From 91eaf624bc74e0abb92909c059f84a9d8de52d20 Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 10:46:20 -0400
Subject: [PATCH 1/9] Adjust a comment about why the version begins with `v`

---
 restyrepo/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/restyrepo/Dockerfile b/restyrepo/Dockerfile
index 418b909..aa652b4 100644
--- a/restyrepo/Dockerfile
+++ b/restyrepo/Dockerfile
@@ -11,7 +11,7 @@ LABEL maintainer="Evan Wies <evan@neomantra.net>"
 # Docker Build Arguments
 ARG RESTY_IMAGE_BASE="debian"
 ARG RESTY_IMAGE_TAG="trixie-slim"
-ARG RESTY_VERSION="v1.29.2.4" # Includes the full branch name, hence 'v' prefix
+ARG RESTY_VERSION="v1.29.2.4" # Uses the full tag name, hence 'v' prefix
 ARG RESTY_SOURCE_REPO="https://github.com/openresty/openresty.git"
 ARG RESTY_LUAROCKS_VERSION="3.13.0"
 

From 8dfa99787c9196476e2b82466d3be7c6de0dc949 Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:37:56 -0400
Subject: [PATCH 2/9] Include `asfald-latest` for verified downloads

---
 restyrepo/Dockerfile | 232 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 227 insertions(+), 5 deletions(-)

diff --git a/restyrepo/Dockerfile b/restyrepo/Dockerfile
index aa652b4..71c680b 100644
--- a/restyrepo/Dockerfile
+++ b/restyrepo/Dockerfile
@@ -4,13 +4,235 @@
 ARG RESTY_IMAGE_BASE="debian"
 ARG RESTY_IMAGE_TAG="trixie-slim"
 
-FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG}
+FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG} AS resty-base
+RUN DEBIAN_FRONTEND=noninteractive apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        bash \
+        busybox \
+        ca-certificates \
+        coreutils \
+        curl
+
+FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG} AS asfald-download
+
+# Do not update this.
+# Simply download asfald-latest with this version instead.
+# Later versions removed the feature we depend upon.
+ARG ASFALD_VERSION="0.6.0"
+
+ARG ASFALD_FILE_AMD64="asfald-x86_64-unknown-linux-musl"
+ARG ASFALD_FILE_ARM64="asfald-aarch64-unknown-linux-musl"
+
+ARG SHA256_ASFALD_AMD64="017cdc44d767bb4733a3bd3fa5f97719e3f58236d006321dfae1924fdda3de9d"
+ARG SHA256_ASFALD_ARM64="4fc112617a71f97592b8760b98c16339d5243577186c970c784fbcab2ef8abd1"
+
+ARG DESTDIR="/downloaded"
+ARG CHECKSUM_ALGORITHM="sha256"
+
+ARG ASFALD_DOWNLOAD_URI="asfaload/asfald/releases/download/v${ASFALD_VERSION}"
+ARG ASFALD_URL="https://github.com/${ASFALD_DOWNLOAD_URI}"
+
+# Let Docker download and cache these files for us
+ADD "${ASFALD_URL}/checksums.txt" "${DESTDIR}/"
+ARG ASFALD_CHECKSUM_AMD64="${CHECKSUM_ALGORITHM}:${SHA256_ASFALD_AMD64}"
+ARG ASFALD_CHECKSUM_ARM64="${CHECKSUM_ALGORITHM}:${SHA256_ASFALD_ARM64}"
+ADD --checksum="${ASFALD_CHECKSUM_AMD64}" "${ASFALD_URL}/${ASFALD_FILE_AMD64}" "${DESTDIR}/"
+ADD --checksum="${ASFALD_CHECKSUM_ARM64}" "${ASFALD_URL}/${ASFALD_FILE_ARM64}" "${DESTDIR}/"
+
+ARG TARGETARCH
+RUN set -eu ; \
+    decide_fn() { \
+      case "${TARGETARCH}" in \
+        (amd64) printf -- '%s\n' "${ASFALD_FILE_AMD64}" ;; \
+        (arm64) printf -- '%s\n' "${ASFALD_FILE_ARM64}" ;; \
+        (*) printf -- '%s\n' 'fallback-to-busybox.sh' ;; \
+      esac ; \
+    } ; \
+\
+    { \
+        printf -- '%s\n' '#!/usr/bin/env sh' '' \
+            '_cleanup() { case "${1}" in' \
+            '    (register) [ -n "${2}" ] && _cleanup_registry="${_cleanup_registry}${2}\000" ;;' \
+            '    (clear)' \
+            '        busybox printf "%b" "${_cleanup_registry}" | busybox xargs -r -0 busybox rm -f;' \
+            '        _cleanup_registry="";' \
+            '        ;;' \
+            '    esac;' \
+            '}' '_cleanup_registry="";' 'trap "_cleanup clear" EXIT;' '' \
+            '_get_url() {' \
+            '    _o="${1}"; shift;' \
+            '    _u="${1}"; shift;' \
+            '    if [ 1 -eq "${USE_CURL:-0}" ]; then' \
+            '        curl -fsSLo "${_o}" -- "${_u}";' \
+            '    else' \
+            '        busybox wget -O "${_o}" "${@}" -- "${_u}";' \
+            '    fi;' \
+            '    _rc="${?}";' \
+            '    unset -v _o _u;' \
+            '    return "${_rc}";' \
+            '}' '' \
+            '_stderr() {' \
+            '    printf 1>&2 -- "%s\n" "${@}";' \
+            '}' '' \
+            'extract_gh_digests() {' \
+            '    busybox awk -e '\' \
+            '      /clipboard digest for / {' \
+            '        td=gensub(/<clipboard-copy (.+)>/, "\\1", "g");' \
+            '        d=gensub(/^.* value="[^:]+:([^"]+)".*$/, "\\1", 1, td);' \
+            '        f=gensub(/^.* aria-label=".+digest for ([^"]+)".*$/, "\\1", 1, td);' \
+            '        print d " *" f;' \
+            '      }' \
+            '    '\'';' \
+            '}' '' \
+            'find_hash_for_file() {' \
+            '    _f="${1}"; shift;' \
+            '    busybox awk -v file="${_f}" -e '\''$0 ~ " [* ]" file "$" {print $1; exit;}'\'' "${@}";' \
+            '    unset -v _f;' \
+            '}' '' \
+            'get_from_gh_url() { case "${1}" in' \
+            '    (owner)' \
+            '        busybox awk -v url="${2}" -e '\' \
+            '          END {' \
+            '            print gensub(/^https?:\/\/github\.com\/([^\/]+)\/.*$/, "\\1", 1, url);' \
+            '          }' \
+            '        '\'' </dev/null;' \
+            '        ;;' \
+            '    (repo)' \
+            '        busybox awk -v url="${2}" -e '\' \
+            '          END {' \
+            '            print gensub(/^https?:\/\/github\.com\/[^\/]+\/([^\/]+)\/.*$/, "\\1", 1, url);' \
+            '          }' \
+            '        '\'' </dev/null;' \
+            '        ;;' \
+            '    (tag)' \
+            '        _url="${2}";' \
+            '        if is_gh_tag_url "${_url}"; then' \
+            '            busybox basename "${_url}";' \
+            '        elif is_gh_download_url "${_url}"; then' \
+            '            _tag_url="$(busybox dirname "${_url}")";' \
+            '            busybox basename "${_tag_url}";' \
+            '            unset -v _tag_url;' \
+            '        fi;' \
+            '        unset -v _url;' \
+            '        ;;' \
+            '    esac;' \
+            '}' '' \
+            'get_gh_digests_from_tag() {' \
+            '    _url="$(printf -- "https://github.com/%s/%s/releases/expanded_assets/%s\n" "${1}" "${2}" "${3}")";' \
+            '    _get_url - "${_url}" -q | extract_gh_digests;' \
+            '    unset -v _url;' \
+            '}' '' \
+            'is_gh_download_url() { case "${1}" in' \
+            '    (http*://github.com/*/releases/download/*) return 0 ;;' \
+            '    esac;' \
+            '    return 1;' \
+            '}' '' \
+            'is_gh_tag_url() { case "${1}" in' \
+            '    (http*://github.com/*/releases/tag/*) return 0 ;;' \
+            '    esac;' \
+            '    return 1;' \
+            '}' '' \
+            'for _arg in "${@}"; do case "${_arg}" in' \
+            '    (--force-absent|-f) _verified=1 ;;' \
+            '    (--hash|-H) _set_H=1 ;;' \
+            '    (--output|-o) _set_o=1 ;;' \
+            '    (--pattern|-p) _set_p=1 ;;' \
+            '    (*)' \
+            '        if [ 1 -eq "${_set_H:-0}" ]; then hash="${_arg}"; unset -v _set_H ; fi ;' \
+            '        if [ 1 -eq "${_set_o:-0}" ]; then output="${_arg}"; unset -v _set_o ; fi ;' \
+            '        if [ 1 -eq "${_set_p:-0}" ]; then pattern="${_arg}"; unset -v _set_p ; fi ;' \
+            '        url="${_arg}"' \
+            '        ;;' \
+            'esac; done; unset -v _arg ;' '' \
+            'if [ -z "${output-}" ]; then output="$(busybox basename "${url}")"; fi;' \
+            'if [ -z "${hash-}" ] && [ -n "${pattern-}" ]; then' \
+            '    cs_url="$(busybox awk '\\ \
+            '        -v file="$(busybox basename "${url}")" '\\ \
+            '        -v fullpath="${url}" '\\ \
+            '        -v path="$(busybox dirname "${url}")" '\\ \
+            '        -v pattern="${pattern}" -e '\' \
+            '      END {' \
+            '        out = gensub(/[$][{]file[}]/, file, "g", pattern);' \
+            '        out = gensub(/[$][{]fullpath[}]/, fullpath, "g", out);' \
+            '        out = gensub(/[$][{]path[}]/, path, "g", out);' \
+            '        print out;' \
+            '      }' \
+            '    '\'' </dev/null)";' \
+            'fi;' \
+            'gh_tag="$(get_from_gh_url "tag" "${url}")";' \
+            'if [ -z "${hash-}" ] && [ -n "${gh_tag}" ]; then' \
+            '    gh_owner="$(get_from_gh_url "owner" "${url}")";' \
+            '    gh_repo="$(get_from_gh_url "repo" "${url}")";' \
+            '    csfile="$(busybox mktemp)" && _cleanup register "${csfile}" &&' \
+            '    get_gh_digests_from_tag "${gh_owner}" "${gh_repo}" "${gh_tag}" > "${csfile}" &&' \
+            '    hash="$(find_hash_for_file "$(busybox basename "${url}")" "${csfile}")";' \
+            '    [ -s "${csfile}" ] || _stderr "Warning: No digests extracted for any artifacts at GitHub.com!";' \
+            '    [ -n "${hash}" ] || _stderr "Warning: No digest found at GitHub.com!";' \
+            'fi;' \
+            'dlfile="$(busybox mktemp)" &&' \
+            '    _cleanup register "${dlfile}" &&' \
+            '    { [ -z "${cs_url-}" ] || { _get_url "${dlfile}" "${cs_url}" -q && hash="$(find_hash_for_file "$(busybox basename "${url}")" "${dlfile}")" ; [ -n "${hash-}" ]; } ; } &&' \
+            '    _get_url "${dlfile}" "${url}" &&' \
+            '    { [ -z "${hash-}" ] || { busybox printf -- "%s *%s\n" "${hash-}" "${dlfile}" | busybox sha256sum -cw && _verified=1 || _verified=0; } ; } &&' \
+            '    { [ "-" = "${output-}" ] && busybox cat "${dlfile}" || [ 1 -eq "${_verified:-0}" ] && busybox mv -fT "${dlfile}" "${output-}" ; } ;' \
+        ; \
+    } > "${DESTDIR}/fallback-to-busybox.sh" ; \
+\
+    file="$(decide_fn)" ; \
+    install -v -D -m 00755 -o root -g root "${DESTDIR}/${file}" "/verified/${TARGETARCH}/asfald"
+
+FROM scratch AS asfald
+ARG TARGETARCH
+COPY --from=asfald-download "/verified/${TARGETARCH}/asfald" /usr/local/sbin/
+
+FROM resty-base AS with-asfald
+COPY --from=asfald /usr/local/sbin/ /usr/local/sbin/
+
+ARG TARGETARCH
+RUN set -eu ; \
+\
+    decide_arch() { \
+      case "${TARGETARCH}" in \
+        (amd64) printf -- 'x86_64' ;; \
+        (arm64) printf -- 'aarch64' ;; \
+      esac ; \
+    } ; \
+    decide_latest_tag() { \
+        busybox wget -q -S -O /dev/null \
+            "https://github.com/${1}/${2}/releases/latest" 2>&1 | \
+            busybox awk -F : -e 'tolower($1) ~ /^[[:space:]]*location$/ { n = split($NF, P, "/"); print P[n]; exit; }' ; \
+    } ; \
+\
+    set -x ; arch="$(decide_arch)" ; \
+    gh_releases_uri='github.com/asfaload/asfald/releases' ; \
+    dest='/usr/local/sbin/asfald-latest' ; \
+    if [ -z "${arch}" ]; then ln -s asfald "${dest}" ; exit 0; fi ; \
+    TMPDIR="$(busybox dirname "${dest}")" \
+    asfald --overwrite --output "${dest}" \
+        --pattern '${path}/checksums.txt' -- \
+        "https://${gh_releases_uri}/latest/download/asfald-${arch}-unknown-linux-musl" && \
+    busybox chmod -c 00755 "${dest}" && busybox chown -c root:root "${dest}" ; \
+\
+    checksums_base_uri="https://gh.checksums.asfaload.com/${gh_releases_uri}/download" ; \
+    latest_version="$(decide_latest_tag 'asfaload' 'asfald')" ; \
+    checksums_url="${checksums_base_uri}/${latest_version}/checksums.txt" ; \
+    dest="$(busybox mktemp)" ; \
+    TMPDIR="$(busybox dirname "${dest}")" \
+    asfald --overwrite --output "${dest}" \
+        --quiet --force-absent --no-asfaload-index -- "${checksums_url}" ; \
+    specific_checksum="$(busybox awk -v dl="asfald-${arch}-unknown-linux-musl" -e '$NF ~ dl "$" { print $1; exit; }' "${dest}" ; busybox rm -f "${dest}")" ; \
+    (cd /usr/local/sbin && busybox printf -- '%s *%s\n' "${specific_checksum}" 'asfald-latest' | cksum --algorithm='sha256' --check --strict --warn || busybox rm -f 'asfald-latest') ; \
+    [ -x /usr/local/sbin/asfald-latest ] ; \
+    specific_checksum="$(asfald-latest --get-hash "https://${gh_releases_uri}/download/${latest_version}/asfald-${arch}-unknown-linux-musl" | busybox head -n 1)" ; \
+    (cd /usr/local/sbin && busybox printf -- '%s *%s\n' "${specific_checksum##*:}" 'asfald-latest' | cksum --algorithm="${specific_checksum%%:*}" --check --strict --warn || busybox rm -f 'asfald-latest') ; \
+    [ -x /usr/local/sbin/asfald-latest ] ;
+
+FROM with-asfald
+SHELL ["/usr/bin/env", "bash", "-c"]
 
