ci: refactor workflows

.github/workflows/cleanup-packages.yaml

@@ -7,6 +7,8 @@ name: Cleanup packages
 
 on:
   workflow_dispatch:
+  schedule:
+    - cron: '22 1 * * 3'
 
 env:
   # Use docker.io for Docker Hub if empty

.github/workflows/publish-containers.yaml

@@ -1,4 +1,4 @@
-name: Docker
+name: Build and Publish Dev Container Images
 
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
@@ -44,14 +44,38 @@ jobs:
       - name: Create timestamp tag
         id: timestamp
         run: echo "image_timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" | tee $GITHUB_OUTPUT
+  runtime-versions:
+    name: Get runtime versions
+    runs-on: ubuntu-latest
+    needs: preparation
+    strategy:
+      matrix:
+        folder: ${{ fromJson(needs.preparation.outputs.folders) }}
+    outputs:
+      runtime_versions: ${{ steps.runtime-versions.outputs.runtime_versions }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Read runtime name from config.json
+        id: runtime-name
+        run: |
+          runtime_name=$(jq -r '.ci.runtime_name' src/${{ matrix.folder }}/config.json)
+          echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV
+      - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json
+        id: runtime-versions
+        run: |
+          runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}_versions" '.ci.[$runtime_name]' src/${{ matrix.folder }}/config.json)
+          echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT
+        env:
+          RUNTIME_NAME: ${{ env.RUNTIME_NAME }}
 
   build:
     runs-on: ubuntu-latest
-    needs: preparation
+    needs: [preparation, runtime-versions]
     strategy:
       matrix:
         folder: ${{ fromJson(needs.preparation.outputs.folders) }}
-        php_version: [8.5, 8.4, 8.3, 8.2]
+        runtime_version: ${{ fromJson(needs.runtime-versions.outputs.runtime_versions) }}
     permissions:
       contents: read
       packages: write
@@ -67,13 +91,14 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get install -y skopeo
-      - uses: xom9ikk/dotenv@v2.4.0
+      - name: Load environment variables from .env file
+        uses: xom9ikk/dotenv@v2.4.0
         with:
           path: "src/${{ matrix.folder }}"
           mode: ''
           load-mode: 'skip'
         env: 
-          PHP_VERSION: ${{ matrix.php_version }}
+          RUNTIME_VERSION: ${{ matrix.runtime_version }}
       - name: Get image base digest
         id: get-image-base-digest
         run: |

.github/workflows/trivy.yaml

@@ -34,20 +34,45 @@ jobs:
       - name: Get lowercase repo name
         id: lowercase-repo
         run: echo "repo=${GITHUB_REPOSITORY@L}" | tee $GITHUB_OUTPUT
-  build:
+
+  runtime-versions:
+    name: Get runtime versions
+    runs-on: ubuntu-latest
+    needs: preparation
+    strategy:
+      matrix:
+        folder: ${{ fromJson(needs.preparation.outputs.folders) }}
+    outputs:
+      runtime_versions: ${{ steps.runtime-versions.outputs.runtime_versions }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Read runtime name from config.json
+        id: runtime-name
+        run: |
+          runtime_name=$(jq -r '.ci.runtime_name' src/${{ matrix.folder }}/config.json)
+          echo "RUNTIME_NAME=${runtime_name}" | tee $GITHUB_ENV
+      - name: Load ${{ env.RUNTIME_NAME }} runtime versions to process from config.json
+        id: runtime-versions
+        run: |
+          runtime_versions=$(jq -c --arg runtime_name "${RUNTIME_NAME}_versions" '.ci.[$runtime_name]' src/${{ matrix.folder }}/config.json)
+          echo "runtime_versions=$runtime_versions" | tee $GITHUB_OUTPUT
+        env:
+          RUNTIME_NAME: ${{ env.RUNTIME_NAME }}
+  scan:
     permissions:
       #contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    name: Build
+    name: Scan images
     runs-on: ubuntu-latest
-    needs: preparation
+    needs: [preparation, runtime-versions]
     strategy:
       matrix:
         folder: ${{ fromJson(needs.preparation.outputs.folders) }}
-        php_version: [8.5, 8.4, 8.3, 8.2]
+        runtime_version: ${{ fromJson(needs.runtime-versions.outputs.runtime_versions) }}
     steps:
-      - name: Checkout code
+      - name: Checkout repository
         uses: actions/checkout@v6
 
       - uses: xom9ikk/dotenv@v2.4.0
@@ -56,26 +81,23 @@ jobs:
           mode: ''
           load-mode: 'skip'
         env: 
-          PHP_VERSION: ${{ matrix.php_version }}
+          RUNTIME_VERSION: ${{ matrix.runtime_version }}
 
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: '${{ env.REGISTRY }}/${{ needs.preparation.outputs.repo }}/${{ matrix.folder }}:${{ env.TARGET_IMAGE_BASETAG }}'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
+          format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
-
+          ignore-unfixed: true
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_LIMIT_SEVERITIES_FOR_SARIF: true
+          TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }}
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
         with:
           sarif_file: 'trivy-results.sarif'

src/typo3-apache/.env

@@ -1,4 +1,4 @@
-TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie
-PHP_VERSION=${PHP_VERSION}
+PHP_VERSION=${RUNTIME_VERSION}
+TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie
 IMAGE_BASE_NAME=docker.io/library/php
-IMAGE_BASE_TAG=${PHP_VERSION}-apache-trixie
+IMAGE_BASE_TAG=${RUNTIME_VERSION}-apache-trixie

src/typo3-apache/config.json

@@ -0,0 +1,11 @@
+{
+  "ci": {
+    "runtime_name": "php",
+    "php_versions": [
+      "8.2",
+      "8.3",
+      "8.4",
+      "8.5"
+    ]
+  }
+}

src/typo3-frankenphp/.env

@@ -1,4 +1,4 @@
-TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie
-PHP_VERSION=${PHP_VERSION}
+PHP_VERSION=${RUNTIME_VERSION}
+TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie
 IMAGE_BASE_NAME=docker.io/dunglas/frankenphp
-IMAGE_BASE_TAG=1-php${PHP_VERSION}-trixie
+IMAGE_BASE_TAG=1-php${RUNTIME_VERSION}-trixie

src/typo3-frankenphp/config.json

@@ -0,0 +1,11 @@
+{
+  "ci": {
+    "runtime_name": "php",
+    "php_versions": [
+      "8.2",
+      "8.3",
+      "8.4",
+      "8.5"
+    ]
+  }
+}

src/typo3-nginx/.env

@@ -1,4 +1,4 @@
-TARGET_IMAGE_BASETAG=php${PHP_VERSION}-trixie
-PHP_VERSION=${PHP_VERSION}
+PHP_VERSION=${RUNTIME_VERSION}
+TARGET_IMAGE_BASETAG=php${RUNTIME_VERSION}-trixie
 IMAGE_BASE_NAME=docker.io/library/php
-IMAGE_BASE_TAG=${PHP_VERSION}-fpm-trixie
+IMAGE_BASE_TAG=${RUNTIME_VERSION}-fpm-trixie

src/typo3-nginx/config.json

@@ -0,0 +1,11 @@
+{
+  "ci": {
+    "runtime_name": "php",
+    "php_versions": [
+      "8.2",
+      "8.3",
+      "8.4",
+      "8.5"
+    ]
+  }
+}