diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..84a81703 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +##################### +# Main global owner # +##################### + +* @nginx/docker-unprivileged diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index d67363b1..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -name: Bug report -about: Create a bug report to help us improve -title: "" -labels: "" -assignees: "" ---- -### Describe the bug - -A clear and concise description of what the bug is. - -### To reproduce - -Steps to reproduce the behavior: - -1. Deploy NGINX Unprivileged Docker image -2. View output/logs/configuration on '...' -3. See error - -### Expected behavior - -A clear and concise description of what you expected to happen. - -### Your environment - -- Version of Docker and method of installation (e.g. Docker Desktop / Docker Server) -- Version/tag of the NGINX Unprivileged Docker image (e.g. `nginxinc/nginx-unprivileged:alpine`) -- Target deployment environment/platform (e.g. OpenShift / Kubernetes / Docker Compose / etc...) - -### Additional context - -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 00000000..b9048c2f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -0,0 +1,67 @@ +--- +name: 🐛 Bug report +description: Create a report to help us improve +labels: bug +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this bug report! + + Before you continue filling out this report, please take a moment to check that your bug has not been [already reported on GitHub][issue search] 🙌 + + Remember to redact any sensitive information such as authentication credentials and/or license keys! + + **Note:** If you are seeking community support or have a question, please consider starting a new thread via [GitHub discussions][discussions] or the [NGINX Community forum][forum]. + + [issue search]: ../search?q=is%3Aissue&type=issues + + [discussions]: ../discussions + [forum]: https://community.nginx.org + + - type: textarea + id: overview + attributes: + label: Bug Overview + description: A clear and concise overview of the bug. + placeholder: When I do "X" with the NGINX unprivileged Docker image, "Y" happens instead of "Z". + validations: + required: true + + - type: textarea + id: behavior + attributes: + label: Expected Behavior + description: A clear and concise description of what you expected to happen. + placeholder: When I do "X" with the NGINX unprivileged Docker image, I expect "Z" to happen. + validations: + required: true + + - type: textarea + id: steps + attributes: + label: Steps to Reproduce the Bug + description: Detail the series of steps required to reproduce the bug. Deploy NGINX Unprivileged Docker image, View output/logs/configuration on '...', See error. + placeholder: When I run the NGINX Docker unprivileged image using [...], the image fails with an error message. If I check the terminal outputs and/or logs, I see the following error info. + validations: + required: true + + - type: textarea + id: environment + attributes: + label: Environment Details + description: Please provide details about your environment. 
+ value: | + - Version of Docker and method of installation: [e.g. Docker Desktop / Docker Server] + - Version/tag of the NGINX Docker unprivileged image or specific commit: [e.g. 1.4.3/commit hash] + - Target deployment platform: [e.g. OpenShift/Kubernetes/Docker Compose/local cluster/etc...] + - Target OS: [e.g. RHEL 9/Ubuntu 24.04/etc...] + validations: + required: true + + - type: textarea + id: context + attributes: + label: Additional Context + description: Add any other context about the problem here. + placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this issue in here. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 00000000..3f7850f7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,12 @@ +--- +blank_issues_enabled: false +contact_links: + - name: 💬 Talk to the NGINX community! + url: https://community.nginx.org + about: A community forum for NGINX users, developers, and contributors + - name: 📝 Code of Conduct + url: https://www.contributor-covenant.org/version/2/1/code_of_conduct + about: NGINX follows the Contributor Covenant Code of Conduct to ensure a safe and inclusive community + - name: 💼 For commercial & enterprise users + url: https://www.f5.com/products/nginx + about: F5 offers a wide range of NGINX products for commercial & enterprise users diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index bb6fb0f0..00000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: "" -labels: "" -assignees: "" ---- -### Is your feature request related to a problem? Please describe - -A clear and concise description of what the problem is. Ex. I'm always frustrated when ... - -### Describe the solution you'd like - -A clear and concise description of what you want to happen. - -### Describe alternatives you've considered - -A clear and concise description of any alternative solutions or features you've considered. - -### Additional context - -Add any other context or screenshots about the feature request here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 00000000..b1a3fcb8 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
@@ -0,0 +1,41 @@ +--- +name: ✨ Feature request +description: Suggest an idea for this project +labels: enhancement +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this feature request! + + Before you continue filling out this request, please take a moment to check that your feature has not been [already requested on GitHub][issue search] 🙌 + + **Note:** If you are seeking community support or have a question, please consider starting a new thread via [GitHub discussions][discussions] or the [NGINX Community forum][forum]. + + [issue search]: ../search?q=is%3Aissue&type=issues + + [discussions]: ../discussions + [forum]: https://community.nginx.org + + - type: textarea + id: overview + attributes: + label: Feature Overview + description: A clear and concise description of what the feature request is. + placeholder: I would like the NGINX Docker unprivileged image to be able to do "X". + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives Considered + description: Detail any potential alternative solutions/workarounds you've used or considered. + placeholder: I have done/might be able to do "X" using the NGINX Docker unprivileged image by doing "Y". + + - type: textarea + id: context + attributes: + label: Additional Context + description: Add any other context about the problem here. + placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this feature request here. diff --git a/.github/ISSUE_TEMPLATE/security_report.md b/.github/ISSUE_TEMPLATE/security_report.md deleted file mode 100644 index 0e792849..00000000 --- a/.github/ISSUE_TEMPLATE/security_report.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -name: Security report -about: Create a security report to help us improve -title: "" -labels: "" -assignees: "" ---- -### Describe the bug - -A clear and concise description of what the security vulnerability is. - -### To reproduce - -Steps to reproduce the behavior: - -1. Deploy NGINX Unprivileged Docker image -2. View output/logs/configuration on '...' -3. See error - -### Your environment - -- Version of the NGINX Unprivileged Docker image -- Target deployment environment/platform - -### Additional context - -Does this security vulnerability relate to one of the NGINX libraries specified in the [`SECURITY`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md) doc? diff --git a/.github/ISSUE_TEMPLATE/security_report.yml b/.github/ISSUE_TEMPLATE/security_report.yml new file mode 100644 index 00000000..7f73b00e --- /dev/null +++ b/.github/ISSUE_TEMPLATE/security_report.yml 
@@ -0,0 +1,35 @@
+---
+name: ⚠️ Security advisory
+description: Warn of a security advisory
+labels: security
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thanks for taking the time to fill out this security advisory!
+
+ Before you continue filling out this request, please take a moment to check that your advisory complies with the guidance in the [security documentation][security] and has not been [already reported on GitHub][issue search] 🙌
+
+ **Note:** If you are seeking community support or have a question, please consider starting a new thread via [GitHub discussions][discussions] or the [NGINX Community forum][forum].
+
+ [security]: https://github.com/nginx/docker-nginx-unprivileged/blob/main/SECURITY.md
+ [issue search]: ../search?q=is%3Aissue&type=issues
+
+ [discussions]: ../discussions
+ [forum]: https://community.nginx.org
+
+ - type: textarea
+ id: overview
+ attributes:
+ label: Security advisory overview
+ description: A clear and concise description of what the security advisory is.
+ placeholder: The NGINX Docker unprivileged image is vulnerable to CVE "X".
+ validations:
+ required: true
+
+ - type: textarea
+ id: context
+ attributes:
+ label: Additional Context
+ description: Add any other context about the problem here.
+ placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this security advisory here.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index a054d333..87a9619c 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
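Review bot: This is a public issue form, yet its placeholder invites `The NGINX Docker unprivileged image is vulnerable to CVE "X".` with no statement that undisclosed vulnerabilities must not be filed here; the only guard is a link to the security documentation, which a reporter may not read before posting. Add an explicit line to the opening markdown `value:` block, e.g. `**Do not report undisclosed vulnerabilities through this public form** — use the private reporting process described in the [security documentation][security]; this form is only for advisories that are already public (for example a published CVE in a package bundled in the image).` SECURITY.md is not part of this diff, so the wording should be aligned with whatever private channel it actually specifies.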
@@ -6,7 +6,8 @@ Describe the use case and detail of the change. If this PR addresses an issue on
 Before creating a PR, run through this checklist and mark each as complete:
-- [ ] I have read the [`CONTRIBUTING`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/CONTRIBUTING.md) document
-- [ ] I have run `./update.sh` and ensured all entrypoint/Dockerfile template changes have been applied to the relevant image entrypoint scripts & Dockerfiles
-- [ ] I have tested that the NGINX Unprivileged Docker images build and run correctly on all supported architectures on an unprivileged environment (check out the [`README`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/README.md) for more details)
-- [ ] I have updated any relevant documentation ([`README`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/README.md))
+- [ ] I have read the [contributing guidelines](/CONTRIBUTING.md)
+- [ ] I have signed the [F5 Contributor License Agreement (CLA)](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md)
+- [ ] I have run the [`update.sh`](/update.sh) script and ensured all entrypoint/Dockerfile template changes have been applied to the relevant image entrypoint scripts & Dockerfiles
+- [ ] I have tested that the NGINX Docker unprivileged image builds and runs correctly on all supported architectures on an unprivileged environment (check out the [`README`](/README.md) for more details)
+- [ ] I have updated any relevant documentation ([`README.md`](/README.md))
diff --git a/.github/scorecard.yml b/.github/scorecard.yml
new file mode 100644
index 00000000..3bae3593
--- /dev/null
+++ b/.github/scorecard.yml
@@ -0,0 +1,7 @@
+---
+annotations:
+ - checks:
+ - fuzzing
+ - sast
+ reasons:
+ - reason: not-applicable
diff --git a/.github/workflows/alpine-mainline.yml b/.github/workflows/alpine-mainline.yml
index 32b5cd7e..d3142cf2 100644
--- a/.github/workflows/alpine-mainline.yml
+++ b/.github/workflows/alpine-mainline.yml
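Review bot: The new scorecard annotation exempts `sast` alongside `fuzzing` with a bare `reason: not-applicable` and no rationale, and for SAST that is not self-evident: the PR checklist changed in this same commit points at `update.sh` and the generated entrypoint scripts and Dockerfiles, which are exactly what shell and Dockerfile linters cover. Fuzzing is plausibly not applicable to a repository that builds no code of its own, but a future reader cannot tell whether `sast` was exempted because such linting runs elsewhere, because Scorecard does not recognise the tools in use, or by oversight. Record the reasoning next to the entry so the exemption can be re-evaluated, e.g. a comment above `- checks:` such as `# not-applicable: this repo holds only Dockerfiles, entrypoint scripts and workflows — revisit if shell/Dockerfile linting is added or Scorecard starts detecting it`, adjusted to whatever the actual reason is.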
@@ -2,6 +2,7 @@ name: Alpine Mainline on: pull_request: + merge_group: schedule: - cron: "0 0 * * 1" workflow_dispatch: @@ -16,7 +17,7 @@ jobs: distro: ${{ steps.distro_version.outputs.release }} steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Parse NGINX mainline version id: nginx_version @@ -28,7 +29,7 @@ jobs: - name: Parse Alpine version id: distro_version run: | - echo "release=$(cat update.sh | grep -m7 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" + echo "release=$(cat update.sh | grep -m8 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" slim: name: Build Alpine NGINX mainline slim Docker image @@ -38,17 +39,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
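Review bot: Adding `merge_group:` as a trigger makes every step in this file that is gated on `if: ${{ github.event_name != 'pull_request' }}` — the registry logins, `push: ${{ github.event_name != 'pull_request' }}` in build-push-action, and the Docker Hub signing step — execute for merge-queue builds, because the event name there is `merge_group`, not `pull_request`. A merge-queue run builds a temporary branch that may still be rejected, so this would publish and sign mainline tags from code that has not landed, and hands the registry and DCT signing secrets to that context; from the visible triggers, `schedule` and `workflow_dispatch` appear to be the only intended publishing events. Unless publishing from the queue is deliberate, tighten the gate, e.g. `if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}` (and the same expression for `push:`), or use a positive list of publishing events. The identical `merge_group:` addition to `alpine-stable.yml` later in this diff has the same effect.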
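Review bot: The Alpine release is still selected by position — `grep -m8 '\[mainline\]=' | tail -n1` takes whichever `[mainline]=` assignment is eighth in `update.sh` — and the bump from `-m7` to `-m8` in this hunk shows how brittle that is: adding the otel variant shifted the index, and any future reorder or insertion will silently pick a different value with no error. Presumably `update.sh` holds one `[mainline]=` entry per variant; if so, give the Alpine version entry a name the workflow can match directly (a distinct variable or a key that includes `alpine`) and grep for that instead of counting occurrences. `update.sh` is not in this diff, so the exact pattern needs confirming against it.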
@@ -56,20 +57,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -77,7 +78,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -85,11 +86,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -108,9 +109,9 @@ jobs: - name: Build and push NGINX mainline slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-slim" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} @@ -156,17 +157,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -174,20 +175,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -195,7 +196,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -203,11 +204,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -226,9 +227,9 @@ jobs: - name: Build and push NGINX mainline Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} @@ -274,17 +275,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -292,20 +293,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -313,7 +314,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -321,11 +322,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -344,9 +345,9 @@ jobs: - name: Build and push NGINX mainline perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:mainline/alpine-perl" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} 
@@ -383,3 +384,121 @@ jobs:
 DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
 DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
 NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+
+ otel:
+ name: Build Alpine NGINX mainline otel Docker image
+ needs: [version, core]
+ runs-on: ubuntu-24.04
+ strategy:
+ fail-fast: false
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+ - name: Configure AWS credentials
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ - name: Login to Amazon ECR Public Gallery
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ registry: public.ecr.aws
+
+ - name: Login to Docker Hub
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Login to GitHub Container Registry
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Login to Quay
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_TOKEN }}
+
+ - name: Extract metadata (annotations, labels, tags) for Docker
+ id: meta
+ uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+ with:
+ images: |
+ docker.io/nginxinc/nginx-unprivileged
+ ghcr.io/nginx/nginx-unprivileged
+ public.ecr.aws/nginx/nginx-unprivileged
+ quay.io/nginx/nginx-unprivileged
+ tags: |
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel
+ type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel
+ type=raw,value=${{ needs.version.outputs.major }}-alpine-otel
+ type=raw,value=${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-otel
+ type=raw,value=mainline-alpine-otel
+ type=raw,value=mainline-alpine${{ needs.version.outputs.distro }}-otel
+ type=raw,value=alpine-otel
+ type=raw,value=alpine${{ needs.version.outputs.distro }}-otel
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Build and push NGINX mainline otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
+ id: build
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ platforms: linux/amd64, linux/arm64
+ context: "{{ defaultContext }}:mainline/alpine-otel"
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ tags: ${{ steps.meta.outputs.tags }}
+ push: ${{ github.event_name != 'pull_request' }}
+ # cache-from: type=gha,scope=alpine-otel
+ # cache-to: type=gha,mode=min,scope=alpine-otel
+
+ - name: Sign Docker Hub Manifest
+ if: ${{ github.event_name != 'pull_request' }}
+ run: |
+ set -ex
+ sudo apt update
+ sudo apt install -y notary
+ mkdir -p ~/.docker/trust/private
+ echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+ chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+ docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
+ DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
+ SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
+ export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+ notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+ env:
+ DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
+ DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
+ DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+ NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
diff --git a/.github/workflows/alpine-stable.yml b/.github/workflows/alpine-stable.yml
index ef082342..3f9db23c 100644
--- a/.github/workflows/alpine-stable.yml
+++ b/.github/workflows/alpine-stable.yml
@@ -2,6 +2,7 @@ name: Alpine Stable
 on:
 pull_request:
+ merge_group:
 schedule:
 - cron: "0 0 * * 1"
 workflow_dispatch:
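Review bot: `set -ex` in the new Sign Docker Hub Manifest step traces every command with its expansions, so `export NOTARY_AUTH=$(... | base64 -w0)` writes the base64 form of the Docker Hub username and token into the job log, and GitHub's automatic redaction covers only the registered secret values, not derived encodings like this one. The same step also splices the secrets and `steps.build.outputs.metadata` into the script source via `${{ }}`, and uses the metadata JSON as a printf format string, so a `%`, quote or `$` in either value breaks the script or is interpreted by the shell. Drop `-x` (or keep it and register the derived value with `::add-mask::` before it is exported), pass the secrets and metadata through `env:`, and print them with `printf '%s'`; the sibling jobs' signing steps in this file follow the same pattern and would want the same change. The fence shows only the rewritten part of the step.

```yaml
      - name: Sign Docker Hub Manifest
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          set -e
          # … unchanged: apt install, key file setup, docker trust key load …
          DIGEST=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
          SIZE=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".size')
          NOTARY_AUTH=$(printf '%s:%s' "$DOCKERHUB_USERNAME" "$DOCKERHUB_TOKEN" | base64 -w0)
          echo "::add-mask::$NOTARY_AUTH"
          export NOTARY_AUTH
          # … unchanged: notary addhash calls …
        env:
          BUILD_METADATA: ${{ steps.build.outputs.metadata }}
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          # … unchanged: DOCKER_CONTENT_TRUST_* and NOTARY_TARGETS_PASSPHRASE …
```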
@@ -16,7 +17,7 @@ jobs: distro: ${{ steps.distro_version.outputs.release }} steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Parse NGINX stable version id: nginx_version @@ -28,7 +29,7 @@ jobs: - name: Parse Alpine version id: distro_version run: | - echo "release=$(cat update.sh | grep -m7 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" + echo "release=$(cat update.sh | grep -m8 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" slim: name: Build Alpine NGINX stable slim Docker image @@ -38,17 +39,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -56,20 +57,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -77,7 +78,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -85,11 +86,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -104,9 +105,9 @@ jobs: - name: Build and push NGINX stable slim Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine-slim" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} @@ -148,17 +149,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -166,20 +167,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -187,7 +188,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -195,11 +196,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -214,9 +215,9 @@ jobs: - name: Build and push NGINX stable Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} @@ -258,17 +259,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -276,20 +277,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -297,7 +298,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -305,11 +306,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -324,9 +325,9 @@ jobs: - name: Build and push NGINX stable perl Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/s390x + platforms: linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64, linux/386, linux/ppc64le, linux/riscv64, linux/s390x context: "{{ defaultContext }}:stable/alpine-perl" labels: ${{ steps.meta.outputs.labels }} annotations: ${{ steps.meta.outputs.annotations }} 
@@ -359,3 +360,112 @@ jobs:
           DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
           DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
           NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+  otel:
+    name: Build Alpine NGINX stable otel Docker image
+    needs: [version, core]
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Check out the codebase
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Configure AWS credentials
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Login to Amazon ECR Public Gallery
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: public.ecr.aws
+
+      - name: Login to Docker Hub
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to Quay
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Extract metadata (annotations, labels, tags) for Docker
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: |
+            docker.io/nginxinc/nginx-unprivileged
+            ghcr.io/nginx/nginx-unprivileged
+            public.ecr.aws/nginx/nginx-unprivileged
+            quay.io/nginx/nginx-unprivileged
+          tags: |
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel
+            type=raw,value=stable-alpine-otel
+            type=raw,value=stable-alpine${{ needs.version.outputs.distro }}-otel
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      - name: Build and push NGINX stable otel Alpine image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
+        id: build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          platforms: linux/amd64, linux/arm64
+          context: "{{ defaultContext }}:stable/alpine-otel"
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          tags: ${{ steps.meta.outputs.tags }}
+          push: ${{ github.event_name != 'pull_request' }}
+          # cache-from: type=gha,scope=stable-alpine-otel
+          # cache-to: type=gha,mode=min,scope=stable-alpine-otel
+
+      - name: Sign Docker Hub Manifest
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          set -ex
+          sudo apt update
+          sudo apt install -y notary
+          mkdir -p ~/.docker/trust/private
+          echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+          chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+          docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
+          DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
+          SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
+          export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-alpine${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+        env:
+          DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
+          DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
+          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+          NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
diff --git a/.github/workflows/debian-mainline.yml b/.github/workflows/debian-mainline.yml
index e3d5c28f..90a3dfa0 100644
--- a/.github/workflows/debian-mainline.yml
+++ b/.github/workflows/debian-mainline.yml
@@ -2,6 +2,7 @@ name: Debian Mainline
 
 on:
   pull_request:
+  merge_group:
   schedule:
     - cron: "0 0 * * 1"
   workflow_dispatch:
@@ -16,7 +17,7 @@ jobs:
       distro: ${{ steps.distro_version.outputs.release }}
     steps:
       - name: Check out the codebase
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Parse NGINX mainline version
         id: nginx_version
@@ -28,7 +29,7 @@ jobs:
       - name: Parse Debian version
         id: distro_version
         run: |
-          echo "release=$(cat update.sh | grep -m6 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
+          echo "release=$(cat update.sh | grep -m7 '\[mainline\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT"
 
   core:
     name: Build Debian NGINX mainline Docker image
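Review bot: The new Sign Docker Hub Manifest step in the alpine-stable otel job interpolates the Docker Hub credentials directly into the shell script (`export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)`) while `set -ex` is active, so the trace line for that assignment carries the base64-encoded token; the runner masks the raw secret values, but I would not rely on it recognising the encoded form. The step's `env:` block already carries the content-trust secrets, so add `DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}` and `DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}` there and build the value as `export NOTARY_AUTH=$(printf '%s:%s' "$DOCKERHUB_USERNAME" "$DOCKERHUB_TOKEN" | base64 -w0)`, with `set +x` around that line or `-x` dropped. The same step also uses `${{ steps.build.outputs.metadata }}` as the printf format string, so a `%` or a single quote in that JSON would corrupt the digest or break the script; pass it through `env:` as well (a constructed name such as `BUILD_METADATA`) and read it with `printf '%s' "$BUILD_METADATA"`. The otel job added to debian-mainline.yml has an identical step with the same two issues, and the context lines suggest the existing sign steps share the pattern, so one fix should be applied across all of them.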
@@ -38,17 +39,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -56,20 +57,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -77,7 +78,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -85,11 +86,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | @@ -108,7 +109,7 @@ jobs: - name: Build and push NGINX mainline Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x 
@@ -157,17 +158,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -175,20 +176,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -196,7 +197,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -204,11 +205,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | @@ -227,7 +228,7 @@ jobs: - name: Build and push NGINX mainline perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x 
@@ -267,3 +268,121 @@ jobs:
           DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
           DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
           NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+
+  otel:
+    name: Build Debian NGINX mainline otel Docker image
+    needs: [version, core]
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Check out the codebase
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Configure AWS credentials
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Login to Amazon ECR Public Gallery
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: public.ecr.aws
+
+      - name: Login to Docker Hub
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to Quay
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Extract metadata (annotations, labels, tags) for Docker
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: |
+            docker.io/nginxinc/nginx-unprivileged
+            ghcr.io/nginx/nginx-unprivileged
+            public.ecr.aws/nginx/nginx-unprivileged
+            quay.io/nginx/nginx-unprivileged
+          tags: |
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel
+            type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-otel
+            type=raw,value=${{ needs.version.outputs.major }}-otel
+            type=raw,value=${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-otel
+            type=raw,value=mainline-otel
+            type=raw,value=mainline-${{ needs.version.outputs.distro }}-otel
+            type=raw,value=otel
+            type=raw,value=${{ needs.version.outputs.distro }}-otel
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      - name: Build and push NGINX mainline otel Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay
+        id: build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          platforms: linux/amd64, linux/arm64
+          context: "{{ defaultContext }}:mainline/debian-otel"
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          tags: ${{ steps.meta.outputs.tags }}
+          push: ${{ github.event_name != 'pull_request' }}
+          # cache-from: type=gha,scope=debian-otel
+          # cache-to: type=gha,mode=min,scope=debian-otel
+
+      - name: Sign Docker Hub Manifest
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          set -ex
+          sudo apt update
+          sudo apt install -y notary
+          mkdir -p ~/.docker/trust/private
+          echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+          chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key
+          docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx
+          DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
+          SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size')
+          export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0)
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged mainline-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged otel $SIZE --sha256 $DIGEST --publish --verbose
+          notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose
+        env:
+          DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
+          DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
+          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+          NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
diff --git a/.github/workflows/debian-stable.yml b/.github/workflows/debian-stable.yml
index ae8dba5e..25081da4 100644
--- a/.github/workflows/debian-stable.yml
+++ b/.github/workflows/debian-stable.yml
@@ -2,6 +2,7 @@ name: Debian Stable
 
 on:
   pull_request:
+  merge_group:
   schedule:
     - cron: "0 0 * * 1"
   workflow_dispatch:
@@ -16,7 +17,7 @@ jobs: distro: ${{ steps.distro_version.outputs.release }} steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Parse NGINX stable version id: nginx_version @@ -25,10 +26,10 @@ jobs: echo "minor=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f2)" >> "$GITHUB_OUTPUT" echo "patch=$(cat update.sh | grep -m1 '\[stable\]=' | cut -d"'" -f2 | cut -d"." -f3)" >> "$GITHUB_OUTPUT" - - name: Parse Alpine version + - name: Parse Debian version id: distro_version run: | - echo "release=$(cat update.sh | grep -m6 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" + echo "release=$(cat update.sh | grep -m7 '\[stable\]=' | tail -n1 | cut -d"'" -f2)" >> "$GITHUB_OUTPUT" core: name: Build Debian NGINX stable Docker image @@ -38,17 +39,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -56,20 +57,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -77,7 +78,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -85,11 +86,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -104,7 +105,7 @@ jobs: - name: Build and push NGINX stable Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x @@ -149,17 +150,17 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Configure AWS credentials if: ${{ github.event_name != 'pull_request' }} - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -167,20 +168,20 @@ jobs: - name: Login to Amazon ECR Public Gallery if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: public.ecr.aws - name: Login to Docker Hub if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -188,7 +189,7 @@ jobs: - name: Login to Quay if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -196,11 +197,11 @@ jobs: - name: Extract metadata (annotations, labels, tags) for Docker id: meta - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | docker.io/nginxinc/nginx-unprivileged - ghcr.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged public.ecr.aws/nginx/nginx-unprivileged quay.io/nginx/nginx-unprivileged tags: | 
@@ -215,7 +216,7 @@ jobs: - name: Build and push NGINX stable perl Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay id: build - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: platforms: linux/amd64, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x # platforms: linux/amd64, linux/arm/v5, linux/arm/v7, linux/arm64, linux/386, linux/mips64le, linux/ppc64le, linux/s390x 
@@ -251,3 +252,113 @@ jobs: DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + + otel: + name: Build Debian NGINX stable otel Docker image + needs: [version, core] + runs-on: ubuntu-24.04 + strategy: + fail-fast: false + steps: + - name: Check out the codebase + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Configure AWS credentials + if: ${{ github.event_name != 'pull_request' }} + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Login to Amazon ECR Public Gallery + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: public.ecr.aws + + - name: Login to Docker Hub + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitHub Container Registry + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Quay + if: ${{ github.event_name != 'pull_request' }} + uses: 
docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: quay.io + username: ${{ secrets.QUAY_USERNAME }} + password: ${{ secrets.QUAY_TOKEN }} + + - name: Extract metadata (annotations, labels, tags) for Docker + id: meta + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 + with: + images: | + docker.io/nginxinc/nginx-unprivileged + ghcr.io/nginx/nginx-unprivileged + public.ecr.aws/nginx/nginx-unprivileged + quay.io/nginx/nginx-unprivileged + tags: | + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel + type=raw,value=${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-otel + type=raw,value=stable-otel + type=raw,value=stable-${{ needs.version.outputs.distro }}-otel + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Build and push NGINX stable otel Debian image to Amazon ECR Public Gallery, Docker Hub, GitHub Container Registry, and Quay + id: build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + platforms: linux/amd64, linux/arm64 + context: "{{ defaultContext }}:stable/debian-otel" + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} + push: ${{ github.event_name != 'pull_request' }} + # cache-from: type=gha,scope=stable-debian-otel + # cache-to: type=gha,mode=min,scope=stable-debian-otel + + - name: Sign Docker Hub Manifest + if: ${{ github.event_name != 'pull_request' }} + run: | + set -ex + sudo apt update + sudo apt install -y notary + mkdir -p ~/.docker/trust/private + 
echo "$DOCKER_CONTENT_TRUST_REPOSITORY_KEY" > ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + chmod 0400 ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key + docker trust key load ~/.docker/trust/private/$DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID.key --name nginx + DIGEST=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2) + SIZE=$(printf '${{ steps.build.outputs.metadata }}' | jq -r '."containerimage.descriptor".size') + export NOTARY_AUTH=$(printf "${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}" | base64 -w0) + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}.${{ needs.version.outputs.patch }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged ${{ needs.version.outputs.major }}.${{ needs.version.outputs.minor }}-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-otel $SIZE --sha256 $DIGEST --publish --verbose + notary -d ~/.docker/trust/ -s https://notary.docker.io addhash docker.io/nginxinc/nginx-unprivileged stable-${{ needs.version.outputs.distro }}-otel $SIZE --sha256 $DIGEST --publish 
--verbose + env: + DOCKER_CONTENT_TRUST_REPOSITORY_KEY: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }} + DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }} + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} + NOTARY_TARGETS_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} diff --git a/.github/workflows/f5_cla.yml b/.github/workflows/f5_cla.yml new file mode 100644 index 00000000..fd93801e --- /dev/null +++ b/.github/workflows/f5_cla.yml 
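Review bot: In the new signing step the Docker Hub credentials are spliced into the script body as `${{ secrets.DOCKERHUB_USERNAME }}:${{ secrets.DOCKERHUB_TOKEN }}` and then base64-encoded under `set -ex`, so the trace prints the encoded pair on the `export NOTARY_AUTH=…` line; GitHub masks the raw secret values in logs, and whether it also masks this encoded form is not something I would rely on. The same step hands `${{ steps.build.outputs.metadata }}` to `printf` as the format string, so any `%` in that JSON corrupts `DIGEST`/`SIZE`, and splicing `${{ }}` into `run:` is exactly the pattern the OSSF Scorecard workflow added by this commit flags. Passing all three values through `env:` (as the `DOCKER_CONTENT_TRUST_*` values already are), using `printf '%s'`, and dropping `-x` (the `notary --verbose` output remains) addresses all of it; the existing signing steps of the other jobs, including the one cut off at the top of this chunk, share the pattern. Writing the key file with `echo … >` before `chmod 0400` also leaves it briefly at the default umask, which `umask 077` at the top of the script closes.
```yaml
      - name: Sign Docker Hub Manifest
        if: ${{ github.event_name != 'pull_request' }}
        run: |
          set -e
          umask 077
          # … unchanged: apt install notary, key file creation, docker trust key load …
          DIGEST=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".digest' | cut -d ':' -f2)
          SIZE=$(printf '%s' "$BUILD_METADATA" | jq -r '."containerimage.descriptor".size')
          NOTARY_AUTH=$(printf '%s:%s' "$DOCKERHUB_USERNAME" "$DOCKERHUB_TOKEN" | base64 -w0)
          export NOTARY_AUTH
          # … unchanged: notary addhash calls …
        env:
          BUILD_METADATA: ${{ steps.build.outputs.metadata }}
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          # … unchanged: DOCKER_CONTENT_TRUST_* and NOTARY_TARGETS_PASSPHRASE …
```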
@@ -0,0 +1,42 @@ +--- +name: F5 CLA +on: + issue_comment: + types: [created] + pull_request_target: + types: [opened, closed, synchronize] +permissions: read-all +jobs: + f5-cla: + name: F5 CLA + runs-on: ubuntu-24.04 + permissions: + actions: write + pull-requests: write + statuses: write + steps: + - name: Run F5 Contributor License Agreement (CLA) assistant + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target' + uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 + with: + # Any pull request targeting the following branch will trigger a CLA check. + # NOTE: You might need to edit this value to 'master'. + branch: main + # Path to the CLA document. + path-to-document: https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md + # Custom CLA messages. + custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the [F5 Contributor License Agreement (CLA)](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md) and reply on a new comment with the following text to agree:' + custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms' + custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!' + # Remote repository storing CLA signatures. + remote-organization-name: f5 + remote-repository-name: f5-cla-data + path-to-signatures: signatures/signatures.json + # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA. + # NOTE: You will want to edit the usernames to suit your project needs. + allowlist: bot* + # Do not lock PRs after a merge. 
+ lock-pullrequest-aftermerge: false + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }} diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml index 3ed920b8..478c6916 100644 --- a/.github/workflows/image-cleanup.yml +++ b/.github/workflows/image-cleanup.yml @@ -14,10 +14,10 @@ jobs: fail-fast: false steps: - name: Check out the codebase - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: ${{ secrets.AWS_REGION }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -28,10 +28,13 @@ jobs: .github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh - name: Delete untagged NGINX Unprivileged Docker images on the GitHub Container Registry - uses: stumpylog/image-cleaner-action/untagged@0924047a3709a8f39313ec9e5f5888597e3bf81b # v0.8.0 + uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16 with: - is_org: true - owner: nginxinc - package_name: nginx-unprivileged - do_delete: true + package: nginx-unprivileged + delete-ghost-images: true + delete-untagged: true + delete-partial-images: true + delete-orphaned-images: true + older-than: 2 years token: ${{ secrets.GITHUB_TOKEN }} + validate: true diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml new file mode 100644 index 00000000..47f9e5af --- /dev/null +++ b/.github/workflows/ossf_scorecard.yml 
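Review bot: The job runs on `pull_request_target` with `pull-requests: write`, `statuses: write` and `actions: write` plus a PAT in `PERSONAL_ACCESS_TOKEN`, which is safe here only because no step checks out or executes anything from the PR head, and that invariant is not written down anywhere in the file. A comment under `on:` such as `# pull_request_target runs with base-repo permissions and secrets: never add a checkout or build of the PR head to this workflow` guards against a later edit that adds one. `actions: write` is broader than the CLA check appears to need from these lines; if the action's documentation does not require it, it can be dropped.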
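Review bot: The replacement action is configured with `delete-partial-images`, `delete-orphaned-images` and `older-than: 2 years` but no `owner`, whereas the previous configuration named `owner: nginxinc`; since the metadata changes in this commit move the package to `ghcr.io/nginx/…`, confirm that the action's default owner resolves to the organization that now holds the package. `validate: true` only checks multi-arch manifests after deletion, so a first run with the action's `dry-run` input (if v1.0.16 provides it) would show what the two-year cutoff and the partial/orphaned flags actually remove. A comment above the step, e.g. `# deletes untagged, ghost, partial and orphaned versions older than 2 years; run with dry-run first after changing any delete-* flag`, records the intent.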
@@ -0,0 +1,52 @@ +--- +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. +name: OSSF Scorecard +on: + # For Branch-Protection check. Only the default branch is supported. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection. + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained. + schedule: + - cron: "0 0 * * 1" + push: + branches: [main] + workflow_dispatch: +# Declare default permissions as read only. +permissions: read-all +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-24.04 + # Delete the conditional below if you are using the OSSF Scorecard on a private repository. + if: ${{ github.event.repository.private == false }} + permissions: + # Needed if using Code Scanning alerts. + security-events: write + # Needed for GitHub OIDC token if publish_results is true. + id-token: write + steps: + - name: Check out the codebase + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: + results_file: results.sarif + results_format: sarif + # Publish the results for public repositories to enable scorecard badges. For more details, see https://github.com/ossf/scorecard-action#publishing-results. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF format to the repository Actions tab. + - name: Upload artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. 
+ - name: Upload SARIF results to code scanning + uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5 + with: + sarif_file: results.sarif diff --git a/.github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh b/.github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh index 53bba9b7..bbc5ccc6 100755 --- a/.github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh +++ b/.github/workflows/scripts/delete-untagged-amazon-public-ecr-images.sh @@ -5,7 +5,8 @@ set -eu REPOSITORY_NAME=nginx-unprivileged -BATCH_DELETE_SIZE=100 # The max delete size allowed by the 'batch-delete-image' aws CLI command is 100 +BATCH_DELETE_SIZE=100 # The max delete size allowed by the 'batch-delete-image' AWS CLI command is 100 +CUTOFF_DATE=$(date -d '2 years ago' +%Y-%m-%d) function batch_delete { while read -r batch; do @@ -23,7 +24,7 @@ function batch_delete { # otherwise any referenced untagged images can not be deleted. IMAGE_DIGESTS=$(aws ecr-public describe-images \ --repository-name "${REPOSITORY_NAME}" \ - --query 'imageDetails[?!imageTags && (contains(imageManifestMediaType, `manifest.list.v2`) || contains(imageManifestMediaType, `image.index.v1`))].{imageDigest: join(`=`, [`imageDigest`, imageDigest])}' \ + --query 'imageDetails[?!imageTags && (contains(imageManifestMediaType, `manifest.list.v2`) || contains(imageManifestMediaType, `image.index.v1`)) && imagePushedAt < `'$CUTOFF_DATE'`].{imageDigest: join(`=`, [`imageDigest`, imageDigest])}' \ --output text) batch_delete "${IMAGE_DIGESTS}" 
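Review bot: `$CUTOFF_DATE` is spliced unquoted into the single-quoted `--query` string in both hunks (`imagePushedAt < `'$CUTOFF_DATE'``); it works only because `date +%Y-%m-%d` emits no whitespace or shell metacharacters, and `set -eu` gives no protection against an empty value, which would most likely turn the filter into a JMESPath parse error rather than "delete nothing". Quoting it as `"${CUTOFF_DATE}"` and asserting it where it is defined, `: "${CUTOFF_DATE:?}"`, makes the intent explicit. `date -d '2 years ago'` is GNU-specific, fine on the Ubuntu runner but worth a comment such as `# GNU date; the ISO date string is compared lexically against imagePushedAt by the AWS CLI's JMESPath`, since the string ordering relied on is an AWS CLI extension rather than core JMESPath. The `batch_delete` function that begins in the first hunk continues outside it.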
@@ -31,8 +32,7 @@ batch_delete "${IMAGE_DIGESTS}" # Find untagged images and delete them. IMAGE_DIGESTS=$(aws ecr-public describe-images \ --repository-name "${REPOSITORY_NAME}" \ - --query 'imageDetails[?!imageTags].{imageDigest: join(`=`, [`imageDigest`, imageDigest])}' \ + --query 'imageDetails[?!imageTags && imagePushedAt < `'$CUTOFF_DATE'` ].{imageDigest: join(`=`, [`imageDigest`, imageDigest])}' \ --output text) batch_delete "${IMAGE_DIGESTS}" - diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 0c6130c7..e18d3706 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md 
@@ -10,20 +10,19 @@ We pledge to act and interact in ways that contribute to an open, welcoming, div Examples of behavior that contributes to a positive environment for our community include: -- Demonstrating empathy and kindness toward other people -- Being respectful of differing opinions, viewpoints, and experiences -- Giving and gracefully accepting constructive feedback -- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience -- Focusing on what is best not just for us as individuals, but for the overall community +- Demonstrating empathy and kindness toward other people. +- Being respectful of differing opinions, viewpoints, and experiences. +- Giving and gracefully accepting constructive feedback. +- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience. +- Focusing on what is best not just for us as individuals, but for the overall community. Examples of unacceptable behavior include: -- The use of sexualized language or imagery, and sexual attention or advances of - any kind -- Trolling, insulting or derogatory comments, and personal or political attacks -- Public or private harassment -- Publishing others' private information, such as a physical or email address, without their explicit permission -- Other conduct which could reasonably be considered inappropriate in a professional setting +- The use of sexualized language or imagery, and sexual attention or advances of any kind. +- Trolling, insulting or derogatory comments, and personal or political attacks. +- Public or private harassment. +- Publishing others' private information, such as a physical or email address, without their explicit permission. +- Other conduct which could reasonably be considered inappropriate in a professional setting. ## Enforcement Responsibilities diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8b4d720f..e20b4945 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md 
@@ -1,67 +1,59 @@ # Contributing Guidelines -The following is a set of guidelines for contributing to the Docker Unprivileged NGINX image. We really appreciate that you are considering contributing! +The following is a set of guidelines for contributing to the NGINX Docker unprivileged image. We really appreciate that you are considering contributing! #### Table Of Contents -[Ask a Question](#ask-a-question) +- [Getting Started](#getting-started) +- [Contributing](#contributing) +- [Code Guidelines](#code-guidelines) -[Project Overview](#project-overview) +## Getting Started -[Contributing](#contributing) - -[Code Guidelines](#code-guidelines) - -* [Docker NGINX Unprivileged Guidelines](#docker-nginx-unprivileged-guidelines) -* [Git Guidelines](#git-guidelines) - -[Code of Conduct](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/CODE_OF_CONDUCT.md) - -## Ask a Question - -Don't know how something works? Curious if the role can achieve your desired functionality? Please open an Issue on GitHub with the label `question`. - -### Project Overview - -* The Docker Unprivileged NGINX repository is a mirror image of the [Docker NGINX image](https://github.com/nginxinc/docker-nginx). Changes have been made in order to support running NGINX in an unprivileged environment. -* New Docker Unprivileged NGINX images are built on a weekly basis using GitHub actions. +Look at the upstream Docker image [how to use this image guide](https://hub.docker.com/_/nginx/) to get the NGINX Docker unprivileged image up and running. ## Contributing ### Report a Bug -To report a bug, open an issue on GitHub with the label `bug` using the available bug report issue template. Please ensure the issue has not already been reported. +To report a bug, open an issue on GitHub with the label `bug` using the available [bug report issue form](/.github/ISSUE_TEMPLATE/bug_report.yml). Please ensure the bug has not already been reported. 
**If the bug is a potential security vulnerability, please report it using our [security policy](/SECURITY.md).** -### Report a Security vulnerability +### Suggest a Feature or Enhancement -To report a security vulnerability, open an issue on GitHub with the label `security` using the available security report issue template. Please ensure the security vulnerability directly impacts one of the NGINX dependencies listed in the [`SECURITY`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md) doc. Other security vulnerabilities should be addressed by the weekly Monday night build and as such will be promptly closed. +To suggest a feature or enhancement, please create an issue on GitHub with the label `enhancement` using the available [feature request issue form](/.github/ISSUE_TEMPLATE/feature_request.yml). Please ensure the feature or enhancement has not already been suggested. -### Suggest a Feature or Enhancement +### Open a Pull Request (PR) -To suggest an enhancement, please create an issue on GitHub with the label `feature` or `enhancement` using the available feature issue template. +- Fork the repo, create a branch, implement your changes, test that the corresponding Docker images can be built and run as intended, and submit a PR when your changes are **tested** and ready for review. +- Fill in the [PR template](/.github/pull_request_template.md). +- This repository is a mirror image of the upstream [NGINX Docker image](https://github.com/nginx/docker-nginx) with minor changes in order to support running NGINX in an unprivileged environment. As such only two types of PRs will be considered: -### Open a Pull Request + 1. PRs that incorporate changes made to the upstream image that have not yet been ported to this image (e.g. there's a new NGINX release). + 2. PRs that add a critical feature or a nice-to-have enhancement for running these images on an unprivileged environment (e.g. 
allowing users specify to the UID/GID of the image user). -* Fork the repo, create a branch, implement your changes, test that the corresponding Docker images can be built and run as intended, and submit a PR when your changes are **tested** and ready for review. -* Fill in [our pull request template](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/.github/pull_request_template.md). +**Note:** If you'd like to implement a new feature, please consider creating a [feature request issue](/.github/ISSUE_TEMPLATE/feature_request.yml) first to start a discussion about the feature. -Note: if you'd like to implement a new feature, please consider creating a feature request issue first to start a discussion about the feature. +#### F5 Contributor License Agreement (CLA) -## Code Guidelines +F5 requires all contributors to agree to the terms of the F5 CLA (available [here](https://github.com/f5/f5-cla/.github/blob/main/docs/f5_cla.md)) before any of their changes can be incorporated into an F5 Open Source repository (even contributions to the F5 CLA itself!). + +If you have not yet agreed to the F5 CLA terms and submit a PR to this repository, a bot will prompt you to view and agree to the F5 CLA. You will have to agree to the F5 CLA terms through a comment in the PR before any of your changes can be merged. Your agreement signature will be safely stored by F5 and no longer be required in future PRs. -### Docker NGINX Unprivileged Guidelines +## Code Guidelines -Given this repository is a mirror image of the upstream [Docker NGINX image](https://github.com/nginxinc/docker-nginx), only two types of PRs will be considered: +### Docker Guidelines -1. PRs that incorporate changes made to upstream images (e.g. there's a new NGINX release). -2. PRs that add a critical feature or a nice-to-have enhancement for running these images on an unprivileged environment (e.g. allowing users specify to the UID/GID of the image user). 
+- Update any entrypoint scripts via the the scripts contained in the [`/entrypoint`](/entrypoint) directory. +- Update any Dockerfiles via the Dockerfile templates in the root directory (e.g. [`Dockerfile-alpine.template`](/Dockerfile-alpine.template)). +- Run the [`./update.sh`](/update.sh) script to apply all entrypoint/Dockerfile template changes to the relevant image entrypoints & Dockerfiles. ### Git Guidelines -* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR. -* Follow the guidelines of writing a good commit message as described here and summarised in the next few points: - * In the subject line, use the present tense ("Add feature" not "Added feature"). - * In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to..."). - * Limit the subject line to 72 characters or less. - * Reference issues and pull requests liberally after the subject line. - * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`). +- Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR. +- If possible and/or relevant, use the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) format when writing a commit message, so that changelogs can be automatically generated. +- Follow the guidelines of writing a good commit message as described here and summarized in the next few points: + - In the subject line, use the present tense ("Add feature" not "Added feature"). + - In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to..."). + - Limit the subject line to 72 characters or less. + - Reference issues and pull requests liberally after the subject line. 
+ - Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`). diff --git a/Dockerfile-alpine-otel.template b/Dockerfile-alpine-otel.template new file mode 100644 index 00000000..14212a09 --- /dev/null +++ b/Dockerfile-alpine-otel.template 
@@ -0,0 +1,74 @@ +ARG IMAGE=nginxinc/nginx-unprivileged:%%NGINX_VERSION%%-alpine +FROM $IMAGE + +ENV OTEL_VERSION=%%OTEL_VERSION%% + +ARG UID=101 +ARG GID=101 + +USER root + +RUN set -x \ + && apkArch="$(cat /etc/apk/arch)" \ + && nginxPackages="%%PACKAGES%% + " \ +# install prerequisites for public key and pkg-oss checks + && apk add --no-cache --virtual .checksum-deps \ + openssl \ + && case "$apkArch" in \ + x86_64|aarch64) \ +# arches officially built by upstream + apk add -X "%%PACKAGEREPO%%v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + ;; \ + *) \ +# we're on an architecture upstream doesn't officially build for +# let's build binaries from the published packaging sources + set -x \ + && tempDir="$(mktemp -d)" \ + && chown nobody:nobody $tempDir \ + && apk add --no-cache --virtual .build-deps \ + gcc \ + libc-dev \ + make \ + openssl-dev \ + pcre2-dev \ + zlib-dev \ + linux-headers \ + cmake \ + bash \ + alpine-sdk \ + findutils \ + curl \ + xz \ + protobuf-dev \ + grpc-dev \ + && su nobody -s /bin/sh -c " \ + export HOME=${tempDir} \ + && cd ${tempDir} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/%%REVISION%%.tar.gz \ + && PKGOSSCHECKSUM=\"%%PKGOSSCHECKSUM%% *%%REVISION%%.tar.gz\" \ + && if [ \"\$(openssl sha512 -r %%REVISION%%.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ + echo \"pkg-oss tarball checksum verification succeeded!\"; \ + else \ + echo \"pkg-oss tarball checksum verification failed!\"; \ + exit 1; \ + fi \ + && tar xzvf %%REVISION%%.tar.gz \ + && cd pkg-oss-%%REVISION%% \ + && cd alpine \ + && make %%BUILDTARGET%% \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ + " \ + && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ + && apk del --no-network .build-deps \ + && apk add -X 
${tempDir}/packages/alpine/ --no-cache $nginxPackages \ + ;; \ + esac \ +# remove checksum deps + && apk del --no-network .checksum-deps \ +# if we have leftovers from building, let's purge them (including extra, unnecessary build deps) + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi + +USER $UID diff --git a/Dockerfile-alpine-slim.template b/Dockerfile-alpine-slim.template index 609c4ada..0a550e9d 100644 --- a/Dockerfile-alpine-slim.template +++ b/Dockerfile-alpine-slim.template @@ -81,23 +81,8 @@ RUN set -x \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ -# Bring in gettext so we can get `envsubst`, then throw -# the rest away. To do this, we need to install `gettext` -# then move `envsubst` out of the way so `gettext` can -# be deleted completely, then move `envsubst` back. - && apk add --no-cache --virtual .gettext gettext \ - && mv /usr/bin/envsubst /tmp/ \ - \ - && runDeps="$( \ - scanelf --needed --nobanner /tmp/envsubst \ - | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ - | sort -u \ - | xargs -r apk info --installed \ - | sort -u \ - )" \ - && apk add --no-cache $runDeps \ - && apk del --no-network .gettext \ - && mv /tmp/envsubst /usr/local/bin/ \ +# Add `envsubst` for templating environment variables + && apk add --no-cache gettext-envsubst \ # Bring in tzdata so users could set the timezones through the environment # variables && apk add --no-cache tzdata \ 
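Review bot: Quoting of `$tempDir` is inconsistent within the unofficial-arch branch: `chown nobody:nobody $tempDir` and the `${tempDir}` expansions inside the `su nobody -s /bin/sh -c "…"` string are unquoted, while the cleanup at the end of the RUN uses `rm -rf "$tempDir"`. mktemp output contains no whitespace so this works today, but `chown nobody:nobody "$tempDir"` keeps the template consistent with its own cleanup line and with ShellCheck's SC2086. The `set -x \` that opens the `*)` branch is also redundant, since `RUN set -x` at the top of the same shell already enabled tracing. The generated copy at mainline/alpine-otel/Dockerfile later on this page inherits both points, so the template is the place to fix them.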
@@ -110,7 +95,7 @@ RUN set -x \ # implement changes required to run NGINX as an unprivileged user RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ - && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ + && sed -i 's,\(/var\)\{0\,1\}/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ # nginx user must own the cache and etc directory to write cache and tweak the nginx config && chown -R $UID:0 /var/cache/nginx \ diff --git a/Dockerfile-debian-otel.template b/Dockerfile-debian-otel.template new file mode 100644 index 00000000..93b8ea16 --- /dev/null +++ b/Dockerfile-debian-otel.template 
@@ -0,0 +1,97 @@ +ARG IMAGE=nginxinc/nginx-unprivileged:%%NGINX_VERSION%% +FROM $IMAGE + +ENV OTEL_VERSION=%%OTEL_VERSION%% + +ARG UID=101 +ARG GID=101 + +USER root + +RUN set -x; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ + dpkgArch="$(dpkg --print-architecture)" \ + && nginxPackages="%%PACKAGES%% + " \ + && case "$dpkgArch" in \ + amd64|arm64) \ +# arches officially built by upstream + echo "deb [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \ + && apt-get update \ + ;; \ + *) \ +# we're on an architecture upstream doesn't officially build for +# let's build binaries from the published packaging sources +# new directory for storing sources and .deb files + tempDir="$(mktemp -d)" \ + && chmod 777 "$tempDir" \ +# (777 to ensure APT's "_apt" user can access it too) + \ +# save list of currently-installed packages so build dependencies can be cleanly removed later + && savedAptMark="$(apt-mark showmanual)" \ + \ +# build .deb files from upstream's packaging sources + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ + && ( \ + cd "$tempDir" \ + && REVISION="%%REVISION%%" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && PKGOSSCHECKSUM="%%PKGOSSCHECKSUM%% *${REVISION}.tar.gz" \ + && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in %%BUILDTARGET%%; do \ + make rules-$target; \ + mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + 
debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make %%BUILDTARGET%% \ + ) \ +# we don't remove APT lists here because they get re-downloaded and removed later + \ +# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies +# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies) + && apt-mark showmanual | xargs apt-mark auto > /dev/null \ + && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \ + \ +# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be) + && ls -lAFh "$tempDir" \ + && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) \ + && grep '^Package: ' "$tempDir/Packages" \ + && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \ +# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes") +# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) +# ... +# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) + && apt-get -o Acquire::GzipIndexes=false update \ + ;; \ + esac \ + \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + $nginxPackages \ + gettext-base \ + curl \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \ + \ +# if we have leftovers from building, let's purge them (including extra, unnecessary build deps) + && if [ -n "$tempDir" ]; then \ + apt-get purge -y --auto-remove \ + && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \ + fi + +USER $UID diff --git a/Dockerfile-debian-perl.template b/Dockerfile-debian-perl.template index 764c208c..fa99560f 100644 
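Review bot: The pkg-oss tarball check in the `*)` branch runs `openssl sha512 -r`, but `openssl` is not among the packages installed just above it (curl, devscripts, equivs, git, libxml2-utils, lsb-release, xsltproc); if the base image does not ship the `openssl` binary, `$(openssl …)` expands to empty, the comparison fails closed and the build stops with "checksum verification failed", which is safe but misleading about the cause. Either add `openssl \` to that install list or add a comment stating that the base image is relied on to provide it. The Alpine OTel template on this page installs `openssl` explicitly as `.checksum-deps`, so the two templates currently differ in that respect.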
--- a/Dockerfile-debian-perl.template +++ b/Dockerfile-debian-perl.template @@ -13,7 +13,7 @@ RUN set -x; \ " \ && case "$dpkgArch" in \ amd64|arm64) \ -# arches officialy built by upstream +# arches officially built by upstream echo "deb [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index bc864472..ed3076da 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template @@ -29,11 +29,11 @@ RUN set -x \ pgp.mit.edu \ ; do \ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + gpg1 --batch --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ done; \ test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ done; \ - gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ + gpg1 --batch --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \ rm -rf "$GNUPGHOME"; \ apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ && dpkgArch="$(dpkg --print-architecture)" \ @@ -41,7 +41,7 @@ RUN set -x \ " \ && case "$dpkgArch" in \ amd64|arm64) \ -# arches officialy built by upstream +# arches officially built by upstream echo "deb [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ 
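Review bot: In the Dockerfile-debian.template key-import hunk, `gpg1 --batch --export $NGINX_GPGKEYS` drops the quotes so that a space-separated list of key IDs word-splits into separate arguments, whereas the old `"$NGINX_GPGKEYS"` handed the whole list to gpg as one ID. That reads as an SC2086 mistake to the next maintainer, so it deserves a comment on the line above: `# NGINX_GPGKEYS is a space-separated list of key IDs; word-splitting is intentional`. Adding `--batch` to both gpg1 calls is appropriate for a non-interactive build. The enclosing RUN starts and ends outside the hunk.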
@@ -128,8 +128,9 @@ RUN set -x \ # implement changes required to run NGINX as an unprivileged user RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ - && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ + && sed -i 's,\(/var\)\{0\,1\}/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ + && sed -i 's,PIDFILE=${PIDFILE:-/run/nginx.pid},PIDFILE=${PIDFILE:-/tmp/nginx.pid},' /etc/init.d/nginx \ # nginx user must own the cache and etc directory to write cache and tweak the nginx config && chown -R $UID:0 /var/cache/nginx \ && chmod -R g+w /var/cache/nginx \ diff --git a/README.md b/README.md index 8beb8989..f784bff4 100644 --- a/README.md +++ b/README.md 
@@ -1,17 +1,18 @@ +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/nginx/docker-nginx-unprivileged/badge)](https://securityscorecards.dev/viewer/?uri=github.com/nginx/docker-nginx-unprivileged) [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) -[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SUPPORT.md) -[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](https://github.com/nginxinc/docker-nginx-unprivileged/main/CODE_OF_CONDUCT.md) +[![Community Support](https://badgen.net/badge/support/community/cyan?icon=awesome)](/SUPPORT.md) +[![Community Forum](https://img.shields.io/badge/community-forum-009639?logo=discourse&link=https%3A%2F%2Fcommunity.nginx.org)](https://community.nginx.org) +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/license/apache-2-0) +[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md) # NGINX Unprivileged Docker Image -This repo contains a series of Dockerfiles to create an NGINX Docker image that runs NGINX as a non root, unprivileged user. Notable differences with respect to the official [NGINX Docker](https://github.com/nginxinc/docker-nginx) image include: +This repo contains a series of Dockerfiles to create an NGINX Docker image that runs NGINX as a non root, unprivileged user. 
Notable differences with respect to the official [NGINX Docker](https://github.com/nginx/docker-nginx) image include: -* The default NGINX listen port is now `8080` instead of `80` (this is no longer necessary as of Docker `20.03` but it's still required in other container runtimes) -* The default NGINX user directive in `/etc/nginx/nginx.conf` has been removed -* The default NGINX PID has been moved from `/var/run/nginx.pid` to `/tmp/nginx.pid` -* Change `*_temp_path` variables to `/tmp/*` - -New images are built and pushed to on a weekly basis (every Monday night). +- The default NGINX listen port is now `8080` instead of `80` (this is no longer necessary as of Docker `20.03` but it's still required in other container runtimes) +- The default NGINX user directive in `/etc/nginx/nginx.conf` has been removed +- The default NGINX PID has been moved from `/var/run/nginx.pid` (prior to NGINX 1.27.5) and `/run/nginx.pid` (NGINX 1.27.5 and later) to `/tmp/nginx.pid` +- Change `*_temp_path` variables to `/tmp/*` Check out the [docs](https://hub.docker.com/_/nginx) for the upstream Docker NGINX image for a detailed explanation on how to use this image. 
@@ -21,26 +22,37 @@ Check out the [docs](https://hub.docker.com/_/nginx) for the upstream Docker NGI You can find pre-built images in each of the following registries: -* Amazon ECR - -* Docker Hub - -* GitHub Container Registry - -* Quay - +- Amazon ECR - +- Docker Hub - +- GitHub Container Registry - + - **Note**: For releases prior to NGINX 1.27.4 (mainline branch) and 1.26.3 (stable branch), use the old registry link +- Quay - + +### Image Builds and Retention Policy + +#### Image Builds + +New images are built whenever there is a new NGINX release or a critical CVE is found and fixed (check the [security documentation](/SECURITY.md) for more details). New images are also built and pushed to all registries on a weekly basis every Monday night. Whenever a new image is built, the current NGINX mainline and stable tags get switched to the latest build, and the image that gets replaced will become untagged. If you wish to point your builds to a specific image over time, use the specific image digest instead of the tag. + +#### Image Retention Policy + +Untagged images on Amazon ECR and the GitHub Container Registry are cleaned up on a two year basis. Untagged images on Docker Hub are not cleaned up at this time (this might change with the incoming storage changes). Untagged images on Quay are continuously removed due to its built in garbage collector. The last built tag of every release is kept indefinitely in every of the aforementioned registries. ### Architectures -Most images are built for the `amd64`, `arm32v5` (for Debian), `arm32v6` (for Alpine), `arm32v7`, `arm64v8`, `i386`, `mips64le` (for Debian), `ppc64le` and `s390x` architectures. +Most images are built for the `amd64`, `arm32v5` (for Debian), `arm32v6` (for Alpine), `arm32v7`, `arm64`, `i386`, `mips64le` (for Debian), `ppc64le` and `s390x` architectures. OTel images are built for `amd64` and `arm64`. 
## Troubleshooting Tips -* If you wish to use a different user ID and/or group ID when running the Docker Unprivileged image, rebuild the image using the following Docker build arguments: +- If you wish to use a different user ID and/or group ID when running the Docker Unprivileged image, rebuild the image using the following Docker build arguments: ```bash docker build --build-arg UID= --build-arg GID= -t nginx-unprivileged . ``` -* If you override the default `nginx.conf` file you may encounter various types of error messages: - * To fix `nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)`, you have to specify a valid `pid` location by adding the line `pid /tmp/nginx.pid;` at the top level of your config. - * To fix `nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)`, you have to specify a valid location for the various NGINX temporary paths by adding these lines within the `http` context: +- If you override the default `nginx.conf` file you may encounter various types of error messages: + - To fix `nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)`, you have to specify a valid `pid` location by adding the line `pid /tmp/nginx.pid;` at the top level of your config. NOTE: NGINX 1.27.5 will complain about permissions for `/run/nginx.pid` due to a policy change for this path. + - To fix `nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)`, you have to specify a valid location for the various NGINX temporary paths by adding these lines within the `http` context: ```nginx http { 
@@ -53,20 +65,20 @@ Most images are built for the `amd64`, `arm32v5` (for Debian), `arm32v6` (for Al } ``` -## On Reporting Issues +## On Reporting Issues and Opening PRs Whilst issues and PRs are welcome, please do note that: -1. Issues related to security vulnerabilities will be promptly closed unless they are accompanied by a solid reasoning as to why the vulnerability poses a real security threat to this image. Check out the [`SECURITY`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/SECURITY.md) doc for more details. -2. These images are unprivileged ports of the upstream [Docker NGINX](https://github.com/nginxinc/docker-nginx) images. Any changes that do not specifically involve the changes made to run NGINX on an unprivileged system should be reported in the [Docker NGINX](https://github.com/nginxinc/docker-nginx) upstream repo. They will not get addressed here. -3. Following from 2., base images (e.g. Alpine x.x or Debian x) in the [Docker NGINX](https://github.com/nginxinc/docker-nginx) upstream repo get updated when a new version of NGINX is released, never within the same release version. Similarly, new NGINX releases usually make their way to the [Docker NGINX](https://github.com/nginxinc/docker-nginx) image a couple days after their standard release. Please refrain from opening an issue or PR here if the upstream repo hasn't been updated -- it will be closed. +1. Issues related to security vulnerabilities will be promptly closed unless they are accompanied by a solid reasoning as to why the vulnerability poses a real security threat to this image. Check out the [`security documentation`](/SECURITY.md) for more details. +2. These images are unprivileged ports of the upstream [Docker NGINX](https://github.com/nginx/docker-nginx) images. Any changes that do not specifically involve the changes made to run NGINX on an unprivileged system should be reported in the [Docker NGINX](https://github.com/nginx/docker-nginx) upstream repo. 
They will not get addressed here. +3. Following from 2., base images (e.g. Alpine x.x or Debian x) in the [Docker NGINX](https://github.com/nginx/docker-nginx) upstream repo get updated when a new version of NGINX is released, never within the same release version. Similarly, new NGINX releases usually make their way to the [Docker NGINX](https://github.com/nginx/docker-nginx) image a couple days after their standard release. Please refrain from opening an issue or PR here if the upstream repo hasn't been updated -- it will be closed. ## Contributing -Please see the [contributing guide](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/CONTRIBUTING.md) for guidelines on how to best contribute to this project. +Please see the [contributing guide](/CONTRIBUTING.md) for guidelines on how to best contribute to this project. ## License -[Apache License, Version 2.0](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/LICENSE) +[Apache License, Version 2.0](/LICENSE) -© [F5, Inc.](https://www.f5.com/) 2018 - 2024 +© [F5, Inc.](https://www.f5.com/) 2018 - 2025 diff --git a/SECURITY.md b/SECURITY.md index 75d58e35..3e3607a1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,13 +2,20 @@ ## Latest Versions -We advise users to run or update to the most recent release of the NGINX Docker Unprivileged image. Older versions of the NGINX Docker Unprivileged image may not have all enhancements and/or bug fixes applied to them. +We advise users to run or update to the most recent release of the NGINX Docker unprivileged image. Older versions of the NGINX Docker unprivileged image may not have all enhancements and/or bug fixes applied to them. ## Reporting a Vulnerability -### Docker NGINX Unprivileged Image +The F5 Security Incident Response Team (F5 SIRT) offers two methods to easily report potential security vulnerabilities: -If you find a security vulnerability that directly affects a direct NGINX library dependency we encourage you open an issue detailing the security vulnerability. +- If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/support). +- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities in any F5 product to the F5 Security Incident Response Team at . + +For more information, please read the F5 SIRT vulnerability reporting guidelines available at [https://www.f5.com/support/report-a-vulnerability](https://www.f5.com/support/report-a-vulnerability). + +## CVEs to be considered + +If you find a security vulnerability that directly affects a direct NGINX library dependency we encourage you open an issue detailing the security vulnerability. ***Only vulnerabilities related to to direct NGINX library dependencies will be considered. Other security vulnerabilities will be addressed by the weekly Monday night build and as such will be ignored/promptly closed.*** For reference, the direct NGINX library dependencies are: 
@@ -25,14 +32,3 @@ For reference, the direct NGINX library dependencies are: - `libpcre2` - `libssl` - `libz` - -***Note: Only vulnerabilities related to direct NGINX library dependencies will be considered. Other security vulnerabilities should be addressed by the weekly Monday night build and as such will be promptly closed.*** - -### Codebase - -If you find a security vulnerability that affects the codebase, we encourage you to report it to the F5 Security Incident Response Team (F5 SIRT): - -- If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/services/support). -- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 product to the F5 Security Incident Response Team at . - -For more information visit [https://www.f5.com/services/support/report-a-vulnerability](https://www.f5.com/services/support/report-a-vulnerability). diff --git a/SUPPORT.md b/SUPPORT.md index bbcd9980..2c804387 100644 --- a/SUPPORT.md +++ b/SUPPORT.md 
@@ -2,27 +2,23 @@ ## Ask a Question -We use GitHub for tracking bugs and feature requests related to all the Docker NGINX images (including all variants and container registries). +We use GitHub for tracking bugs and feature requests related to all Docker NGINX unprivileged images (including all variants and container registries). -Don't know how something in this project works? Curious if this project can achieve your desired functionality? Please open an issue on GitHub with the label `question`. +Don't know how something in this project works? Curious if this project can achieve your desired functionality? Please open an issue on GitHub with the label `question`. Alternatively, start a GitHub discussion! ## NGINX Specific Questions and/or Issues This isn't the right place to get support for NGINX specific questions, but the following resources are available below. Thanks for your understanding! -### Community Slack +### Community Forum -We have a community [Slack](https://nginxcommunity.slack.com/)! - -If you are not a member, click [here](https://community.nginx.org/joinslack) to sign up (and let us know if the link does not seem to be working!) - -Once you join, check out the `#beginner-questions` and `nginx-users` channels :) +We have a community [forum](https://community.nginx.org/)! If you have any questions and/or issues, try checking out the [`Troubleshooting`](https://community.nginx.org/c/troubleshooting/8) and [`How do I...?`](https://community.nginx.org/c/how-do-i/9) categories. Both fellow community members and NGINXers might be able to help you! :) ### Documentation For a comprehensive list of all NGINX directives, check out . -For a comprehensive list of admin and deployment guides for all NGINX products, check out . +For a comprehensive list of administration and deployment guides for all NGINX products, check out . ### Mailing List 
@@ -30,8 +26,12 @@ Want to get in touch with the NGINX development team directly? Try using the rel ## Contributing -Please see the [contributing guide](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/CONTRIBUTING.md) for guidelines on how to best contribute to this project. +Please see the [contributing guide](/CONTRIBUTING.md) for guidelines on how to best contribute to this project. ## Commercial Support -Commercial support for this project may be available. Please get in touch with [NGINX sales](https://www.nginx.com/contact-sales/) or check your contract details for more info! +Commercial support for this project may be available. Please get in touch with [NGINX sales](https://www.f5.com/products/get-f5/) or check your contract details for more info! + +## Community Support + +Community support is offered on a best effort basis through either GitHub issues/PRs/discussions or through any of our active communities. diff --git a/entrypoint/10-listen-on-ipv6-by-default.sh b/entrypoint/10-listen-on-ipv6-by-default.sh index 29898b1c..17660794 100755 --- a/entrypoint/10-listen-on-ipv6-by-default.sh +++ b/entrypoint/10-listen-on-ipv6-by-default.sh @@ -27,7 +27,7 @@ fi touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } # check if the file is already modified, e.g. on a container restart -grep -q "listen \[::]\:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } +grep -q "listen \[::\]:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } if [ -f "/etc/os-release" ]; then . /etc/os-release diff --git a/mainline/alpine-otel/Dockerfile b/mainline/alpine-otel/Dockerfile new file mode 100644 index 00000000..2e9fc25f --- /dev/null +++ b/mainline/alpine-otel/Dockerfile 
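Review bot: In the entrypoint/10-listen-on-ipv6-by-default.sh hunk the corrected pattern is still a BRE carrying `\[` and `\]` escapes inside double quotes, which is exactly the kind of escaping that produced the original `\]\:` mismatch; a fixed-string match avoids it entirely, `grep -qF 'listen [::]:8080;' "/$DEFAULT_CONF_FILE" && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; }`. `/$DEFAULT_CONF_FILE` is unquoted here and on the `touch` line above, which ShellCheck flags. The same line is mirrored in the generated copy at mainline/alpine-slim/10-listen-on-ipv6-by-default.sh further down this page.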
@@ -0,0 +1,85 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# +ARG IMAGE=nginxinc/nginx-unprivileged:1.29.1-alpine +FROM $IMAGE + +ENV OTEL_VERSION=0.1.2 + +ARG UID=101 +ARG GID=101 + +USER root + +RUN set -x \ + && apkArch="$(cat /etc/apk/arch)" \ + && nginxPackages=" \ + nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ + nginx-module-otel=${NGINX_VERSION}.${OTEL_VERSION}-r${PKG_RELEASE} \ + " \ +# install prerequisites for public key and pkg-oss checks + && apk add --no-cache --virtual .checksum-deps \ + openssl \ + && case "$apkArch" in \ + x86_64|aarch64) \ +# arches officially built by upstream + apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + ;; \ + *) \ +# we're on an architecture upstream doesn't officially build for +# let's build binaries from the published packaging sources + set -x \ + && tempDir="$(mktemp -d)" \ + && chown nobody:nobody $tempDir \ + && apk add --no-cache --virtual .build-deps \ + gcc \ + libc-dev \ + make \ + openssl-dev \ + pcre2-dev \ + zlib-dev \ + linux-headers \ + cmake \ + bash \ + alpine-sdk \ + findutils \ + curl \ + xz \ + protobuf-dev \ + grpc-dev \ + && su nobody -s /bin/sh -c " \ + export HOME=${tempDir} \ + && cd ${tempDir} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ + echo \"pkg-oss 
tarball checksum verification succeeded!\"; \ + else \ + echo \"pkg-oss tarball checksum verification failed!\"; \ + exit 1; \ + fi \ + && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ + && cd alpine \ + && make module-otel \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ + " \ + && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ + && apk del --no-network .build-deps \ + && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \ + ;; \ + esac \ +# remove checksum deps + && apk del --no-network .checksum-deps \ +# if we have leftovers from building, let's purge them (including extra, unnecessary build deps) + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi + +USER $UID diff --git a/mainline/alpine-perl/Dockerfile b/mainline/alpine-perl/Dockerfile index 2713acec..e317ec26 100644 --- a/mainline/alpine-perl/Dockerfile +++ b/mainline/alpine-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.27.1-alpine +ARG IMAGE=nginxinc/nginx-unprivileged:1.29.1-alpine FROM $IMAGE ARG UID=101 
@@ -52,7 +52,7 @@ RUN set -x \ export HOME=${tempDir} \ && cd ${tempDir} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"e1a8e980d904df21484fc09793f1c938d566dcf0e752171714e70fc364dcd54b1bf3ce3e2ec90747114c5b24ac8050f1e8c6a774ff4476508d5dc99666e59443 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && PKGOSSCHECKSUM=\"43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ diff --git a/mainline/alpine-slim/10-listen-on-ipv6-by-default.sh b/mainline/alpine-slim/10-listen-on-ipv6-by-default.sh index 29898b1c..17660794 100755 --- a/mainline/alpine-slim/10-listen-on-ipv6-by-default.sh +++ b/mainline/alpine-slim/10-listen-on-ipv6-by-default.sh @@ -27,7 +27,7 @@ fi touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } # check if the file is already modified, e.g. on a container restart -grep -q "listen \[::]\:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } +grep -q "listen \[::\]:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } if [ -f "/etc/os-release" ]; then . /etc/os-release diff --git a/mainline/alpine-slim/Dockerfile b/mainline/alpine-slim/Dockerfile index 6261531f..360d319a 100644 --- a/mainline/alpine-slim/Dockerfile +++ b/mainline/alpine-slim/Dockerfile 
@@ -3,14 +3,14 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=alpine:3.20 +ARG IMAGE=alpine:3.22 FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION=1.27.1 +ENV NGINX_VERSION=1.29.1 ENV PKG_RELEASE=1 -ENV DYNPKG_RELEASE=2 +ENV DYNPKG_RELEASE=1 ARG UID=101 ARG GID=101 @@ -63,7 +63,7 @@ RUN set -x \ export HOME=${tempDir} \ && cd ${tempDir} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"e1a8e980d904df21484fc09793f1c938d566dcf0e752171714e70fc364dcd54b1bf3ce3e2ec90747114c5b24ac8050f1e8c6a774ff4476508d5dc99666e59443 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && PKGOSSCHECKSUM=\"43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ 
@@ -87,23 +87,8 @@ RUN set -x \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ -# Bring in gettext so we can get `envsubst`, then throw -# the rest away. To do this, we need to install `gettext` -# then move `envsubst` out of the way so `gettext` can -# be deleted completely, then move `envsubst` back. - && apk add --no-cache --virtual .gettext gettext \ - && mv /usr/bin/envsubst /tmp/ \ - \ - && runDeps="$( \ - scanelf --needed --nobanner /tmp/envsubst \ - | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ - | sort -u \ - | xargs -r apk info --installed \ - | sort -u \ - )" \ - && apk add --no-cache $runDeps \ - && apk del --no-network .gettext \ - && mv /tmp/envsubst /usr/local/bin/ \ +# Add `envsubst` for templating environment variables + && apk add --no-cache gettext-envsubst \ # Bring in tzdata so users could set the timezones through the environment # variables && apk add --no-cache tzdata \ @@ -116,7 +101,7 @@ RUN set -x \ # implement changes required to run NGINX as an unprivileged user RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ - && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ + && sed -i 's,\(/var\)\{0\,1\}/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ # nginx user must own the cache and etc directory to write cache and tweak the nginx config && chown -R $UID:0 /var/cache/nginx \ diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile index b57908bd..c27aad30 100644 --- a/mainline/alpine/Dockerfile 
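Review bot: The removed block ended by moving the binary to /usr/local/bin/envsubst, whereas `apk add --no-cache gettext-envsubst` leaves it wherever that package installs it (presumably /usr/bin); anything that referenced /usr/local/bin/envsubst by absolute path rather than through PATH would stop working, so it is worth confirming the entrypoint templating script calls plain `envsubst`. A comment on the new line recording the relocation, `# envsubst is now provided by gettext-envsubst (no longer copied to /usr/local/bin)`, would save the next reader from re-deriving this from history. The same replacement is made in stable/alpine-slim/Dockerfile. The RUN instruction starts and ends outside the hunk.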
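Review bot: The new nginx.conf substitution escapes the comma inside the interval expression (`\{0\,1\}`) only because `,` is also the s/// delimiter; GNU sed (and, as far as I can tell, busybox sed) unescape it before compiling the regex, but the pattern reads like a typo and depends on that rule. Choosing a delimiter that does not occur in the pattern removes the special case: `&& sed -i 's#\(/var\)\{0,1\}/run/nginx.pid#/tmp/nginx.pid#' /etc/nginx/nginx.conf \`. The same line is changed in stable/alpine-slim, mainline/debian and stable/debian Dockerfile; since these files are generated by update.sh the fix belongs in the template. The RUN instruction continues past the hunk.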
+++ b/mainline/alpine/Dockerfile @@ -3,10 +3,10 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.27.1-alpine-slim +ARG IMAGE=nginxinc/nginx-unprivileged:1.29.1-alpine-slim FROM $IMAGE -ENV NJS_VERSION=0.8.5 +ENV NJS_VERSION=0.9.1 ENV NJS_RELEASE=1 ARG UID=101 @@ -57,7 +57,7 @@ RUN set -x \ export HOME=${tempDir} \ && cd ${tempDir} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"e1a8e980d904df21484fc09793f1c938d566dcf0e752171714e70fc364dcd54b1bf3ce3e2ec90747114c5b24ac8050f1e8c6a774ff4476508d5dc99666e59443 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && PKGOSSCHECKSUM=\"43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ diff --git a/mainline/debian-otel/Dockerfile b/mainline/debian-otel/Dockerfile new file mode 100644 index 00000000..6ba96044 --- /dev/null +++ b/mainline/debian-otel/Dockerfile 
@@ -0,0 +1,108 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# +ARG IMAGE=nginxinc/nginx-unprivileged:1.29.1 +FROM $IMAGE + +ENV OTEL_VERSION=0.1.2 + +ARG UID=101 +ARG GID=101 + +USER root + +RUN set -x; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ + dpkgArch="$(dpkg --print-architecture)" \ + && nginxPackages=" \ + nginx=${NGINX_VERSION}-${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ + nginx-module-otel=${NGINX_VERSION}+${OTEL_VERSION}-${PKG_RELEASE} \ + " \ + && case "$dpkgArch" in \ + amd64|arm64) \ +# arches officially built by upstream + echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ + && apt-get update \ + ;; \ + *) \ +# we're on an architecture upstream doesn't officially build for +# let's build binaries from the published packaging sources +# new directory for storing sources and .deb files + tempDir="$(mktemp -d)" \ + && chmod 777 "$tempDir" \ +# (777 to ensure APT's "_apt" user can access it too) + \ +# save list of currently-installed packages so build dependencies can be cleanly removed later + && savedAptMark="$(apt-mark showmanual)" \ + \ +# build .deb files from upstream's packaging sources + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ + && ( \ + cd "$tempDir" \ + && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && 
PKGOSSCHECKSUM="43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4 *${REVISION}.tar.gz" \ + && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in module-otel; do \ + make rules-$target; \ + mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make module-otel \ + ) \ +# we don't remove APT lists here because they get re-downloaded and removed later + \ +# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies +# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies) + && apt-mark showmanual | xargs apt-mark auto > /dev/null \ + && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \ + \ +# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be) + && ls -lAFh "$tempDir" \ + && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) \ + && grep '^Package: ' "$tempDir/Packages" \ + && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \ +# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes") +# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) +# ... 
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) + && apt-get -o Acquire::GzipIndexes=false update \ + ;; \ + esac \ + \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + $nginxPackages \ + gettext-base \ + curl \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \ + \ +# if we have leftovers from building, let's purge them (including extra, unnecessary build deps) + && if [ -n "$tempDir" ]; then \ + apt-get purge -y --auto-remove \ + && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \ + fi + +USER $UID diff --git a/mainline/debian-perl/Dockerfile b/mainline/debian-perl/Dockerfile index f942df77..d3a9583b 100644 --- a/mainline/debian-perl/Dockerfile +++ b/mainline/debian-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.27.1 +ARG IMAGE=nginxinc/nginx-unprivileged:1.29.1 FROM $IMAGE ARG UID=101 @@ -24,7 +24,7 @@ RUN set -x; \ " \ && case "$dpkgArch" in \ amd64|arm64) \ -# arches officialy built by upstream +# arches officially built by upstream echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ 
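Review bot: In the unofficial-arch branch of mainline/debian-otel/Dockerfile the loop body `make rules-$target; mk-build-deps --install ... debian/control;` joins its commands with `;`, so a failed `make rules-module-otel` or a failed build-dependency install does not stop the build and the error surfaces later, if at all, as an unrelated `make module-otel` failure. Inside the `( ... )` subshell the fix is two lines: `make rules-$target || exit 1; \` and `... debuild-$target/nginx-$NGINX_VERSION/debian/control || exit 1; \`, which makes the outer `&&` chain abort as intended. The same loop appears in stable/debian-otel/Dockerfile, and since both files are generated by update.sh the change belongs in the template they are rendered from.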
@@ -54,7 +54,7 @@ RUN set -x; \ && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ && REVISION=${REVISION%~*} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ - && PKGOSSCHECKSUM="e1a8e980d904df21484fc09793f1c938d566dcf0e752171714e70fc364dcd54b1bf3ce3e2ec90747114c5b24ac8050f1e8c6a774ff4476508d5dc99666e59443 *${REVISION}.tar.gz" \ + && PKGOSSCHECKSUM="43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4 *${REVISION}.tar.gz" \ && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ echo "pkg-oss tarball checksum verification succeeded!"; \ else \ diff --git a/mainline/debian/10-listen-on-ipv6-by-default.sh b/mainline/debian/10-listen-on-ipv6-by-default.sh index 29898b1c..17660794 100755 --- a/mainline/debian/10-listen-on-ipv6-by-default.sh +++ b/mainline/debian/10-listen-on-ipv6-by-default.sh @@ -27,7 +27,7 @@ fi touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } # check if the file is already modified, e.g. on a container restart -grep -q "listen \[::]\:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } +grep -q "listen \[::\]:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } if [ -f "/etc/os-release" ]; then . /etc/os-release diff --git a/mainline/debian/Dockerfile b/mainline/debian/Dockerfile index 8ce96b02..7f2afa7a 100644 --- a/mainline/debian/Dockerfile +++ b/mainline/debian/Dockerfile @@ -8,11 +8,11 @@ FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION=1.27.1 -ENV NJS_VERSION=0.8.5 +ENV NGINX_VERSION=1.29.1 +ENV NJS_VERSION=0.9.1 ENV NJS_RELEASE=1~bookworm ENV PKG_RELEASE=1~bookworm -ENV DYNPKG_RELEASE=2~bookworm +ENV DYNPKG_RELEASE=1~bookworm ARG UID=101 ARG GID=101 
@@ -34,11 +34,11 @@ RUN set -x \ pgp.mit.edu \ ; do \ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + gpg1 --batch --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ done; \ test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ done; \ - gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ + gpg1 --batch --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \ rm -rf "$GNUPGHOME"; \ apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ && dpkgArch="$(dpkg --print-architecture)" \ @@ -51,7 +51,7 @@ RUN set -x \ " \ && case "$dpkgArch" in \ amd64|arm64) \ -# arches officialy built by upstream +# arches officially built by upstream echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/mainline/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ @@ -81,7 +81,7 @@ RUN set -x \ && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ && REVISION=${REVISION%~*} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ - && PKGOSSCHECKSUM="e1a8e980d904df21484fc09793f1c938d566dcf0e752171714e70fc364dcd54b1bf3ce3e2ec90747114c5b24ac8050f1e8c6a774ff4476508d5dc99666e59443 *${REVISION}.tar.gz" \ + && PKGOSSCHECKSUM="43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4 *${REVISION}.tar.gz" \ && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ echo "pkg-oss tarball checksum verification succeeded!"; \ else \ 
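Review bot: `gpg1 --batch --export $NGINX_GPGKEYS` drops the quotes on purpose, presumably so a space-separated list of key IDs is passed as separate arguments, but nothing in the hunk says so and hadolint's ShellCheck pass will report the line as SC2086; the fetch loop a few lines above still passes `"$NGINX_GPGKEY"` quoted, so the contrast reads like an oversight. A comment on the line, `# NGINX_GPGKEYS is a space-separated list of key IDs; word-splitting is intended`, keeps the intent from being "fixed" back. The same change is made in stable/debian/Dockerfile. The RUN instruction starts before the hunk.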
@@ -138,8 +138,9 @@ RUN set -x \ # implement changes required to run NGINX as an unprivileged user RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ - && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ + && sed -i 's,\(/var\)\{0\,1\}/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ + && sed -i 's,PIDFILE=${PIDFILE:-/run/nginx.pid},PIDFILE=${PIDFILE:-/tmp/nginx.pid},' /etc/init.d/nginx \ # nginx user must own the cache and etc directory to write cache and tweak the nginx config && chown -R $UID:0 /var/cache/nginx \ && chmod -R g+w /var/cache/nginx \ diff --git a/stable/alpine-otel/Dockerfile b/stable/alpine-otel/Dockerfile new file mode 100644 index 00000000..f3d1ea67 --- /dev/null +++ b/stable/alpine-otel/Dockerfile 
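Review bot: The added init-script substitution matches only the literal `PIDFILE=${PIDFILE:-/run/nginx.pid}`, while the nginx.conf substitution two lines above was just broadened to accept both `/run` and `/var/run`; if the shipped /etc/init.d/nginx spells the default differently, `sed -i` exits 0 without changing anything and the init script's pid path silently disagrees with nginx.conf. A one-line check after the sed, `&& grep -q '/tmp/nginx.pid' /etc/init.d/nginx \`, turns that into a build failure, or the same optional `\(/var\)` prefix could be used in both patterns. The same line is added in stable/debian/Dockerfile. The RUN instruction continues past the hunk.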
@@ -0,0 +1,85 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# +ARG IMAGE=nginxinc/nginx-unprivileged:1.28.0-alpine +FROM $IMAGE + +ENV OTEL_VERSION=0.1.2 + +ARG UID=101 +ARG GID=101 + +USER root + +RUN set -x \ + && apkArch="$(cat /etc/apk/arch)" \ + && nginxPackages=" \ + nginx=${NGINX_VERSION}-r${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \ + nginx-module-otel=${NGINX_VERSION}.${OTEL_VERSION}-r${PKG_RELEASE} \ + " \ +# install prerequisites for public key and pkg-oss checks + && apk add --no-cache --virtual .checksum-deps \ + openssl \ + && case "$apkArch" in \ + x86_64|aarch64) \ +# arches officially built by upstream + apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \ + ;; \ + *) \ +# we're on an architecture upstream doesn't officially build for +# let's build binaries from the published packaging sources + set -x \ + && tempDir="$(mktemp -d)" \ + && chown nobody:nobody $tempDir \ + && apk add --no-cache --virtual .build-deps \ + gcc \ + libc-dev \ + make \ + openssl-dev \ + pcre2-dev \ + zlib-dev \ + linux-headers \ + cmake \ + bash \ + alpine-sdk \ + findutils \ + curl \ + xz \ + protobuf-dev \ + grpc-dev \ + && su nobody -s /bin/sh -c " \ + export HOME=${tempDir} \ + && cd ${tempDir} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && PKGOSSCHECKSUM=\"517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ + echo \"pkg-oss tarball 
checksum verification succeeded!\"; \ + else \ + echo \"pkg-oss tarball checksum verification failed!\"; \ + exit 1; \ + fi \ + && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ + && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \ + && cd alpine \ + && make module-otel \ + && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \ + && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \ + " \ + && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \ + && apk del --no-network .build-deps \ + && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \ + ;; \ + esac \ +# remove checksum deps + && apk del --no-network .checksum-deps \ +# if we have leftovers from building, let's purge them (including extra, unnecessary build deps) + && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ + && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi + +USER $UID diff --git a/stable/alpine-perl/Dockerfile b/stable/alpine-perl/Dockerfile index 7754fe1f..bdde6779 100644 --- a/stable/alpine-perl/Dockerfile +++ b/stable/alpine-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.26.2-alpine +ARG IMAGE=nginxinc/nginx-unprivileged:1.28.0-alpine FROM $IMAGE ARG UID=101 
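Review bot: The official-arch `apk add -X` line in stable/alpine-otel/Dockerfile derives the repository path with `egrep`, which is the deprecated alias (GNU grep 3.8+ warns on every call; busybox keeps it only for compatibility); `grep -Eo '^[0-9]+\.[0-9]+' /etc/alpine-release` is the portable spelling. The unofficial-arch branch verifies the tarball checksum before extraction and removes the throw-away abuild signing key from /etc/apk/keys at the end, which is the right shape. Since the file is generated by update.sh, the fix belongs in the template it is rendered from.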
@@ -52,7 +52,7 @@ RUN set -x \ export HOME=${tempDir} \ && cd ${tempDir} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"b5d8ad59567a5df18f134236c4e22a339229cd56f4b2ae8d1b77a17f3dcfb16672103bd9191d419acf93c90e866b59417aad26ad7710d9dcc53bf38d1f88d764 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && PKGOSSCHECKSUM=\"517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ diff --git a/stable/alpine-slim/10-listen-on-ipv6-by-default.sh b/stable/alpine-slim/10-listen-on-ipv6-by-default.sh index 29898b1c..17660794 100755 --- a/stable/alpine-slim/10-listen-on-ipv6-by-default.sh +++ b/stable/alpine-slim/10-listen-on-ipv6-by-default.sh @@ -27,7 +27,7 @@ fi touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } # check if the file is already modified, e.g. on a container restart -grep -q "listen \[::]\:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } +grep -q "listen \[::\]:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } if [ -f "/etc/os-release" ]; then . /etc/os-release diff --git a/stable/alpine-slim/Dockerfile b/stable/alpine-slim/Dockerfile index d6bb43da..6c591082 100644 --- a/stable/alpine-slim/Dockerfile +++ b/stable/alpine-slim/Dockerfile 
@@ -3,14 +3,14 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=alpine:3.20 +ARG IMAGE=alpine:3.21 FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION=1.26.2 +ENV NGINX_VERSION=1.28.0 ENV PKG_RELEASE=1 -ENV DYNPKG_RELEASE=2 +ENV DYNPKG_RELEASE=1 ARG UID=101 ARG GID=101 @@ -63,7 +63,7 @@ RUN set -x \ export HOME=${tempDir} \ && cd ${tempDir} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"b5d8ad59567a5df18f134236c4e22a339229cd56f4b2ae8d1b77a17f3dcfb16672103bd9191d419acf93c90e866b59417aad26ad7710d9dcc53bf38d1f88d764 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && PKGOSSCHECKSUM=\"517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ 
@@ -87,23 +87,8 @@ RUN set -x \ # if we have leftovers from building, let's purge them (including extra, unnecessary build deps) && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \ && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \ -# Bring in gettext so we can get `envsubst`, then throw -# the rest away. To do this, we need to install `gettext` -# then move `envsubst` out of the way so `gettext` can -# be deleted completely, then move `envsubst` back. - && apk add --no-cache --virtual .gettext gettext \ - && mv /usr/bin/envsubst /tmp/ \ - \ - && runDeps="$( \ - scanelf --needed --nobanner /tmp/envsubst \ - | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ - | sort -u \ - | xargs -r apk info --installed \ - | sort -u \ - )" \ - && apk add --no-cache $runDeps \ - && apk del --no-network .gettext \ - && mv /tmp/envsubst /usr/local/bin/ \ +# Add `envsubst` for templating environment variables + && apk add --no-cache gettext-envsubst \ # Bring in tzdata so users could set the timezones through the environment # variables && apk add --no-cache tzdata \ @@ -116,7 +101,7 @@ RUN set -x \ # implement changes required to run NGINX as an unprivileged user RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ - && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ + && sed -i 's,\(/var\)\{0\,1\}/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ # nginx user must own the cache and etc directory to write cache and tweak the nginx config && chown -R $UID:0 /var/cache/nginx \ diff --git a/stable/alpine/Dockerfile b/stable/alpine/Dockerfile index ac676948..fece7d1e 100644 --- a/stable/alpine/Dockerfile 
+++ b/stable/alpine/Dockerfile @@ -3,10 +3,10 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.26.2-alpine-slim +ARG IMAGE=nginxinc/nginx-unprivileged:1.28.0-alpine-slim FROM $IMAGE -ENV NJS_VERSION=0.8.5 +ENV NJS_VERSION=0.8.10 ENV NJS_RELEASE=1 ARG UID=101 @@ -57,7 +57,7 @@ RUN set -x \ export HOME=${tempDir} \ && cd ${tempDir} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \ - && PKGOSSCHECKSUM=\"b5d8ad59567a5df18f134236c4e22a339229cd56f4b2ae8d1b77a17f3dcfb16672103bd9191d419acf93c90e866b59417aad26ad7710d9dcc53bf38d1f88d764 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ + && PKGOSSCHECKSUM=\"517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \ && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \ echo \"pkg-oss tarball checksum verification succeeded!\"; \ else \ diff --git a/stable/debian-otel/Dockerfile b/stable/debian-otel/Dockerfile new file mode 100644 index 00000000..4eb0b52a --- /dev/null +++ b/stable/debian-otel/Dockerfile 
@@ -0,0 +1,108 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# +ARG IMAGE=nginxinc/nginx-unprivileged:1.28.0 +FROM $IMAGE + +ENV OTEL_VERSION=0.1.2 + +ARG UID=101 +ARG GID=101 + +USER root + +RUN set -x; \ + NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \ + dpkgArch="$(dpkg --print-architecture)" \ + && nginxPackages=" \ + nginx=${NGINX_VERSION}-${PKG_RELEASE} \ + nginx-module-xslt=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-geoip=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-image-filter=${NGINX_VERSION}-${DYNPKG_RELEASE} \ + nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \ + nginx-module-otel=${NGINX_VERSION}+${OTEL_VERSION}-${PKG_RELEASE} \ + " \ + && case "$dpkgArch" in \ + amd64|arm64) \ +# arches officially built by upstream + echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ + && apt-get update \ + ;; \ + *) \ +# we're on an architecture upstream doesn't officially build for +# let's build binaries from the published packaging sources +# new directory for storing sources and .deb files + tempDir="$(mktemp -d)" \ + && chmod 777 "$tempDir" \ +# (777 to ensure APT's "_apt" user can access it too) + \ +# save list of currently-installed packages so build dependencies can be cleanly removed later + && savedAptMark="$(apt-mark showmanual)" \ + \ +# build .deb files from upstream's packaging sources + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + curl \ + devscripts \ + equivs \ + git \ + libxml2-utils \ + lsb-release \ + xsltproc \ + && ( \ + cd "$tempDir" \ + && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ + && REVISION=${REVISION%~*} \ + && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ + && 
PKGOSSCHECKSUM="517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4 *${REVISION}.tar.gz" \ + && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ + echo "pkg-oss tarball checksum verification succeeded!"; \ + else \ + echo "pkg-oss tarball checksum verification failed!"; \ + exit 1; \ + fi \ + && tar xzvf ${REVISION}.tar.gz \ + && cd pkg-oss-${REVISION} \ + && cd debian \ + && for target in module-otel; do \ + make rules-$target; \ + mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" \ + debuild-$target/nginx-$NGINX_VERSION/debian/control; \ + done \ + && make module-otel \ + ) \ +# we don't remove APT lists here because they get re-downloaded and removed later + \ +# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies +# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies) + && apt-mark showmanual | xargs apt-mark auto > /dev/null \ + && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \ + \ +# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be) + && ls -lAFh "$tempDir" \ + && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) \ + && grep '^Package: ' "$tempDir/Packages" \ + && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \ +# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes") +# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) +# ... 
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied) + && apt-get -o Acquire::GzipIndexes=false update \ + ;; \ + esac \ + \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + $nginxPackages \ + gettext-base \ + curl \ + && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \ + \ +# if we have leftovers from building, let's purge them (including extra, unnecessary build deps) + && if [ -n "$tempDir" ]; then \ + apt-get purge -y --auto-remove \ + && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \ + fi + +USER $UID diff --git a/stable/debian-perl/Dockerfile b/stable/debian-perl/Dockerfile index 3a861f81..89777a71 100644 --- a/stable/debian-perl/Dockerfile +++ b/stable/debian-perl/Dockerfile @@ -3,7 +3,7 @@ # # PLEASE DO NOT EDIT IT DIRECTLY. # -ARG IMAGE=nginxinc/nginx-unprivileged:1.26.2 +ARG IMAGE=nginxinc/nginx-unprivileged:1.28.0 FROM $IMAGE ARG UID=101 @@ -24,7 +24,7 @@ RUN set -x; \ " \ && case "$dpkgArch" in \ amd64|arm64) \ -# arches officialy built by upstream +# arches officially built by upstream echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ 
@@ -54,7 +54,7 @@ RUN set -x; \ && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ && REVISION=${REVISION%~*} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ - && PKGOSSCHECKSUM="b5d8ad59567a5df18f134236c4e22a339229cd56f4b2ae8d1b77a17f3dcfb16672103bd9191d419acf93c90e866b59417aad26ad7710d9dcc53bf38d1f88d764 *${REVISION}.tar.gz" \ + && PKGOSSCHECKSUM="517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4 *${REVISION}.tar.gz" \ && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ echo "pkg-oss tarball checksum verification succeeded!"; \ else \ diff --git a/stable/debian/10-listen-on-ipv6-by-default.sh b/stable/debian/10-listen-on-ipv6-by-default.sh index 29898b1c..17660794 100755 --- a/stable/debian/10-listen-on-ipv6-by-default.sh +++ b/stable/debian/10-listen-on-ipv6-by-default.sh @@ -27,7 +27,7 @@ fi touch /$DEFAULT_CONF_FILE 2>/dev/null || { entrypoint_log "$ME: info: can not modify /$DEFAULT_CONF_FILE (read-only file system?)"; exit 0; } # check if the file is already modified, e.g. on a container restart -grep -q "listen \[::]\:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } +grep -q "listen \[::\]:8080;" /$DEFAULT_CONF_FILE && { entrypoint_log "$ME: info: IPv6 listen already enabled"; exit 0; } if [ -f "/etc/os-release" ]; then . /etc/os-release diff --git a/stable/debian/Dockerfile b/stable/debian/Dockerfile index 452f8dee..989b30e5 100644 --- a/stable/debian/Dockerfile +++ b/stable/debian/Dockerfile @@ -8,11 +8,11 @@ FROM $IMAGE LABEL maintainer="NGINX Docker Maintainers " -ENV NGINX_VERSION=1.26.2 -ENV NJS_VERSION=0.8.5 +ENV NGINX_VERSION=1.28.0 +ENV NJS_VERSION=0.8.10 ENV NJS_RELEASE=1~bookworm ENV PKG_RELEASE=1~bookworm -ENV DYNPKG_RELEASE=2~bookworm +ENV DYNPKG_RELEASE=1~bookworm ARG UID=101 ARG GID=101 
@@ -34,11 +34,11 @@ RUN set -x \ pgp.mit.edu \ ; do \ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \ - gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ + gpg1 --batch --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \ done; \ test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ done; \ - gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ + gpg1 --batch --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \ rm -rf "$GNUPGHOME"; \ apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \ && dpkgArch="$(dpkg --print-architecture)" \ @@ -51,7 +51,7 @@ RUN set -x \ " \ && case "$dpkgArch" in \ amd64|arm64) \ -# arches officialy built by upstream +# arches officially built by upstream echo "deb [signed-by=$NGINX_GPGKEY_PATH] https://nginx.org/packages/debian/ bookworm nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ ;; \ @@ -81,7 +81,7 @@ RUN set -x \ && REVISION="${NGINX_VERSION}-${PKG_RELEASE}" \ && REVISION=${REVISION%~*} \ && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${REVISION}.tar.gz \ - && PKGOSSCHECKSUM="b5d8ad59567a5df18f134236c4e22a339229cd56f4b2ae8d1b77a17f3dcfb16672103bd9191d419acf93c90e866b59417aad26ad7710d9dcc53bf38d1f88d764 *${REVISION}.tar.gz" \ + && PKGOSSCHECKSUM="517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4 *${REVISION}.tar.gz" \ && if [ "$(openssl sha512 -r ${REVISION}.tar.gz)" = "$PKGOSSCHECKSUM" ]; then \ echo "pkg-oss tarball checksum verification succeeded!"; \ else \ 
@@ -138,8 +138,9 @@ RUN set -x \ # implement changes required to run NGINX as an unprivileged user RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \ && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \ - && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ + && sed -i 's,\(/var\)\{0\,1\}/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \ && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \ + && sed -i 's,PIDFILE=${PIDFILE:-/run/nginx.pid},PIDFILE=${PIDFILE:-/tmp/nginx.pid},' /etc/init.d/nginx \ # nginx user must own the cache and etc directory to write cache and tweak the nginx config && chown -R $UID:0 /var/cache/nginx \ && chmod -R g+w /var/cache/nginx \ diff --git a/update.sh b/update.sh index f49e1549..6adb4f7a 100755 --- a/update.sh +++ b/update.sh @@ -12,14 +12,14 @@ declare branches=( # Current nginx versions # Remember to update pkgosschecksum when changing this. declare -A nginx=( - [mainline]='1.27.1' - [stable]='1.26.2' + [mainline]='1.29.1' + [stable]='1.28.0' ) # Current njs versions declare -A njs=( - [mainline]='0.8.5' - [stable]='0.8.5' + [mainline]='0.9.1' + [stable]='0.8.10' ) # Current njs patchlevel version @@ -29,6 +29,12 @@ declare -A njspkg=( [stable]='1' ) +# Current otel versions +declare -A otel=( + [mainline]='0.1.2' + [stable]='0.1.2' +) + # Current nginx package patchlevel version # Remember to update pkgosschecksum when changing this. declare -A pkg=( @@ -39,8 +45,8 @@ declare -A pkg=( # Current built-in dynamic modules package patchlevel version # Remember to update pkgosschecksum when changing this declare -A dynpkg=( - [mainline]=2 - [stable]=2 + [mainline]=1 + [stable]=1 ) declare -A debian=( 
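Review bot: Both new sed expressions in the `stable/debian/Dockerfile` hunk lean on GNU-sed readings of the pattern: `\{0\,1\}` escapes the `,` delimiter inside an interval, and `${PIDFILE:-/run/nginx.pid}` relies on a mid-pattern `$` being taken literally, which POSIX BRE leaves undefined. A delimiter that does not occur in the paths plus an escaped dollar keeps the intent readable: `sed -i 's|\(/var\)\{0,1\}/run/nginx.pid|/tmp/nginx.pid|' /etc/nginx/nginx.conf` and `sed -i 's|PIDFILE=\${PIDFILE:-/run/nginx.pid}|PIDFILE=\${PIDFILE:-/tmp/nginx.pid}|' /etc/init.d/nginx`. The `sed -i` on `/etc/init.d/nginx` also turns the build into a hard failure if the package ever stops shipping that init script; if the edit only keeps a script the container never starts consistent, a guard such as `&& { [ ! -f /etc/init.d/nginx ] || sed -i '…' /etc/init.d/nginx; }` would make that explicit. The RUN instruction continues outside the hunk.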
@@ -49,8 +55,8 @@ declare -A debian=( ) declare -A alpine=( - [mainline]='3.20' - [stable]='3.20' + [mainline]='3.22' + [stable]='3.21' ) # When we bump njs version in a stable release we don't move the tag in the @@ -66,8 +72,8 @@ declare -A rev=( # revision/tag in the previous block # Used in builds for architectures not packaged by nginx.org declare -A pkgosschecksum=( - [mainline]='e1a8e980d904df21484fc09793f1c938d566dcf0e752171714e70fc364dcd54b1bf3ce3e2ec90747114c5b24ac8050f1e8c6a774ff4476508d5dc99666e59443' - [stable]='b5d8ad59567a5df18f134236c4e22a339229cd56f4b2ae8d1b77a17f3dcfb16672103bd9191d419acf93c90e866b59417aad26ad7710d9dcc53bf38d1f88d764' + [mainline]='43ecd667d9039c9ab0fab9068c16b37825b15f7d4ef6ea8f36a41378bdf1a198463c751f8b76cfe2aef7ffa8dd9f88f180b958a8189d770258b5a97dc302daf4' + [stable]='517bc18954ccf4efddd51986584ca1f37966833ad342a297e1fe58fd0faf14c5a4dabcb23519dca433878a2927a95d6bea05a6749ee2fa67a33bf24cdc41b1e4' ) get_packages() { @@ -75,6 +81,8 @@ get_packages() { shift local branch="$1" shift + local bn="" + local otel= local perl= local r= local sep= @@ -93,6 +101,10 @@ get_packages() { *-perl) perl="nginx-module-perl" ;; + *-otel) + otel="nginx-module-otel" + bn="\n" + ;; esac echo -n ' \\\n' @@ -110,16 +122,21 @@ get_packages() { echo -n ' '"$p"'=${NGINX_VERSION}-'"$r"'${DYNPKG_RELEASE} \\\n' done for p in nginx-module-njs; do - echo -n ' '"$p"'=${NGINX_VERSION}'"$sep"'${NJS_VERSION}-'"$r"'${NJS_RELEASE} \\' + echo -n ' '"$p"'=${NGINX_VERSION}'"$sep"'${NJS_VERSION}-'"$r"'${NJS_RELEASE} \\'"$bn" + done + for p in $otel; do + echo -n ' '"$p"'=${NGINX_VERSION}'"$sep"'${OTEL_VERSION}-'"$r"'${PKG_RELEASE} \\' done ;; esac } get_packagerepo() { - local distro="${1%-perl}" - distro="${distro%-slim}" + local distro="$1" shift + distro="${distro%-perl}" + distro="${distro%-otel}" + distro="${distro%-slim}" local branch="$1" shift 
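Review bot: The suffix-stripping chain added to `get_packagerepo` at the end of the `@@ -110,16 +122,21 @@` hunk is repeated verbatim in `get_packagever` in the next hunk (`@@ -129,8 +146,11 @@`), so a new variant suffix has to be added in two places; a small helper keeps the list in one spot. The `for p in $otel; do` line in the same hunk depends on word-splitting so that an empty `otel` yields zero iterations, which is fine but should be stated, e.g. `# $otel is intentionally unquoted: empty means no otel package line`. The `"$bn"` suffix on the njs line is a literal `\n` that is presumably turned into a newline by the later `s,%%PACKAGES%%,…,` substitution; a one-line comment where `bn` is set would save the next reader that trace. `get_packagerepo` continues past the hunk.
```shell
# Strip the variant suffixes (-perl, -otel, -slim) from a distro name.
strip_variant() {
  local distro="$1"
  distro="${distro%-perl}"
  distro="${distro%-otel}"
  distro="${distro%-slim}"
  printf '%s\n' "$distro"
}

get_packagerepo() {
  local distro
  distro="$(strip_variant "$1")"
  shift
  # … unchanged: branch argument and repo selection …
```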
@@ -129,8 +146,11 @@ get_packagerepo() { } get_packagever() { - local distro="${1%-perl}" + local distro="$1" shift + distro="${distro%-perl}" + distro="${distro%-otel}" + distro="${distro%-slim}" local branch="$1" shift local package="$1" @@ -154,6 +174,7 @@ get_packagever() { get_buildtarget() { local distro="$1" + shift case "$distro" in alpine-slim) echo base @@ -167,6 +188,9 @@ get_buildtarget() { *-perl) echo module-perl ;; + *-otel) + echo module-otel + ;; esac } @@ -182,15 +206,15 @@ __EOF__ for branch in "${branches[@]}"; do for variant in \ - alpine{,-perl,-slim} \ - debian{,-perl}; do + alpine{,-perl,-otel,-slim} \ + debian{,-perl,-otel}; do echo "$branch: $variant dockerfiles" dir="$branch/$variant" variant="$(basename "$variant")" [ -d "$dir" ] || continue - template="Dockerfile-${variant%}.template" + template="Dockerfile-${variant}.template" { generated_warning cat "$template" @@ -200,6 +224,7 @@ for branch in "${branches[@]}"; do alpinever="${alpine[$branch]}" nginxver="${nginx[$branch]}" njsver="${njs[${branch}]}" + otelver="${otel[${branch}]}" revver="${rev[${branch}]}" pkgosschecksumver="${pkgosschecksum[${branch}]}" @@ -217,6 +242,7 @@ for branch in "${branches[@]}"; do -e 's,%%NGINX_VERSION%%,'"$nginxver"',' \ -e 's,%%NJS_VERSION%%,'"$njsver"',' \ -e 's,%%NJS_RELEASE%%,'"$njspkgver"',' \ + -e 's,%%OTEL_VERSION%%,'"$otelver"',' \ -e 's,%%PKG_RELEASE%%,'"$packagever"',' \ -e 's,%%PACKAGES%%,'"$packages"',' \ -e 's,%%PACKAGEREPO%%,'"$packagerepo"',' \ @@ -225,7 +251,7 @@ for branch in "${branches[@]}"; do -e 's,%%BUILDTARGET%%,'"$buildtarget"',' \ "$dir/Dockerfile" - done + done for variant in \ alpine-slim \