 LABEL maintainer="Evan Wies <evan@neomantra.net>"
 
 # Docker Build Arguments
-ARG RESTY_IMAGE_BASE="debian"
-ARG RESTY_IMAGE_TAG="trixie-slim"
 ARG RESTY_VERSION="v1.29.2.4" # Uses the full tag name, hence 'v' prefix
 ARG RESTY_SOURCE_REPO="https://github.com/openresty/openresty.git"
 ARG RESTY_LUAROCKS_VERSION="3.13.0"
@@ -90,8 +312,10 @@ ARG _RESTY_CONFIG_DEPS="--with-pcre \
     --with-ld-opt='-L/usr/local/openresty/pcre2/lib -L/usr/local/openresty/openssl3/lib -Wl,-rpath,/usr/local/openresty/pcre2/lib:/usr/local/openresty/openssl3/lib' \
     "
 
+ARG RESTY_IMAGE_BASE RESTY_IMAGE_TAG
 LABEL resty_image_base="${RESTY_IMAGE_BASE}"
 LABEL resty_image_tag="${RESTY_IMAGE_TAG}"
+
 LABEL resty_version="${RESTY_VERSION}"
 LABEL resty_luarocks_version="${RESTY_LUAROCKS_VERSION}"
 LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
@@ -117,8 +341,6 @@ LABEL resty_pcre_options="${RESTY_PCRE_OPTIONS}"
 
 RUN DEBIAN_FRONTEND=noninteractive apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-        ca-certificates \
-        curl \
         dos2unix \
         git \
         make \

From 9ea4706eafec62aeaca9a31fac26c8414bbc452f Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:37:59 -0400
Subject: [PATCH 3/9] Stop using `curl` to blindly download

---
 restyrepo/Dockerfile | 50 +++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 15 deletions(-)

diff --git a/restyrepo/Dockerfile b/restyrepo/Dockerfile
index 71c680b..f174aba 100644
--- a/restyrepo/Dockerfile
+++ b/restyrepo/Dockerfile
@@ -204,9 +204,9 @@ RUN set -eu ; \
     } ; \
 \
     set -x ; arch="$(decide_arch)" ; \
-    gh_releases_uri='github.com/asfaload/asfald/releases' ; \
     dest='/usr/local/sbin/asfald-latest' ; \
     if [ -z "${arch}" ]; then ln -s asfald "${dest}" ; exit 0; fi ; \
+    gh_releases_uri='github.com/asfaload/asfald/releases' ; \
     TMPDIR="$(busybox dirname "${dest}")" \
     asfald --overwrite --output "${dest}" \
         --pattern '${path}/checksums.txt' -- \
@@ -236,10 +236,12 @@ LABEL maintainer="Evan Wies <evan@neomantra.net>"
 ARG RESTY_VERSION="v1.29.2.4" # Uses the full tag name, hence 'v' prefix
 ARG RESTY_SOURCE_REPO="https://github.com/openresty/openresty.git"
 ARG RESTY_LUAROCKS_VERSION="3.13.0"
+ARG RESTY_LUAROCKS_SHA256="245bf6ec560c042cb8948e3d661189292587c5949104677f1eecddc54dbe7e37"
 
 # https://github.com/openresty/openresty-packaging/blob/master/deb/openresty-openssl3/debian/rules
 ARG RESTY_OPENSSL_VERSION="3.5.6"
 ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
+ARG RESTY_OPENSSL_PATCH_SHA256="0a30cc762a9d72901e8415a33f7671bb68469d46121061e26afe7b718f47581e"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
 # LEGACY:  "https://www.openssl.org/source/old/1.1.1"
 ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
@@ -318,13 +320,15 @@ LABEL resty_image_tag="${RESTY_IMAGE_TAG}"
 
