feat: upgrade apisix-runtime to OpenResty 1.29.2.4

[jarvis9443]

Upgrades the apisix-runtime build script to OpenResty 1.29.2.4 and OpenSSL 3.4.1.

The OpenResty patch module dependencies now use released tags:

• api7/ngx_multi_upstream_module 1.3.3
• api7/apisix-nginx-module 1.19.5

Validation:

• git diff --check
• bash -n build-apisix-runtime.sh
• verified both release tags resolve to the merged patch commits
• downstream APISIX validation PR: chore: use apisix-runtime 1.3.6 apache/apisix#13412

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updates the APISIX runtime build script to pin OpenResty 1.29.2.4, change the OpenSSL 3 install invocation, add a verify_module_commit helper, and make module retrieval deterministic by handling copy-vs-clone and enforcing pinned commit SHAs.

Changes

OpenResty 1.29.2.4 upgrade and module source retrieval improvements

Layer / File(s)	Summary
OpenResty version pinning and module alignment build-apisix-runtime.sh	OPENRESTY_VERSION default updated to 1.29.2.4; ngx_multi_upstream_module_ver and apisix_nginx_module_ver refs and their default pinned commit SHAs are updated.
OpenSSL 3 installation targets build-apisix-runtime.sh	OpenSSL 3 final install command changed from sudo make install to sudo make install_sw install_ssldirs.
verify_module_commit helper build-apisix-runtime.sh	Adds verify_module_commit(module_dir, expected_commit) that asserts a module dir is a git worktree and that HEAD equals the expected pinned commit, exiting on mismatch.
Conditional module source retrieval with commit checkout build-apisix-runtime.sh	Adds flags to select copy-from-previous-workdir vs clone-from-upstream for ngx_multi_upstream_module and apisix-nginx-module; when cloning and a commit SHA is set the script fetches and checks out that commit, and when sources were copied it verifies the current HEAD matches the pinned SHA (exits on mismatch).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• api7/api7-ee-3-gateway#1576: touches runtime build script OpenResty version and module pin/checkout handling similar to these changes.

Possibly related PRs

• api7/apisix-build-tools#459: Both PRs modify build-apisix-runtime.sh’s apisix_nginx_module_ver pin/checkout behavior.

Suggested reviewers

• nic-6443

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
E2e Test Quality Review	⚠️ Warning	This PR is a build script update (OpenResty 1.29.2.4 upgrade) with no E2E test changes. The custom check requires E2E test completeness (Blocking issue), but none exist in the PR.	Add E2E test coverage validating the build script produces a working runtime, or clarify if E2E tests are not required for build script changes in this project.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: upgrade apisix-runtime to OpenResty 1.29.2.4' directly and clearly describes the primary change - upgrading OpenResty to version 1.29.2.4, which aligns with the main objective and the raw summary showing OPENRESTY_VERSION update to 1.29.2.4.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	Build script PR (bash) for packaging tool, not API control plane. No sensitive data, secrets, authorization issues, or new crypto problems introduced. Security check not applicable.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch nic/openresty-1.29.2.4-runtime-v2

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Upgrades the apisix-runtime build script to build against OpenResty 1.29.2.4 and OpenSSL 3.4.1, including temporary pinning of specific dependency commits to keep required patches applying during the transition.

Changes:

• Bump OpenResty version to 1.29.2.4 and keep OpenSSL at 3.4.1.
• Temporarily pin ngx_multi_upstream_module and apisix-nginx-module to specific commits and add logic to clone+checkout those commits.
• Adjust OpenSSL install step to make install_sw install_ssldirs.

Comments suppressed due to low confidence (1)

build-apisix-runtime.sh:132

• Similarly, when apisix_nginx_module_commit is set (it is by default), the clone always uses main, so apisix_nginx_module_ver isn’t used for cloning in the default path. This makes the behavior harder to reason about and relies on git fetch by SHA for correctness. Consider cloning $apisix_nginx_module_ver and then checking out the pinned commit (or add a comment explaining why main is required).

    apisix_nginx_module_cloned=1
    apisix_nginx_module_clone_ref="$apisix_nginx_module_ver"
    if [ -n "$apisix_nginx_module_commit" ]; then
        apisix_nginx_module_clone_ref="main"
    fi
    git clone --depth=1 -b $apisix_nginx_module_clone_ref \
        https://github.com/api7/apisix-nginx-module.git \
        apisix-nginx-module-${apisix_nginx_module_ver}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

build-apisix-runtime.sh (1)

93-111: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Enforce pinned commit even when module source is copied from local workdir.

