From dea63ad96d7dd536de74f2772504ad53b33e0c1c Mon Sep 17 00:00:00 2001 From: huangzhiqiang Date: Sat, 7 Jun 2025 14:54:16 +0800 Subject: [PATCH] add action: update build-ubuntu.yaml --- .gitea/workflows/build-ubuntu.yaml | 195 +++++++++++++++++++++++------ 1 file changed, 159 insertions(+), 36 deletions(-) diff --git a/.gitea/workflows/build-ubuntu.yaml b/.gitea/workflows/build-ubuntu.yaml index bf9141f..1e61ba4 100644 --- a/.gitea/workflows/build-ubuntu.yaml +++ b/.gitea/workflows/build-ubuntu.yaml 
@@ -6,78 +6,201 @@ on: branches: - main +env: + ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true + +defaults: + run: + shell: 'bash -Eeo pipefail -x {0}' + jobs: build-nginx: + name: ubuntu-22.04, amd64 runs-on: ubuntu-22.04 + needs: check-if-allowed + if: needs.check-if-allowed.outputs.allowed == 'true' + steps: - name: 检出代码 - uses: actions/checkout@v3 + uses: actions/checkout@v4 - - name: 更新 apt 源 - run: sudo apt update - - - name: 安装编译工具和依赖 + - name: 设置构建环境 run: | - sudo apt install -y gcc make libpcre3-dev zlib1g-dev libssl-dev + # 设置编译选项 + CC_OPT="$(DEB_BUILD_MAINT_OPTIONS=hardening=+all DEB_CFLAGS_MAINT_APPEND=-fPIC DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed dpkg-buildflags --get CFLAGS)" + LD_OPT="$(DEB_BUILD_MAINT_OPTIONS=hardening=+all DEB_CFLAGS_MAINT_APPEND=-fPIC DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed dpkg-buildflags --get LDFLAGS)" + + # 基础配置选项 + CONFIGURE_OPTS="--prefix=/usr/local/nginx \ + --with-http_ssl_module \ + --with-http_realip_module \ + --with-http_addition_module \ + --with-http_sub_module \ + --with-http_dav_module \ + --with-http_flv_module \ + --with-http_mp4_module \ + --with-http_gunzip_module \ + --with-http_gzip_static_module \ + --with-http_random_index_module \ + --with-http_secure_link_module \ + --with-http_stub_status_module \ + --with-mail \ + --with-mail_ssl_module \ + --with-select_module \ + --with-poll_module \ + --with-http_auth_request_module \ + --with-http_v2_module \ + --with-http_slice_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_ssl_preread_module \ + --with-stream_realip_module \ + --with-threads \ + --with-compat \ + --with-http_perl_module \ + --with-http_xslt_module \ + --with-http_image_filter_module \ + --with-http_degradation_module \ + --with-http_v3_module" - - name: 配置构建 - run: | - auto/configure + # 导出环境变量 + { + echo "CC_OPT=$CC_OPT" + echo "LD_OPT=$LD_OPT" + echo "CONFIGURE_OPTS=$CONFIGURE_OPTS" + } >> $GITHUB_ENV - - name: 编译 NGINX + # 创建必要目录 + mkdir -p t/ + # 启用 coredumps + ulimit 
-c unlimited + + - name: 安装依赖包 run: | - make + sudo apt update + sudo apt install -y \ + gcc \ + make \ + libpcre3-dev \ + zlib1g-dev \ + libssl-dev \ + libxml2-dev \ + libxslt1-dev \ + libgd-dev \ + libperl-dev \ + jq \ + dpkg-dev \ + --no-install-recommends + sudo apt clean + + - name: 配置和编译 NGINX + run: | + echo "开始配置 NGINX..." + auto/configure \ + $CONFIGURE_OPTS \ + --with-cc-opt="$CC_OPT" \ + --with-ld-opt="$LD_OPT" \ + || { + echo "配置失败,查看错误日志:" + cat objs/autoconf.err + exit 1 + } + + echo "开始编译 NGINX..." + make -j$(nproc) || { + echo "并行编译失败,尝试单线程编译..." + make + } - name: 安装 NGINX - run: | - sudo make install + run: sudo make install - - name: 测试 NGINX 运行 + - name: 测试 NGINX run: | + echo "启动 NGINX 服务..." sudo /usr/local/nginx/sbin/nginx - curl -v localhost || true - - name: 停止 NGINX 服务 - run: | - sudo /usr/local/nginx/sbin/nginx -s stop || true + echo "等待服务启动..." + sleep 2 - - name: 创建 Dockerfile + echo "测试 HTTP 连接..." + curl -f http://localhost || { + echo "HTTP 测试失败,查看 NGINX 状态..." + sudo /usr/local/nginx/sbin/nginx -t + sudo /usr/local/nginx/sbin/nginx -V + exit 1 + } + + echo "停止 NGINX 服务..." 
+ sudo /usr/local/nginx/sbin/nginx -s quit || sudo /usr/local/nginx/sbin/nginx -s stop + + - name: 设置 Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: 创建优化的 Dockerfile run: | cat > Dockerfile << 'EOF' FROM ubuntu:22.04 - - # 安装依赖 + + # 设置非交互模式和时区 + ENV DEBIAN_FRONTEND=noninteractive + ENV TZ=Asia/Shanghai + + # 安装运行时依赖 RUN apt-get update && \ - apt-get install -y libpcre3 zlib1g libssl1.1 && \ + apt-get install -y --no-install-recommends \ + libpcre3 \ + zlib1g \ + libssl3 \ + libxml2 \ + libxslt1.1 \ + libgd3 \ + ca-certificates && \ apt-get clean && \ - rm -rf /var/lib/apt/lists/* - + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + + # 创建 nginx 用户 + RUN groupadd -r nginx && useradd -r -g nginx nginx + # 复制编译好的 nginx - COPY /usr/local/nginx /usr/local/nginx - + COPY --from=builder /usr/local/nginx /usr/local/nginx + + # 创建必要的目录 + RUN mkdir -p /var/log/nginx /var/cache/nginx && \ + chown -R nginx:nginx /var/log/nginx /var/cache/nginx /usr/local/nginx + # 暴露端口 EXPOSE 80 443 - + + # 健康检查 + HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD curl -f http://localhost/ || exit 1 + # 设置工作目录 WORKDIR /usr/local/nginx - + + # 使用非 root 用户运行 + USER nginx + # 启动 nginx CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"] EOF - - - name: 设置 Docker Buildx - uses: docker/setup-buildx-action@v2 - + - name: 登录到 Harbor - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ${{ secrets.HARBOR_REGISTRY }} username: ${{ secrets.HARBOR_USERNAME }} password: ${{ secrets.HARBOR_PASSWORD }} - + - name: 构建并推送 Docker 镜像 - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: . 
push: true - tags: ${{ secrets.HARBOR_REGISTRY }}/nginx/nginx:${{ github.sha }},${{ secrets.HARBOR_REGISTRY }}/nginx/nginx:latest + tags: | + ${{ secrets.HARBOR_REGISTRY }}/nginx/nginx:${{ github.sha }} + ${{ secrets.HARBOR_REGISTRY }}/nginx/nginx:latest + cache-from: type=gha + cache-to: type=gha,mode=max + platforms: linux/amd64
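Review bot: The workflow-level `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` opts every step into a Node runtime the runner treats as deprecated, including the `docker/login-action@v3` step that receives the Harbor credentials. The action versions this commit moves to (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v5`) should not need it as far as I know, so I would delete the `env:` entry, or set it only on the one step that needs it with a comment saying why. In the generated Dockerfile, `COPY --from=builder /usr/local/nginx /usr/local/nginx` names a stage that is never declared (the only `FROM` is `ubuntu:22.04`), so the image build is likely to fail; copying the install tree into the context first (`sudo cp -a /usr/local/nginx ./nginx-dist` in a step before the build, then `COPY nginx-dist/ /usr/local/nginx`) would ship the binary this job compiled and tested. The `HEALTHCHECK` runs `curl`, which is not in the runtime `apt-get install` list, so the container would report unhealthy unless `curl` is added there. `needs: check-if-allowed` and the `if:` on its output gate a job that pushes to the registry, but no `check-if-allowed` job is visible in this hunk; please confirm it is defined, otherwise the workflow cannot run as written.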