 LABEL resty_version="${RESTY_VERSION}"
 LABEL resty_luarocks_version="${RESTY_LUAROCKS_VERSION}"
+LABEL resty_luarocks_sha256="${RESTY_LUAROCKS_SHA256}"
 LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
 LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}"
+LABEL resty_openssl_patch_sha256="${RESTY_OPENSSL_PATCH_SHA256}"
 LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}"
 LABEL resty_openssl_build_options="${RESTY_OPENSSL_BUILD_OPTIONS}"
 LABEL resty_pcre_version="${RESTY_PCRE_VERSION}"
-LABEL resty_pcre_build_options="${RESTY_PCRE_BUILD_OPTIONS}"
 LABEL resty_pcre_sha256="${RESTY_PCRE_SHA256}"
+LABEL resty_pcre_build_options="${RESTY_PCRE_BUILD_OPTIONS}"
 LABEL resty_config_options="${RESTY_CONFIG_OPTIONS}"
 LABEL resty_config_options_more="${RESTY_CONFIG_OPTIONS_MORE}"
 LABEL resty_config_deps="${_RESTY_CONFIG_DEPS}"
@@ -368,21 +372,32 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update \
         ${RESTY_ADD_PACKAGE_RUNDEPS} \
     && cd /tmp \
     && if [ -n "${RESTY_EVAL_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_PRE_CONFIGURE}); fi \
-    && curl -fSL "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" -o openssl-${RESTY_OPENSSL_VERSION}.tar.gz \
-    && tar xzf openssl-${RESTY_OPENSSL_VERSION}.tar.gz \
+    && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
+        --output "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
+        --pattern '${fullpath}.sha256' -- \
+        "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
+    && tar xzf "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
     && cd openssl-${RESTY_OPENSSL_VERSION} \
+    && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
+        --hash "${RESTY_OPENSSL_PATCH_SHA256}" \
+        --output "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch" -- \
+        "https://github.com/openresty/openresty/raw/refs/heads/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch" \
     && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-2) = "3." ] ; then \
         echo 'patching OpenSSL 3.x for OpenResty' \
-        && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
+        && patch -p1 < "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch"; \
     fi \
     && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.1" ] ; then \
         echo 'patching OpenSSL 1.1.1 for OpenResty' \
-        && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
+        && patch -p1 < "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch"; \
     fi \
     && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.0" ] ; then \
         echo 'patching OpenSSL 1.1.0 for OpenResty' \
-        && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-1.1.0j-parallel_build_fix.patch | patch -p1 \
-        && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
+        && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
+            --hash '060720ca2b93452dcf68211064841e0417c4a4a40e976fe0b2b5797162917066' \
+            --output "${TMPDIR:-/tmp}/openssl-1.1.0j-parallel_build_fix.patch" -- \
+            'https://github.com/openresty/openresty/raw/refs/heads/master/patches/openssl-1.1.0j-parallel_build_fix.patch' \
+        && patch -p1 < "${TMPDIR:-/tmp}/openssl-1.1.0j-parallel_build_fix.patch" \
+        && patch -p1 < "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch"; \
     fi \
     && ./config \
       shared zlib -g \
@@ -393,9 +408,11 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update \
     && make -j${RESTY_J} \
     && make -j${RESTY_J} install_sw \
     && cd /tmp \
-    && curl -fSL "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${RESTY_PCRE_VERSION}/pcre2-${RESTY_PCRE_VERSION}.tar.gz" -o pcre2-${RESTY_PCRE_VERSION}.tar.gz \
-    && echo "${RESTY_PCRE_SHA256}  pcre2-${RESTY_PCRE_VERSION}.tar.gz" | shasum -a 256 --check \
-    && tar xzf pcre2-${RESTY_PCRE_VERSION}.tar.gz \
+    && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
+        --hash "${RESTY_PCRE_SHA256}" \
+        --output "${TMPDIR:-/tmp}/pcre2-${RESTY_PCRE_VERSION}.tar.gz" -- \
+        "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${RESTY_PCRE_VERSION}/pcre2-${RESTY_PCRE_VERSION}.tar.gz" \
+    && tar xzf "${TMPDIR:-/tmp}/pcre2-${RESTY_PCRE_VERSION}.tar.gz" \
     && cd /tmp/pcre2-${RESTY_PCRE_VERSION} \
     && CFLAGS="-g -O3" ./configure \
         --prefix=/usr/local/openresty/pcre2 \
@@ -414,11 +431,14 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update \
     && make -j${RESTY_J} install \
     && cd /tmp \
     && rm -rf \
-        openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \
-        pcre2-${RESTY_PCRE_VERSION}.tar.gz pcre2-${RESTY_PCRE_VERSION} \
+        "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" "${TMPDIR:-/tmp}"/openssl-*.patch openssl-${RESTY_OPENSSL_VERSION} \
+        "${TMPDIR:-/tmp}/pcre2-${RESTY_PCRE_VERSION}.tar.gz" pcre2-${RESTY_PCRE_VERSION} \
         openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} openresty_src \
-    && curl -fSL https://luarocks.github.io/luarocks/releases/luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz -o luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \
-    && tar xzf luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \
+    && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
+        --hash "${RESTY_LUAROCKS_SHA256}" \
+        --output "${TMPDIR:-/tmp}/luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz" -- \
+        "https://github.com/luarocks/luarocks/raw/refs/heads/gh-pages/releases/luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz" \
+    && tar xzf "${TMPDIR:-/tmp}/luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz" \
     && cd luarocks-${RESTY_LUAROCKS_VERSION} \
     && ./configure \
         --prefix=/usr/local/openresty/luajit \

From fdb9e1dc643b46fa8772b648ae593946b00bccd7 Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:38:02 -0400
Subject: [PATCH 4/9] Use a manually specified `sha256` hash for OpenSSL

---
 restyrepo/Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/restyrepo/Dockerfile b/restyrepo/Dockerfile
index f174aba..a755df2 100644
--- a/restyrepo/Dockerfile
+++ b/restyrepo/Dockerfile
@@ -240,6 +240,7 @@ ARG RESTY_LUAROCKS_SHA256="245bf6ec560c042cb8948e3d661189292587c5949104677f1eecd
 
