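---
name: Build, Test and Push Docker PHP CLI Images

on:
  workflow_dispatch: {}
  schedule:
    # Runs at 02:00 UTC on day-of-month 1, 4, 7, … ("*/3" restarts at each
    # month boundary, so the gap is not always exactly three days).
    - cron: '0 2 */3 * *'
  push:
    branches:
      - main
    paths:
      - 'src/Dockerfile'
      - 'src/entrypoint.sh'
      - 'src/.env'
      - 'src/.env.example'
      - 'support/makefile/**'
      - '.hadolint.yaml'
      - '.github/workflows/ci.yml'
  pull_request:
    branches:
      - main
      - develop
    paths:
      - 'src/Dockerfile'
      - 'src/entrypoint.sh'
      - 'src/.env'
      - 'src/.env.example'
      - 'support/makefile/**'
      - '.hadolint.yaml'
      - '.github/workflows/ci.yml'

# One in-flight run per ref; a newer push to the same ref cancels the older one.
concurrency:
  group: ${{ github.ref }}-build
  cancel-in-progress: true

# NOTE(review): third-party actions below are pinned by tag. Pinning to a full
# commit SHA (with the tag in a trailing comment) protects against a tag being
# moved to different code; leave as-is until the SHAs are looked up.
jobs:
  keepalive:
    # Resets GitHub's 60-day inactivity timer so the scheduled rebuild
    # never falls into disabled_inactivity again (phpfpm was dead 2026-05-31..06-12).
    # `actions: write` is the only permission this job needs for the enable call.
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    permissions:
      actions: write
    steps:
      - name: Re-enable workflow (keepalive)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api -X PUT repos/${{ github.repository }}/actions/workflows/ci.yml/enable

  hadolint:
    # Read-only Dockerfile lint; runs on PRs as well since it needs no secrets.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Check out the repository
        uses: actions/checkout@v6
      - name: Lint Dockerfile (hadolint)
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: src/Dockerfile
          config: .hadolint.yaml

  build-test-and-push:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        php_version: ["8.2", "8.3", "8.4"]
      fail-fast: false
    permissions:
      contents: read
      # id-token/attestations are presumably consumed by the build-remote-version
      # make target for provenance attestations — confirm in support/makefile.
      id-token: write
      attestations: write
    steps:
      - name: Check out the repository
        uses: actions/checkout@v6
      # Docker Hub credentials are only needed by the publish step at the end of
      # this job. Skipping the login on pull_request keeps DOCKER_PAT out of the
      # runner's docker config while PR-controlled files (Dockerfile, entrypoint,
      # makefile) are executed by test-all; it also lets fork PRs (which have no
      # secrets) reach the test step instead of failing here.
      - name: Login to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USER_NAME }}
          password: ${{ secrets.DOCKER_PAT }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
        with:
          driver-opts: image=moby/buildkit:buildx-stable-1
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4
      - name: Prepare env
        # The copy is best-effort: a missing .env.example still yields a .env
        # holding only PHP_VERSION.
        run: |
          cp src/.env.example src/.env || true
          echo "PHP_VERSION=${{ matrix.php_version }}" >> src/.env
      - name: Run tests (amd64/arm64 on test images)
        run: |
          PHP_VERSION=${{ matrix.php_version }} make CACHE_BACKEND=gha test-all
      # Push-Guard: build on PR (via test-all above), publish only on merge/schedule/dispatch.
      - name: Build & push current version (multi-arch)
        if: github.event_name != 'pull_request'
        run: |
          PHP_VERSION=${{ matrix.php_version }} make CACHE_BACKEND=gha build-remote-version

  trivy-report:
    # Non-blocking CVE visibility on the freshly published images (base-image CVEs
    # are not self-fixable, so this reports instead of failing the build).
    # continue-on-error keeps the run green even if Trivy itself errors (DB download,
    # rate limit) — this job is purely informational and must never block a publish.
    if: github.event_name != 'pull_request'
    needs: build-test-and-push
    runs-on: ubuntu-latest
    continue-on-error: true
    permissions:
      contents: read
    strategy:
      matrix:
        php_version: ["8.2", "8.3", "8.4"]
      fail-fast: false
    steps:
      - name: Scan image for HIGH/CRITICAL CVEs
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: headgent/phpcli:${{ matrix.php_version }}
          format: table
          severity: HIGH,CRITICAL
          exit-code: '0'
          output: trivy-${{ matrix.php_version }}.txt
      - name: Publish report to job summary
        run: |
          {
            echo "## Trivy CVE report — phpcli:${{ matrix.php_version }} (HIGH/CRITICAL)";
            echo '```';
            cat trivy-${{ matrix.php_version }}.txt;
            echo '```';
          } >> "$GITHUB_STEP_SUMMARY"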