME_MODULE_SHA256"

update_ps_var NGINX_SHA256 "$NGINX_SHA256"
update_ps_var OPENSSL_SHA256 "$OPENSSL_SHA256"
update_ps_var PCRE2_SHA256 "$PCRE2_SHA256"
update_ps_var ZLIB_SHA256 "$ZLIB_SHA256"
update_ps_var HEADERS_MORE_SHA256 "$HEADERS_MORE_SHA256"
update_ps_var ZSTD_MODULE_SHA256 "$ZSTD_MODULE_SHA256"
update_ps_var ACME_MODULE_SHA256 "$ACME_MODULE_SHA256"

log_success "Updated checksums in:"
echo " - nginx/nginx_installer.sh"
echo " - nginx/nginx_installer.ps1"
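Review bot: update_bash_var and update_ps_var, the new helpers in this hunk, interpolate `value` straight into the sed replacement and never check that the pattern matched, so a SHA256 key missing from either installer is a silent no-op while the script still prints "Updated checksums in:", and a value containing `/`, `&` or `#` would corrupt the line instead of failing. Because download_and_hash returns whatever sha256sum printed, both helpers should guard before the `sed -i`: `[[ "$value" =~ ^[0-9a-f]{64}$ ]] || { log_error "Not a SHA256 for ${key}: ${value}"; return 1; }` and `grep -q "^${key}=\"" "$BASH_INSTALLER" || { log_error "${key} not found in $BASH_INSTALLER"; return 1; }` (the PowerShell variant matching the `$Script:` prefix). A header comment on download_and_hash should also state that these pins are trust-on-first-use — they record whatever the release URL served when the script ran, with no independent verification — so where upstream publishes a detached signature or checksum file alongside the tarball, checking it here is what turns the pin into an actual supply-chain control rather than a change detector.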
87 changes: 5 additions & 82 deletions .github/workflows/update-nginx-checksums.yml
Expand Up @@ -5,6 +5,7 @@ name: Update nginx SHA256 checksums

on:
pull_request:
types: [opened, synchronize, reopened]
branches: [main]
paths:
- 'nginx/nginx_installer.sh'
Expand All @@ -17,96 +18,18 @@ jobs:
update-checksums:
name: Recalculate SHA256 checksums
runs-on: ubuntu-latest
if: startsWith(github.head_ref, 'renovate/')
if: startsWith(github.head_ref, 'renovate/') && github.actor == 'renovate[bot]'
steps:
- name: Checkout PR branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GITHUB_TOKEN }}

- name: Read versions from bash installer
id: versions
- name: Recalculate and apply checksums
run: |
echo "nginx=$(grep -oP 'NGINX_VERSION="\K[^"]+' nginx/nginx_installer.sh)" >> $GITHUB_OUTPUT
echo "openssl=$(grep -oP 'OPENSSL_VERSION="\K[^"]+' nginx/nginx_installer.sh)" >> $GITHUB_OUTPUT
echo "pcre2=$(grep -oP 'PCRE2_VERSION="\K[^"]+' nginx/nginx_installer.sh)" >> $GITHUB_OUTPUT
echo "zlib=$(grep -oP 'ZLIB_VERSION="\K[^"]+' nginx/nginx_installer.sh)" >> $GITHUB_OUTPUT
echo "headers_more=$(grep -oP 'HEADERS_MORE_VERSION="\K[^"]+' nginx/nginx_installer.sh)" >> $GITHUB_OUTPUT
echo "zstd=$(grep -oP 'ZSTD_MODULE_VERSION="\K[^"]+' nginx/nginx_installer.sh)" >> $GITHUB_OUTPUT
echo "acme=$(grep -oP 'ACME_MODULE_VERSION="\K[^"]+' nginx/nginx_installer.sh)" >> $GITHUB_OUTPUT

- name: Download tarballs and calculate SHA256
id: checksums
run: |
set -euo pipefail
TMPDIR=$(mktemp -d)
cd "$TMPDIR"

download_and_hash() {
local url="$1" file="$2"
if ! wget -q "$url" -O "$file"; then
echo "ERROR: Failed to download $url" >&2
exit 1
fi
sha256sum "$file" | awk '{print $1}'
}

NGINX_SHA=$(download_and_hash \
"https://github.com/nginx/nginx/releases/download/release-${{ steps.versions.outputs.nginx }}/nginx-${{ steps.versions.outputs.nginx }}.tar.gz" \
"nginx.tar.gz")

OPENSSL_SHA=$(download_and_hash \
"https://github.com/openssl/openssl/releases/download/openssl-${{ steps.versions.outputs.openssl }}/openssl-${{ steps.versions.outputs.openssl }}.tar.gz" \
"openssl.tar.gz")

PCRE2_SHA=$(download_and_hash \
"https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${{ steps.versions.outputs.pcre2 }}/pcre2-${{ steps.versions.outputs.pcre2 }}.tar.gz" \
"pcre2.tar.gz")

ZLIB_SHA=$(download_and_hash \
"https://github.com/madler/zlib/releases/download/v${{ steps.versions.outputs.zlib }}/zlib-${{ steps.versions.outputs.zlib }}.tar.gz" \
"zlib.tar.gz")

HEADERS_MORE_SHA=$(download_and_hash \
"https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${{ steps.versions.outputs.headers_more }}.tar.gz" \
"headers-more.tar.gz")

ZSTD_SHA=$(download_and_hash \
"https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${{ steps.versions.outputs.zstd }}.tar.gz" \
"zstd.tar.gz")

ACME_SHA=$(download_and_hash \
"https://github.com/nginx/nginx-acme/releases/download/v${{ steps.versions.outputs.acme }}/nginx-acme-${{ steps.versions.outputs.acme }}.tar.gz" \
"acme.tar.gz")

echo "nginx=$NGINX_SHA" >> $GITHUB_OUTPUT
echo "openssl=$OPENSSL_SHA" >> $GITHUB_OUTPUT
echo "pcre2=$PCRE2_SHA" >> $GITHUB_OUTPUT
echo "zlib=$ZLIB_SHA" >> $GITHUB_OUTPUT
echo "headers_more=$HEADERS_MORE_SHA" >> $GITHUB_OUTPUT
echo "zstd=$ZSTD_SHA" >> $GITHUB_OUTPUT
echo "acme=$ACME_SHA" >> $GITHUB_OUTPUT

- name: Update checksums in bash installer
run: |
sed -i "s/NGINX_SHA256=\"[^\"]*\"/NGINX_SHA256=\"${{ steps.checksums.outputs.nginx }}\"/" nginx/nginx_installer.sh
sed -i "s/OPENSSL_SHA256=\"[^\"]*\"/OPENSSL_SHA256=\"${{ steps.checksums.outputs.openssl }}\"/" nginx/nginx_installer.sh
sed -i "s/PCRE2_SHA256=\"[^\"]*\"/PCRE2_SHA256=\"${{ steps.checksums.outputs.pcre2 }}\"/" nginx/nginx_installer.sh
sed -i "s/ZLIB_SHA256=\"[^\"]*\"/ZLIB_SHA256=\"${{ steps.checksums.outputs.zlib }}\"/" nginx/nginx_installer.sh
sed -i "s/HEADERS_MORE_SHA256=\"[^\"]*\"/HEADERS_MORE_SHA256=\"${{ steps.checksums.outputs.headers_more }}\"/" nginx/nginx_installer.sh
sed -i "s/ZSTD_MODULE_SHA256=\"[^\"]*\"/ZSTD_MODULE_SHA256=\"${{ steps.checksums.outputs.zstd }}\"/" nginx/nginx_installer.sh
sed -i "s/ACME_MODULE_SHA256=\"[^\"]*\"/ACME_MODULE_SHA256=\"${{ steps.checksums.outputs.acme }}\"/" nginx/nginx_installer.sh

- name: Update checksums in PowerShell installer
run: |
sed -i "s/\(\$Script:NGINX_SHA256\s*=\s*'\)[^']*'/\1${{ steps.checksums.outputs.nginx }}'/" nginx/nginx_installer.ps1
sed -i "s/\(\$Script:OPENSSL_SHA256\s*=\s*'\)[^']*'/\1${{ steps.checksums.outputs.openssl }}'/" nginx/nginx_installer.ps1
sed -i "s/\(\$Script:PCRE2_SHA256\s*=\s*'\)[^']*'/\1${{ steps.checksums.outputs.pcre2 }}'/" nginx/nginx_installer.ps1
sed -i "s/\(\$Script:ZLIB_SHA256\s*=\s*'\)[^']*'/\1${{ steps.checksums.outputs.zlib }}'/" nginx/nginx_installer.ps1
sed -i "s/\(\$Script:HEADERS_MORE_SHA256\s*=\s*'\)[^']*'/\1${{ steps.checksums.outputs.headers_more }}'/" nginx/nginx_installer.ps1
sed -i "s/\(\$Script:ZSTD_MODULE_SHA256\s*=\s*'\)[^']*'/\1${{ steps.checksums.outputs.zstd }}'/" nginx/nginx_installer.ps1
sed -i "s/\(\$Script:ACME_MODULE_SHA256\s*=\s*'\)[^']*'/\1${{ steps.checksums.outputs.acme }}'/" nginx/nginx_installer.ps1
chmod +x .github/scripts/update-nginx-checksums.sh
.github/scripts/update-nginx-checksums.sh --apply

- name: Commit updated checksums
run: |
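Review bot: The added `&& github.actor == 'renovate[bot]'` on the job's `if:` is a skip rather than a failure, and as far as I recall github.actor is whoever triggered the run, so once a maintainer pushes a fix-up commit to a `renovate/` branch the `synchronize` run is silently skipped and the PR can merge with checksums that no longer match the versions in nginx/nginx_installer.sh. If the intent is to restrict write-back to bot-authored pushes, keep the gate but add an unconditional job that runs the script with `--apply` and fails on `git diff --exit-code -- nginx/`, so stale pins cannot merge. The `chmod +x` in the new run step also suggests the script is not executable in the index; setting the mode once with `git update-index --chmod=+x .github/scripts/update-nginx-checksums.sh` makes the step a plain `.github/scripts/update-nginx-checksums.sh --apply`. The "Commit updated checksums" step continues outside the hunk.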
5 changes: 4 additions & 1 deletion .github/workflows/validate-scripts.yml
Expand Up @@ -36,7 +36,10 @@ jobs:
id: find-scripts
run: |
# Find all .sh files, excluding third-party directories
find . -type f -name "*.sh" ! -path "./TLS-tools/testssl.sh-*" > bash_scripts.txt
find . -type f -name "*.sh" \
! -path "./TLS-tools/testssl.sh/*" \
! -path "./TLS-tools/testssl.sh" \
> bash_scripts.txt
cat bash_scripts.txt

- name: Validate bash syntax
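Review bot: The new `! -path` exclusions on the `find` call are tests, not pruning, so find still descends into the vendored testssl.sh tree and rejects its files one by one; `-prune` states the intent directly and skips the directory: `find . -path "./TLS-tools/testssl.sh" -prune -o -type f -name "*.sh" -print > bash_scripts.txt`. The exact-match `! -path "./TLS-tools/testssl.sh"` line only matters if that path can be a regular file rather than a directory (under `-type f` a directory is never selected anyway); if that case is intended, a one-line comment saying so would save the next reader the question. The rest of the step and the validation steps continue outside the hunk.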