Remove non-root user creation in PHP-FPM and CLI Dockerfiles: #15
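# Builds the PHP CLI base image from docker/php/cli/base once per architecture
# (amd64 and arm64, each on its own runner), pushes arch-suffixed tags to GHCR
# and Docker Hub, then joins each pair into a multi-arch tag in the `manifest` job.
#
# NOTE(review): every `uses:` in this file references a mutable tag (@v4, @v3,
# @v1, @v2). These actions run in jobs that hold a GITHUB_TOKEN with
# `packages: write` and the Docker Hub token, so a retagged release would change
# what executes next to those credentials. Pinning each action to a full commit
# SHA (keeping the tag as a trailing comment) removes that dependency on the tag.
name: PHP-CLI

on:
  # No pull_request trigger: the publishing jobs only run for pushes to main,
  # the weekly schedule (Mondays 02:00 UTC) and manual dispatch.
  push:
    branches: [ main ]
    paths:
      - 'docker/php/cli/**'
      - '.github/workflows/build-cli.yml'
  schedule:
    - cron: '0 2 * * 1'
  workflow_dispatch:

# Workflow-level token scope; it applies to all three jobs, and each of them
# logs in to GHCR and pushes there.
permissions:
  contents: read
  packages: write # needed for GHCR

env:
  GHCR_IMAGE: ghcr.io/liquidrazor/php
  DOCKERHUB_IMAGE: docker.io/liquidrazor/php

# A newer run on the same ref cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-amd64:
    runs-on: blacksmith-4vcpu-ubuntu-2404
    strategy:
      fail-fast: false
      matrix:
        include:
          - var: PHP_LATEST
            is_latest: true
          - var: PHP_PREVIOUS
            is_latest: false
    env:
      ARCH_SUFFIX: amd64
      # The PHP version is read from the repository/organisation variable named by matrix.var.
      PHP_VERSION: ${{ vars[matrix.var] }}
      IS_LATEST: ${{ matrix.is_latest }}
    steps:
      - uses: actions/checkout@v4

      - name: Setup Blacksmith Builder
        uses: useblacksmith/setup-docker-builder@v1

      # Log in to GHCR
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Log in to Docker Hub
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Compute tags (CLI)
        id: tags
        shell: bash
        run: |
          set -euo pipefail

          PHP_VERSION="${PHP_VERSION:?missing}"
          # The value comes from a configuration variable and ends up in image
          # tags and in $GITHUB_OUTPUT, so accept only characters that are legal
          # in an image tag. This also rules out embedded newlines, which would
          # otherwise be written into the multi-line output blocks below.
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]*$'
          if [[ ! "$PHP_VERSION" =~ $tag_re ]]; then
            printf 'PHP_VERSION is not usable in an image tag: %q\n' "$PHP_VERSION" >&2
            exit 1
          fi

          # major.minor line, e.g. the first two dot-separated fields
          LINE_VERSION="$(cut -d. -f1,2 <<<"$PHP_VERSION")"

          TAGS=("${LINE_VERSION}-cli" "${PHP_VERSION}-cli")
          if [[ "${IS_LATEST}" == "true" ]]; then
            TAGS=("cli" "${TAGS[@]}")
          fi

          ARCH="${ARCH_SUFFIX}"

          # Registry-qualified tags with arch suffix
          mapfile -t TAGS_WITH_ARCH < <(
            for t in "${TAGS[@]}"; do
              printf "%s:%s-%s\n" "${GHCR_IMAGE}" "$t" "${ARCH}"
              printf "%s:%s-%s\n" "${DOCKERHUB_IMAGE}" "$t" "${ARCH}"
            done
          )

          # No-arch tags (for manifest creation)
          # Not read by a later step in this job; the manifest job recomputes them.
          mapfile -t TAGS_NO_ARCH < <(
            for t in "${TAGS[@]}"; do
              printf "%s:%s\n" "${GHCR_IMAGE}" "$t"
              printf "%s:%s\n" "${DOCKERHUB_IMAGE}" "$t"
            done
          )

          {
            echo "tags_with_arch<<__ARCH__"
            printf '%s\n' "${TAGS_WITH_ARCH[@]}"
            echo "__ARCH__"
          } >> "$GITHUB_OUTPUT"

          {
            echo "tags_no_arch<<__NOARCH__"
            printf '%s\n' "${TAGS_NO_ARCH[@]}"
            echo "__NOARCH__"
          } >> "$GITHUB_OUTPUT"

      - uses: useblacksmith/build-push-action@v2
        with:
          context: docker/php/cli/base
          file: docker/php/cli/base/Dockerfile
          push: true
          platforms: linux/amd64
          build-args: |
            PHP_VERSION=${{ env.PHP_VERSION }}
          tags: ${{ steps.tags.outputs.tags_with_arch }}
          # NOTE(review): SBOM and provenance attestations are switched off, so the
          # published image carries no build attestation for consumers to verify.
          # The reason is not visible in this file; confirm it is deliberate.
          sbom: false
          provenance: false

  build-arm64:
    runs-on: blacksmith-4vcpu-ubuntu-2404-arm
    strategy:
      fail-fast: false
      matrix:
        include:
          - var: PHP_LATEST
            is_latest: true
          - var: PHP_PREVIOUS
            is_latest: false
    env:
      ARCH_SUFFIX: arm64
      # The PHP version is read from the repository/organisation variable named by matrix.var.
      PHP_VERSION: ${{ vars[matrix.var] }}
      IS_LATEST: ${{ matrix.is_latest }}
    steps:
      - uses: actions/checkout@v4

      - name: Setup Blacksmith Builder
        uses: useblacksmith/setup-docker-builder@v1

      # Log in to GHCR
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Log in to Docker Hub
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Compute tags (CLI)
        id: tags
        shell: bash
        run: |
          set -euo pipefail

          PHP_VERSION="${PHP_VERSION:?missing}"
          # Same check as the amd64 job: only image-tag characters, no newlines,
          # before the value reaches tags and $GITHUB_OUTPUT.
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]*$'
          if [[ ! "$PHP_VERSION" =~ $tag_re ]]; then
            printf 'PHP_VERSION is not usable in an image tag: %q\n' "$PHP_VERSION" >&2
            exit 1
          fi

          LINE_VERSION="$(cut -d. -f1,2 <<<"$PHP_VERSION")"

          TAGS=("${LINE_VERSION}-cli" "${PHP_VERSION}-cli")
          if [[ "${IS_LATEST}" == "true" ]]; then
            TAGS=("cli" "${TAGS[@]}")
          fi

          ARCH="${ARCH_SUFFIX}"

          # Registry-qualified tags with arch suffix
          mapfile -t TAGS_WITH_ARCH < <(
            for t in "${TAGS[@]}"; do
              printf "%s:%s-%s\n" "${GHCR_IMAGE}" "$t" "${ARCH}"
              printf "%s:%s-%s\n" "${DOCKERHUB_IMAGE}" "$t" "${ARCH}"
            done
          )

          # No-arch tags (for manifest creation)
          # Not read by a later step in this job; the manifest job recomputes them.
          mapfile -t TAGS_NO_ARCH < <(
            for t in "${TAGS[@]}"; do
              printf "%s:%s\n" "${GHCR_IMAGE}" "$t"
              printf "%s:%s\n" "${DOCKERHUB_IMAGE}" "$t"
            done
          )

          {
            echo "tags_with_arch<<__ARCH__"
            printf '%s\n' "${TAGS_WITH_ARCH[@]}"
            echo "__ARCH__"
          } >> "$GITHUB_OUTPUT"

          {
            echo "tags_no_arch<<__NOARCH__"
            printf '%s\n' "${TAGS_NO_ARCH[@]}"
            echo "__NOARCH__"
          } >> "$GITHUB_OUTPUT"

      - uses: useblacksmith/build-push-action@v2
        with:
          context: docker/php/cli/base
          file: docker/php/cli/base/Dockerfile
          push: true
          platforms: linux/arm64
          build-args: |
            PHP_VERSION=${{ env.PHP_VERSION }}
          tags: ${{ steps.tags.outputs.tags_with_arch }}
          # NOTE(review): SBOM and provenance attestations are switched off here as
          # well; confirm it is deliberate.
          sbom: false
          provenance: false

  manifest:
    runs-on: blacksmith-4vcpu-ubuntu-2404
    # Runs only after both per-arch builds have finished.
    needs: [build-amd64, build-arm64]
    strategy:
      fail-fast: false
      matrix:
        include:
          - var: PHP_LATEST
            is_latest: true
          - var: PHP_PREVIOUS
            is_latest: false
    env:
      PHP_VERSION: ${{ vars[matrix.var] }}
      IS_LATEST: ${{ matrix.is_latest }}
    steps:
      # No checkout: this job only talks to the registries.
      - name: Setup Blacksmith Builder
        uses: useblacksmith/setup-docker-builder@v1

      # Log in to GHCR
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Log in to Docker Hub
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Recompute final tags (CLI)
        id: tags
        shell: bash
        run: |
          set -euo pipefail

          PHP_VERSION="${PHP_VERSION:?missing}"
          # Same check as the build jobs: only image-tag characters, no newlines,
          # before the value reaches tags and $GITHUB_OUTPUT.
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]*$'
          if [[ ! "$PHP_VERSION" =~ $tag_re ]]; then
            printf 'PHP_VERSION is not usable in an image tag: %q\n' "$PHP_VERSION" >&2
            exit 1
          fi

          LINE_VERSION="$(cut -d. -f1,2 <<<"$PHP_VERSION")"

          TAGS=("${LINE_VERSION}-cli" "${PHP_VERSION}-cli")
          if [[ "${IS_LATEST}" == "true" ]]; then
            TAGS=("cli" "${TAGS[@]}")
          fi

          # Fully-qualified (no-arch) targets for manifest creation, both registries
          mapfile -t TAGS_NO_ARCH < <(
            for t in "${TAGS[@]}"; do
              printf "%s:%s\n" "${GHCR_IMAGE}" "$t"
              printf "%s:%s\n" "${DOCKERHUB_IMAGE}" "$t"
            done
          )

          {
            echo "tags_no_arch<<__NOARCH__"
            printf '%s\n' "${TAGS_NO_ARCH[@]}"
            echo "__NOARCH__"
          } >> "$GITHUB_OUTPUT"

      - name: Publish multi-arch manifests (CLI)
        shell: bash
        env:
          # Hand the step output to the script as an environment variable.
          # Expanding an Actions expression inside `run:` pastes the value into the
          # script text before bash parses it, so any quote or command substitution
          # in the value would be interpreted as shell.
          TARGETS: ${{ steps.tags.outputs.tags_no_arch }}
        run: |
          set -euo pipefail

          while IFS= read -r TARGET; do
            # Skip blank lines so an empty list does not become a ":" target.
            [[ -n "$TARGET" ]] || continue

            # Split "registry/repo:tag" at the last colon.
            base="${TARGET%:*}"
            tag="${TARGET##*:}"

            echo "Creating manifest for ${base}:${tag}"
            docker buildx imagetools create \
              -t "${base}:${tag}" \
              "${base}:${tag}-amd64" \
              "${base}:${tag}-arm64"
          done <<< "${TARGETS}"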