 # https://github.com/openresty/openresty-packaging/blob/master/deb/openresty-openssl3/debian/rules
 ARG RESTY_OPENSSL_VERSION="3.5.6"
+ARG RESTY_OPENSSL_SHA256="deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736"
 ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
 ARG RESTY_OPENSSL_PATCH_SHA256="0a30cc762a9d72901e8415a33f7671bb68469d46121061e26afe7b718f47581e"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
@@ -322,6 +323,7 @@ LABEL resty_version="${RESTY_VERSION}"
 LABEL resty_luarocks_version="${RESTY_LUAROCKS_VERSION}"
 LABEL resty_luarocks_sha256="${RESTY_LUAROCKS_SHA256}"
 LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
+LABEL resty_openssl_sha256="${RESTY_OPENSSL_SHA256}"
 LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}"
 LABEL resty_openssl_patch_sha256="${RESTY_OPENSSL_PATCH_SHA256}"
 LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}"
@@ -373,8 +375,8 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update \
     && cd /tmp \
     && if [ -n "${RESTY_EVAL_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_PRE_CONFIGURE}); fi \
     && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
-        --output "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
-        --pattern '${fullpath}.sha256' -- \
+        --hash "${RESTY_OPENSSL_SHA256}" \
+        --output "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" -- \
         "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
     && tar xzf "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
     && cd openssl-${RESTY_OPENSSL_VERSION} \

From 2da25039b9b2002098bd67b9202fa48e41c4bc8d Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:38:05 -0400
Subject: [PATCH 5/9] Fetch GitHub generated archives using curl

---
 restyrepo/Dockerfile | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/restyrepo/Dockerfile b/restyrepo/Dockerfile
index a755df2..a2bb090 100644
--- a/restyrepo/Dockerfile
+++ b/restyrepo/Dockerfile
@@ -234,7 +234,6 @@ LABEL maintainer="Evan Wies <evan@neomantra.net>"
 
 # Docker Build Arguments
 ARG RESTY_VERSION="v1.29.2.4" # Uses the full tag name, hence 'v' prefix
-ARG RESTY_SOURCE_REPO="https://github.com/openresty/openresty.git"
 ARG RESTY_LUAROCKS_VERSION="3.13.0"
 ARG RESTY_LUAROCKS_SHA256="245bf6ec560c042cb8948e3d661189292587c5949104677f1eecddc54dbe7e37"
 
@@ -355,9 +354,33 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update \
         perl \
         unzip \
         wget \
+    && checksum_archives() ( cd work \
+        && cksum --algorithm='sha256' --binary --untagged * \
+    ) \
+    && fetch_archives() ( cd work \
+        && curl --config .curl-config --parallel --parallel-max 4 \
+        --fail --location --connect-timeout 10 --retry 3 --retry-delay 2 \
+        --remove-on-error --remote-time --silent --show-error \
+        --write-out 'HTTP: %{http_code}  Wrote: %{size_download} bytes\t%{filename_effective}\nURL: %{url_effective}\n\n' \
+    ) \
     && cd /tmp \
-    && git clone --depth 1 --branch "${RESTY_VERSION}" "${RESTY_SOURCE_REPO}" openresty_src \
+    && mkdir -v -p openresty_src.tmp/work \
+    && cd openresty_src.tmp \
+    && printf > work/.curl-config -- '%s\n' \
+        'output = openresty.tar.gz' \
+        'url = "https://github.com/openresty/openresty/archive/refs/tags/'"${RESTY_VERSION}"'.tar.gz"' \
+    && fetch_archives && checksum_archives \
+    && cd /tmp \
+    && tar xzf openresty_src.tmp/work/openresty.tar.gz \
+    && mv openresty-*/ openresty_src \
+    && rm -rf openresty_src.tmp \
+    && mkdir -v -p openresty_src/work \
     && cd openresty_src \
+    && ( . util/ver >/dev/null \
+        && busybox grep -B 1 -e '^[$]root/util/get-tarball ' util/mirror-tarballs | busybox sed -e 's@ver="$main_ver"@ver="'"${main_ver}"'"@;' \
+    ) > work/.calls \
+    && busybox awk -e '/^ver=/ { ver=gensub(/^ver="?([^"]+)"?$/, "\\1", 1); } $1 ~ /\/util\/get-tarball$/ { gsub(/[$][{]?ver[}]?/, ver); ofp=gensub(/^"?([^"]+)"?$/, "\\1", 1, $4); print "output","=",ofp; if (0 == system("test -s '\''" ofp "'\''")) { print "time-cond","=",ofp; }; print "url","=",$2; }' < work/.calls > work/.curl-config \
+    && fetch_archives && checksum_archives \
     && make \
     && mv openresty-*.tar.gz "/tmp/openresty-${RESTY_VERSION}.tar.gz" \
     && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \

From 4e2a75b6a17f9d43844720daf3a05653e51723b8 Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:38:08 -0400
Subject: [PATCH 6/9] Verify the generated hash for our openresty tag

---
 restyrepo/Dockerfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/restyrepo/Dockerfile b/restyrepo/Dockerfile
index a2bb090..d781c64 100644
--- a/restyrepo/Dockerfile
+++ b/restyrepo/Dockerfile
@@ -234,6 +234,7 @@ LABEL maintainer="Evan Wies <evan@neomantra.net>"
 
 # Docker Build Arguments
 ARG RESTY_VERSION="v1.29.2.4" # Uses the full tag name, hence 'v' prefix
+ARG RESTY_SHA256="a9de2d4e7e20e31e439a85960300e1146837a9e33761d27ecb8964bef215aa85"
 ARG RESTY_LUAROCKS_VERSION="3.13.0"
 ARG RESTY_LUAROCKS_SHA256="245bf6ec560c042cb8948e3d661189292587c5949104677f1eecddc54dbe7e37"
 
@@ -319,6 +320,7 @@ LABEL resty_image_base="${RESTY_IMAGE_BASE}"
 LABEL resty_image_tag="${RESTY_IMAGE_TAG}"
 
 LABEL resty_version="${RESTY_VERSION}"
+LABEL resty_sha256="${RESTY_SHA256}"
 LABEL resty_luarocks_version="${RESTY_LUAROCKS_VERSION}"
 LABEL resty_luarocks_sha256="${RESTY_LUAROCKS_SHA256}"
 LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
@@ -367,9 +369,13 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update \
     && mkdir -v -p openresty_src.tmp/work \
     && cd openresty_src.tmp \
     && printf > work/.curl-config -- '%s\n' \
-        'output = openresty.tar.gz' \
+        'output = openresty-'"${RESTY_VERSION#v}"'.tar.gz' \
         'url = "https://github.com/openresty/openresty/archive/refs/tags/'"${RESTY_VERSION}"'.tar.gz"' \
     && fetch_archives && checksum_archives \
+    && TMPDIR="${PWD}/work" asfald --overwrite \
+        --hash "${RESTY_SHA256}" \
+        --output 'work/openresty.tar.gz' -- \
+        "https://github.com/openresty/openresty/archive/refs/tags/${RESTY_VERSION}.tar.gz" \
     && cd /tmp \
     && tar xzf openresty_src.tmp/work/openresty.tar.gz \
     && mv openresty-*/ openresty_src \

