diff --git a/.checkov.yml b/.checkov.yml
new file mode 100644
index 0000000..3f6df45
--- /dev/null
+++ b/.checkov.yml
@@ -0,0 +1,5 @@
+# You can see all available properties here: https://github.com/bridgecrewio/checkov#configuration-using-a-config-file
+quiet: true
+skip-check:
+ - CKV_DOCKER_2
+ - CKV_DOCKER_3
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
new file mode 100644
index 0000000..699717b
--- /dev/null
+++ b/.github/workflows/pr-build.yml
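Review bot: The two `skip-check` entries correspond to the `HEALTHCHECK` and `USER www-data` instructions that this same commit deletes from php74–php84/Dockerfile, so the scanner is being configured to accept the regression rather than the Dockerfiles being brought back into compliance; the new `.trivyignore` entries (AVD-DS-0002, AVD-DS-0026) and the added `.kics.config.yaml` exclusion look like the same two findings under the other scanners. A skip with no recorded reason gets re-litigated on every audit, so each entry should carry its justification inline, e.g. `- CKV_DOCKER_3 # base image extended by downstream builds that need root; final images set USER` and `- CKV_DOCKER_2 # no long-running process in a base image`. If root is not actually required by downstream builds, the better fix is to keep `USER www-data` as the last instruction of each Dockerfile and drop these skips together with the trivy and kics entries.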
@@ -0,0 +1,186 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: PR Build and Report
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
+
+permissions: read-all
+
+jobs:
+ pr-build:
+ name: PR Build
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+ statuses: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ php: [php74, php80, php81, php82, php83, php84]
+ arch: ["linux/amd64", "linux/arm64"]
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Set result filename
+ id: resultfile
+ run: |
+ TAG_ARCH="${{ matrix.arch }}"
+ TAG_ARCH="${TAG_ARCH//\//-}"
+ FILENAME="result-${{ matrix.php }}-${TAG_ARCH}.json"
+ echo "filename=$FILENAME" >> "$GITHUB_OUTPUT"
+ echo "tag_arch=$TAG_ARCH" >> "$GITHUB_OUTPUT"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker metadata
+ id: meta
+ uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.php }}
+ tags: |
+ type=raw,value=${{ matrix.php }}-${{ matrix.arch }}
+
+ - name: Extract base image
+ id: baseimage
+ run: |
+ BASE_IMAGE="$(grep -m1 '^FROM ' ${{ env.DOCKERFILE_PATH }} | awk '{print $2}')"
+ echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
+
+ - name: Build Docker image (capture cache usage)
+ id: build
+ shell: bash
+ run: |
+ TAG_ARCH="${{ steps.resultfile.outputs.tag_arch }}"
+ IMAGE_TAG="${{ env.IMAGE_NAME }}:${{ matrix.php }}-${TAG_ARCH}"
+ START="$(date +%s)"
+ docker buildx build \
+ --platform ${{ matrix.arch }} \
+ --tag "$IMAGE_TAG" \
+ --progress plain \
+ --load ./${{ matrix.php }}/ | tee build.log
+ END="$(date +%s)"
+ echo "duration=$((END-START))" >> "$GITHUB_OUTPUT"
+ if grep -q 'CACHED' build.log; then
+ echo "cache_used=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "cache_used=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Get image size
+ id: image_info
+ shell: bash
+ run: |
+ TAG_ARCH="${{ steps.resultfile.outputs.tag_arch }}"
+ IMAGE="${{ env.IMAGE_NAME }}:${{ matrix.php }}-${TAG_ARCH}"
+ SIZE="$(docker image inspect "$IMAGE" --format='{{.Size}}')"
+ SIZE_MB="$((SIZE/1024/1024))"
+ echo "size_mb=$SIZE_MB" >> "$GITHUB_OUTPUT"
+
+ - name: Save build result
+ shell: bash
+ run: |
+ jq -n \
+ --arg php "${{ matrix.php }}" \
+ --arg arch "${{ matrix.arch }}" \
+ --arg status "success" \
+ --arg duration "${{ steps.build.outputs.duration }}" \
+ --arg size_mb "${{ steps.image_info.outputs.size_mb }}" \
+ --arg base_image "${{ steps.baseimage.outputs.base_image }}" \
+ --arg cache_used "${{ steps.build.outputs.cache_used }}" \
+ '{
+ php: $php,
+ arch: $arch,
+ status: $status,
+ duration: $duration,
+ size_mb: $size_mb,
+ base_image: $base_image,
+ cache_used: $cache_used
+ }' > ${{ steps.resultfile.outputs.filename }}
+
+ - name: Move result file to output directory
+ shell: bash
+ run: |
+ mkdir -p results
+ mv ${{ steps.resultfile.outputs.filename }} results/
+
+ - name: Upload build result
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: build-results
+ path: results/
+ overwrite: true
+ if-no-files-found: warn
+
+ aggregate-results:
+ name: Aggregate Results and Comment
+ runs-on: ubuntu-latest
+ needs: pr-build
+
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+ statuses: write
+
+ if: github.event_name == 'pull_request'
+ steps:
+ - name: Download all build results
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ with:
+ name: build-results
+ path: results
+
+ - name: Summarize results
+ id: summarize
+ shell: bash
+ run: |
+ {
+ echo "## Build Matrix Results"
+ echo ""
+ echo "| PHP Version | Architecture | Status | Duration (s) | Image Size (MB) | Base Image | Cache Used |"
+ echo "|-------------|--------------|---------|--------------|-----------------|------------|------------|"
+ } > comment.md
+ for f in results/*.json; do
+ php=$(jq -r .php "$f")
+ arch=$(jq -r .arch "$f")
+ status=$(jq -r .status "$f")
+ duration=$(jq -r .duration "$f")
+ size_mb=$(jq -r .size_mb "$f")
+ base_image=$(jq -r .base_image "$f")
+ cache_used=$(jq -r .cache_used "$f")
+ echo "| $php | $arch | $status | $duration | $size_mb | $base_image | $cache_used |" >> comment.md
+ done
+
+ - name: Create or update PR comment
+ uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ issue-number: ${{ github.event.pull_request.number }}
+ body-file: comment.md
+
diff --git a/.hadolint.yaml b/.hadolint.yaml
index 3691953..d505fed 100644
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -6,3 +6,4 @@ ignored:
 - DL3018
 - DL3008
 - SC2046
+ - DL4006
diff --git a/.kics.config.yaml b/.kics.config.yaml
index 1e4f4b4..113cac7 100644
--- a/.kics.config.yaml
+++ b/.kics.config.yaml
@@ -3,3 +3,4 @@ type:
 exclude-queries:
 - fd54f200-402c-4333-a5a4-36ef6709af2f
 - 965a08d7-ef86-4f14-8792-4a3b2098937e
+ - b03a748a-542d-44f4-bb86-9199ab4fd2d5
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..7a2f130
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+AVD-DS-0002
+AVD-DS-0026
diff --git a/php74/Dockerfile b/php74/Dockerfile
index 1e73862..80bf4ec 100644
--- a/php74/Dockerfile
+++ b/php74/Dockerfile
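Review bot: The "Extract base image" step greps `${{ env.DOCKERFILE_PATH }}`, but the workflow's `env:` block defines only `REGISTRY` and `IMAGE_NAME`, so the expression expands to nothing, grep is left with no file operand (it falls back to stdin), and `base_image` in every result JSON — and the Base Image column of the PR comment — will be empty. Derive it from the same matrix value the build step already uses as its context: `BASE_IMAGE="$(grep -m1 '^FROM ' "./${{ matrix.php }}/Dockerfile" | awk '{print $2}')"`. Separately, the `pr-build` job requests `issues: write`, `pull-requests: write` and `statuses: write` although its steps only check out, build with `--load` and upload an artifact; it should be reduced to `contents: read` (plus `packages: read` if the registry login is needed to pull a private base image), leaving the write scopes to `aggregate-results`, the only job that comments. The `docker/metadata-action` outputs under `steps.meta` are never consumed and `if: github.event_name == 'pull_request'` is always true under this trigger, so both can go; the SHA-pinned `uses:` lines with version comments are the right pattern and worth keeping as-is.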
@@ -6,21 +6,19 @@ LABEL \
 version="1.0" \
 description="PHP 7.4 with Imagick and Composer"
 
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # Install PHP extensions and required libraries
 RUN \
 apt-get update \
 && apt-get install -y --no-install-recommends \
- libicu-dev=* \
- libxml2-dev=2.* \
- libfreetype6-dev=2.* \
- libjpeg62-turbo-dev=* \
- libpng-dev=1.* \
- libonig-dev=6.* \
- libmagickwand-dev=8:6.* \
- python3-dev=3.* \
- unzip=6.* \
+ libicu-dev \
+ libxml2-dev \
+ libfreetype6-dev \
+ libjpeg62-turbo-dev \
+ libpng-dev \
+ libonig-dev \
+ libmagickwand-dev \
+ python3-dev \
+ unzip \
 && docker-php-ext-configure gd --with-freetype --with-jpeg \
 && docker-php-ext-install -j$(nproc) \
 bcmath \
@@ -35,19 +33,8 @@ RUN \
 && yes '' | pecl install imagick \
 && docker-php-ext-enable imagick \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Install Composer
-RUN set -o pipefail \
+ && rm -rf /var/lib/apt/lists/* \
 && curl -sS https://getcomposer.org/installer | \
- php -- --install-dir=/usr/local/bin --filename=composer
-
-# Verify installations
-RUN set -o pipefail \
+ php -- --install-dir=/usr/local/bin --filename=composer \
 && php --version \
 && composer --version
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
- CMD php -v || exit 1
-
-USER www-data
diff --git a/php80/Dockerfile b/php80/Dockerfile
index b9b97e4..0294921 100644
--- a/php80/Dockerfile
+++ b/php80/Dockerfile
@@ -6,16 +6,9 @@ LABEL \
 version="1.0" \
 description="PHP 8.0 with Imagick and Composer"
 
-USER www-data
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
- CMD php -v || exit 1
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # Install PHP extensions and required libraries
-RUN set -o pipefail \
- && apt-get update --no-cache \
+RUN \
+ apt-get update \
 && apt-get install -y --no-install-recommends \
 libicu-dev \
 libxml2-dev \
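Review bot: Dropping `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` leaves the two pipelines in the now single RUN — `yes '' | pecl install imagick` and, in the next hunk, `curl -sS https://getcomposer.org/installer | php -- ...` — running under the default shell without pipefail, so a failed or truncated download can be masked by php's exit status and the build only dies later at `composer --version` with a less direct message; `.hadolint.yaml` now ignores DL4006, which is the rule that would have flagged exactly this. The same SHELL removal appears in the php80–php84 hunks at `-6,16`. Keeping the SHELL instruction costs nothing, and the curl line should also fail on HTTP errors instead of piping an error page into php: `&& curl -fsS https://getcomposer.org/installer | \`. The installer is run without the checksum verification that Composer's own install instructions describe; if that is an accepted risk for this repository, a one-line comment on the curl line saying so would spare the next reviewer the question.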
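Review bot: Deleting `USER www-data` means every image in this set now starts as root; in php74 the instruction was already in the right place (after the RUN), so the fix the php80–php84 hunks needed — their `USER www-data` sat before the apt-get RUN and presumably broke the install — was to move it below the RUN, not to remove it from all six files. If staying root is intentional because downstream images extend this one and install packages, say so at the end of the Dockerfile, e.g. `# Left as root: derived images install packages; final images must set USER.`; otherwise restore `USER www-data` as the last instruction. Removing the `HEALTHCHECK` is defensible for a base image with no long-running process, but that reasoning belongs in the file rather than only in the scanner ignore lists added alongside. The RUN instruction this hunk extends begins above the hunk.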
@@ -40,14 +33,8 @@ RUN set -o pipefail \
 && yes '' | pecl install imagick \
 && docker-php-ext-enable imagick \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Install Composer
-RUN set -o pipefail \
+ && rm -rf /var/lib/apt/lists/* \
 && curl -sS https://getcomposer.org/installer | \
- php -- --install-dir=/usr/local/bin --filename=composer
-
-# Verify installations
-RUN set -o pipefail \
+ php -- --install-dir=/usr/local/bin --filename=composer \
 && php --version \
 && composer --version
diff --git a/php81/Dockerfile b/php81/Dockerfile
index f8a8ac7..3d0bc7c 100644
--- a/php81/Dockerfile
+++ b/php81/Dockerfile
@@ -6,16 +6,9 @@ LABEL \
 version="1.0" \
 description="PHP 8.1 with Imagick and Composer"
 
-USER www-data
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
- CMD php -v || exit 1
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # Install PHP extensions and required libraries
-RUN set -o pipefail \
- && apt-get update --no-cache \
+RUN \
+ apt-get update \
 && apt-get install -y --no-install-recommends \
 libicu-dev \
 libxml2-dev \
@@ -40,14 +33,8 @@ RUN set -o pipefail \
 && yes '' | pecl install imagick \
 && docker-php-ext-enable imagick \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Install Composer
-RUN set -o pipefail \
+ && rm -rf /var/lib/apt/lists/* \
 && curl -sS https://getcomposer.org/installer | \
- php -- --install-dir=/usr/local/bin --filename=composer
-
-# Verify installations
-RUN set -o pipefail \
+ php -- --install-dir=/usr/local/bin --filename=composer \
 && php --version \
 && composer --version
diff --git a/php82/Dockerfile b/php82/Dockerfile
index e58dfc2..b7b9bdc 100644
--- a/php82/Dockerfile
+++ b/php82/Dockerfile
@@ -6,16 +6,9 @@ LABEL \
 version="1.0" \
 description="PHP 8.2 with Imagick and Composer"
 
-USER www-data
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
- CMD php -v || exit 1
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # Install PHP extensions and required libraries
-RUN set -o pipefail \
- && apt-get update --no-cache \
+RUN \
+ apt-get update \
 && apt-get install -y --no-install-recommends \
 libicu-dev \
 libxml2-dev \
@@ -40,14 +33,8 @@ RUN set -o pipefail \
 && yes '' | pecl install imagick \
 && docker-php-ext-enable imagick \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Install Composer
-RUN set -o pipefail \
+ && rm -rf /var/lib/apt/lists/* \
 && curl -sS https://getcomposer.org/installer | \
- php -- --install-dir=/usr/local/bin --filename=composer
-
-# Verify installations
-RUN set -o pipefail \
+ php -- --install-dir=/usr/local/bin --filename=composer \
 && php --version \
 && composer --version
diff --git a/php83/Dockerfile b/php83/Dockerfile
index cd11e9d..ee935e7 100644
--- a/php83/Dockerfile
+++ b/php83/Dockerfile
@@ -6,16 +6,9 @@ LABEL \
 version="1.0" \
 description="PHP 8.3 with Imagick and Composer"
 
-USER www-data
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
- CMD php -v || exit 1
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # Install PHP extensions and required libraries
-RUN set -o pipefail \
- && apt-get update --no-cache \
+RUN \
+ apt-get update \
 && apt-get install -y --no-install-recommends \
 libicu-dev \
 libxml2-dev \
@@ -40,14 +33,8 @@ RUN set -o pipefail \
 && yes '' | pecl install imagick \
 && docker-php-ext-enable imagick \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Install Composer
-RUN set -o pipefail \
+ && rm -rf /var/lib/apt/lists/* \
 && curl -sS https://getcomposer.org/installer | \
- php -- --install-dir=/usr/local/bin --filename=composer
-
-# Verify installations
-RUN set -o pipefail \
+ php -- --install-dir=/usr/local/bin --filename=composer \
 && php --version \
 && composer --version
diff --git a/php84/Dockerfile b/php84/Dockerfile
index f12b663..a2431c6 100644
--- a/php84/Dockerfile
+++ b/php84/Dockerfile
@@ -6,16 +6,9 @@ LABEL \
 version="1.0" \
 description="PHP 8.4 with Imagick and Composer"
 
-USER www-data
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
- CMD php -v || exit 1
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # Install PHP extensions and required libraries
-RUN set -o pipefail \
- && apt-get update --no-cache \
+RUN \
+ apt-get update \
 && apt-get install -y --no-install-recommends \
 libicu-dev \
 libxml2-dev \
@@ -40,14 +33,8 @@ RUN set -o pipefail \
 && yes '' | pecl install imagick \
 && docker-php-ext-enable imagick \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Install Composer
-RUN set -o pipefail \
+ && rm -rf /var/lib/apt/lists/* \
 && curl -sS https://getcomposer.org/installer | \
- php -- --install-dir=/usr/local/bin --filename=composer
-
-# Verify installations
-RUN set -o pipefail \
+ php -- --install-dir=/usr/local/bin --filename=composer \
 && php --version \
 && composer --version