186 changes: 129 additions & 57 deletions .github/scripts/update-nginx-checksums.sh
Expand Up @@ -9,18 +9,90 @@

set -euo pipefail

readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1" >&2; }
log_warn() { echo -e "${YELLOW}[!]${NC} $1"; }

usage() {
# ============================================================================
# Common Helper Functions
# The same helpers are used in every bash script in this repo, so the
# scripts stay consistent while remaining standalone single-file downloads.
# Function names follow the PowerShell Verb-Noun convention.
# ============================================================================

# shellcheck disable=SC2034 # not every script uses every color
readonly RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' \
BLUE='\033[0;34m' PURPLE='\033[0;35m' BOLD='\033[1m' NC='\033[0m'

# Optional plain-text logfile; set LOG_FILE after this block to enable.
LOG_FILE="${LOG_FILE:-}"

# Usage: Write-Log <INFO|SUCCESS|WARN|ERROR|STEP> "message"
Write-Log() {
local level=$1; shift
local color=$NC
case $level in
INFO) color=$BLUE ;;
SUCCESS) color=$GREEN ;;
WARN) color=$YELLOW ;;
ERROR) color=$RED ;;
STEP) color=$PURPLE ;;
esac
if [[ $level == ERROR ]]; then
echo -e "${color}[$level]${NC} $*" >&2
else
echo -e "${color}[$level]${NC} $*"
fi
if [[ -n "$LOG_FILE" ]]; then
echo "[$level] $*" >> "$LOG_FILE"
fi
}

# Usage: Stop-Script "fatal message"
Stop-Script() {
Write-Log ERROR "$1"
exit 1
}

# Usage: Test-Root (exits unless running as root)
Test-Root() {
[[ $EUID -eq 0 ]] || Stop-Script "Run as root (sudo)."
}

# Usage: mgr=$(Get-PkgMgr) -> apt | dnf | pacman | unknown
Get-PkgMgr() {
if command -v apt-get >/dev/null 2>&1; then
echo "apt"
elif command -v dnf >/dev/null 2>&1; then
echo "dnf"
elif command -v pacman >/dev/null 2>&1; then
echo "pacman"
else
echo "unknown"
fi
}

# Usage: os_id=$(Get-OsId) -> lowercase /etc/os-release ID (ubuntu, debian,
# fedora, arch, ...) or "unknown". Call in $(...) so sourcing stays contained.
Get-OsId() {
if [[ -r /etc/os-release ]]; then
# shellcheck disable=SC1091
. /etc/os-release
local os_id="${ID:-unknown}"
echo "${os_id,,}"
else
echo "unknown"
fi
}

# Usage: Invoke-Cmd command [args...]
# Logs the command, sends its output to LOG_FILE when set, aborts on failure.
Invoke-Cmd() {
Write-Log INFO "Executing: $*"
if [[ -n "$LOG_FILE" ]]; then
"$@" >> "$LOG_FILE" 2>&1 || Stop-Script "Command failed: '$*'. Check log: $LOG_FILE"
else
"$@" || Stop-Script "Command failed: '$*'"
fi
}

Show-Usage() {
cat <<'EOF'
Usage: update-nginx-checksums.sh [--apply]

Expand All @@ -38,12 +110,12 @@ while [[ $# -gt 0 ]]; do
shift
;;
-h|--help)
usage
Show-Usage
exit 0
;;
*)
log_error "Unknown argument: $1"
usage
Write-Log ERROR "Unknown argument: $1"
Show-Usage
exit 1
;;
esac
Expand All @@ -56,36 +128,36 @@ readonly PS_INSTALLER="$REPO_ROOT/nginx/nginx_installer.ps1"

cd "$REPO_ROOT"

read_sh_var() {
Get-BashVar() {
local key=$1
sed -n "s/^${key}=\"\\([^\"]*\\)\"$/\\1/p" "$BASH_INSTALLER" | head -n1
}

update_bash_var() {
Set-BashVar() {
local key=$1
local value=$2
sed -i "s/^${key}=\"[^\"]*\"$/${key}=\"${value}\"/" "$BASH_INSTALLER"
}

update_ps_var() {
Set-PsVar() {
local key=$1
local value=$2
sed -i "s#^\\(\\\$Script:${key}[[:space:]]*=[[:space:]]*'\\)[^']*'#\\1${value}'#" "$PS_INSTALLER"
}

download_and_hash() {
Get-UrlHash() {
local url=$1
local file=$2
curl -fsSL "$url" -o "$file"
sha256sum "$file" | awk '{print $1}'
}

NGINX_VERSION="$(read_sh_var NGINX_VERSION)"
PCRE2_VERSION="$(read_sh_var PCRE2_VERSION)"
ZLIB_VERSION="$(read_sh_var ZLIB_VERSION)"
HEADERS_MORE_VERSION="$(read_sh_var HEADERS_MORE_VERSION)"
ZSTD_MODULE_VERSION="$(read_sh_var ZSTD_MODULE_VERSION)"
ACME_MODULE_VERSION="$(read_sh_var ACME_MODULE_VERSION)"
NGINX_VERSION="$(Get-BashVar NGINX_VERSION)"
PCRE2_VERSION="$(Get-BashVar PCRE2_VERSION)"
ZLIB_VERSION="$(Get-BashVar ZLIB_VERSION)"
HEADERS_MORE_VERSION="$(Get-BashVar HEADERS_MORE_VERSION)"
ZSTD_MODULE_VERSION="$(Get-BashVar ZSTD_MODULE_VERSION)"
ACME_MODULE_VERSION="$(Get-BashVar ACME_MODULE_VERSION)"

required_values=(
"$NGINX_VERSION"
Expand All @@ -96,10 +168,10 @@ required_values=(
"$ACME_MODULE_VERSION"
)
for value in "${required_values[@]}"; do
[[ -n "$value" ]] || { log_error "Failed to read one or more versions from $BASH_INSTALLER"; exit 1; }
[[ -n "$value" ]] || { Write-Log ERROR "Failed to read one or more versions from $BASH_INSTALLER"; exit 1; }
done

log_info "Versions to recalculate:"
Write-Log INFO "Versions to recalculate:"
echo " NGINX: $NGINX_VERSION"
echo " PCRE2: $PCRE2_VERSION"
echo " Zlib: $ZLIB_VERSION"
Expand All @@ -112,28 +184,28 @@ TEMP_DIR=$(mktemp -d)
trap 'rm -rf -- "$TEMP_DIR"' EXIT
cd "$TEMP_DIR"

log_info "Downloading and hashing release tarballs..."
Write-Log INFO "Downloading and hashing release tarballs..."

NGINX_SHA256="$(download_and_hash "https://github.com/nginx/nginx/releases/download/release-${NGINX_VERSION}/nginx-${NGINX_VERSION}.tar.gz" "nginx.tar.gz")"
log_success "NGINX_SHA256: $NGINX_SHA256"
NGINX_SHA256="$(Get-UrlHash "https://github.com/nginx/nginx/releases/download/release-${NGINX_VERSION}/nginx-${NGINX_VERSION}.tar.gz" "nginx.tar.gz")"
Write-Log SUCCESS "NGINX_SHA256: $NGINX_SHA256"

PCRE2_SHA256="$(download_and_hash "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VERSION}/pcre2-${PCRE2_VERSION}.tar.gz" "pcre2.tar.gz")"
log_success "PCRE2_SHA256: $PCRE2_SHA256"
PCRE2_SHA256="$(Get-UrlHash "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VERSION}/pcre2-${PCRE2_VERSION}.tar.gz" "pcre2.tar.gz")"
Write-Log SUCCESS "PCRE2_SHA256: $PCRE2_SHA256"

ZLIB_SHA256="$(download_and_hash "https://github.com/madler/zlib/releases/download/v${ZLIB_VERSION}/zlib-${ZLIB_VERSION}.tar.gz" "zlib.tar.gz")"
log_success "ZLIB_SHA256: $ZLIB_SHA256"
ZLIB_SHA256="$(Get-UrlHash "https://github.com/madler/zlib/releases/download/v${ZLIB_VERSION}/zlib-${ZLIB_VERSION}.tar.gz" "zlib.tar.gz")"
Write-Log SUCCESS "ZLIB_SHA256: $ZLIB_SHA256"

HEADERS_MORE_SHA256="$(download_and_hash "https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${HEADERS_MORE_VERSION}.tar.gz" "headers-more.tar.gz")"
log_success "HEADERS_MORE_SHA256: $HEADERS_MORE_SHA256"
HEADERS_MORE_SHA256="$(Get-UrlHash "https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v${HEADERS_MORE_VERSION}.tar.gz" "headers-more.tar.gz")"
Write-Log SUCCESS "HEADERS_MORE_SHA256: $HEADERS_MORE_SHA256"

ZSTD_MODULE_SHA256="$(download_and_hash "https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${ZSTD_MODULE_VERSION}.tar.gz" "zstd-module.tar.gz")"
log_success "ZSTD_MODULE_SHA256: $ZSTD_MODULE_SHA256"
ZSTD_MODULE_SHA256="$(Get-UrlHash "https://github.com/tokers/zstd-nginx-module/archive/refs/tags/${ZSTD_MODULE_VERSION}.tar.gz" "zstd-module.tar.gz")"
Write-Log SUCCESS "ZSTD_MODULE_SHA256: $ZSTD_MODULE_SHA256"

ACME_MODULE_SHA256="$(download_and_hash "https://github.com/nginx/nginx-acme/releases/download/v${ACME_MODULE_VERSION}/nginx-acme-${ACME_MODULE_VERSION}.tar.gz" "nginx-acme.tar.gz")"
log_success "ACME_MODULE_SHA256: $ACME_MODULE_SHA256"
ACME_MODULE_SHA256="$(Get-UrlHash "https://github.com/nginx/nginx-acme/releases/download/v${ACME_MODULE_VERSION}/nginx-acme-${ACME_MODULE_VERSION}.tar.gz" "nginx-acme.tar.gz")"
Write-Log SUCCESS "ACME_MODULE_SHA256: $ACME_MODULE_SHA256"

echo
log_info "Calculated checksums:"
Write-Log INFO "Calculated checksums:"
echo " NGINX_SHA256: $NGINX_SHA256"
echo " PCRE2_SHA256: $PCRE2_SHA256"
echo " ZLIB_SHA256: $ZLIB_SHA256"
Expand All @@ -145,27 +217,27 @@ echo
if [[ "$APPLY" != true ]]; then
read -rp "Apply these checksums to installer files? [y/N] " response
if [[ ! "$response" =~ ^[Yy]$ ]]; then
log_info "No changes made"
Write-Log INFO "No changes made"
exit 0
fi
fi

cd "$REPO_ROOT"

update_bash_var NGINX_SHA256 "$NGINX_SHA256"
update_bash_var PCRE2_SHA256 "$PCRE2_SHA256"
update_bash_var ZLIB_SHA256 "$ZLIB_SHA256"
update_bash_var HEADERS_MORE_SHA256 "$HEADERS_MORE_SHA256"
update_bash_var ZSTD_MODULE_SHA256 "$ZSTD_MODULE_SHA256"
update_bash_var ACME_MODULE_SHA256 "$ACME_MODULE_SHA256"

update_ps_var NGINX_SHA256 "$NGINX_SHA256"
update_ps_var PCRE2_SHA256 "$PCRE2_SHA256"
update_ps_var ZLIB_SHA256 "$ZLIB_SHA256"
update_ps_var HEADERS_MORE_SHA256 "$HEADERS_MORE_SHA256"
update_ps_var ZSTD_MODULE_SHA256 "$ZSTD_MODULE_SHA256"
update_ps_var ACME_MODULE_SHA256 "$ACME_MODULE_SHA256"

log_success "Updated checksums in:"
Set-BashVar NGINX_SHA256 "$NGINX_SHA256"
Set-BashVar PCRE2_SHA256 "$PCRE2_SHA256"
Set-BashVar ZLIB_SHA256 "$ZLIB_SHA256"
Set-BashVar HEADERS_MORE_SHA256 "$HEADERS_MORE_SHA256"
Set-BashVar ZSTD_MODULE_SHA256 "$ZSTD_MODULE_SHA256"
Set-BashVar ACME_MODULE_SHA256 "$ACME_MODULE_SHA256"

Set-PsVar NGINX_SHA256 "$NGINX_SHA256"
Set-PsVar PCRE2_SHA256 "$PCRE2_SHA256"
Set-PsVar ZLIB_SHA256 "$ZLIB_SHA256"
Set-PsVar HEADERS_MORE_SHA256 "$HEADERS_MORE_SHA256"
Set-PsVar ZSTD_MODULE_SHA256 "$ZSTD_MODULE_SHA256"
Set-PsVar ACME_MODULE_SHA256 "$ACME_MODULE_SHA256"

Write-Log SUCCESS "Updated checksums in:"
echo " - nginx/nginx_installer.sh"
echo " - nginx/nginx_installer.ps1"
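Review bot: Get-UrlHash, in the hunk starting at `@@ -56,36 +128,36 @@`, ignores curl's exit status. It is only ever called inside `$(...)`, where bash clears errexit unless `inherit_errexit` is enabled (not visible on this page), so a transfer that fails after writing part of the file still reaches sha256sum and the digest of a truncated tarball is returned as if it were good. Changing the download line to `curl -fsSL "$url" -o "$file" || return 1` makes the assignment fail and stops the script before anything is pinned. Set-BashVar and Set-PsVar then splice the value into a sed replacement unchecked; a guard at the top of both, such as `[[ $value =~ ^[0-9a-f]{64}$ ]] || Stop-Script "Refusing to write non-SHA-256 value for $key"`, keeps anything but a digest out of the installers. The renamed functions also lack the `# Usage:` header the new helpers received; for Get-UrlHash, `# Usage: hash=$(Get-UrlHash URL FILE) -> SHA-256 of the file as downloaded now (not checked against any upstream signature)` would state the trust assumption behind the pinned values.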