From f406461f36e22527960d528713975bf1835c6f1b Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:38:10 -0400
Subject: [PATCH 7/9] Use the patches from the tag archive

---
 restyrepo/Dockerfile | 35 ++++++++++++-----------------------
 1 file changed, 12 insertions(+), 23 deletions(-)

diff --git a/restyrepo/Dockerfile b/restyrepo/Dockerfile
index d781c64..3a127dc 100644
--- a/restyrepo/Dockerfile
+++ b/restyrepo/Dockerfile
@@ -242,7 +242,6 @@ ARG RESTY_LUAROCKS_SHA256="245bf6ec560c042cb8948e3d661189292587c5949104677f1eecd
 ARG RESTY_OPENSSL_VERSION="3.5.6"
 ARG RESTY_OPENSSL_SHA256="deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736"
 ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
-ARG RESTY_OPENSSL_PATCH_SHA256="0a30cc762a9d72901e8415a33f7671bb68469d46121061e26afe7b718f47581e"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
 # LEGACY:  "https://www.openssl.org/source/old/1.1.1"
 ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
@@ -326,7 +325,6 @@ LABEL resty_luarocks_sha256="${RESTY_LUAROCKS_SHA256}"
 LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
 LABEL resty_openssl_sha256="${RESTY_OPENSSL_SHA256}"
 LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}"
-LABEL resty_openssl_patch_sha256="${RESTY_OPENSSL_PATCH_SHA256}"
 LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}"
 LABEL resty_openssl_build_options="${RESTY_OPENSSL_BUILD_OPTIONS}"
 LABEL resty_pcre_version="${RESTY_PCRE_VERSION}"
@@ -409,27 +407,18 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update \
         "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
     && tar xzf "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" \
     && cd openssl-${RESTY_OPENSSL_VERSION} \
-    && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
-        --hash "${RESTY_OPENSSL_PATCH_SHA256}" \
-        --output "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch" -- \
-        "https://github.com/openresty/openresty/raw/refs/heads/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch" \
-    && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-2) = "3." ] ; then \
-        echo 'patching OpenSSL 3.x for OpenResty' \
-        && patch -p1 < "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch"; \
-    fi \
-    && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.1" ] ; then \
-        echo 'patching OpenSSL 1.1.1 for OpenResty' \
-        && patch -p1 < "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch"; \
-    fi \
-    && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.0" ] ; then \
-        echo 'patching OpenSSL 1.1.0 for OpenResty' \
-        && TMPDIR="${TMPDIR:-/tmp}" asfald --overwrite \
-            --hash '060720ca2b93452dcf68211064841e0417c4a4a40e976fe0b2b5797162917066' \
-            --output "${TMPDIR:-/tmp}/openssl-1.1.0j-parallel_build_fix.patch" -- \
-            'https://github.com/openresty/openresty/raw/refs/heads/master/patches/openssl-1.1.0j-parallel_build_fix.patch' \
-        && patch -p1 < "${TMPDIR:-/tmp}/openssl-1.1.0j-parallel_build_fix.patch" \
-        && patch -p1 < "${TMPDIR:-/tmp}/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch"; \
-    fi \
+    && case "$(printf -- '%s' "${RESTY_OPENSSL_VERSION}" | cut -c 1-5)" in \
+        (3.*) \
+            echo 'patching OpenSSL 3.x for OpenResty' \
+            && patch -p1 < "/tmp/openresty_src/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch" ;; \
+        (1.1.1) \
+            echo 'patching OpenSSL 1.1.1 for OpenResty' \
+            && patch -p1 < "/tmp/openresty_src/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch" ;; \
+        (1.1.0) \
+            echo 'patching OpenSSL 1.1.0 for OpenResty' \
+            && patch -p1 < "/tmp/openresty_src/patches/openssl-1.1.0j-parallel_build_fix.patch" \
+            && patch -p1 < "/tmp/openresty_src/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch" ;; \
+    esac \
     && ./config \
       shared zlib -g \
       --prefix=/usr/local/openresty/openssl3 \

From 807de53a3fcb227d75724bcc90e760234751198a Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:38:13 -0400
Subject: [PATCH 8/9] Add the reported archive checksums

This is only for reference, because GitHub generates these archives
rather than reading them.
---
 restyrepo/checksums.txt | 48 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 restyrepo/checksums.txt

