From 8e5aff92b564f6bf9c5e58c96498403efe52b9c0 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 14:56:51 +0200 Subject: [PATCH 01/12] ci: fine tune trivy --- .github/workflows/trivy.yaml | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index ad37190..522fa9e 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -58,24 +58,19 @@ jobs: env: PHP_VERSION: ${{ matrix.php_version }} - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@v4 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@v0.36.0 with: image-ref: '${{ env.REGISTRY }}/${{ needs.preparation.outputs.repo }}/${{ matrix.folder }}:${{ env.TARGET_IMAGE_BASETAG }}' - format: 'template' - template: '@/contrib/sarif.tpl' + format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - + ignore-unfixed: true + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 + if: always() with: sarif_file: 'trivy-results.sarif' From 562f6ea49974473cc2bdfd29682c365dfb172f68 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 15:07:14 +0200 Subject: [PATCH 02/12] ci: INPUT_LIMIT_SEVERITIES_FOR_SARIF --- .github/workflows/trivy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 522fa9e..5120333 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
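Review bot: Replacing the full commit SHA `7b7aa264d83dc58691451798b4d117d53d21edfe` with the tag `v0.36.0` on the trivy-action `uses:` line weakens the supply-chain pin: a tag is mutable and can be re-pointed by whoever controls the action repository, whereas the SHA was immutable. Keep the SHA and record the version in a trailing comment, `uses: aquasecurity/trivy-action@<full-sha> # v0.36.0`, which is the form dependabot still understands. The same hunk drops the `if: github.event_name != 'pull_request'` guard that used to gate registry login, so `TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` is now handed to the action on every event; that is typically harmless for a fork PR's read-only token, but it should be a deliberate choice rather than a side effect of the refactor. `ignore-unfixed: true` combined with `severity: 'CRITICAL,HIGH'` and no `exit-code` means a critical CVE with no upstream fix neither appears in the Security tab nor fails the job, which is a reasonable noise trade-off but deserves a one-line comment above `ignore-unfixed` saying so.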
@@ -69,6 +69,7 @@ jobs: env: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + INPUT_LIMIT_SEVERITIES_FOR_SARIF: true - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v4 if: always() From c68828946c7a442c4f1b21ef2775272539452a30 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 15:42:18 +0200 Subject: [PATCH 03/12] ci: add configuration file for each package --- .github/workflows/publish-containers.yaml | 3 ++- .github/workflows/trivy.yaml | 17 ++++++++++++++--- src/typo3-apache/config.json | 10 ++++++++++ src/typo3-frankenphp/config.json | 10 ++++++++++ src/typo3-nginx/config.json | 10 ++++++++++ 5 files changed, 46 insertions(+), 4 deletions(-) create mode 100644 src/typo3-apache/config.json create mode 100644 src/typo3-frankenphp/config.json create mode 100644 src/typo3-nginx/config.json diff --git a/.github/workflows/publish-containers.yaml b/.github/workflows/publish-containers.yaml index 3f76bc1..81d5bf5 100644 --- a/.github/workflows/publish-containers.yaml +++ b/.github/workflows/publish-containers.yaml @@ -67,7 +67,8 @@ jobs: run: | sudo apt-get update sudo apt-get install -y skopeo - - uses: xom9ikk/dotenv@v2.4.0 + - name: Load environment variables from .env file + uses: xom9ikk/dotenv@v2.4.0 with: path: "src/${{ matrix.folder }}" mode: '' diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 5120333..d578336 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
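Review bot: Setting `INPUT_LIMIT_SEVERITIES_FOR_SARIF: true` through the step's `env:` reaches the action via the runner's internal `INPUT_*` naming of declared inputs, which is an implementation detail rather than a supported interface and may stop working when the action changes how it reads inputs. If `aquasecurity/trivy-action@v0.36.0` exposes this as an input (the name suggests `limit-severities-for-sarif`), move it under `with:` next to `ignore-unfixed` as `limit-severities-for-sarif: true`; if it does not, add a comment above the env line explaining why the env route is used so the next maintainer does not "clean it up".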
@@ -34,18 +34,29 @@ jobs: - name: Get lowercase repo name id: lowercase-repo run: echo "repo=${GITHUB_REPOSITORY@L}" | tee $GITHUB_OUTPUT - build: + php-versions: + runs-on: ubuntu-latest + needs: preparation + outputs: + php_versions: ${{ steps.php-versions.outputs.php_versions }} + steps: + - name: Load php versions to process from config.json + id: php-versions + run: | + php_versions=$(jq -r .ci.php_versions src/${{ matrix.folder }}/config.json) + echo "php_versions=$php_versions" | tee $GITHUB_OUTPUT + scan: permissions: #contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: ubuntu-latest - needs: preparation + needs: [preparation, php-versions] strategy: matrix: folder: ${{ fromJson(needs.preparation.outputs.folders) }} - php_version: [8.5, 8.4, 8.3, 8.2] + php_version: ${{ fromJson(needs.php-versions.outputs.php_versions) }} steps: - name: Checkout code uses: actions/checkout@v6 diff --git a/src/typo3-apache/config.json b/src/typo3-apache/config.json new file mode 100644 index 0000000..5db765f --- /dev/null +++ b/src/typo3-apache/config.json @@ -0,0 +1,10 @@ +{ + "ci": { + "php_versions": [ + 8.2, + 8.3, + 8.4, + 8.5 + ] + } +} diff --git a/src/typo3-frankenphp/config.json b/src/typo3-frankenphp/config.json new file mode 100644 index 0000000..5db765f --- /dev/null +++ b/src/typo3-frankenphp/config.json @@ -0,0 +1,10 @@ +{ + "ci": { + "php_versions": [ + 8.2, + 8.3, + 8.4, + 8.5 + ] + } +} diff --git a/src/typo3-nginx/config.json b/src/typo3-nginx/config.json new file mode 100644 index 0000000..5db765f --- /dev/null +++ b/src/typo3-nginx/config.json @@ -0,0 +1,10 @@ +{ + "ci": { + "php_versions": [ + 8.2, + 8.3, + 8.4, + 8.5 + ] + } +} From 5efd1e2689b925e2527c06befcabebfcbfe1a334 Mon Sep 17 00:00:00 2001 
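Review bot: The `scan` job's explicit `permissions:` block grants only `security-events: write` and `actions: read`, and the commented-out `contents: read` line shows the omission is deliberate; but an explicit block sets every unlisted scope to `none`, so the `GITHUB_TOKEN` that the Trivy step later passes as `TRIVY_PASSWORD` carries no `packages: read`, and `actions/checkout@v6` in this hunk runs without `contents: read`. If the repository and the scanned GHCR images are public this works only because anonymous access suffices; for a private package the pull would likely be rejected. Spell the job's real needs out, `contents: read` and `packages: read`, so the least-privilege intent of the block is visible instead of accidental. The `scan` job's `steps:` continue outside this hunk.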
From: Thomas HUCKE Date: Sun, 17 May 2026 15:43:45 +0200 Subject: [PATCH 04/12] ci: fix matrix --- .github/workflows/trivy.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index d578336..fbc0c4b 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -37,6 +37,9 @@ jobs: php-versions: runs-on: ubuntu-latest needs: preparation + strategy: + matrix: + folder: ${{ fromJson(needs.preparation.outputs.folders) }} outputs: php_versions: ${{ steps.php-versions.outputs.php_versions }} steps: From f7dd672ded266a3396f42f288c754671819d0ac9 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 15:45:23 +0200 Subject: [PATCH 05/12] ci: fix step php-versions --- .github/workflows/trivy.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index fbc0c4b..7e0c9a1 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -43,6 +43,8 @@ jobs: outputs: php_versions: ${{ steps.php-versions.outputs.php_versions }} steps: + - name: Checkout repository + uses: actions/checkout@v6 - name: Load php versions to process from config.json id: php-versions run: | @@ -61,7 +63,7 @@ jobs: folder: ${{ fromJson(needs.preparation.outputs.folders) }} php_version: ${{ fromJson(needs.php-versions.outputs.php_versions) }} steps: - - name: Checkout code + - name: Checkout repository uses: actions/checkout@v6 - uses: xom9ikk/dotenv@v2.4.0 From e05c784f94998aba7ff19698c01f03966e8ff63c Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 15:58:17 +0200 Subject: [PATCH 06/12] ci: fix json processing with jq --- .github/workflows/trivy.yaml | 2 +- src/typo3-apache/config.json | 8 ++++---- src/typo3-frankenphp/config.json | 8 ++++---- src/typo3-nginx/config.json | 8 ++++---- 4 files changed, 13 insertions(+), 13 deletions(-) 
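Review bot: Adding `strategy.matrix.folder` to the `php-versions` job makes its `outputs.php_versions` ambiguous: a job output is a single value per job, and when a matrix job sets it each leg overwrites the previous one, so `needs.php-versions.outputs.php_versions` in `scan` holds whichever folder's `config.json` was read last, for every folder. With three identical config files this is invisible today, but the moment one folder drops or adds a PHP version the scan matrix will be wrong for the others. Either make the job non-matrix and have one step loop over the folders to emit a combined `include` list of `{folder, php_version}` pairs, or drop the intermediate job and read `config.json` inside `scan` itself. The job's `outputs:` and `steps:` continue outside this hunk.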
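Review bot: The new `actions/checkout@v6` step in `php-versions` only needs to read `config.json`, yet checkout's default `persist-credentials` leaves the `GITHUB_TOKEN` in `.git/config` for the rest of the job; add `with:` `persist-credentials: false` here, and to the other checkout steps in the file, since no later step in this job pushes or fetches.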
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 7e0c9a1..0af90a7 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -48,7 +48,7 @@ jobs: - name: Load php versions to process from config.json id: php-versions run: | - php_versions=$(jq -r .ci.php_versions src/${{ matrix.folder }}/config.json) + php_versions=$(jq -c '.ci.php_versions' src/${{ matrix.folder }}/config.json) echo "php_versions=$php_versions" | tee $GITHUB_OUTPUT scan: permissions: diff --git a/src/typo3-apache/config.json b/src/typo3-apache/config.json index 5db765f..ea6f5b1 100644 --- a/src/typo3-apache/config.json +++ b/src/typo3-apache/config.json @@ -1,10 +1,10 @@ { "ci": { "php_versions": [ - 8.2, - 8.3, - 8.4, - 8.5 + "8.2", + "8.3", + "8.4", + "8.5" ] } } diff --git a/src/typo3-frankenphp/config.json b/src/typo3-frankenphp/config.json index 5db765f..ea6f5b1 100644 --- a/src/typo3-frankenphp/config.json +++ b/src/typo3-frankenphp/config.json @@ -1,10 +1,10 @@ { "ci": { "php_versions": [ - 8.2, - 8.3, - 8.4, - 8.5 + "8.2", + "8.3", + "8.4", + "8.5" ] } } diff --git a/src/typo3-nginx/config.json b/src/typo3-nginx/config.json index 5db765f..ea6f5b1 100644 --- a/src/typo3-nginx/config.json +++ b/src/typo3-nginx/config.json @@ -1,10 +1,10 @@ { "ci": { "php_versions": [ - 8.2, - 8.3, - 8.4, - 8.5 + "8.2", + "8.3", + "8.4", + "8.5" ] } } From 3f3cd4ddfec581009cd2fdc9f04d18d2857b80b5 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 16:17:58 +0200 Subject: [PATCH 07/12] ci: independent runtime job? --- .github/workflows/trivy.yaml | 28 ++++++++++++++++++---------- src/typo3-apache/.env | 6 +++--- src/typo3-apache/config.json | 1 + src/typo3-frankenphp/.env | 6 +++--- src/typo3-frankenphp/config.json | 1 + src/typo3-nginx/.env | 6 +++--- src/typo3-nginx/config.json | 1 + 7 files changed, 30 insertions(+), 19 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 0af90a7..d1c1d81 100644 
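Review bot: `jq -c '.ci.php_versions'` succeeds and prints `null` when the key is missing or misspelled, and `fromJson(...)` in the `scan` matrix then fails far from the cause; `jq -ce '.ci.php_versions'` makes jq exit non-zero on `null`/`false` so the step fails here with an obvious message. Separately, `${{ matrix.folder }}` is interpolated straight into the shell line; the value appears to come from the repository's own directory listing, so the injection exposure is small, but the documented pattern is `env: FOLDER: ${{ matrix.folder }}` on the step and `"src/$FOLDER/config.json"` in `run:`, which also quotes it. Keep the version entries in `config.json` quoted as this commit does, since a bare `8.10` would otherwise be read as the number `8.1`.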
--- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -24,6 +24,7 @@ jobs: outputs: folders: ${{ steps.devcontainer-folders.outputs.folders }} repo: ${{ steps.lowercase-repo.outputs.repo }} + runtime_name: ${{ steps.runtime-name.outputs.runtime_name }} steps: - name: Checkout repository uses: actions/checkout@v6 
@@ -34,34 +35,41 @@ jobs: - name: Get lowercase repo name id: lowercase-repo run: echo "repo=${GITHUB_REPOSITORY@L}" | tee $GITHUB_OUTPUT - php-versions: + - name: Read runtime name from config.json + id: runtime-name + run: | + runtime_name=$(jq -c '.ci.runtime_name' src/${{ matrix.folder }}/config.json) + echo "runtime_name=$runtime_name" | tee $GITHUB_OUTPUT + + runtime-versions: + name: Get runtime ${{ needs.preparation.outputs.runtime_name }} versions runs-on: ubuntu-latest needs: preparation strategy: matrix: folder: ${{ fromJson(needs.preparation.outputs.folders) }} outputs: - php_versions: ${{ steps.php-versions.outputs.php_versions }} + runtime_versions: ${{ steps.runtime-versions.outputs.runtime_versions }} steps: - name: Checkout repository uses: actions/checkout@v6 - - name: Load php versions to process from config.json - id: php-versions + - name: Load runtime versions to process from config.json + id: runtime-versions run: | - php_versions=$(jq -c '.ci.php_versions' src/${{ matrix.folder }}/config.json) - echo "php_versions=$php_versions" | tee $GITHUB_OUTPUT + runtime_versions=$(jq -c --arg runtime_name "${{ needs.preparation.outputs.runtime_name }}" '.ci.${runtime_name}_versions' src/${{ matrix.folder }}/config.json) + echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT scan: permissions: #contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build + name: Scan images runs-on: ubuntu-latest - needs: [preparation, php-versions] + needs: [preparation, runtime-versions] strategy: matrix: folder: ${{ fromJson(needs.preparation.outputs.folders) }} - php_version: ${{ fromJson(needs.php-versions.outputs.php_versions) }} + runtime_version: ${{ fromJson(needs.runtime-versions.outputs.runtime_versions) }} steps: - name: Checkout 
repository uses: actions/checkout@v6 @@ -72,7 +80,7 @@ jobs: mode: '' load-mode: 'skip' env: - PHP_VERSION: ${{ matrix.php_version }} + RUNTIME_VERSION: ${{ matrix.runtime_version }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@v0.36.0 diff --git a/src/typo3-apache/.env b/src/typo3-apache/.env index 123211e..d672041 100644 --- a/src/typo3-apache/.env +++ b/src/typo3-apache/.env @@ -1,4 +1,4 @@ -TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie -PHP_VERSION=${PHP_VERSION} +PHP_VERSION=${RUNTIME_VERSION} +TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie IMAGE_BASE_NAME=docker.io/library/php -IMAGE_BASE_TAG=${PHP_VERSION}-apache-trixie +IMAGE_BASE_TAG=${RUNTIME_VERSION}-apache-trixie diff --git a/src/typo3-apache/config.json b/src/typo3-apache/config.json index ea6f5b1..511403b 100644 --- a/src/typo3-apache/config.json +++ b/src/typo3-apache/config.json @@ -1,5 +1,6 @@ { "ci": { + "runtime_name": "php", "php_versions": [ "8.2", "8.3", diff --git a/src/typo3-frankenphp/.env b/src/typo3-frankenphp/.env index 1d70fc2..348a948 100644 --- a/src/typo3-frankenphp/.env +++ b/src/typo3-frankenphp/.env @@ -1,4 +1,4 @@ -TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie -PHP_VERSION=${PHP_VERSION} +PHP_VERSION=${RUNTIME_VERSION} +TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie IMAGE_BASE_NAME=docker.io/dunglas/frankenphp -IMAGE_BASE_TAG=1-php${PHP_VERSION}-trixie +IMAGE_BASE_TAG=1-php${RUNTIME_VERSION}-trixie diff --git a/src/typo3-frankenphp/config.json b/src/typo3-frankenphp/config.json index ea6f5b1..511403b 100644 --- a/src/typo3-frankenphp/config.json +++ b/src/typo3-frankenphp/config.json @@ -1,5 +1,6 @@ { "ci": { + "runtime_name": "php", "php_versions": [ "8.2", "8.3", diff --git a/src/typo3-nginx/.env b/src/typo3-nginx/.env index 33aa7f7..6986779 100644 --- a/src/typo3-nginx/.env +++ b/src/typo3-nginx/.env 
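Review bot: The `runtime-versions` job and the per-package `config.json` now form an implicit contract (`ci.runtime_name` names a key `ci.<runtime_name>_versions` that must be a JSON array of version strings) that nothing in the workflow states, so a reader of `config.json` cannot tell which keys CI consumes or what shape they must have. Add a comment above `runtime-versions:` such as `# Each src/<folder>/config.json declares ci.runtime_name (e.g. "php") and ci.<runtime_name>_versions, a JSON array of version strings; each entry becomes one matrix leg.` and mirror it in the publish workflow. The `.env` rewrite to `PHP_VERSION=${RUNTIME_VERSION}` presumably relies on the dotenv action expanding `${VAR}` references from the step's `env:`; a one-line comment at the top of each `.env` saying that `RUNTIME_VERSION` is injected by CI would make that dependency visible. The `scan` job continues outside this hunk.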
@@ -1,4 +1,4 @@ -TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie -PHP_VERSION=${PHP_VERSION} +PHP_VERSION=${RUNTIME_VERSION} +TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie IMAGE_BASE_NAME=docker.io/library/php -IMAGE_BASE_TAG=${PHP_VERSION}-fpm-trixie +IMAGE_BASE_TAG=${RUNTIME_VERSION}-fpm-trixie diff --git a/src/typo3-nginx/config.json b/src/typo3-nginx/config.json index ea6f5b1..511403b 100644 --- a/src/typo3-nginx/config.json +++ b/src/typo3-nginx/config.json @@ -1,5 +1,6 @@ { "ci": { + "runtime_name": "php", "php_versions": [ "8.2", "8.3", From 6f9f1a7c36b6ff0932aa7aa70f9315e842b9e748 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 16:26:24 +0200 Subject: [PATCH 08/12] ci: fix --- .github/workflows/trivy.yaml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index d1c1d81..b7f17d9 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -24,7 +24,6 @@ jobs: outputs: folders: ${{ steps.devcontainer-folders.outputs.folders }} repo: ${{ steps.lowercase-repo.outputs.repo }} - runtime_name: ${{ steps.runtime-name.outputs.runtime_name }} steps: - name: Checkout repository uses: actions/checkout@v6 @@ -35,14 +34,9 @@ jobs: - name: Get lowercase repo name id: lowercase-repo run: echo "repo=${GITHUB_REPOSITORY@L}" | tee $GITHUB_OUTPUT - - name: Read runtime name from config.json - id: runtime-name - run: | - runtime_name=$(jq -c '.ci.runtime_name' src/${{ matrix.folder }}/config.json) - echo "runtime_name=$runtime_name" | tee $GITHUB_OUTPUT runtime-versions: - name: Get runtime ${{ needs.preparation.outputs.runtime_name }} versions + name: Get runtime versions runs-on: ubuntu-latest needs: preparation strategy: 
@@ -53,11 +47,18 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v6 - - name: Load runtime versions to process from config.json + - name: Read runtime name from config.json + id: runtime-name + run: | + runtime_name=$(jq -c '.ci.runtime_name' src/${{ matrix.folder }}/config.json) + echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV + - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json id: runtime-versions run: | - runtime_versions=$(jq -c --arg runtime_name "${{ needs.preparation.outputs.runtime_name }}" '.ci.${runtime_name}_versions' src/${{ matrix.folder }}/config.json) + runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}" '.ci.${runtime_name}_versions' src/${{ matrix.folder }}/config.json) echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT + env: + RUNTIME_NAME: ${{ env.RUNTIME_NAME }} scan: permissions: #contents: read # for actions/checkout to fetch code From 4813a9f31bc64a6a151b2de754f9bf7c004991d2 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 16:41:56 +0200 Subject: [PATCH 09/12] ci: next fix? --- .github/workflows/trivy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index b7f17d9..bded7df 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -55,7 +55,7 @@ jobs: - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json id: runtime-versions run: | - runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}" '.ci.${runtime_name}_versions' src/${{ matrix.folder }}/config.json) + runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}_versions" '.ci.[$runtime_name]' src/${{ matrix.folder }}/config.json) echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT env: RUNTIME_NAME: ${{ env.RUNTIME_NAME }} From e3ad2819f4b3ce94fe09c6dfbda0034a3b82b29a Mon Sep 17 00:00:00 2001 
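Review bot: The step-level `env: RUNTIME_NAME: ${{ env.RUNTIME_NAME }}` on the `runtime-versions` step is redundant: a value written to `$GITHUB_ENV` by the previous step is already exported to every later step's shell, so `${RUNTIME_NAME}` in `run:` resolves without it; drop the two lines. `echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV` also truncates the file instead of appending; GitHub allocates a fresh file per step so this happens to work, but `>> "$GITHUB_ENV"` is the documented form and survives a step that sets two variables. The deeper problem, that a matrix job's `outputs.runtime_versions` is overwritten by each `folder` leg so every folder scans the last folder's version list, still stands after this restructuring; the sketch below replaces the matrix job with a single job that emits a combined `include` list for `scan`.
```yaml
  runtime-versions:
    name: Get runtime versions
    runs-on: ubuntu-latest
    needs: preparation
    # Deliberately not a matrix job: a matrix job's outputs are overwritten by
    # each leg, so one job emits the (folder, runtime_version) pairs for every folder.
    outputs:
      include: ${{ steps.include.outputs.include }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Build folder/runtime_version pairs from every config.json
        id: include
        env:
          FOLDERS: ${{ needs.preparation.outputs.folders }}
        run: |
          include=$(jq -r '.[]' <<<"$FOLDERS" | while read -r folder; do
            jq -ce --arg folder "$folder" \
              '.ci[.ci.runtime_name + "_versions"][] | {folder: $folder, runtime_version: .}' \
              "src/$folder/config.json"
          done | jq -cs .)
          echo "include=$include" >> "$GITHUB_OUTPUT"
  # … unchanged: scan job permissions, name, runs-on, needs …
    strategy:
      matrix:
        include: ${{ fromJson(needs.runtime-versions.outputs.include) }}
```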
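Review bot: `.ci.[$runtime_name]` relies on the `.a.[b]` chained-index form that only newer jq releases accept; to my knowledge jq 1.6 rejects it as a syntax error, so the step's success depends on which jq the runner image ships. `.ci[$runtime_name]` is equivalent and works on every jq version, and since `--arg runtime_name "${RUNTIME_NAME}_versions"` actually holds the key name, renaming it `--arg key "${RUNTIME_NAME}_versions"` with `.ci[$key]` stops it reading as if it held the bare runtime name. Add `-e` as well so a missing `<runtime>_versions` key fails the step instead of emitting `null`.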
From: Thomas HUCKE Date: Sun, 17 May 2026 16:46:33 +0200 Subject: [PATCH 10/12] ci: jq reading runtime_name --- .github/workflows/trivy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index bded7df..8b8fd81 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -50,7 +50,7 @@ jobs: - name: Read runtime name from config.json id: runtime-name run: | - runtime_name=$(jq -c '.ci.runtime_name' src/${{ matrix.folder }}/config.json) + runtime_name=$(jq -r '.ci.runtime_name' src/${{ matrix.folder }}/config.json) echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json id: runtime-versions From 1c762095fdd23bdade5883b0fc4cbd13451109a8 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 16:51:35 +0200 Subject: [PATCH 11/12] ci: switch publish workflow to runtime_name --- .github/workflows/publish-containers.yaml | 30 ++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-containers.yaml b/.github/workflows/publish-containers.yaml index 81d5bf5..4084b40 100644 --- a/.github/workflows/publish-containers.yaml +++ b/.github/workflows/publish-containers.yaml 
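Review bot: `jq -r '.ci.runtime_name'` prints the literal string `null` when the key is absent, and that value then flows unvalidated into `$GITHUB_ENV` and into the later lookup of `null_versions`; use `jq -re` so jq exits non-zero, and because the value is interpolated into an env-file line, reject anything outside a safe alphabet before writing it: `[[ "$runtime_name" =~ ^[A-Za-z0-9_]+$ ]] || { echo "invalid ci.runtime_name in config.json" >&2; exit 1; }`. The value comes from a file in the same repository, so the risk of injecting extra variables via a newline in `config.json` is low (a pull request can already alter the workflow itself), but the check also catches typos early.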
@@ -44,14 +44,38 @@ jobs: - name: Create timestamp tag id: timestamp run: echo "image_timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" | tee $GITHUB_OUTPUT + runtime-versions: + name: Get runtime versions + runs-on: ubuntu-latest + needs: preparation + strategy: + matrix: + folder: ${{ fromJson(needs.preparation.outputs.folders) }} + outputs: + runtime_versions: ${{ steps.runtime-versions.outputs.runtime_versions }} + steps: + - name: Checkout repository + uses: actions/checkout@v6 + - name: Read runtime name from config.json + id: runtime-name + run: | + runtime_name=$(jq -r '.ci.runtime_name' src/${{ matrix.folder }}/config.json) + echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV + - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json + id: runtime-versions + run: | + runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}_versions" '.ci.[$runtime_name]' src/${{ matrix.folder }}/config.json) + echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT + env: + RUNTIME_NAME: ${{ env.RUNTIME_NAME }} build: runs-on: ubuntu-latest - needs: preparation + needs: [preparation, runtime-versions] strategy: matrix: folder: ${{ fromJson(needs.preparation.outputs.folders) }} - php_version: [8.5, 8.4, 8.3, 8.2] + runtime_version: ${{ fromJson(needs.runtime-versions.outputs.runtime_versions) }} permissions: contents: read packages: write @@ -74,7 +98,7 @@ jobs: mode: '' load-mode: 'skip' env: - PHP_VERSION: ${{ matrix.php_version }} + RUNTIME_VERSION: ${{ matrix.runtime_version }} - name: Get image base digest id: get-image-base-digest run: | From cd8c713284b6a7469f54c0929846487ab28a2b73 Mon Sep 17 00:00:00 2001 From: Thomas HUCKE Date: Sun, 17 May 2026 17:11:57 +0200 Subject: [PATCH 12/12] ci: finalizing ci refactoring --- .github/workflows/cleanup-packages.yaml | 2 ++ .github/workflows/publish-containers.yaml | 2 +- .github/workflows/trivy.yaml | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) 
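Review bot: The `runtime-versions` job added here is a line-for-line copy of the one in `trivy.yaml`, including its matrix-output flaw: the `build` job's `runtime_version` axis comes from `needs.runtime-versions.outputs.runtime_versions`, which each `folder` leg overwrites, so with `packages: write` the publish job would build and push only the last folder's version list for every folder once the config files diverge. Extract the job into a reusable workflow (`on: workflow_call` with a single output) or a composite action so both callers share one implementation, and have it emit a combined `{folder, runtime_version}` `include` list rather than a per-leg output. The `build` job's `steps:` continue outside this hunk.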
diff --git a/.github/workflows/cleanup-packages.yaml b/.github/workflows/cleanup-packages.yaml index 29dd983..202154b 100644 --- a/.github/workflows/cleanup-packages.yaml +++ b/.github/workflows/cleanup-packages.yaml @@ -7,6 +7,8 @@ name: Cleanup packages on: workflow_dispatch: + schedule: + - cron: '22 1 * * 3' env: # Use docker.io for Docker Hub if empty diff --git a/.github/workflows/publish-containers.yaml b/.github/workflows/publish-containers.yaml index 4084b40..40af72a 100644 --- a/.github/workflows/publish-containers.yaml +++ b/.github/workflows/publish-containers.yaml @@ -1,4 +1,4 @@ -name: Docker +name: Build and Publish Dev Container Images # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 8b8fd81..5a4be42 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -95,6 +95,7 @@ jobs: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} INPUT_LIMIT_SEVERITIES_FOR_SARIF: true + TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }} - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v4 if: always()
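Review bot: The new `schedule: - cron: '22 1 * * 3'` trigger turns what was a manually dispatched workflow into an unattended one; if, as its name suggests, it deletes container package versions, a retention or filtering bug now runs weekly with no human in the loop. Before relying on the schedule, confirm the deletion step keeps a conservative minimum of versions and protects tagged releases, and consider a `workflow_dispatch` input that enables a dry-run mode for verification; the workflow's body is outside this diff.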
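Review bot: `TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }}` on the Trivy step's `env:` is a no-op: a step already inherits the job environment, so the line re-exports the variable to its own value, and if `env.TARGET_IMAGE_BASETAG` were empty (for instance if the dotenv step did not export it) it would silently export an empty string rather than surface the problem. Either drop the line or turn it into the check the hunk seems to want, for example a preceding step `run: test -n "$TARGET_IMAGE_BASETAG"`, so a missing tag fails before `image-ref` is built as `…/${{ matrix.folder }}:` with an empty tag. The Trivy step's `with:` block starts outside this hunk.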