diff --git a/.github/workflows/cleanup-packages.yaml b/.github/workflows/cleanup-packages.yaml
index 29dd983..202154b 100644
--- a/.github/workflows/cleanup-packages.yaml
+++ b/.github/workflows/cleanup-packages.yaml
@@ -7,6 +7,8 @@ name: Cleanup packages
 on:
 workflow_dispatch:
+ schedule:
+ - cron: '22 1 * * 3'
 env:
 # Use docker.io for Docker Hub if empty
diff --git a/.github/workflows/publish-containers.yaml b/.github/workflows/publish-containers.yaml
index 3f76bc1..40af72a 100644
--- a/.github/workflows/publish-containers.yaml
+++ b/.github/workflows/publish-containers.yaml
@@ -1,4 +1,4 @@
-name: Docker
+name: Build and Publish Dev Container Images
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
@@ -44,14 +44,38 @@ jobs: - name: Create timestamp tag id: timestamp run: echo "image_timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" | tee $GITHUB_OUTPUT + runtime-versions: + name: Get runtime versions + runs-on: ubuntu-latest + needs: preparation + strategy: + matrix: + folder: ${{ fromJson(needs.preparation.outputs.folders) }} + outputs: + runtime_versions: ${{ steps.runtime-versions.outputs.runtime_versions }} + steps: + - name: Checkout repository + uses: actions/checkout@v6 + - name: Read runtime name from config.json + id: runtime-name + run: | + runtime_name=$(jq -r '.ci.runtime_name' src/${{ matrix.folder }}/config.json) + echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV + - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json + id: runtime-versions + run: | + runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}_versions" '.ci.[$runtime_name]' src/${{ matrix.folder }}/config.json) + echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT + env: + RUNTIME_NAME: ${{ env.RUNTIME_NAME }} build: runs-on: ubuntu-latest - needs: preparation + needs: [preparation, runtime-versions] strategy: matrix: folder: ${{ fromJson(needs.preparation.outputs.folders) }} - php_version: [8.5, 8.4, 8.3, 8.2] + runtime_version: ${{ fromJson(needs.runtime-versions.outputs.runtime_versions) }} permissions: contents: read packages: write
@@ -67,13 +91,14 @@ jobs: run: | sudo apt-get update sudo apt-get install -y skopeo - - uses: xom9ikk/dotenv@v2.4.0 + - name: Load environment variables from .env file + uses: xom9ikk/dotenv@v2.4.0 with: path: "src/${{ matrix.folder }}" mode: '' load-mode: 'skip' env: - PHP_VERSION: ${{ matrix.php_version }} + RUNTIME_VERSION: ${{ matrix.runtime_version }} - name: Get image base digest id: get-image-base-digest run: |
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index ad37190..5a4be42 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
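Review bot: The `runtime_versions` job output is written by every leg of the `folder` matrix, and GitHub keeps only the value from whichever leg finishes last, so `build` applies a single folder's version list to every folder. It works today only because the three `config.json` files added in this commit are identical (all index `511403b`); the first folder whose versions diverge will be built against the wrong list, and the trivy.yaml hunk at `@@ -34,20 +34,45` copies the same pattern. A fix is to drop the matrix from `runtime-versions`, walk `needs.preparation.outputs.folders` once, emit a JSON list of `{folder, runtime_version}` pairs, and consume it through `matrix: include:` in `build`, whose definition continues past the end of this hunk; keeping the names `matrix.folder` and `matrix.runtime_version` leaves the rest of `build` untouched. The step-level `env: RUNTIME_NAME: ${{ env.RUNTIME_NAME }}` is also a no-op, because the value written to `$GITHUB_ENV` by the previous step is already visible to later steps.
```yaml
  runtime-versions:
    name: Get runtime versions
    runs-on: ubuntu-latest
    needs: preparation
    outputs:
      matrix_include: ${{ steps.runtime-versions.outputs.matrix_include }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Build {folder, runtime_version} pairs from every config.json
        id: runtime-versions
        env:
          FOLDERS: ${{ needs.preparation.outputs.folders }}
        run: |
          include='[]'
          for folder in $(jq -r '.[]' <<< "$FOLDERS"); do
            include=$(jq -c --arg folder "$folder" --slurpfile cfg "src/${folder}/config.json" \
              '. + [ $cfg[0].ci as $ci | $ci[$ci.runtime_name + "_versions"][] | {folder: $folder, runtime_version: .} ]' <<< "$include")
          done
          echo "matrix_include=$include" | tee "$GITHUB_OUTPUT"
  build:
    runs-on: ubuntu-latest
    needs: [preparation, runtime-versions]
    strategy:
      matrix:
        include: ${{ fromJson(needs.runtime-versions.outputs.matrix_include) }}
    # … unchanged: permissions and steps …
```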
@@ -34,20 +34,45 @@ jobs: - name: Get lowercase repo name id: lowercase-repo run: echo "repo=${GITHUB_REPOSITORY@L}" | tee $GITHUB_OUTPUT - build: + + runtime-versions: + name: Get runtime versions + runs-on: ubuntu-latest + needs: preparation + strategy: + matrix: + folder: ${{ fromJson(needs.preparation.outputs.folders) }} + outputs: + runtime_versions: ${{ steps.runtime-versions.outputs.runtime_versions }} + steps: + - name: Checkout repository + uses: actions/checkout@v6 + - name: Read runtime name from config.json + id: runtime-name + run: | + runtime_name=$(jq -r '.ci.runtime_name' src/${{ matrix.folder }}/config.json) + echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV + - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json + id: runtime-versions + run: | + runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}_versions" '.ci.[$runtime_name]' src/${{ matrix.folder }}/config.json) + echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT + env: + RUNTIME_NAME: ${{ env.RUNTIME_NAME }} + scan: permissions: #contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build + name: Scan images runs-on: ubuntu-latest - needs: preparation + needs: [preparation, runtime-versions] strategy: matrix: folder: ${{ fromJson(needs.preparation.outputs.folders) }} - php_version: [8.5, 8.4, 8.3, 8.2] + runtime_version: ${{ fromJson(needs.runtime-versions.outputs.runtime_versions) }} steps: - - name: Checkout code + - name: Checkout repository uses: actions/checkout@v6 - uses: xom9ikk/dotenv@v2.4.0 
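Review bot: The `runtime-versions` job added here is a verbatim copy of the one added to publish-containers.yaml in the same commit, including the `jq` lookup and the `$GITHUB_ENV` hand-off between its two steps, so the two definitions will drift independently. Factoring it into one reusable workflow (`on: workflow_call`, consumed with `uses: ./.github/workflows/<shared-workflow>.yaml`) or a composite action under `.github/actions/` keeps a single definition for both callers. The matrix-output conflation in this job is raised on the publish-containers hunk and applies here unchanged. The `scan` job continues past the end of this hunk.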
@@ -56,26 +81,23 @@ jobs: mode: '' load-mode: 'skip' env: - PHP_VERSION: ${{ matrix.php_version }} + RUNTIME_VERSION: ${{ matrix.runtime_version }} - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@v4 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@v0.36.0 with: image-ref: '${{ env.REGISTRY }}/${{ needs.preparation.outputs.repo }}/${{ matrix.folder }}:${{ env.TARGET_IMAGE_BASETAG }}' - format: 'template' - template: '@/contrib/sarif.tpl' + format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - + ignore-unfixed: true + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + INPUT_LIMIT_SEVERITIES_FOR_SARIF: true + TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }} - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 + if: always() with: sarif_file: 'trivy-results.sarif'
diff --git a/src/typo3-apache/.env b/src/typo3-apache/.env
index 123211e..d672041 100644
--- a/src/typo3-apache/.env
+++ b/src/typo3-apache/.env
@@ -1,4 +1,4 @@
-TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie
-PHP_VERSION=${PHP_VERSION}
+PHP_VERSION=${RUNTIME_VERSION}
+TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie
 IMAGE_BASE_NAME=docker.io/library/php
-IMAGE_BASE_TAG=${PHP_VERSION}-apache-trixie
+IMAGE_BASE_TAG=${RUNTIME_VERSION}-apache-trixie
diff --git a/src/typo3-apache/config.json b/src/typo3-apache/config.json
new file mode 100644
index 0000000..511403b
--- /dev/null
+++ b/src/typo3-apache/config.json
@@ -0,0 +1,11 @@
+{
+ "ci": {
+ "runtime_name": "php",
+ "php_versions": [
+ "8.2",
+ "8.3",
+ "8.4",
+ "8.5"
+ ]
+ }
+}
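Review bot: `uses: aquasecurity/trivy-action@v0.36.0` replaces a full-commit pin with a mutable tag, so the code this job runs can change after review without any diff in this repository — the previous line had that guarantee and the new one does not. Keep the commit pin and record the version beside it, `uses: aquasecurity/trivy-action@<full-commit-sha-of-v0.36.0> # v0.36.0`, and consider the same for `github/codeql-action/upload-sarif@v4` if SHA pinning is the repository's policy. `INPUT_LIMIT_SEVERITIES_FOR_SARIF: true` reaches the action through the runner's input-to-environment mapping instead of its declared interface; the equivalent is `limit-severities-for-sarif: true` under `with:`, which will also survive a rename of that internal convention. `TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }}` at step level only copies a value that is already in the job environment and can be dropped. `ignore-unfixed: true` also keeps findings that have no upstream fix yet out of the Security tab, which is a deliberate noise trade-off worth a one-line comment next to it, e.g. `# unfixable CVEs are tracked separately; only actionable findings are uploaded`.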
diff --git a/src/typo3-frankenphp/.env b/src/typo3-frankenphp/.env
index 1d70fc2..348a948 100644
--- a/src/typo3-frankenphp/.env
+++ b/src/typo3-frankenphp/.env
@@ -1,4 +1,4 @@
-TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie
-PHP_VERSION=${PHP_VERSION}
+PHP_VERSION=${RUNTIME_VERSION}
+TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie
 IMAGE_BASE_NAME=docker.io/dunglas/frankenphp
-IMAGE_BASE_TAG=1-php${PHP_VERSION}-trixie
+IMAGE_BASE_TAG=1-php${RUNTIME_VERSION}-trixie
diff --git a/src/typo3-frankenphp/config.json b/src/typo3-frankenphp/config.json
new file mode 100644
index 0000000..511403b
--- /dev/null
+++ b/src/typo3-frankenphp/config.json
@@ -0,0 +1,11 @@
+{
+ "ci": {
+ "runtime_name": "php",
+ "php_versions": [
+ "8.2",
+ "8.3",
+ "8.4",
+ "8.5"
+ ]
+ }
+}
diff --git a/src/typo3-nginx/.env b/src/typo3-nginx/.env
index 33aa7f7..6986779 100644
--- a/src/typo3-nginx/.env
+++ b/src/typo3-nginx/.env
@@ -1,4 +1,4 @@
-TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie
-PHP_VERSION=${PHP_VERSION}
+PHP_VERSION=${RUNTIME_VERSION}
+TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie
 IMAGE_BASE_NAME=docker.io/library/php
-IMAGE_BASE_TAG=${PHP_VERSION}-fpm-trixie
+IMAGE_BASE_TAG=${RUNTIME_VERSION}-fpm-trixie
diff --git a/src/typo3-nginx/config.json b/src/typo3-nginx/config.json
new file mode 100644
index 0000000..511403b
--- /dev/null
+++ b/src/typo3-nginx/config.json
@@ -0,0 +1,11 @@
+{
+ "ci": {
+ "runtime_name": "php",
+ "php_versions": [
+ "8.2",
+ "8.3",
+ "8.4",
+ "8.5"
+ ]
+ }
+}