diff --git a/restyrepo/checksums.txt b/restyrepo/checksums.txt
new file mode 100644
index 0000000..61ab809
--- /dev/null
+++ b/restyrepo/checksums.txt
@@ -0,0 +1,48 @@
+b4477219ae6fea510a371027c494ad0939114d1dff5e84049369a8a59f1c86ab *LuaJIT-2.1-20260415.tar.gz
+6bde636cb9e8506a542c8f507601a63b5ea9ddd957c50ce805d5714235f82c9c *array-var-nginx-module-0.06.tar.gz
+cf5f71146f4f6c9badde95ea6afd8c9e09d8d7e42978a9c180c299bd687a8d6c *drizzle-nginx-module-0.1.13.tar.gz
+a76dddd5fc43b3a13fff183a32fc8d129674bcd887ca77e0b2ef39951611f649 *echo-nginx-module-0.64.tar.gz
+0eb663163a450b146bda3750c5d2c672eab388749fb93bf7e3eb8c496174fc90 *encrypted-session-nginx-module-0.09.tar.gz
+1eba7d1d5858601ff1b7f406d99c15d3e3bcba118a31fb3339288e6b0dd50c2e *form-input-nginx-module-0.12.tar.gz
+591a8c8556cc1503ad77c9c0471fb17542114410df28b1ab1156fed822b11f71 *headers-more-nginx-module-0.39.tar.gz
+07a27dc8b7064bc356879898464fb9516c3e995fbfe9655b20f5047810df4674 *iconv-nginx-module-0.14.tar.gz
+510062d471fc9c4cd87b367a7b879c7a5f2af70513d97708842d097614d96188 *lua-cjson-2.1.0.17.tar.gz
+9bd5a522ac74a849b0f2dd05657ef64798956b47faa688be174bd3b14876c38e *lua-nginx-module-0.10.31rc2.tar.gz
+de52eb79fa4f2cbf252dcabaae553ba9c27f92572eee065421153b3974ec1e1e *lua-rds-parser-0.06.tar.gz
+19414da5d00ec56378411c6a8322d50d55b3ff57a92ea1298439f487f283c07b *lua-redis-parser-0.13.tar.gz
+79abac565f521dc3175e0e9152c89921872a81907f78da742d9e555e268cd61d *lua-resty-core-0.1.34rc2.tar.gz
+d9b3c58cc98e6125a57fdf828aac148ae360bd389c737f1d81ce2fdd692ec9f0 *lua-resty-dns-0.23.tar.gz
+6b6dab65f7cfc3a6bbdc7701597716d252c1babbc6b0bebffb622e8f43ff9174 *lua-resty-limit-traffic-0.09.tar.gz
+6aebf4412639a84eedc8b140aa48e065d625453859699a6712a62fa8085f2704 *lua-resty-lock-0.09.tar.gz
+adcbb1a95cc2ba2a484351bd1116619a4fb42f0856da220d2897876d472c6ce1 *lua-resty-lrucache-0.15.tar.gz
+0513e2be4e9d6dd59c5575432c8a28e5f7a105b373009fa5058f685f0759f28f *lua-resty-memcached-0.17.tar.gz
+85de2cbb975f0d9833f3728b812ac23f901f6971cae7a29626b1856a737ef333 *lua-resty-mysql-0.30.tar.gz
+303c099c9a0f7abad9b3cb51748e53a1a4260d20e69b8fa35afedaa1b61a0b5f *lua-resty-openssl-1.7.1.tar.gz
+70accaf2d0f95ba0b120574cb176e67f850fafe579a6f146330f2512cfbbb493 *lua-resty-redis-0.33.tar.gz
+b27fc4abc510c587a93c377abbeedda8da0a7dcc887d480fcc5e0c3cdf505d6d *lua-resty-rsa-1.1.1.tar.gz
+34135c8c46c924716781672b62701af78c60a2a07a248ca810ff7e98a9a845f6 *lua-resty-shell-0.03.tar.gz
+c4e3ce774fb186623cd7f0b4cc70e26528a04ded3b5ea8b51b7178ad8efa806e *lua-resty-signal-0.04.tar.gz
+ddb3d96f2a67c843ad635ad48831fee58c93662d11ffa13ecc4c2bd7271b831c *lua-resty-string-0.17.tar.gz
+c7e94aefd32ed04068642fd5da2dcc41aa41a63a8dfac6d73b203bc73f1a3232 *lua-resty-upload-0.11.tar.gz
+d160269c133225fed45375002dd8c971ad7f9ef1756353ffe90eb88890717a82 *lua-resty-upstream-healthcheck-0.09.tar.gz
+fc207af899506c515c17d667801aba0a3b8c39dfe970de878fe4e5259acfb3ce *lua-resty-websocket-0.13.tar.gz
+9d618b937b95282760f2f0d09d271f41ceefbb50716044dd7fc9ec35fcae8cc8 *lua-tablepool-0.03.tar.gz
+26f71fc96e64aa49e100f3c3032590601ad220f090f5e9bb874d4730e856592a *lua-upstream-nginx-module-0.08.tar.gz
+70c4d1c827d5105b00a3a15c8b05d1d33bf3ab695c637de693b97a19846be677 *memc-nginx-module-0.20.tar.gz
+656b2939d8a96428830f62c391cc2e9dd8b59f2f4438485dc397a262356176f9 *nginx-1.29.2.tar.gz
+74de6a6781a7d77cb6ac272d1651a9948c27fb3f2d0915580ea650b5db547d2b *ngx_coolkit-0.2.tar.gz
+7bf5fdc7ec22456767723a9e276720097063e3f7725c03c3560657978e372137 *ngx_devel_kit-0.3.4.tar.gz
+3628d15637b819ca4ce2272c6cd23383411c91ac07786b94e9e91aad6c0f7e92 *ngx_postgres-1.0.tar.gz
+a9de2d4e7e20e31e439a85960300e1146837a9e33761d27ecb8964bef215aa85 *openresty-1.29.2.4.tar.gz
+060720ca2b93452dcf68211064841e0417c4a4a40e976fe0b2b5797162917066 *openssl-1.1.0j-parallel_build_fix.patch
+0a30cc762a9d72901e8415a33f7671bb68469d46121061e26afe7b718f47581e *openssl-3.5.5-sess_set_get_cb_yield.patch
+23659bd8caa89cbdf4889dc2022ea0ced7895d7d8c41b1806bb5b736e6545f73 *opm-0.0.9.tar.gz
+079d790a8f424ad743f4b5d1f8e8150c6f2c54368ec878307461066d4b8bc0ca *rds-csv-nginx-module-0.10.tar.gz
+a8c7654e899cf312f58ebdcc0b3043be792cfdd51d6225df283f97c62caf99d8 *rds-json-nginx-module-0.17.tar.gz
+7d58d6f97c26fcac99795afdbb2f4d984da78a6699001fcaa222a237e28b89fa *redis-nginx-module-0.41.tar.gz
+6b2fcc6b54f6e5814a8dd55e010ca567ed61c526a2b80ecc6529f98953d70ec9 *redis2-nginx-module-0.15.tar.gz
+0192419f920963c5d9cefd10fb64163a1b010eaf7feedede493330d3cb88e0e5 *resty-cli-0.32.tar.gz
+baaaa9f1b9c9d211e8a496eb83be86c06f523dd88517b681858d5f1874a30656 *set-misc-nginx-module-0.33.tar.gz
+a2a2d69e084101a809097d2e386ab7a745edac6e02a42a46d47ee807f060acf6 *srcache-nginx-module-0.33.tar.gz
+7823d9dc84889a99ed967f411911aff3d134ea391f19da208f9bfe64f4cdb549 *stream-lua-nginx-module-0.0.19rc3.tar.gz
+90ae27ff0a9e84b7e12d0b6f822b4ba39781fc5fd0406e2b7cbb02e9b218c565 *xss-nginx-module-0.07.tar.gz

From 1ec3f030398660f0d6b35c6130c1e8540f4364bf Mon Sep 17 00:00:00 2001
From: tcely <tcely@users.noreply.github.com>
Date: Fri, 22 May 2026 16:38:18 -0400
Subject: [PATCH 9/9] Provide a copy of the fallback script for review