When repo matches the module name, the script copies local sources and skips commit checkout. If ngx_multi_upstream_module_commit / apisix_nginx_module_commit is set, this can build from an unintended local HEAD and break reproducibility (Line 93 and Line 121 paths).

Suggested fix

 if [ -n "$ngx_multi_upstream_module_commit" ] && [ "$ngx_multi_upstream_module_cloned" = 1 ]; then
     git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} fetch --depth=1 \
         origin "$ngx_multi_upstream_module_commit"
     git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} checkout \
         "$ngx_multi_upstream_module_commit"
+elif [ -n "$ngx_multi_upstream_module_commit" ]; then
+    current_commit=$(git -C ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} rev-parse HEAD)
+    if [ "$current_commit" != "$ngx_multi_upstream_module_commit" ]; then
+        echo "ERROR: ngx_multi_upstream_module HEAD ($current_commit) != pinned commit ($ngx_multi_upstream_module_commit)" >&2
+        exit 1
+    fi
 fi
@@
 if [ -n "$apisix_nginx_module_commit" ] && [ "$apisix_nginx_module_cloned" = 1 ]; then
     git -C apisix-nginx-module-${apisix_nginx_module_ver} fetch --depth=1 \
         origin "$apisix_nginx_module_commit"
     git -C apisix-nginx-module-${apisix_nginx_module_ver} checkout \
         "$apisix_nginx_module_commit"
+elif [ -n "$apisix_nginx_module_commit" ]; then
+    current_commit=$(git -C apisix-nginx-module-${apisix_nginx_module_ver} rev-parse HEAD)
+    if [ "$current_commit" != "$apisix_nginx_module_commit" ]; then
+        echo "ERROR: apisix-nginx-module HEAD ($current_commit) != pinned commit ($apisix_nginx_module_commit)" >&2
+        exit 1
+    fi
 fi

Also applies to: 121-139

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build-apisix-runtime.sh` around lines 93 - 111, The script currently copies
local workdir when repo == ngx_multi_upstream_module and sets
ngx_multi_upstream_module_cloned=0, which skips later commit checkout and breaks
reproducibility if ngx_multi_upstream_module_commit is set; fix by ensuring that
when ngx_multi_upstream_module_commit is non-empty you either perform a proper
git clone of the repo at that commit (use ngx_multi_upstream_module_clone_ref
and git clone/fetch/checkout) instead of raw cp, or after copying initialize a
git repo inside ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} (git
init, git remote add origin, git fetch --depth=1 origin <commit>, git checkout
<commit>) so the subsequent checkout logic works; apply the same change for the
apisix_nginx_module code path (the analogous variables
apisix_nginx_module_commit and apisix_nginx_module_cloned) so pinned commits are
enforced in both cases.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@build-apisix-runtime.sh`:
- Around line 93-111: The script currently copies local workdir when repo ==
ngx_multi_upstream_module and sets ngx_multi_upstream_module_cloned=0, which
skips later commit checkout and breaks reproducibility if
ngx_multi_upstream_module_commit is set; fix by ensuring that when
ngx_multi_upstream_module_commit is non-empty you either perform a proper git
clone of the repo at that commit (use ngx_multi_upstream_module_clone_ref and
git clone/fetch/checkout) instead of raw cp, or after copying initialize a git
repo inside ngx_multi_upstream_module-${ngx_multi_upstream_module_ver} (git
init, git remote add origin, git fetch --depth=1 origin <commit>, git checkout
<commit>) so the subsequent checkout logic works; apply the same change for the
apisix_nginx_module code path (the analogous variables
apisix_nginx_module_commit and apisix_nginx_module_cloned) so pinned commits are
enforced in both cases.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f1d14880-9a35-40e0-b155-e602cc6fafff

📥 Commits

Reviewing files that changed from the base of the PR and between 478d4f5 and 98b4b90.

📒 Files selected for processing (1)

• build-apisix-runtime.sh

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

build-apisix-runtime.sh:150

• Same as above for apisix-nginx-module: the cp -r path will hit git ... rev-parse HEAD when a pinned commit is set, but that will fail (and terminate the script) if the copied directory isn't a valid git checkout/worktree. Please add an explicit git work-tree detection with a clearer error message (or skip the commit check when git metadata isn't present).

fi

if [ "$repo" == wasm-nginx-module ]; then
    cp -r "$prev_workdir" ./wasm-nginx-module-${wasm_nginx_module_ver}
else
    git clone --depth=1 -b $wasm_nginx_module_ver \

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.