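---
# Builds NGINX from this checkout on ubuntu-22.04, smoke-tests the host
# install, then packages /usr/local/nginx into a runtime image and pushes it
# to Harbor. Every `run` step is a separate shell: values only survive across
# steps through $GITHUB_ENV.
name: Build NGINX on Ubuntu

on:
  push:  # unfiltered: every branch push runs the job (and publishes, see tags)
  pull_request:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, and the registry uses its own secrets.
permissions:
  contents: read

env:
  # Opts actions into a deprecated Node runtime. Quoted so it stays the string
  # the runner reads rather than becoming a YAML boolean.
  # NOTE(review): none of the action majors referenced below obviously need
  # this — confirm and drop it if unused.
  ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"

defaults:
  run:
    # -E/-e/pipefail: fail fast. -x echoes every expanded command to the log,
    # so never expand a secret inside a `run` step under this shell.
    shell: 'bash -Eeo pipefail -x {0}'

jobs:
  build-nginx:
    name: ubuntu-22.04, amd64
    runs-on: ubuntu-22.04
    steps:
      - name: 检出代码
        # NOTE(review): consider pinning each action to a commit SHA
        # (uses: owner/repo@<commit-sha>) instead of a mutable major tag.
        uses: actions/checkout@v4

      - name: 设置构建环境
        run: |
          # Compiler/linker flags from dpkg's hardening=+all set, plus -fPIC
          # and --as-needed.
          CC_OPT="$(DEB_BUILD_MAINT_OPTIONS=hardening=+all DEB_CFLAGS_MAINT_APPEND=-fPIC DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed dpkg-buildflags --get CFLAGS)"
          LD_OPT="$(DEB_BUILD_MAINT_OPTIONS=hardening=+all DEB_CFLAGS_MAINT_APPEND=-fPIC DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed dpkg-buildflags --get LDFLAGS)"

          # configure options. Backslash-newline inside double quotes is a
          # line continuation, so this becomes one line in $GITHUB_ENV.
          CONFIGURE_OPTS="--prefix=/usr/local/nginx \
            --with-http_ssl_module \
            --with-http_realip_module \
            --with-http_addition_module \
            --with-http_sub_module \
            --with-http_dav_module \
            --with-http_flv_module \
            --with-http_mp4_module \
            --with-http_gunzip_module \
            --with-http_gzip_static_module \
            --with-http_random_index_module \
            --with-http_secure_link_module \
            --with-http_stub_status_module \
            --with-mail \
            --with-mail_ssl_module \
            --with-select_module \
            --with-poll_module \
            --with-http_auth_request_module \
            --with-http_v2_module \
            --with-http_slice_module \
            --with-stream \
            --with-stream_ssl_module \
            --with-stream_ssl_preread_module \
            --with-stream_realip_module \
            --with-threads \
            --with-compat \
            --with-http_perl_module \
            --with-http_xslt_module \
            --with-http_image_filter_module \
            --with-http_degradation_module \
            --with-http_v3_module"

          # Export for the later steps (each step starts a fresh shell).
          {
            echo "CC_OPT=$CC_OPT"
            echo "LD_OPT=$LD_OPT"
            echo "CONFIGURE_OPTS=$CONFIGURE_OPTS"
          } >> "$GITHUB_ENV"

          # Working directory; nothing else in this workflow references it.
          mkdir -p t/

          # Core dumps: a ulimit only affects this step's shell, so repeat it
          # in whichever step should actually produce a dump.
          ulimit -c unlimited

      - name: 安装依赖包
        run: |
          sudo apt update
          sudo apt install -y \
            gcc \
            make \
            libpcre3-dev \
            zlib1g-dev \
            libssl-dev \
            libxml2-dev \
            libxslt1-dev \
            libgd-dev \
            libperl-dev \
            jq \
            dpkg-dev \
            --no-install-recommends
          sudo apt clean

      - name: 配置和编译 NGINX
        run: |
          echo "当前工作目录: $(pwd)"
          echo "目录内容:"
          ls -la

          # The checkout must be an nginx source tree (auto/configure).
          if [ ! -f "auto/configure" ]; then
            echo "错误:找不到 auto/configure 文件"
            echo "可能的 configure 文件位置:"
            find . -name "configure" -type f 2>/dev/null || true
            find . -name "auto" -type d 2>/dev/null || true
            exit 1
          fi

          echo "开始配置 NGINX..."
          # CONFIGURE_OPTS is intentionally unquoted so it word-splits into
          # individual options.
          ./auto/configure \
            $CONFIGURE_OPTS \
            --with-cc-opt="$CC_OPT" \
            --with-ld-opt="$LD_OPT" \
            || {
              echo "配置失败,查看错误日志:"
              if [ -f "objs/autoconf.err" ]; then
                cat objs/autoconf.err
              else
                echo "错误日志文件 objs/autoconf.err 不存在"
              fi
              exit 1
            }

          echo "开始编译 NGINX..."
          # Retry serially so a parallel-build failure is reported in order.
          make -j"$(nproc)" || {
            echo "并行编译失败,尝试单线程编译..."
            make
          }

      - name: 安装 NGINX
        run: sudo make install

      - name: 测试 NGINX
        run: |
          echo "启动 NGINX 服务..."
          sudo /usr/local/nginx/sbin/nginx
          echo "等待服务启动..."
          sleep 2
          echo "测试 HTTP 连接..."
          curl -f http://localhost || {
            echo "HTTP 测试失败,查看 NGINX 状态..."
            sudo /usr/local/nginx/sbin/nginx -t
            sudo /usr/local/nginx/sbin/nginx -V
            exit 1
          }
          echo "停止 NGINX 服务..."
          sudo /usr/local/nginx/sbin/nginx -s quit || sudo /usr/local/nginx/sbin/nginx -s stop

      - name: 设置 Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: 创建优化的 Dockerfile
        run: |
          # Docker's COPY can only read from the build context (the checkout),
          # so stage the host install there. `COPY /usr/local/nginx` would have
          # resolved to ./usr/local/nginx inside the context and failed.
          sudo rm -rf nginx-dist
          sudo cp -a /usr/local/nginx nginx-dist
          sudo chown -R "$(id -u):$(id -g)" nginx-dist

          cat > Dockerfile << 'EOF'
          FROM ubuntu:22.04

          # Non-interactive apt and timezone
          ENV DEBIAN_FRONTEND=noninteractive
          ENV TZ=Asia/Shanghai

          # Runtime libraries matching the -dev packages used at build time.
          # libperl5.34: nginx was linked with the (static) http_perl_module.
          # libcap2-bin: provides setcap, used below.
          # NOTE(review): the `nginx` Perl module that `make install` put into
          # the host's Perl site path is not copied into this image — confirm
          # the container's nginx starts (e.g. `nginx -t`) before relying on it.
          RUN apt-get update && \
              apt-get install -y --no-install-recommends \
                libpcre3 \
                zlib1g \
                libssl3 \
                libxml2 \
                libxslt1.1 \
                libgd3 \
                libperl5.34 \
                libcap2-bin \
                ca-certificates \
                curl && \
              apt-get clean && \
              rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

          # Unprivileged service account
          RUN groupadd -r nginx && useradd -r -g nginx nginx

          # nginx-dist is the staged copy of the host's /usr/local/nginx
          COPY nginx-dist /usr/local/nginx

          # Writable state (logs, pid file, temp dirs) belongs to nginx, but the
          # binary stays root-owned so the service account cannot modify it.
          # chown clears file capabilities, so setcap runs last: it lets the
          # non-root master process bind port 80.
          RUN mkdir -p /var/log/nginx /var/cache/nginx && \
              chown -R nginx:nginx /var/log/nginx /var/cache/nginx /usr/local/nginx && \
              chown root:root /usr/local/nginx/sbin/nginx && \
              chmod 0755 /usr/local/nginx/sbin/nginx && \
              setcap 'cap_net_bind_service=+ep' /usr/local/nginx/sbin/nginx

          EXPOSE 80 443

          HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
            CMD curl -f http://localhost/ || exit 1

          WORKDIR /usr/local/nginx

          # Run as the unprivileged user
          USER nginx

          CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
          EOF

      - name: 登录到 Harbor
        # Registry secrets are not available to pull_request runs from forks,
        # and code from an unreviewed PR must not be published; only push
        # events authenticate and publish.
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ secrets.HARBOR_REGISTRY }}
          username: ${{ secrets.HARBOR_USERNAME }}
          password: ${{ secrets.HARBOR_PASSWORD }}

      - name: 构建并推送 Docker 镜像
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v5
        # Authentication comes from the login step above; build-push-action
        # has no username/password inputs, so they are not passed here.
        with:
          context: .
          push: true
          # Every push on any branch overwrites `latest`; add a ref condition
          # if `latest` should only track main.
          tags: |
            ${{ secrets.HARBOR_REGISTRY }}/nginx/nginx:${{ github.sha }}
            ${{ secrets.HARBOR_REGISTRY }}/nginx/nginx:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64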