Generated with:
    $ awk \
        '/^        printf -- ...... ....usr.bin.env sh. .. .$/,/^[ ]+[;] .$/ {print;}' \
        ./restyrepo/Dockerfile | sh | tee ./restyrepo/fallback-to-busybox.sh
---
 restyrepo/fallback-to-busybox.sh | 138 +++++++++++++++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 restyrepo/fallback-to-busybox.sh

diff --git a/restyrepo/fallback-to-busybox.sh b/restyrepo/fallback-to-busybox.sh
new file mode 100644
index 0000000..bdddf76
--- /dev/null
+++ b/restyrepo/fallback-to-busybox.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env sh
+
+_cleanup() { case "${1}" in
+    (register) [ -n "${2}" ] && _cleanup_registry="${_cleanup_registry}${2}\000" ;;
+    (clear)
+        busybox printf "%b" "${_cleanup_registry}" | busybox xargs -r -0 busybox rm -f;
+        _cleanup_registry="";
+        ;;
+    esac;
+}
+_cleanup_registry="";
+trap "_cleanup clear" EXIT;
+
+_get_url() {
+    _o="${1}"; shift;
+    _u="${1}"; shift;
+    if [ 1 -eq "${USE_CURL:-0}" ]; then
+        curl -fsSLo "${_o}" -- "${_u}";
+    else
+        busybox wget -O "${_o}" "${@}" -- "${_u}";
+    fi;
+    _rc="${?}";
+    unset -v _o _u;
+    return "${_rc}";
+}
+
+_stderr() {
+    printf 1>&2 -- "%s\n" "${@}";
+}
+
+extract_gh_digests() {
+    busybox awk -e '
+      /clipboard digest for / {
+        td=gensub(/<clipboard-copy (.+)>/, "\\1", "g");
+        d=gensub(/^.* value="[^:]+:([^"]+)".*$/, "\\1", 1, td);
+        f=gensub(/^.* aria-label=".+digest for ([^"]+)".*$/, "\\1", 1, td);
+        print d " *" f;
+      }
+    ';
+}
+
+find_hash_for_file() {
+    _f="${1}"; shift;
+    busybox awk -v file="${_f}" -e '$0 ~ " [* ]" file "$" {print $1; exit;}' "${@}";
+    unset -v _f;
+}
+
+get_from_gh_url() { case "${1}" in
+    (owner)
+        busybox awk -v url="${2}" -e '
+          END {
+            print gensub(/^https?:\/\/github\.com\/([^\/]+)\/.*$/, "\\1", 1, url);
+          }
+        ' </dev/null;
+        ;;
+    (repo)
+        busybox awk -v url="${2}" -e '
+          END {
+            print gensub(/^https?:\/\/github\.com\/[^\/]+\/([^\/]+)\/.*$/, "\\1", 1, url);
+          }
+        ' </dev/null;
+        ;;
+    (tag)
+        _url="${2}";
+        if is_gh_tag_url "${_url}"; then
+            busybox basename "${_url}";
+        elif is_gh_download_url "${_url}"; then
+            _tag_url="$(busybox dirname "${_url}")";
+            busybox basename "${_tag_url}";
+            unset -v _tag_url;
+        fi;
+        unset -v _url;
+        ;;
+    esac;
+}
+
+get_gh_digests_from_tag() {
+    _url="$(printf -- "https://github.com/%s/%s/releases/expanded_assets/%s\n" "${1}" "${2}" "${3}")";
+    _get_url - "${_url}" -q | extract_gh_digests;
+    unset -v _url;
+}
+
+is_gh_download_url() { case "${1}" in
+    (http*://github.com/*/releases/download/*) return 0 ;;
+    esac;
+    return 1;
+}
+
+is_gh_tag_url() { case "${1}" in
+    (http*://github.com/*/releases/tag/*) return 0 ;;
+    esac;
+    return 1;
+}
+
+for _arg in "${@}"; do case "${_arg}" in
+    (--force-absent|-f) _verified=1 ;;
+    (--hash|-H) _set_H=1 ;;
+    (--output|-o) _set_o=1 ;;
+    (--pattern|-p) _set_p=1 ;;
+    (*)
+        if [ 1 -eq "${_set_H:-0}" ]; then hash="${_arg}"; unset -v _set_H ; fi ;
+        if [ 1 -eq "${_set_o:-0}" ]; then output="${_arg}"; unset -v _set_o ; fi ;
+        if [ 1 -eq "${_set_p:-0}" ]; then pattern="${_arg}"; unset -v _set_p ; fi ;
+        url="${_arg}"
+        ;;
+esac; done; unset -v _arg ;
+
+if [ -z "${output-}" ]; then output="$(busybox basename "${url}")"; fi;
+if [ -z "${hash-}" ] && [ -n "${pattern-}" ]; then
+    cs_url="$(busybox awk \
+        -v file="$(busybox basename "${url}")" \
+        -v fullpath="${url}" \
+        -v path="$(busybox dirname "${url}")" \
+        -v pattern="${pattern}" -e '
+      END {
+        out = gensub(/[$][{]file[}]/, file, "g", pattern);
+        out = gensub(/[$][{]fullpath[}]/, fullpath, "g", out);
+        out = gensub(/[$][{]path[}]/, path, "g", out);
+        print out;
+      }
+    ' </dev/null)";
+fi;
+gh_tag="$(get_from_gh_url "tag" "${url}")";
+if [ -z "${hash-}" ] && [ -n "${gh_tag}" ]; then
+    gh_owner="$(get_from_gh_url "owner" "${url}")";
+    gh_repo="$(get_from_gh_url "repo" "${url}")";
+    csfile="$(busybox mktemp)" && _cleanup register "${csfile}" &&
+    get_gh_digests_from_tag "${gh_owner}" "${gh_repo}" "${gh_tag}" > "${csfile}" &&
+    hash="$(find_hash_for_file "$(busybox basename "${url}")" "${csfile}")";
+    [ -s "${csfile}" ] || _stderr "Warning: No digests extracted for any artifacts at GitHub.com!";
+    [ -n "${hash}" ] || _stderr "Warning: No digest found at GitHub.com!";
+fi;
+dlfile="$(busybox mktemp)" &&
+    _cleanup register "${dlfile}" &&
+    { [ -z "${cs_url-}" ] || { _get_url "${dlfile}" "${cs_url}" -q && hash="$(find_hash_for_file "$(busybox basename "${url}")" "${dlfile}")" ; [ -n "${hash-}" ]; } ; } &&
+    _get_url "${dlfile}" "${url}" &&
+    { [ -z "${hash-}" ] || { busybox printf -- "%s *%s\n" "${hash-}" "${dlfile}" | busybox sha256sum -cw && _verified=1 || _verified=0; } ; } &&
+    { [ "-" = "${output-}" ] && busybox cat "${dlfile}" || [ 1 -eq "${_verified:-0}" ] && busybox mv -fT "${dlfile}" "${output-}" ; } ;